Security: The Key Component Keeping Everything Together
We believe in the contribution we will make to the software development ecosystem, and any failure to cover the security aspect of the solution would work against our main objective. Therefore, everything from the company vision and motivation to the Valven Atlas team and every action we take is designed from a security perspective.
We do not clone any repositories or store any parts of the code, because we know that the code base is one of the main assets of a software company and it cannot be put at risk by any means.
Only the git metadata is fetched, and we run our algorithms on that metadata. We also delete the metadata right after we complete our analysis. The main focus of this analysis is to cover code diffs, contributor actions, commits, pull requests and reviews, and all of this data can be obtained through the metadata from integrations with Git and issue management tools.
Retrieve commit metadata, not the codebase
Keep the data, tokens encrypted
Secure methods to retrieve metadata
Authorized access to the platform
Delete Critical Data
The patches are removed after the analysis
Pentests, risk management, network security and more
Encrypted Communication and Storage
For data in transit and at rest, Valven Atlas uses HTTPS in every application and SSL for all database connections, and all data in the system is encrypted with AES while at rest in the database, so sensitive data is guarded both when transmitted and when stored.
The keys for encryption and decryption are also hashed as an additional security measure.
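Field-level encryption of a stored Git provider token with AES-256-GCM, as an added illustration of the at-rest encryption described above. This is example code written for this page, not Valven Atlas's implementation; the in-memory key generation (a real service would fetch the key from a secrets manager), the tenant/repository label used as associated data, and the sample token are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Hypothetical field-level encryption helper: AES-256-GCM over a single
// database column value. The key would come from a secrets manager in a
// real deployment; here it is generated in memory for the demonstration.

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit key (demonstration only).
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext for storage. A random nonce is prepended to the
// ciphertext; aad (e.g. "tenant:42/repo:7") is authenticated but not
// encrypted, so a ciphertext copied into another tenant's row fails to open.
func Seal(key, plaintext []byte, aad string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a value produced by Seal with the same key and aad.
// Any tampering with the stored value or a mismatched aad yields an error.
func Open(key []byte, stored string, aad string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, []byte(aad))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a Git provider access token for one tenant's repository.
	token := []byte("ghp_exampleConstructedToken123")
	stored, err := Seal(key, token, "tenant:42/repo:7")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored column value:", stored)

	back, err := Open(key, stored, "tenant:42/repo:7")
	fmt.Printf("decrypted in own tenant context: %q (err=%v)\n", back, err)

	_, err = Open(key, stored, "tenant:99/repo:7")
	fmt.Println("decrypted under another tenant's context: err =", err)
}
```

Binding the ciphertext to the tenant and repository through the associated data means a row copied between tenants cannot be decrypted in the wrong context, and the GCM tag detects any modification of the stored value. The key must live outside the database (a secrets manager or KMS), never in the same table as the ciphertext.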
Additionally, we only ask for read-only access to your repositories and request the minimum permission scope needed to provide you with our insights.
One of the crucial security steps is ensuring the infrastructure is also up-to-date, constantly monitored, and maintained with the latest technologies.
We run our service on the Digital Ocean platform with a microservice architecture on Kubernetes. Digital Ocean is a platform that prioritizes data security and transparency, with the following certifications meeting the principles of security, availability, confidentiality, and privacy:
SOC 1 Type 2
SOC 2 Type 2
SOC 3 Type 2
Cloud Security Alliance (CSA) STAR Level 1
Our services do not have public IPs accessible from the Internet. All traffic from known IP addresses passes through load balancers using NAT, behind a firewall that applies additional security policies.
Additionally, one of the methods we use is periodic CIS scans to detect any vulnerabilities on our servers. This enables us to prevent issues related to the servers on which we run our service.
Extended Security Measures In Every Step
Our multi-tenant architecture enables us to separate the data for each user and organization to distribute the risk and provide a more flexible architecture. In this way, it is possible to restrict access to data and dashboards based on each organization’s setup.
Additionally, the data stored in the system is only accessible through the application so there is no human access to the sensitive data stored in the database.
Penetration tests are a valuable tool to detect security weaknesses that could be exploited by attackers wishing to harm the service.
We use penetration test tools to periodically scan our services to eliminate any security issues that may occur at any point. In addition to periodic penetration tests conducted by trusted third-party providers, our security team constantly performs manual tests to cover any loose ends.
In addition to minimizing the data stored in our service by deleting the metadata after our analysis, we automatically purge all data related to a repository when its connection is removed.
You have the option to remove data related to any specific repository at any time you wish. This process is authorized securely using the token shared through your Git provider.
We have a disaster recovery plan in place to prevent any issues that may lead to disastrous effects.
The plan is well documented and is reviewed and tested periodically. It covers all aspects of backup strategies and the continuous monitoring of the data kept in the production environment.
We use several third-party libraries to provide approved approaches in our services. While we follow OWASP practices in the development process, security issues in these libraries may arise at any time.
To minimize this risk, we constantly run OWASP scans on our services and the additional libraries, in case any vulnerabilities occur.
The OWASP scanning tooling is approved and up to date, and can detect publicly disclosed issues in libraries.
Monitor & Audit Logs
Since various users can access the system according to their roles, users with write permission may make mistakes in system management. Valven Atlas has continuous monitoring and auditing processes to identify such issues and prevent more serious ones from arising.
We enable monitoring of both software and infrastructure patterns and activate mechanisms such as audit logs in our systems to keep the data in the solution and the infrastructure safe and secure.
Static Code Analysis
While developing a solution, any vulnerabilities should be continuously identified and fixed before a new release is published.
To prevent security issues introduced by new changes, we scan our code base as the last step before every release. If the static code analysis fails, the release is published only after the root cause has been identified and fixed.
In the unlikely event of a data breach, we have an incident response policy in place to reduce the impact of such issues.
This policy includes escalation emails and communication procedures to notify customers and related parties, and to reduce the impact by automatically triggering the required actions as swiftly as possible.