As hardcore engineers with pedigrees from finance, government and companies like Cloudera, working with sensitive data in security-conscious environments is part of our lifeblood. We pride ourselves on taking extra care whenever we are granted access to your code.
Application, Quality & Code Security
- Code is pulled and analyzed in ephemeral, isolated containers or virtualized environments
- FOSSA employs engineers and contractors dedicated to application quality and testing
- FOSSA engineers practice regular peer code review
- Sensitive data (e.g. user passwords, access tokens) is stored only in encrypted or one-way hashed form
- FOSSA never holds permanent (non-revocable) access credentials for third-party services; tokens follow the OAuth specification and are rotated on expiration
- All application data is transmitted over HTTPS
- 24/7 application monitoring and DDoS protection
- Hosted in Amazon Web Services datacenters (ISO 27001 certified and FISMA compliant)
- The on-prem deployment is fully self-contained: all data (including open source analysis results and caches) stays behind the customer's firewall and never leaves it
- Native HTTPS support is built into the on-prem offering
- The application is distributed with multiple layers of containerization, virtualization and sandboxing across the stack
- Successfully passed security review for Fortune 50 on-prem deployments
Physical, Operational & Information Privacy
- Two-factor authentication is required for all employees
- Office located in private facilities with 24/7 security, surveillance and access cards
Security Disclosure Policy
If you think you've found a security issue, please email us at firstname.lastname@example.org or the founder directly at email@example.com with "[SECURITY]" in the subject line. DO NOT publicly disclose or report the vulnerability elsewhere before we have had a chance to respond.