...
Our cloud servers are protected as follows:
We only access the servers via
For all servers we implement two-factor authentication.
We only use well-established providers.
The servers are located in the EU.
We only offer an https interface to the clients.
We perform a regular vulnerability scan of the cloud service.
...
All user input (e.g. via dialogs) has to be escaped before it is inserted into templates.
All data transferred from the client to the server (e.g. cache data) has to be escaped before it is inserted into templates.
All REST interfaces or servlets contain a check whether the current user has the appropriate permission before executing any actions.
All permission checks are done on the server, not on the client.
When a request collects data from multiple content entity objects, we check that the current user has view permission on each of them before including it in the result.
We only include the necessary information in the responses.
We minimize the number of 3rd party libraries in our apps.
If we use 3rd party libraries, we check the published list of known vulnerabilities before using them and regularly after release.
Cloud only: we do not store customer data within our cloud apps.
All app versions published after 2020-08-17 will undergo a static code analysis.
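The following Java class is an added illustration of the three design guidelines above (server-side permission check before any action, per-entity view-permission filtering when a response aggregates several content entities, and escaping of user- and client-supplied values before they reach a template). It is not code from the original page or from the app vendor; the `ContentEntity`, `User` and `PermissionChecker` types and the permission name `USE_SEARCH` are hypothetical stand-ins for the app's real objects.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical stand-ins for the app's content entity objects and users (not the real API).
record ContentEntity(long id, String title) {}
record User(String name) {}

// Hypothetical permission service; a real app would delegate to its host platform's permission manager.
interface PermissionChecker {
    boolean hasPermission(User user, String permission);
    boolean hasViewPermission(User user, ContentEntity entity);
}

final class SecureResponseBuilder {
    private final PermissionChecker permissions;

    SecureResponseBuilder(PermissionChecker permissions) {
        this.permissions = permissions;
    }

    // Builds the HTML fragment a REST endpoint or servlet would return for a search.
    String renderSearchResult(User user, String query, List<ContentEntity> candidates) {
        // Guideline: the permission check happens here, on the server, before any action.
        if (!permissions.hasPermission(user, "USE_SEARCH")) {
            throw new SecurityException("user " + user.name() + " lacks USE_SEARCH");
        }

        // Guideline: when aggregating several entities, keep only those the user may view.
        List<ContentEntity> visible = new ArrayList<>();
        for (ContentEntity entity : candidates) {
            if (permissions.hasViewPermission(user, entity)) {
                visible.add(entity);
            }
        }

        // Guideline: every user- or client-supplied value is escaped before entering the template.
        StringBuilder html = new StringBuilder();
        html.append("<p>Results for: ").append(escapeHtml(query)).append("</p><ul>");
        for (ContentEntity entity : visible) {
            // Guideline: only the fields the client needs (id and title) are included.
            html.append("<li data-id=\"").append(entity.id()).append("\">")
                .append(escapeHtml(entity.title()))
                .append("</li>");
        }
        html.append("</ul>");
        return html.toString();
    }

    // Minimal HTML escaping for text and attribute contexts; covers the five characters
    // that can change the meaning of markup.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&' -> out.append("&amp;");
                case '<' -> out.append("&lt;");
                case '>' -> out.append("&gt;");
                case '"' -> out.append("&quot;");
                case '\'' -> out.append("&#39;");
                default -> out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: the user may view entity 1 but not entity 2.
        Set<Long> viewableIds = Set.of(1L);
        PermissionChecker checker = new PermissionChecker() {
            public boolean hasPermission(User user, String permission) {
                return "USE_SEARCH".equals(permission);
            }
            public boolean hasViewPermission(User user, ContentEntity entity) {
                return viewableIds.contains(entity.id());
            }
        };
        List<ContentEntity> candidates = List.of(
            new ContentEntity(1L, "Public page <draft>"),
            new ContentEntity(2L, "Restricted page"));

        SecureResponseBuilder builder = new SecureResponseBuilder(checker);
        // The query contains markup; it is rendered as text, and entity 2 is filtered out.
        String html = builder.renderSearchResult(new User("alice"), "<b>x</b>", candidates);
        System.out.println(html);
    }
}
```

Running `main` prints a fragment in which the query appears as `&lt;b&gt;x&lt;/b&gt;`, the `<draft>` in the first title is escaped, and the restricted entity is absent; the permission check and the filtering both run on the server, so a client that tampers with its own request cannot bypass them.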
Cybersecurity audits
We perform cybersecurity audits depending on the criticality:
...
The results are kept here: /wiki/spaces/PLUG/pages/1765998612.
Static Code analysis
All our apps will undergo a static code analysis with the focus on security. For our open source apps we will use Coverity. Static code analysis is applicable for all new releases starting 2020-08-18.
Penetration tests
We currently do not perform penetration tests. The main reason is that the attack vectors are well known and are now sufficiently controlled by the design guidelines.
Cybersecurity issue fixing
...