...
All user input (e.g. via dialogs) has to be escaped before being inserted into templates.
All data transferred from the client to the server (e.g. cache data) has to be escaped before being inserted into templates.
All REST interfaces or servlets contain a check whether the current user has the appropriate permission before executing any actions.
All permission checks are done on the server, not on the client.
When a request collects data from multiple content entity objects we check that the current user has a view permission on them before including them in the result.
We only include the necessary information in the responses.
We minimize the number of 3rd party libraries in our apps.
In case we use 3rd party libraries, we check the published list of known vulnerabilities before using them and regularly after release.
Cloud only: we do not store customer data within our cloud apps.
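The following is an added example illustrating the escaping, server-side permission and minimal-response rules above; it is not the page's own code. It assumes a constructed in-memory model (a Page record, a User with per-page view/edit sets, an HTML item template) that stands in for the real content entity objects and templates.

```python
from dataclasses import dataclass, field
from html import escape


@dataclass
class Page:
    page_id: int
    title: str            # user-supplied at creation time, so untrusted
    internal_notes: str   # server-only field, never sent to clients


@dataclass
class User:
    name: str
    can_view: set = field(default_factory=set)   # page ids the user may view
    can_edit: set = field(default_factory=set)   # page ids the user may edit


# Constructed sample data; the second title deliberately contains markup.
PAGES = {
    1: Page(1, "Welcome", "draft reviewed"),
    2: Page(2, "<script>alert(1)</script>", "reported by user"),
    3: Page(3, "Board minutes", "restricted"),
}
ALICE = User("alice", can_view={1, 2}, can_edit={1})

# Server-side template; every slot receives escaped text only.
ITEM_TEMPLATE = '<li data-id="{page_id}">{title}</li>'


def render_item(page: Page) -> str:
    """Escape user-originated text before it is inserted into the template."""
    return ITEM_TEMPLATE.format(
        page_id=page.page_id,                  # integer, nothing to escape
        title=escape(page.title, quote=True),  # also escapes quotes for attribute use
    )


def list_pages(user: User, requested_ids: list) -> list:
    """Collect several content entities, check view permission on each one
    on the server, and return only the fields the client needs."""
    result = []
    for page_id in requested_ids:
        page = PAGES.get(page_id)
        if page is None or page_id not in user.can_view:
            continue                           # omit silently; do not leak existence
        result.append({"id": page.page_id, "title": page.title})
    return result


def rename_page(user: User, request: dict) -> str:
    """Handle a client request. Claims inside the request body (such as an
    'is_admin' flag) are ignored; only the server-side permission counts,
    and it is checked before any action is taken."""
    page_id = int(request["page_id"])
    if page_id not in user.can_edit:
        raise PermissionError(f"{user.name} may not edit page {page_id}")
    PAGES[page_id].title = str(request["title"])
    return render_item(PAGES[page_id])
```

The permission check in rename_page happens before the entity is touched, list_pages drops entities the caller may not view instead of reporting them as forbidden, and the response dicts never carry internal_notes.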
Cybersecurity audits
We perform cybersecurity audits depending on the criticality:
Protection of our infrastructure: 2 times / year
Protection of cloud servers: 2 times / year
Protection of apps: at every change or at least once per year for every app
The results are kept here.
Cybersecurity issue fixing
...