If you have worked in software development, you know that data breaches are part of the experience. There are many possible causes, but software vulnerabilities are the leading one. Even today, with breaches happening all around us, some teams still treat security as a feature rather than a necessity. When software is designed without security as a top priority, attackers find the flaws, inject malicious code into the system, and steal sensitive data. For instance, in the news this week, the Federal Bureau of Investigation issued a security alert warning that hackers have been abusing misconfigured applications to access and steal source code repositories containing proprietary or sensitive applications from US government agencies and private companies since at least April 2020.
Securing your code should therefore be among your top priorities, if not your number one priority. Secure coding practices range from high-level principles to detailed code analysis, and the specifics vary with the kind of software being built. Whether you are writing code for mobile devices, servers, personal computers, or embedded devices, keeping your code safe is critical, because failing to do so can result in one of the following:
- Denial of service to a single user,
- Loss of service,
- Compromised secrets,
- Damage to the systems of thousands of users.
Keeping your code secure is our top priority: we make sure no vulnerability is left unattended before code is shipped, so that our customers' data stays protected at all times. The following security practices are in place to achieve that objective.
All of our services run in the cloud on Amazon Web Services (AWS), which means Codacy does not host or run its own routers, load balancers, DNS servers, or physical servers. AWS applies strong security controls to the underlying infrastructure and holds a broad set of compliance certifications. Under the AWS shared responsibility model, AWS secures the infrastructure itself while we remain responsible for how our network, access controls, and data protection are configured on top of it; the practices below describe that part.
Network level security monitoring and protection
Our network security architecture consists of multiple security zones. At Codacy, we use a virtual private cloud (VPC); a bastion host or VPN combined with network access control lists (ACLs); no public IP addresses on workload hosts; a firewall to monitor and control incoming and outgoing traffic; and IP address filtering. Together these monitor and protect our network and ensure that no unauthorized access takes place.
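The controls above (private workloads with no public IPs, SSH reachable only through the bastion, the bastion reachable only from an admin allow-list) are the kind of thing that drifts silently when someone adds a security group rule in a hurry, so they are worth checking continuously. The following is an added example, not Codacy's own tooling: a small audit function over an inventory shaped like boto3's `describe_instances` and `describe_security_groups` responses. The inventory, the `Role=bastion` tag, the admin CIDR `203.0.113.0/24`, and the policy that only port 443 may be Internet-facing are all assumptions made for the example; the data is constructed inline so the check runs offline.

```python
"""Audit a VPC inventory for the network controls described above.

Added example (not Codacy code). Input dicts follow the shape of boto3
ec2.describe_instances()["Reservations"][n]["Instances"] and
ec2.describe_security_groups()["SecurityGroups"], but are constructed here.
"""
import ipaddress

# Assumptions for this example: the bastion carries the tag Role=bastion,
# administrators reach it only from this CIDR (TEST-NET-3, a documentation range),
# and 443 is the only port a workload group may open to the Internet.
BASTION_ROLE = "bastion"
ALLOWED_ADMIN_CIDRS = ("203.0.113.0/24",)
PUBLIC_PORTS = {443}
WORLD = ("0.0.0.0/0", "::/0")

# Constructed sample inventory: a compliant bastion and app tier, plus a database
# host that was given a public IP and a security group open to the world.
INSTANCES = [
    {"InstanceId": "i-0bastion", "PublicIpAddress": "198.51.100.10",
     "SecurityGroups": [{"GroupId": "sg-bastion"}],
     "Tags": [{"Key": "Role", "Value": "bastion"}]},
    {"InstanceId": "i-0app", "SecurityGroups": [{"GroupId": "sg-app"}],
     "Tags": [{"Key": "Role", "Value": "app"}]},
    {"InstanceId": "i-0db", "PublicIpAddress": "198.51.100.20",
     "SecurityGroups": [{"GroupId": "sg-db"}],
     "Tags": [{"Key": "Role", "Value": "db"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def _tag(instance, key):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)


def _within_allowed(cidr, allowed):
    """True if cidr is a subnet of one of the allow-listed networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, allowed))


def _ports(perm):
    """Port range a permission opens; IpProtocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _fmt(lo, hi):
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit(instances, security_groups):
    """Return human-readable findings; an empty list means the inventory is compliant."""
    findings = []
    bastion_sgs = set()
    for inst in instances:
        groups = {g["GroupId"] for g in inst["SecurityGroups"]}
        if _tag(inst, "Role") == BASTION_ROLE:
            bastion_sgs |= groups
        elif "PublicIpAddress" in inst:  # boto3 omits the key when there is no public IP
            findings.append(f"{inst['InstanceId']}: workload instance has public IP "
                            f"{inst['PublicIpAddress']}")
    for sg in security_groups:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            lo, hi = _ports(perm)
            # CIDR-based sources only; UserIdGroupPairs (e.g. "from the bastion SG") are fine
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if gid in bastion_sgs:
                    if not _within_allowed(cidr, ALLOWED_ADMIN_CIDRS):
                        findings.append(f"{gid}: bastion accepts {_fmt(lo, hi)} from {cidr}, "
                                        "outside the admin allow-list")
                elif lo <= 22 <= hi:
                    findings.append(f"{gid}: SSH reachable from {cidr} instead of via "
                                    "the bastion security group")
                elif cidr in WORLD and not (lo == hi and lo in PUBLIC_PORTS):
                    findings.append(f"{gid}: port {_fmt(lo, hi)} open to the Internet ({cidr})")
    return findings


if __name__ == "__main__":
    for line in audit(INSTANCES, SECURITY_GROUPS):
        print(line)
```

Run against the sample, the audit reports the database host's public IP and both of its Internet-exposed ports, while the bastion (admin CIDR only) and the app tier (SSH only from the bastion's security group, 443 public) pass. In a real account the same function would be fed the live boto3 responses, and it is deliberately strict: any CIDR-sourced SSH rule on a non-bastion host is a finding even if the CIDR is narrow, because the design is that SSH enters only through the bastion.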
Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS) configured according to industry best practices. You can see our SSL Labs report here; it is an independent check of the protocol versions, cipher suites, and certificate chain our endpoints actually negotiate.
Encryption at rest: All user data is encrypted in the database using well-established encryption algorithms.
Data retention and removal
At Codacy, you choose whether to retain or remove your data. After your trial ends, any user can request the removal of their usage data by contacting support or by deleting their account. Read more about our privacy settings at codacy.com/privacy.
Business Continuity and Disaster Recovery
In case of a disaster, we are ready to guarantee a fast recovery of your data: we back up all our critical assets, regularly test restoring those backups, and keep all backups encrypted.
Application Security Monitoring
We use a security monitoring solution to gain visibility into our application security, identify attacks, and respond quickly to a data breach. Our tooling monitors exceptions and logs and detects anomalies in our applications. We also collect and store logs to provide audit trails of our activity, and use distributed tracing (OpenTracing) across our microservices.
One of the major components of our code review process is reviewing code for security vulnerabilities. We develop security best practices and frameworks mapped to the OWASP Top 10 and the SANS Top 25. Developers take part in regular security training covering common vulnerabilities and threats. We review our code, update our dependencies regularly, and make sure none of them carries a known vulnerability. We use Static Application Security Testing (SAST) to detect common security vulnerabilities in the codebase, and Dynamic Application Security Testing (DAST) to scan our running applications.
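To make concrete what a SAST rule actually does when it flags an OWASP Top 10 or SANS Top 25 class of weakness, here is an added example (not Codacy's analyzer, and much smaller than a real SAST engine): a Python AST walker with four rules, run over a constructed sample module. The rule set, the CWE mapping, and the sample source are assumptions made for the example; real scanners track data flow rather than just call shapes, so this is the shape of the idea rather than a replacement for one.

```python
"""Toy SAST: four AST-based rules over Python source. Added example, not Codacy code."""
import ast
import re

# Assumption: variable names matching this pattern that are assigned a string
# literal are treated as hard-coded credentials (CWE-798).
SECRET_NAME = re.compile(r"pass(word)?|secret|token|api_?key", re.I)


def _dotted(node):
    """'subprocess.run' for Attribute chains, 'eval' for bare Names, '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, CWE id, message)

    def _report(self, node, cwe, msg):
        self.findings.append((node.lineno, cwe, msg))

    def visit_Call(self, node):
        name = _dotted(node.func)
        kw = {k.arg: k.value for k in node.keywords}
        shell = isinstance(kw.get("shell"), ast.Constant) and kw["shell"].value is True
        if name in ("eval", "exec"):
            self._report(node, "CWE-95", f"{name}() evaluates code at runtime")
        elif name == "os.system" or (name.startswith("subprocess.") and shell):
            # A string literal is fine; anything else may carry attacker input
            if node.args and not isinstance(node.args[0], ast.Constant):
                self._report(node, "CWE-78", f"{name}() runs a shell with a non-literal command")
        elif name == "yaml.load" and "Loader" not in kw:
            # Limitation: does not check whether the given Loader is itself safe
            self._report(node, "CWE-502", "yaml.load() without an explicit Loader")
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self._report(node, "CWE-798", f"hard-coded credential in '{target.id}'")
        self.generic_visit(node)


def scan(source, filename="<sample>"):
    """Parse source and return findings sorted by line: [(line, cwe, message), ...]."""
    finder = Finder()
    finder.visit(ast.parse(source, filename))
    return sorted(finder.findings)


# Constructed sample module: lines 2, 4, 7 and 9 should be flagged; 5, 6 and 11 are fine.
SAMPLE = '''\
import os, subprocess, yaml
password = "hunter2"
def run(user_cmd):
    subprocess.run(user_cmd, shell=True)
    subprocess.run(["ls", "-l"])
    os.system("echo ok")
    return eval(user_cmd)
def load(data):
    return yaml.load(data)
def load_safe(data):
    return yaml.load(data, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for line, cwe, msg in scan(SAMPLE):
        print(f"{line}: {cwe}: {msg}")
```

The list-form `subprocess.run` on line 5 and the literal `os.system("echo ok")` on line 6 are deliberately left unflagged: a rule that fires on every shell call drowns the team in noise, and the point of mapping rules to weakness classes is to report the pattern that is actually exploitable (attacker-influenced input reaching a shell), not the API name.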
We offer both single sign-on (SSO) and role-based access control (RBAC), depending on the subscription you choose. All accounts get RBAC, while SSO is available to enterprise customers. Single sign-on is offered through Google, GitHub, or Bitbucket accounts.
We comply with the General Data Protection Regulation (GDPR). GDPR is the European Union's data protection regulation; it applies to organizations like ours that process the personal data of people in the EU, wherever the organization is based, and holds them accountable for keeping that data safe and secure. Complying with GDPR means that we not only protect the personal information of EU residents but also give them control over their personal data, including the right to access and delete it.
All payment card processing is outsourced to Stripe, which is certified as a PCI DSS Level 1 Service Provider. We never store or process card data on our own systems, which keeps our own PCI scope to a minimum.
We have strict internal procedures in place to ensure that no employee or administrator has access to user data. The only exception is customer support work, which is done with the customer's permission. In addition, every employee signs a non-disclosure and confidentiality agreement on joining the company, to protect our customers' sensitive information.
This outline is a high-level overview of the security practices in place at Codacy. All of these steps exist to protect you and the security of your data; Codacy is dedicated to giving its customers and users the highest level of transparency and control over the use of their data when using our services. If you have any questions about security or about how we handle information and personal data, please reach out to us at firstname.lastname@example.org.