ActiveNav Cloud has specific security requirements determined by the product's functionality and deployment. The product team maintains a Product Security Model that drives development and testing practices.
Product Security Model
ActiveNav Cloud defines a Product Security Model that establishes a framework for security-related requirements in any development or engineering effort. The Product Security Model defines the following elements (prepared per the Microsoft Security Development Lifecycle recommended practices):
- Product Secure Champion - responsible for the Product Security Model of the product
- Threat model for product and how the design mitigates these threats
- Security requirements for user authentication and authorization
- Minimum quality profile to be validated by automated security testing
- Risk assessment for product - based on factors such as threat modeling outcomes, consideration of deployment modes, etc.
- Review interval for the security model
- Incident handling plan for all systems related to the product build, test, and operation
Developer Training
The increased sophistication of the approaches that malicious actors can apply to attempt to gain access to IT systems, together with the nature of the data that we process, means that customers are increasingly seeking to understand the steps we take to ensure the security of our products.
All product development staff are provided with core training in the fundamental principles of secure coding practices and testing for issues relating to security. The training focuses on issues related to web application security highlighted by OWASP.
- All ActiveNav staff are required to complete KnowBe4 information security training annually, covering Common Threats and Security Awareness.
- All development staff are required to review Secure Development and Threat Modeling guidelines.
- Developers, at a minimum, will take courses on OWASP vulnerability principles and additional courses on specific areas of risk.
Application Security Testing
We utilize a range of automated tools to analyze and test ActiveNav Cloud to identify quality and security issues. The specific approach defined for ActiveNav Cloud is determined by the security requirements of this product and, at a minimum, includes Software Composition Analysis, Static Application Security Testing, and Dynamic Application Security Testing. We use Veracode's SCA, SAST, and DAST products to maintain Veracode Verified Team status.
Software Composition Analysis (SCA)
To avoid risks being imported to ActiveNav Cloud through third-party components, we use Software Composition Analysis (SCA). SCA maintains a catalog of third-party components to ensure license compatibility with our products and enables awareness of any existing or future vulnerabilities in the selected components.
Static Application Security Testing (SAST)
SAST analysis is deployed to analyze source code and model data flow on a "whole product" basis. This increases the overall quality of our code and can highlight security issues before new code is deployed into production, such as:
- Cross-Site Scripting
- SQL Injection
- Information Leakage into Logs
SAST analysis is also used to:
- Identify and eliminate coding patterns known to be a potential cause of defects or security issues
- Ensure defined coding policies are adhered to
- Resist the creation of hard-to-maintain code structures
Dynamic Application Security Testing (DAST)
We run DAST weekly to check for issues that cannot be found in static testing, such as:
- Factors Relating to HTTP Security
- Use of Cookies
- Authentication