
Security: The Key Component Keeping Everything Together

We believe in the contribution we will make to the software development ecosystem, and a solution that fails to cover security would work directly against that objective. Therefore everything, from the company vision and motivation to the Valven Atlas team and every action we take, is designed from a security perspective.


Data Relation

We do not clone repositories or store any part of your code: the code base is one of a software company's main assets, and it must not be put at risk by any means.

Only git metadata is fetched, and our algorithms run on that metadata, which we delete as soon as the analysis completes. The analysis covers code diffs, contributor actions, commits, pull requests and reviews, and all of this data is obtained through the metadata exposed by our integrations with Git and issue-management tools.


Security Details

Partial Retrievals: retrieve commit metadata, not the codebase.

Secure Methods: secure methods to retrieve the metadata.

Data Encryption: keep the data and tokens encrypted.

Role-Based Access: authorized access to the platform.

Delete Critical Data: the patches are removed after the analysis.

Best Practices: pentests, risk management, network security, and more.

Encrypted Communication and Storage

For data in transit and at rest, Valven Atlas uses HTTPS for every application and TLS (SSL) for all database connections, and all data in the system is encrypted with AES while it rests in the database, so sensitive data is protected both while it is transmitted and while it is stored.

The encryption and decryption keys are themselves stored in hashed form as an additional safeguard.

Additionally, we request only read-only access to your repositories, with the minimum permission scope needed to produce our insights.
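As an added example, and not Valven Atlas code, the following Go program shows one sound way to keep integration tokens encrypted at rest: AES-256-GCM with a fresh random nonce per record, and the database record ID passed as associated data so that a ciphertext copied from one row cannot be decrypted under another. The TokenVault type, the record IDs and the sample token are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// TokenVault encrypts integration tokens (for example a read-only Git
// access token) before they are written to a database column.
// Hypothetical type for this example only.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault takes a 32-byte key (AES-256). In a real deployment the key
// comes from a KMS or secrets manager, never from the database that holds
// the ciphertexts.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts token for the row identified by recordID. recordID is bound
// as associated data, so the same ciphertext pasted into a different row
// fails to decrypt: encryption alone does not stop row swapping.
// Output layout: base64(nonce || ciphertext || GCM tag).
func (v *TokenVault) Seal(recordID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(token), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or recordID
// makes GCM's tag check fail and returns an error instead of garbage.
func (v *TokenVault) Open(recordID, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed key for the example only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample token and record IDs; not real credentials.
	stored, err := v.Seal("repo-42", "example-read-only-token")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)

	tok, err := v.Open("repo-42", stored)
	fmt.Println("decrypted:", tok, err)

	_, err = v.Open("repo-43", stored) // same ciphertext, different row
	fmt.Println("swapped row:", err)
}
```

The nonce is stored alongside the ciphertext because it is not secret; what must never sit in the same database is the key. With a random 96-bit nonce, rotate the key well before 2^32 encryptions under it.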


Infrastructure Quality

A crucial security step is keeping the infrastructure up to date, constantly monitored, and maintained with current technologies.

We run our service on the Amazon Web Services platform, as microservices on Kubernetes. Amazon Web Services prioritizes data security and transparency and holds the following certifications, which cover the principles of security, availability, confidentiality, and privacy:

SOC 1 Type 2

SOC 2 Type 2

SOC 3 Type 2

Cloud Security Alliance (CSA) STAR Level 1

ISO/IEC 27001

Our services have no public IP addresses reachable from the Internet. Traffic from known IP addresses passes through load balancers using NAT behind a firewall that applies additional security policies.

Additionally, we run periodic CIS benchmark scans to detect vulnerabilities and misconfigurations on our servers, which lets us find and fix issues on the servers running our service.

Extended Security Measures In Every Step

Access Control

Access to any type of data from external systems or individuals is blocked. Only internal access by authorized employees, using secure methods and from specific IP addresses, is allowed to the servers.

Penetration Tests

Penetration testing tools are run against our services periodically to find security issues. We also run periodic tests with trusted third-party providers and our own security team to cover loose ends.

Opt-out Option

The data stored in our service is minimized to reduce risk. After our analysis we delete the metadata, and when a repository connection is removed we automatically purge all data related to that repository.

Disaster Recovery

We have a disaster recovery plan to keep analysis results safe. The plan is documented, reviewed and tested periodically, and covers all aspects of the backup strategy needed to recover.

Dependency Checks

Our services use a number of third-party libraries, adopted through an approval process. We continuously run OWASP dependency scans on our services to minimize risk and eliminate vulnerabilities introduced by those libraries.

Monitor & Audit Logs

Since various users access the system according to their roles, monitoring and audit mechanisms are in place to identify misuse early and prevent more serious issues from arising.

Static Code Analysis

To prevent security regressions introduced by new changes, we scan the code base before every release as the last step. No release with a failed static code analysis is published.

Incident Management

In the unlikely event of a data breach, we have an incident response policy to reduce the impact, triggering communication procedures that notify customers and related parties.