Security is integrated into the entire lifecycle of the ONEiO service through a Secure Software Development Lifecycle (SSDLC) and a dedicated Information Security Management System (ISMS).
Key measures include:
Policies and Governance
- Secure Software Development Policy: Governs the entire lifecycle, ensuring security is embedded from planning through deployment.
- ISO 27001:2022 Certification: The development and operational processes are part of an ISO 27001:2022-certified ISMS, demonstrating adherence to an internationally recognised security standard.
- Peer Reviews: All code changes, including infrastructure-as-code and server image updates, undergo mandatory peer review before production deployment.
Technical Controls in Development
- Automated Scanning: The CI/CD pipeline includes static application security testing (SAST), open-source dependency vulnerability scanning (SCA), and container image scanning (using tools such as Aikido, SonarSource, and AWS Inspector).
- Environment Segregation: Development, staging, and production environments are strictly isolated in separate AWS accounts and VPCs to prevent cross-environment data exposure.
- Hardened Infrastructure: ONEiO uses only hardened, AWS-optimized server images and follows AWS security best practices.
Deployment and Testing
- Secure CI/CD Pipeline: Software is automatically tested and deployed to staging for end-to-end testing before reaching production.
- Penetration Testing: Independent third parties conduct annual web application security audits and penetration tests based on OWASP and OSSTMM standards.
- Vulnerability Management: A formal process addresses the identification, evaluation, and treatment of vulnerabilities across all environments.
Data Protection by Design
- Encryption: Integration data is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3).
- Least Privilege: Access to development and production systems is restricted through role-based access control (RBAC) and the need-to-know principle.
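As an added illustration of how the encryption statement above can be enforced rather than merely stated on AWS (this is example configuration, not ONEiO's own policy or a description of their buckets), the following S3 bucket policy denies any request that does not use TLS 1.2 or newer and denies object uploads that explicitly ask for a server-side encryption algorithm other than AES-256. The bucket name `example-integration-data` is assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-integration-data",
        "arn:aws:s3:::example-integration-data/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyTlsBelow1_2",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-integration-data",
        "arn:aws:s3:::example-integration-data/*"
      ],
      "Condition": {
        "NumericLessThan": { "s3:TlsVersion": 1.2 }
      }
    },
    {
      "Sid": "DenyNonAes256ServerSideEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-integration-data/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "false" },
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
      }
    }
  ]
}
```

Two details matter in practice. The third statement combines a `Null` check with `StringNotEquals`, so it only fires when a client sends the `x-amz-server-side-encryption` header with a value other than `AES256`; uploads that omit the header fall through to the bucket's default encryption setting (which should itself be SSE-S3, i.e. AES-256), whereas a bare `StringNotEquals` would also reject every upload that omitted the header. Explicit `Deny` statements win over any `Allow` granted elsewhere, so this policy holds even if an IAM principal is otherwise over-privileged, which is the reason to express transport and at-rest requirements as denies rather than as conditions on an allow.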
More comprehensive information can be found on the ONEiO SaaS Security page.