|Lenses.io Ltd is a company registered in England & Wales|
Company Registered Number 09975716
VAT number: GB 231980705
Registered office address
New Penderel House, 4th Floor, 283-288 High Holborn
London, United Kingdom, WC1V 7HP
|Lenses.io Inc. is a company registered|
in the United States of America
Registered office address
82 Nassau St #60550
New York, NY 10038
Lenses ® Enterprise
Software Security Certification
The following document outlines the Software Security Certification and policies that Lenses.io is following, to ensure high security standards during Software Development Life Cycle (SDLC), in order to deliver a product that can adhere to the modern security aware organization including leading Financial, Insurance and Healthcare organizations.
The nature of the Software is a Product. The Product is currently not offered as a Service (SaaS) and is hosted internally on Client's hardware, network and security infrastructure.
1.1 All source code of the Software is stored in GitHub.
1.2 Source code access requires a mandatory SSO process for all Software Engineers and employees.
1.3 Source code access requires a mandatory 2FA process for all Software Engineers and employees.
1.4 Source code commits are allowed only through a process of raising a PR that needs to be reviewed and accepted by two other independent CODEOWNERS before accepted to be merged.
1.5 Source code is automatically scanned and checked against known libraries with vulnerabilities.
1.6 Source code for every minor and major release is also published to an independent Software Escrow service.
2.1 The Software is built fully automated, in a CI/CD system.
2.2 The CI/CD process is audited and driven by definitions within the source code of the relevant project.
2.3 No access to the CI/CD environment is allowed on a physical level.
2.4 The CI/CD system uses in-transit encryption (https).
2.5 Access to the CI/CD tooling is allowed only via secure and encrypted VPN connection.
2.6 All build artifacts are automatically stored in secure artifact repository systems.
2.7 Write access is not allowed on the artifact system, read-only access via SSO and 2FA.
Third party libraries used by the Software are monitored for security vulnerabilities. The complete list of all third-party libraries are reviewed manually as per the release process, and audited and available online at https://lenses.io/third-party-software for every minor and major release of the Software.
The following areas of the Product are externally audited via an InfoSec process in terms of penetration testing elements of the
4.2 Token Generation
4.5 Broken authentication
4.6 Excessive Data Exposure
4.7 XML external entities
4.8 Broken Access Control
4.9 Broken function level authorization
4.10 Mass Assignment
4.11 Security misconfiguration
4.12 Improper Assets Management
4.13 Insufficient Logging & Monitoring
4.14 Information Disclosure
4.15 JVM app checks
Last update: 1 Dec 2020
The Software Security Certification document may be updated from time to time, with the understanding that any such updates will not materially reduce the terms and conditions experienced by the Customer.