...
For all servers we implement two-factor authentication.
We only use well-established providers (Heroku and AWS).
The servers are located in the EU.
We only offer an HTTPS interface to the clients.
We perform regular vulnerability scans of the cloud service.
The cloud servers are hardened and the number of open ports is minimized.
Protection of our apps
Cybersecurity design guidelines
As we are a small company, a full-blown quality management system has not been established. However, we adhere to the following principles during development and for any change:
Our Cloud apps follow the security requirements set by Atlassian.
All user input (e.g. via dialogs) must be escaped before it is inserted into templates or any other output.
All data transferred from the client to the server (e.g. cache data) must be escaped before it is inserted into templates or any other output.
All REST interfaces and servlets check whether the current user has the appropriate permission before executing any action.
GET requests shall be avoided where data is updated, because of the risk of forged requests.
All permission checks are done on the server, not on the client.
When a request collects data from multiple content entity objects, we check that the current user has view permission on each of them before including it in the result.
We only include the necessary information in the responses.
We minimize the number of 3rd party libraries in our apps.
Where we use 3rd party libraries, we check the published vulnerability lists before using them and regularly after release.
Cloud only: we do not store customer data within our cloud apps or servers, except the data needed to set up the service.
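As an added illustration of the guidelines above on output escaping, server-side permission checks, GET requests and per-entity view permissions (example code, not the vendor's own), a minimal request handler in JavaScript. The user and page stores are constructed for the example, and `req.user` is assumed to have been authenticated already by the framework.

```javascript
// Constructed sample data: users with their permissions, and content entities
// that each carry their own list of allowed viewers.
const USERS = {
  alice: new Set(["page:view", "page:edit"]),
  bob: new Set(["page:view"]),
};
const PAGES = [
  { id: 1, title: "Release <b>plan</b>", viewers: new Set(["alice", "bob"]) },
  { id: 2, title: "HR notes", viewers: new Set(["alice"]) },
];

// Escape user-controlled text before it is inserted into an HTML template.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function hasPermission(user, perm) {
  return USERS[user] !== undefined && USERS[user].has(perm);
}

// req = { method, action, user, payload }; returns { status, body }.
function handleRequest(req) {
  // State changes over GET are refused: they are exposed to forged requests.
  if (req.method === "GET" && req.action === "update") {
    return { status: 405, body: "updates must use POST" };
  }
  // The permission check happens here on the server, never in the client.
  const needed = req.action === "update" ? "page:edit" : "page:view";
  if (!hasPermission(req.user, needed)) {
    return { status: 403, body: "forbidden" };
  }
  if (req.action === "update") {
    const page = PAGES.find((p) => p.id === req.payload.id);
    // Entities the caller may not see are reported as absent, not as forbidden.
    if (!page || !page.viewers.has(req.user)) return { status: 404, body: "not found" };
    page.title = req.payload.title; // stored as submitted, escaped on output
    return { status: 200, body: { id: page.id } };
  }
  // Listing: include only entities the caller may view, and only the needed fields.
  const visible = PAGES.filter((p) => p.viewers.has(req.user));
  return {
    status: 200,
    body: visible.map((p) => ({ id: p.id, title: escapeHtml(p.title) })),
  };
}
```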
Cybersecurity audits
We perform cybersecurity audits depending on the criticality:
...