The security and quality of our infrastructure and software are a critical success factor for us. For this reason we carry out various security and quality checks as part of our operational security, which are listed in this document.
Infrastructure vulnerability scans
We use a comprehensive solution for managing vulnerabilities across an organization's digital infrastructure. Strict vulnerability remediation times are defined and monitored. Key features of this solution that we leverage:
- Risk-based view of attack surface: Provides a risk-based perspective to quickly identify, investigate, and prioritize critical assets and vulnerabilities.
- Continuous asset discovery and assessment: Continuously discovers and assesses both known and unknown assets, including those in dynamic cloud or remote workforce environments.
- Extensive CVE and configuration coverage: Offers comprehensive coverage of Common Vulnerabilities and Exposures and configurations, allowing for quick identification of exposures and risk reduction through intuitive dashboard visualizations and risk scores.
- Automated vulnerability prioritization: Combines vulnerability data, threat intelligence, and data science to automate the prioritization of vulnerabilities, ensuring high-risk vulnerabilities are addressed promptly.
- Risk scores for remediation: Uses easy-to-understand risk scores to facilitate quick remediation actions before a breach occurs.
- Additional features: Continuous discovery and assessment with always-on sensors, built-in threat intelligence, real-time visualization of risk, and tracking of vulnerabilities, assets, and remediations.
Scanned assets
- Servers (virtual machines: Windows and Linux).
Advanced threat protection
We use a cloud-native application protection platform (CNAPP) with security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities. It combines the capabilities of:
- A development security operations (DevSecOps) solution that unifies security management at the code level across multi-cloud and multiple-pipeline environments.
- A cloud security posture management (CSPM) solution that surfaces actions that the user can take to prevent breaches.
- A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads.
The platform scans a variety of assets to enhance an organization's security posture:
- General resources: It analyzes the security state of resources connected to the organization's subscriptions, identifying potential security issues and providing recommendations for improvement.
- Specific asset categories: This includes total resources, unhealthy resources with active security recommendations, unmonitored resources with agent monitoring issues, and unregistered subscriptions.
- External attack surface: It discovers and maps the digital attack surface, providing an external view of the online infrastructure. This includes identifying unknowns, prioritizing risk, pinpointing weaknesses, and gaining visibility into third-party attack surfaces.
- Storage blobs: When a blob is uploaded to a protected storage account, a malware scan is triggered to check for potential threats.
- Container registry images: It scans images in container registries that have been pushed, imported, or pulled within the last 30 days, detecting vulnerabilities and providing remediation recommendations.
Scanned assets
- All cloud hosted resources (storages, databases, containers, app services, and others).
- Network within and from outside the cloud environment.
Software composition analysis (SCA)
Software composition analysis (SCA) scans the open-source software we depend on for known vulnerabilities. Its capabilities include:
- Identifying open source components: Analyze applications and identify their reliance on open source packages via direct or transitive dependencies.
- License compliance management: Identify the different open source licenses used, which helps mitigate the legal risk associated with open source software.
- Security vulnerabilities: Correlate with vulnerability databases and point to vulnerabilities in open source dependencies.
- Governance and control: Automatically enforce security and license policies across the different stages of the software development lifecycle.
Scanned assets
- Packages and libraries used in the source code.
- Open source licenses in the source code.
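As an added example (not the page's own tooling), the following Python sketch performs the SCA steps described above over constructed data: it resolves direct and transitive dependencies from a constructed package index, correlates each resolved version with a constructed vulnerability database (hypothetical EXAMPLE-* identifiers), and applies a license and severity policy of the kind the governance step enforces. Package names, versions, licenses and vulnerability records are all assumptions made for the example.

```python
# Added example (not the page's tooling). Constructed package index: name -> (version, license, deps).
PACKAGE_INDEX = {
    "webapp-core": ("2.1.0", "MIT", ["json-parse", "log-lib"]),
    "json-parse": ("1.4.2", "Apache-2.0", ["str-utils"]),
    "log-lib": ("2.14.1", "Apache-2.0", []),
    "str-utils": ("0.9.0", "GPL-3.0", []),
}
# Constructed vulnerability records (hypothetical ids); affected range is [introduced, fixed).
VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "log-lib", "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "json-parse", "introduced": "1.0.0", "fixed": "1.4.0", "severity": "high"},
]
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}  # constructed license policy
FAIL_SEVERITIES = {"critical", "high"}     # constructed severity gate

def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. "2.14.1" -> (2, 14, 1)."""
    return tuple(int(p) for p in v.split("."))

def resolve(direct, index):
    """Walk direct and transitive dependencies; return {name: (version, license, depth)}."""
    resolved, stack = {}, [(name, 0) for name in direct]
    while stack:
        name, depth = stack.pop()
        if name in resolved:          # already visited (diamond dependency)
            continue
        version, lic, deps = index[name]
        resolved[name] = (version, lic, depth)
        stack.extend((dep, depth + 1) for dep in deps)
    return resolved

def is_affected(version, record):
    v = parse_version(version)  # True if version lies in the half-open affected range
    return parse_version(record["introduced"]) <= v < parse_version(record["fixed"])

def scan(direct, index=PACKAGE_INDEX, vuln_db=VULN_DB):
    """Correlate every resolved package with the vulnerability DB and the license policy."""
    findings = []
    for name, (version, lic, depth) in resolve(direct, index).items():
        origin = "direct" if depth == 0 else "transitive"
        if lic in DENIED_LICENSES:
            findings.append({"type": "license", "package": name, "detail": lic,
                             "origin": origin, "blocking": True})
        for rec in vuln_db:
            if rec["package"] == name and is_affected(version, rec):
                findings.append({"type": "vuln", "package": name, "detail": rec["id"],
                                 "origin": origin, "blocking": rec["severity"] in FAIL_SEVERITIES})
    return findings

def policy_passes(findings):
    """Governance gate: the build fails if any finding is blocking."""
    return not any(f["blocking"] for f in findings)
```

Note that the GPL-licensed package is only reached transitively, which is exactly the case the "direct or transitive dependencies" step exists to catch.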
Static application security testing (SAST)
We use static application security testing (SAST) to analyze our source code, bytecode, or binaries for security vulnerabilities without running the application. SAST helps us identify and rectify security flaws early in the development cycle, saving time and reducing the costs associated with post-deployment fixes.
In our development process, SAST is integrated into the continuous integration/continuous deployment (CI/CD) pipeline, enabling regular and automated security checks. This method reviews our non-running application code to find issues such as input validation errors and insecure coding practices.
SAST supports all programming languages and frameworks we use, ensuring our code adheres to security standards and best practices like the OWASP Top 10.
SAST is an integral part of our software development process, allowing our developers to address security issues efficiently as part of their regular workflow.
Scanned assets
- Application source code.
Application security management (ASM)
Application security management (ASM) protects against application-level attacks that aim to exploit code-level vulnerabilities, such as server-side request forgery (SSRF), SQL injection, Log4Shell, and reflected cross-site scripting (XSS).
The tool uses in-app detection rules to detect and block threats in the application environment and raises security signals whenever an attack reaches the production system or a vulnerability in the code is triggered.
Scanned assets
- Inbound network traffic.
- Packages and libraries used in the source code.
Malware scanners
Our cybersecurity strategy includes regular malware scans on all servers and workstations. These scans identify and mitigate threats posed by various forms of malware. Scanning our servers keeps the backbone of our IT infrastructure secure against sophisticated threats, while scanning all workstations safeguards against threats that originate from everyday usage and internet browsing. This proactive stance on malware detection and prevention is a key part of maintaining the overall security and integrity of our IT systems.
Scanned assets
- Laptops.
- Servers.
- Files uploaded by customers.
Static code analysis (TQE)
The goal of technical quality engineering (TQE) is to improve the overall code quality of a system. As part of this process, static code analysis is performed to detect redundant code, check coding guidelines and security policies, and more.
Scanned assets
- Application source code.