Software Security

Detailed Development Processes: Specific implementation details, internal checklists, and operational procedures are available after signing an NDA.

Secure Development Lifecycle (SDLC)

Modern Development Architecture

We rely on a modern, type-safe development architecture:

TypeScript Strict Mode: Type safety reduces security vulnerabilities
Python with typing: Static code analysis and type safety
OWASP Top 10: Established security guidelines as a framework
Privacy by Design: Privacy as a fundamental principle from the start

Development Phase

Mandatory Code Reviews: Peer review for all code changes via pull requests
AI-based Code Analysis: Automated Static Application Security Testing (SAST)
Dependency Scanning: Automatic verification of libraries and frameworks
Renovate Bot: Automatic dependency updates for security patches

Testing Phase

Bug Bounty Program: Continuous external security testing
External Penetration Testing: First test with SySS planned for August 2025
Security Regression Testing: Tests for every code change
Input Validation Testing: Framework-based validation tests

Deployment Phase

Container Security Scanning: Verification of container images
Kubernetes Deployment: Secure containerization
Configuration Management: Secure default configurations
Secrets Management: Secure management of API keys and passwords

Vulnerability Management

Automated Scans

We implement comprehensive automated security scans:

SAST Integration: Code analysis in the CI/CD pipeline (Gitleaks, Semgrep, Checkov)
Dependency Checks: Continuous checking for known CVEs
Container Scanning: Docker Hub image scans for vulnerability detection
Automated Updates: Renovate Bot for automatic dependency updates

Patch Management

Hot-Fix Pipeline: Quick updates for critical security issues
Automatic System Updates: Mandatory automatic system updates
Security-First Approach: Security updates have highest priority
Rollback Procedures: Safe rollback of faulty updates

Code Security

Input Validation

We implement comprehensive input validation measures:

Framework-based Validation: Input validation through React/Node.js/Python framework features
SQL Injection Prevention: Prepared statements and ORM
XSS Protection: Output encoding and Content Security Policy
Generic Error Messages: No stack traces in production
OWASP Top 10 Compliance: Protection against most common web attacks

Authentication & Authorization

JWT-based Authentication: Secure token implementation
Role-Based Access Control (RBAC): Role-based permissions
API Keys with User Scope: Coupling of API keys to user permissions
Least Privilege Principle: Minimal required permissions
UUIDs and CUIDs: Protection against IDOR attacks through non-sequential IDs

Data Protection

Data Classification: Categorization of sensitive data (public/internal/confidential)
Encryption Standards: TLS 1.3 for modern encryption
Principle of Least Privilege: Minimal data access
Retention Policies: Documented retention guidelines
GDPR-compliant Deletion Processes: Implemented data deletion

Third-Party Security

Dependency Management

We implement comprehensive third-party security measures:

Approved Software Policy: Only licensed/approved software
Vulnerability Scanning: Daily dependency scans
License Compliance: Verification of license compatibility
Update Monitoring: Renovate Bot for automatic updates
Data Processing Agreements (DPA): With all subcontractors

AI Provider Compliance

Particularly strict requirements for AI providers:

Primarily EU-based Providers: Microsoft Azure EU, Mistral AI, Google EU
Explicit Guarantees: No use of customer data for AI training
US Providers: Only with explicit opt-in decision with Data Privacy Framework
Transparent Warnings: User information when processing US data