Netsparker Compliance and Technical Security Statement

This Compliance and Technical Security Statement is aimed at providing you with more information about Invicti’s compliance and security practices. Our privacy policy contains more information on how Netsparker handles the data that it collects, and Netsparker reserves the right to update this statement from time to time as it continues to improve and build upon its compliance and security practices.

1. INTRODUCTION

At Netsparker, security is the cornerstone of our company culture. Netsparker offers vulnerability assessment and management products, and its internal focus is to align with global security standards.

To accomplish this task, Netsparker has taken four primary steps. We have a rigorous training program in place for new recruits that starts the moment they step into the company. They receive training on security, compliance, and governance-related matters as well as on the delivery of security-related resources. In addition to this training, Netsparker provides security tools to employees to be used in both internal and external communications and feature development, such as PGP Keys, multi-factor authentication enforcement, VPN protection, and IP restriction for all related servers and endpoints.

Invicti’s access controls are strict, and all development, staging, and production environments are completely separated. All customer data, including backups, is kept encrypted at rest (AES-256) and in transit (TLS 1.2).

Netsparker runs security tools and services in its environments, such as SOC as a service and SIEM tooling for collecting internal logs and event data. Netsparker uses Amazon Web Services (AWS) as its cloud provider; AWS is SOC 2 and ISO 27001 compliant. In addition, Netsparker uses AWS Shield for protection against network- and transport-layer (Layer 3 and 4) DDoS attacks, AWS Key Management Service (KMS) for key management, and AWS WAF as a web application firewall that helps protect Invicti’s web applications and APIs against common web exploits.

Netsparker uses a static code analysis tool to check every update and change during development, and follows request, patch, and change management processes using industry-leading products. Application penetration tests are conducted twice a year by independent third parties, and these tests have consistently returned excellent ratings with zero findings.

In summary, with each of these security measures and as further detailed in this document, Netsparker takes active ownership of and interest in its internal security practices both because of our internal commitment to security and because it is our business.

2. ORGANIZATIONAL SECURITY

Invicti’s information security roles and responsibilities are defined within the organization as described below. The security team focuses on information security, global security auditing and compliance, as well as defining the security controls for protection of Invicti’s production and internal environments.

The executive leadership team is responsible for approving and ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization.

The Chief Information Security Officer (CISO) is a senior-level employee of the Company that oversees the Company’s information security program.

The Information Security Committee (ISC) is a forum for executives to discuss the Company-wide computing strategy and to support employees in contributing to the effectiveness of the information security management system.

3. AWARENESS, TRAINING AND VETTING

Netsparker provides training on general information security and data privacy-related topics to its personnel, and may also provide mandatory role-specific training for certain personnel where necessary. Additionally, Netsparker HR team members conduct background checks on new hires in accordance with applicable law and data protection requirements. These background checks may include education history, criminal record, CV screening, reference checks, and coding or skills assessments.

4. ACCESS MANAGEMENT AND IDENTIFICATION

4.1 Authorization

Netsparker permits only those Netsparker personnel who are authorized to access customer data pursuant to a current agreement between a customer and Netsparker to do so. Authorized Netsparker personnel use customer data only as necessary to perform their obligations under such agreement and in accordance with the terms of the Netsparker Privacy Policy located here: https://www.invicti.com/privacy-policy/.

Netsparker follows applicable law and industry standards regarding access management to authenticate and authorize users. Netsparker does not use shared or generic identification credentials to access customer data. Additionally, Netsparker periodically reviews and revokes access rights of users as needed, and provides and revokes Netsparker-managed employee identification credentials via documented technical and logical control procedures.

Default passwords are not permitted for authentication to any Invicti resource, including cloud environments, devices, servers, workstations, and applications. Where available, Netsparker uses role-based access control (RBAC), single sign-on (SSO), and identity and access management (IAM) controls to restrict access.

Netsparker promptly revokes access from Netsparker personnel and authorized third parties who no longer require access to customer data upon termination of their employment with the company.

All access to customer data is over a TLS-protected connection between Invicti’s service locations (including access through any of Invicti’s cloud service providers) and customers.

Netsparker secures access to Invicti’s environments and to customer data via a Virtual Private Network (VPN), multi-factor authentication, and IP restrictions.

4.2 Password Policy

Netsparker employee passwords are required to be a minimum of 10 characters with complexity requirements (English upper-case and lower-case letters, numbers, and special characters). Admin/developer (privileged account) passwords are required to be a minimum of 16 characters with the same complexity requirements. Employee accounts are locked out for 30 minutes after 5 failed login attempts. Screen locks are set to 15 minutes of inactivity.

Netsparker maintains a centralized repository of all identification credentials used to access Invicti’s environment in which customer data resides.

5. SECURE DATA HANDLING

Netsparker utilizes the following security measures in its cloud product environment:

Data in transit is encrypted with TLS 1.2; data at rest and backups are encrypted with AES-256.

Secure data disposal procedures, including but not limited to secure erase commands, degaussing, and “crypto shredding” of data where required. Invicti’s procedures follow industry-standard recommendations such as NIST SP 800-88 and ISO 27001.

User account passwords are stored as salted hashes using PBKDF2 with HMAC-SHA256 as defined in RFC 2898 (PKCS #5 v2.0), with a 128-bit salt.
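The following is an added example, not Invicti’s own code, showing what the storage scheme described above looks like in practice: PBKDF2-HMAC-SHA256 with a 128-bit random salt, a constant-time comparison on verification, and a check that lets old records be upgraded when the iteration count is raised. The iteration count and the on-disk record format are assumptions; the statement does not specify them.

```python
# Added example (not Invicti's own code): PBKDF2-HMAC-SHA256 password hashing
# with a 128-bit random salt, as the statement describes. The iteration count
# and the record format below are assumptions; the page does not specify them.
import hashlib
import hmac
import os
from base64 import b64decode, b64encode

SALT_BYTES = 16          # 128-bit salt, as stated on the page
ITERATIONS = 600_000     # assumption: not on the page; tune so one hash costs ~100 ms
DKLEN = 32               # 256-bit derived key, matching the HMAC-SHA256 output size


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    A fresh salt per password means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed dictionary.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return "$".join(
        ["pbkdf2_sha256", str(iterations), b64encode(salt).decode(), b64encode(dk).decode()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = record.split("$")
        iteration_count = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256" or iteration_count < 1:
        return False
    salt = b64decode(salt_b64)
    expected = b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iteration_count, dklen=len(expected)
    )
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the stored record is weaker than current policy (rehash on next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                         # False
```

Because the iteration count travels with the record, the work factor can be raised later without invalidating existing passwords: verify with the stored count, then call needs_rehash and re-store under the new count once the user has authenticated.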

AWS S3 buckets use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

6. KEY MANAGEMENT

Netsparker utilizes the following security measures in its key management practices:

  • Credentials for remote access to production servers are created manually and rotated every 90 days
  • AWS IAM access keys used in Invicti Enterprise have access only to the specified S3 buckets and EC2 resources
  • All sensitive data is shared between employees using PGP encryption
  • If an administrator leaves the company, the relevant account and IP address are removed, and AWS IAM access keys are rotated within 24 hours
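The two IAM-related practices above (keys scoped to specific buckets and EC2 resources, and a fixed rotation interval) are the kind of thing a practitioner wants to verify mechanically rather than by reading. The block below is an added example, not Invicti’s code: an offline linter that flags overbroad Allow statements in an IAM policy document and lists active access keys older than the 90-day interval. The policy documents, bucket names, key ids and dates are constructed sample data; the policy grammar is AWS’s, the checks are ours.

```python
# Added example (not Invicti's own code): offline checks for the key-management
# practices listed above. SCOPED_POLICY, OVERBROAD_POLICY and SAMPLE_KEYS are
# constructed sample data, not real Invicti configuration.
from __future__ import annotations

from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation interval stated on the page
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _resource_star_is_expected(actions: list[str]) -> bool:
    # Describe*/List* calls (e.g. ec2:DescribeInstances) do not support
    # resource-level permissions, so Resource "*" is unavoidable there.
    return bool(actions) and all(
        ":" in a and a.split(":", 1)[1].startswith(("Describe", "List")) for a in actions
    )


def overbroad_statements(policy: dict, allowed_buckets: set[str]) -> list[str]:
    """Flag Allow statements wider than 'specified buckets and EC2 resources'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        for res in resources:
            if res == "*":
                if not _resource_star_is_expected(actions):
                    findings.append(f"statement {i}: Resource '*' with actions {actions}")
            elif res.startswith(S3_ARN_PREFIX):
                bucket = res[len(S3_ARN_PREFIX):].split("/", 1)[0]
                if bucket not in allowed_buckets:
                    findings.append(f"statement {i}: S3 bucket '{bucket}' not in allow-list")
    return findings


def stale_access_keys(keys: list[dict], now: datetime) -> list[str]:
    """Return ids of Active keys older than MAX_KEY_AGE.

    Records mirror the fields of IAM's ListAccessKeys response so the output
    of `aws iam list-access-keys` can be fed in directly.
    """
    return [
        k["AccessKeyId"]
        for k in keys
        if k["Status"] == "Active" and now - k["CreateDate"] > MAX_KEY_AGE
    ]


# Constructed sample: scoped to one bucket plus an EC2 describe call.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-scan-results/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# Constructed sample: the shape a linter should reject.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed sample key records (ids are placeholders, not real keys).
SAMPLE_NOW = datetime(2020, 12, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLERECENT0001", "Status": "Active",
     "CreateDate": datetime(2020, 11, 15, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLESTALE00002", "Status": "Active",
     "CreateDate": datetime(2020, 8, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLEOLDINACTIV", "Status": "Inactive",
     "CreateDate": datetime(2020, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print(overbroad_statements(SCOPED_POLICY, {"example-scan-results"}))    # []
    print(overbroad_statements(OVERBROAD_POLICY, {"example-scan-results"}))  # two findings
    print(stale_access_keys(SAMPLE_KEYS, SAMPLE_NOW))                        # the stale key only
```

The Describe*/List* exemption is deliberate: a linter that flags every Resource "*" produces noise on EC2 read calls and gets ignored, which is worse than a narrower check that people act on. Inactive keys are skipped by the age check because the 24-hour off-boarding rotation above is a separate control.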

7. ENDPOINT AND ENVIRONMENT SECURITY

Netsparker utilizes the following security measures in its endpoint and environment security practices: 

  • Install, configure, and maintain perimeter and network security controls to prevent unauthorized access to customer data; examples include firewalls, web application firewalls, anti-malware software, and access control lists.
  • Maintain and configure endpoint security software and hardware on environments, desktops, and laptops, including encryption, data loss prevention (“DLP”), anti-malware, and anti-virus software; these controls are configured to generate alerts to Netsparker and logs accessible by Netsparker.
  • Implement and maintain a Security Operations Center as a service (“SOC”), a Security Information and Event Management tool (“SIEM”), security logging, continuous security monitoring, and environment security configurations.
  • Implement and maintain security and hardening standards for cloud environments, including baseline configurations, patching, passwords, access control, VPN, multi-factor authentication, and IP restriction.
  • Use defense-in-depth techniques, including deep packet analysis and traffic throttling, for the detection of and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g. ARP poisoning) and distributed denial-of-service (DDoS) attacks.

8. MONITORING 

Netsparker uses AWS Shield, AWS CloudTrail, New Relic, and the ELK stack for monitoring, together with a production performance monitoring tool.

System-level objects are being hosted on AWS. All AWS configurations including VPC, EC2, IAM, and S3 are reviewed regularly.

Netsparker utilizes an uptime service to monitor production servers’ health. The SRE team monitors alerts and responds to critical events immediately. All alerts are configured to be escalated in the chain of command in case of a failure to notify the SRE team.

Netsparker runs automated security scans daily; if any issues are detected, an automated ticketing and alerting process is in place to resolve them. In addition, each commit is reviewed by the security team.

Netsparker treats every security vulnerability as a priority: each is analyzed and remediated immediately, and Netsparker carries out the necessary steps and a root cause analysis to ensure it does not recur.

9. APPLICATION SECURITY

9.1 Software Development

Netsparker implements secure software development life cycle (“SDLC”) and secure coding practices. 

Such coding practices include:

  • Separate development, test, and production environments;
  • Regular security reviews of the code improvements and implementations;
  • Identifying risks and areas of exposure in applications, our development process, and architecture;
  • Static and dynamic scanning of all software and/or applications storing, processing or transmitting customer data;
  • Netsparker uses only non-production, obfuscated, or de-identified data in development and test environments. Production data is never accessed from other environments.

Netsparker reviews every new feature and every change starting before the design stage, and again before and after implementation. The build server triggers a security scan before each change set goes to production; if any issues are detected, a ticketing process is in place to resolve them.

9.2 Segregated Environments

Invicti’s production systems can only be accessed by authorized Netsparker personnel via VPN, IP restrictions, and multi-factor authentication. Invicti’s production and staging environments are on separate AWS VPCs and subnets.

10. RISK MANAGEMENT

Netsparker maintains a risk assessment program that defines roles and responsibilities for performing risk assessment and responding to results. Netsparker performs an annual risk assessment to verify the design of controls that protect business operations and information technology.

Netsparker maintains a risk assessment remediation plan, and Netsparker assigns an owner (current Netsparker personnel) to each remediation plan. For risk acceptance, Netsparker management provides clear acknowledgement and a description of the risk. The risk acceptance includes a business justification.

11. VULNERABILITY AND PATCH MANAGEMENT

Netsparker conducts routine security vulnerability scans of Invicti’s systems and environments that access or store customer data, performing environment- and application-level scans at least quarterly for vulnerabilities, intrusions, and unauthorized changes to customer data (each a “Vulnerability Scan”).

At least twice every year, Netsparker hires an independent third-party cybersecurity firm to test a potential unauthorized user’s ability to penetrate Invicti’s product (a “Penetration Test”). Netsparker may provide to customers, upon request, an executive-level summary of Invicti’s Vulnerability Scans and Penetration Tests.

Netsparker identifies, triages, documents, and remediates vulnerabilities and threats to customer data.  Netsparker applies security patches and system updates to Netsparker-managed software and applications, appliances, and operating systems in a reasonable time frame based on the severity of the vulnerability, availability of the patch, and sensitivity of the underlying data.

Additionally, Netsparker triages and documents vulnerabilities and threats to customer data as identified by anti-virus scans, firewall reports, SOC and SIEM alerts, vulnerability scans, penetration tests, or other security data.

12. BUSINESS CONTINUITY AND DISASTER RECOVERY

Netsparker maintains a documented and operational Business Continuity and Disaster Recovery (BC&DR) plan. Netsparker exercises and updates its Business Continuity and Disaster Recovery plans at least annually.  Netsparker shall make best efforts to meet the following timelines in a BC/DR scenario:

Recovery Time Objective: Maximum downtime will not exceed 8 hours. (3-year historical average downtime per incident is 8.5 minutes)

Maximum Tolerable Period of Disruption: The disaster recovery procedure is executed if the service is unavailable for more than 2 hours.

Recovery Point Objective: All data in our service as of 24 hours prior to such disaster will be completely restored. 

Netsparker works to ensure that the services remain reliable and available. Issues on critical services are handled by the primary responsible personnel as soon as possible, and if it is not resolved within 30 minutes, it is escalated to secondary responsible personnel. 

Netsparker follows a documented backup and restore procedure. 

Generic backup procedures are as follows:

  • SQL Server Databases are backed up daily to AWS S3
  • All production servers are backed up daily automatically using AWS snapshots and AWS Lambda services.
  • Backups are maintained for 90 days

For customers running Invicti on-premises, it is the customer’s responsibility to take backups and apply rollbacks within their own environment.

13. SECURITY BREACH NOTIFICATION AND INCIDENT MANAGEMENT

Netsparker maintains and annually updates a documented data breach action and response plan.  If Netsparker discovers or is notified of a breach of security which results in unauthorized access, acquisition, disclosure, or use relating to any customer data or any violation of these security requirements, Netsparker will promptly:

  • Notify customers of the data breach within 72 hours of becoming aware of the data breach;
  • Investigate the data breach;
  • Work to mitigate the effects of the data breach;
  • Perform post-incident assessments on the results of such mitigation efforts.

Netsparker follows documented procedure for Information Security Incident Management.

The basic incident process encompasses six phases: preparation, detection, containment, investigation, remediation, and recovery.

14. REPORTING, AUDITING AND RIGHT TO AUDIT

Netsparker performs continuous monitoring, logging, review, and mitigation of attempted and successful access, and reviews security event logs for vulnerabilities, intrusions, and unauthorized changes on endpoints and environments that contain customer data. All logs are protected from unauthorized access or modification and are configured so as not to capture or record customer data.
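Keeping customer data out of security event logs is usually enforced at the logging layer rather than by trusting every call site. The block below is an added example, not Invicti’s code, of one way to do that with Python’s standard logging module: a filter that scrubs e-mail addresses, bearer tokens and API keys from each record before any handler formats it. The patterns, logger name and sample messages are constructed for the example and are not exhaustive.

```python
# Added example (not Invicti's own code): a logging filter that redacts
# customer data before a record reaches any handler. REDACTIONS and the
# messages in emit_with_filter's caller are constructed for illustration.
import logging
import re

# Constructed patterns; extend for whatever your application treats as customer data.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1<token>"),
    (re.compile(r"(?i)(api[_-]?key=)[^&\s]+"), r"\1<redacted>"),
]


def scrub(text: str) -> str:
    """Apply every redaction pattern in order and return the cleaned text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class CustomerDataFilter(logging.Filter):
    """Rewrite the fully formatted message so %-style args cannot smuggle data past us."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # message is already interpolated; prevent a second formatting pass
        return True       # never drop the event, only its sensitive payload


def emit_with_filter(messages: list) -> list:
    """Send constructed messages through a logger and return what a handler would see."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("example.audit")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # Attach to the handler, not the logger: logger-level filters do not run on
    # records propagated from child loggers, handler-level filters do.
    handler.addFilter(CustomerDataFilter())
    logger.addHandler(handler)
    for m in messages:
        logger.info(m)
    return captured


if __name__ == "__main__":
    for line in emit_with_filter([
        "login ok for alice@example.com from 10.0.0.5",
        "upstream call Authorization: Bearer abc.def-ghi",
    ]):
        print(line)
```

Regex scrubbing is a safety net, not a substitute for not logging the field in the first place; its value is that it applies to every call site, including third-party libraries, without each developer having to remember.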

To the extent required by applicable law, Netsparker will provide reasonable assistance to customers for any legal investigations of possible fraudulent or unauthorized use of or access to customer data and will, if applicable, conduct security vulnerability scans of Invicti’s systems and environments that access or store customer data.  Netsparker may also participate in an annual security audit process via questionnaire if required for customer due diligence purposes.

Additionally, Netsparker performs internal audits on an ongoing basis to test the effectiveness of these technical security measures and to ensure its alignment with current industry standard practices.

15. DATA RESIDENCY

Primary data centre
  • Resilience model: Active:Active
  • Name and address of data centre (for public cloud, CSP and Availability Zones): AWS US-East-1. Within each AWS Region, S3 operates in a minimum of three AZs.
  • DC Tier (Uptime Institute): Tier III+

Secondary data centre
  • Resilience model: Active:Active
  • Name and address of data centre (for public cloud, CSP and Availability Zones): AWS EU-Central-1. Within each AWS Region, S3 operates in a minimum of three AZs.
  • DC Tier (Uptime Institute): Tier III+

For on-premise versions of Netsparker, all data resides in the customers’ environment.

16. DATA RETENTION

Netsparker establishes and maintains a Data Retention Policy, with standards and guidelines relevant to information retention and disposal. For the on-premises version of the Netsparker product, all data resides on the customer’s infrastructure, so data management and retention are the responsibility of the customer. There is also an option to configure the retention period for old scan data, in days.

17. DATA PROTECTION 

Netsparker applies a common set of personal data management principles to the customer data that it may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures.

Netsparker gives additional attention and care to sensitive personal data and respects local laws and customs, where applicable.

Netsparker only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized in accordance with our privacy policy. We take all reasonable steps to protect information we receive from our users from loss, misuse or unauthorized access, disclosure, alteration and/or destruction.

INVICTI DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL INVICTI, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF INVICTI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Last updated as of: 01 December 2020