Lenses.io Ltd is a company registered in England & Wales
Company Registered Number 09975716
VAT number: GB 231980705
Registered office address: C/O Corporation Service Company (UK) Limited, 5 Churchill Place, 10th Floor,
London, E14 5HU, United Kingdom


Lenses ® Enterprise

Software Security Certification


This document outlines the Software Security Certification and the policies that Lenses.io follows to maintain high security standards throughout the Software Development Life Cycle (SDLC), so that the delivered product meets the requirements of modern security-aware organizations, including leading Financial, Insurance and Healthcare organizations.

The Software is delivered as a Product. The Product is currently not offered as a Service (SaaS); it is hosted internally on the Client's own hardware, network and security infrastructure.

1. SOURCE CODE

1.1 All source code of the Software is stored on GitHub.

1.2 Source code access requires a mandatory SSO process for all Software Engineers and employees.

1.3 Source code access requires a mandatory 2FA process for all Software Engineers and employees.

1.4 Source code commits are allowed only through a pull request (PR) that must be reviewed and approved by two other independent CODEOWNERS before it can be merged.

1.5 Source code is automatically scanned and checked against libraries with known vulnerabilities.

1.6 Source code for every minor and major release is also published to an independent Software Escrow service.

2. BUILD PROCESS

2.1 The Software is built in a fully automated CI/CD system.

2.2 The CI/CD process is audited and driven by definitions held within the source code of the relevant project.

2.3 No physical access to the CI/CD environment is allowed.

2.4 The CI/CD system uses in-transit encryption (HTTPS).

2.5 Access to the CI/CD tooling is allowed only via a secure, encrypted VPN connection.

2.6 All build artifacts are automatically stored in secure artifact repository systems.

2.7 Write access to the artifact system is not allowed; read-only access is granted via SSO and 2FA.

3. THIRD PARTY LIBRARIES

Third-party libraries used by the Software are monitored for security vulnerabilities. The complete list of all third-party libraries is reviewed manually as part of the release process, audited, and made available online at https://lenses.io/third-party-software for every minor and major release of the Software.

4. EXTERNAL SECURITY ASSESSMENT

The following areas of the Product are externally audited via an InfoSec process in terms of penetration testing elements of the

4.1 Authentication

  • 4.1.1 Authentication standard methods;
  • 4.1.2 Password storage;
  • 4.1.3 Encryption of sensitive data;
  • 4.1.4 Authorization header;

4.2 Token Generation

  • 4.2.1 Token generation keys;
  • 4.2.2 Time stamps;
  • 4.2.3 Token expiration (TTL, RTTL);
  • 4.2.4 Algorithms;

4.3 Access

  • 4.3.1 Request throttling for brute-force attacks;
  • 4.3.2 Man in the middle attacks;
  • 4.3.3 Local cache and cookie storage;

4.4 Input

  • 4.4.1 HTTP methods;
  • 4.4.2 Content-type validation;
  • 4.4.3 User input validation;
  • 4.4.4 Sensitive parameters passed in URLs;

4.5 Injection

  • 4.5.1 Cross site scripting;
  • 4.5.2 SQL injections;
  • 4.5.3 Blind XPATH injections;
  • 4.5.4 LDAP injections;

4.5 Broken authentication

  • 4.5.1 Trust boundary violation;
  • 4.5.2 Session expiration;
  • 4.5.3 Race conditions;
  • 4.5.4 Clickjacking/Frameable Responses;

4.6 Excessive Data Exposure

  • 4.6.1 Unencrypted SOAP messages;
  • 4.6.2 Hardcoded salts;
  • 4.6.3 Hardcoded passwords;
  • 4.6.4 Inadequate padding;
  • 4.6.5 Weak cryptography (length);
  • 4.6.6 Weak cryptography hashes (RSA or AES);
  • 4.6.7 Personal Identifiable Information (PII);

4.7 XML external entities

  • 4.7.1 XML entity injection;
  • 4.7.2 XML entity expansion (“billion laughs attack”);
  • 4.7.3 Server side request forgery;

4.8 Broken Access Control

  • 4.8.1 Access restrictions;
  • 4.8.2 Access control (LDAP Bind);
  • 4.8.3 Server side file disclosures;

4.9 Broken function level authorization

  • 4.9.1 Hierarchies and groups;
  • 4.9.2 User functionality and user roles;
  • 4.9.3 Service accounts authorization;
  • 4.9.4 Account lockout;

4.10 Mass Assignment

  • 4.10.1 Restricted object properties;
  • 4.10.2 Authorization scope of the request;

4.11 Security misconfiguration

  • 4.11.1 HTTP security headers;
  • 4.11.2 Cross-origin resource sharing (CORS);

4.12 Improper Assets Management

  • 4.12.1 Improper versioning control;
  • 4.12.2 Incomplete or outdated assets;
  • 4.12.3 Unpatched older versions;

4.13 Insufficient Logging & Monitoring

  • 4.13.1 Multi stage attacks;
  • 4.13.2 Unusual activity;
  • 4.13.3 Incident response;

4.14 Information Disclosure

  • 4.14.1 Log Data Analysis for Information Disclosure (no sensitive info leaking in logs);

4.15 JVM app checks

  • 4.15.1 DDoS;
  • 4.15.2 Buffer overflows;
  • 4.15.3 Mounting files from host allowing for Remote Code Executions / Arbitrary File Uploads / Code Executions;
  • 4.15.4 Code Injection;

All issues are classified based on a severity scoring mechanism as HIGH, MEDIUM, LOW or BEST PRACTICE. All HIGH and MEDIUM reports are addressed at high priority. HIGH severity threats are communicated to affected customers.

5. REFERENCES


Last update: 11 Oct 2021

The Software Security Certification document may be updated from time to time, with the understanding that any such updates will not materially reduce the terms and conditions experienced by the Customer.