Secure software development at M&M Software. Because security begins with trust.

Software is everywhere. It controls machines, processes data and connects people. The more networked the world becomes, the more important security becomes. That's why we at M&M Software don't see security as an add-on, but as an integral part of professional development.

Security is responsibility

Cyberattacks cause immense damage every year: financially, legally and in terms of trust in a company. Anyone who develops software has a responsibility towards users, customers and society. Security is not a "nice-to-have" for us. It is a quality feature. And it creates trust. Trust is the foundation of every successful collaboration.

Thinking about security right from the start
Secure software is not created at the end of a project, but at the very beginning. Security begins with the requirements analysis, influences architecture and implementation, accompanies all tests and does not end with the release. Every step counts.

For us, this means secure software development:

  • Threat models
    Identifying and assessing potential threats before development saves time and money and minimises risk; always accompanied by our security experts.
  • Consideration of current security requirements and guidelines
    We identify relevant security requirements and look for economically viable solutions appropriate to the risk. Our internal security policies and guidelines support us in all project phases.
  • Static code analysis including static security checks (SAST)
    Our comprehensive tooling identifies potential vulnerabilities and quality deficiencies even before the code review by a second person, which is of course also mandatory. Quality gates prevent the delivery of recognised problems.
  • Source composition analysis (SCA)
    Naturally, we create a software bill of materials (SBOM) for you with all third-party components used. We also take over the active monitoring of known vulnerabilities in third-party components during the course of the project.
  • Documentation of security-relevant information
    All important information on security decisions or other security-relevant matters is documented, including the necessary instructions that belong in the product manual.
  • Preparation for compliance with the Cyber Resilience Act
    The Cyber Resilience Act will be mandatory for almost all products from December 2027 and prescribes extensive security measures. We will prepare your product and the necessary documentation in good time. Our Product Security Incident Response Team (PSIRT) will also support you with the reporting obligations that will apply from September 2026.
  • Careful selection of third-party components
    We only use libraries and tools that we have extensively tested. Are they secure? Are they regularly maintained? Are there alternatives? If not, we minimise the risk by making conscious decisions.
  • Active vulnerability management
    Whether in our own code or in the third-party components we use: when security vulnerabilities emerge, we react immediately. We analyse, fix and document them. We also inform our customers transparently and, if necessary, support them in informing their end users accordingly.
  • Clear rules and comprehensible documentation
    Our internal guidelines support the development of secure software. All security-relevant measures and reviews are documented. Our technical documentation shows how our software is operated securely and what changes an update entails.

People make the difference
Security is not just a technical issue. It depends on the knowledge and awareness of people. That's why we provide our employees with targeted, role-based training. Because only those who recognise risks can avoid them.

Security is not a peripheral issue for us. It is part of our corporate culture and is managed by our Cyber & Software Security Competence Centre. Security is teamwork.

PSIRT - our central point of contact
Despite all precautions, security vulnerabilities can still be discovered. This can happen through users or through independent security researchers. In such cases, clear communication is key. Our PSIRT, the Product Security Incident Response Team, takes reports seriously, forwards them directly and works on solutions. We keep our customers up to date and are available to answer any questions.

We are also happy to support our customers in setting up and establishing their own PSIRT process. In this way, we help to systematically strengthen the ability to respond to security incidents.

Conclusion: Security is a process and our claim
For us, security is not a finished state, but a continuous process supported by expertise, clear structures and the commitment of our employees. This results in solutions that are trustworthy.

About the author
Ralf King is a security expert and head of our Cyber and Software Security Competence Centre. As a qualified software engineer, he has gained personal experience of the tasks and challenges in the various project phases, from software developer to project manager, while establishing the topic of software security at an early stage. Today, he and his security team support the project teams in every phase and take care of the security development lifecycle in accordance with IEC 62443-4-1.

About the author
Sven Rieger is Head of Software Development Services and Chief Architect at M&M Software. He designs digital solutions that support users, simplify processes and solve problems. The Software Development Services department supports projects in all overarching topics. He focuses on software architecture and development processes, the targeted use of technological innovations, understanding specialist domains and developing tailor-made solutions.