
Secure Development Lifecycle and Operational Security

Developers at Yva.ai are familiar with the OWASP Top 10 vulnerabilities and know how to write secure code, drawing on our internal secure development documents and on the publicly available OWASP guidance.

Each process and architectural component of the product is confirmed to comply with ISO/IEC 27001:2013.

The internal document "Secure development policy" was written specifically for our team. It defines and establishes the procedure for managing information security requirements when developing software at Yva.ai.

During development, we use SonarCloud to scan the code automatically. SonarCloud is a cloud-based static analysis (SAST) service that detects code quality and security problems in 25 programming languages. It helps us continuously ensure the maintainability, reliability and security of the code.

Before releasing new functionality, we also run a DAST scanner to identify potential vulnerabilities missed by the SAST scanner and by developers.

Yva.ai is developed using the agile (Kanban) methodology. Continuous on-the-job training and coaching, including secure coding techniques, are provided to all developers.

Before any public release, extensive regression testing is performed to ensure that the software continues to adhere to its design specifications. Our process for reviewing, testing, and deploying code includes peer code reviews, automated and manual testing, and a repeatable build and release process. All software is tested for security.

The testing environment for Yva.ai uses test fixtures that reproduce real data patterns. Tests are run in our local development network. Both the testing and development environments are isolated from the live production environment, and we do not use user data in either of them.

Penetration tests

Yva.ai performs penetration tests to evaluate the security of the system.

The results of our last penetration tests are available per request.

Incident management plan

Yva.ai maintains an Information Security Incident Management Procedure that defines and establishes the rules for identifying, responding to, resolving and analyzing the causes of information security incidents at Yva.ai, Inc.

Yva.ai follows the GDPR (Art. 33) requirements in its breach notification procedure for tenants using our SaaS solution.

Business Continuity Strategy

Yva.ai has a Business Continuity Strategy that sets out the general approach to ensuring the continuity of the main business processes within the scope of the information security management system of Yva.ai, Inc. This documentation defines a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO) for each process.

Web Application Firewall usage

Yva.ai uses the Microsoft Azure Web Application Firewall in front of the SaaS solution.

Security Information and Event Management

Yva.ai uses Microsoft Azure Sentinel to aggregate internal and external events from the different sources of the SaaS solution.
