SECURITY WHITEPAPER
We use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch). Y Soft features seamless updates and, as a SaaS application, scheduled maintenance windows in relation to new releases. Major feature changes are communicated through pre-release and post-release product update posts.
Newly developed code is first deployed to the dedicated and separate Y Soft pre-production environment for the last stage of load testing before being promoted to production. Network-level segmentation prevents unauthorized access between pre-production and production environments.
VULNERABILITY SCANNING AND PENETRATION TESTING
Y Soft manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack.
Vulnerability scans are configured to scan for exploitable vulnerabilities on a regular basis. Continually running scans, using adaptive scanning inclusion lists, and continuously updating vulnerability detection signatures help Y Soft stay ahead of many security threats.
According to our Software Security Development standard and our Security Testing standard, Y Soft has implemented industry best practices for a secure SDLC, including formal design reviews, code reviews, threat modelling and scanning of the code during development.
We also bring in industry-recognized third parties to perform quarterly penetration tests. The goal of these programs is to iteratively identify flaws that present security risk and rapidly address any issues. Penetration tests are performed against the application layers and network layers of the Y Soft technology stack, addressing the OWASP Top 10 and other common application security risks. The schedule of penetration testing is mandated by the Y Soft Security Testing standard.
The results from all penetration tests are evaluated by the Y Soft Cloud Operations and Security team, discussed, and prioritised according to the risk score with the Product Management team. Remediations are then planned and implemented. According to the ISO27001 risk assessment framework, all critical issues are also added to our Risk Treatment table and have the attention of the YSoft Information Security Steering Committee.
The content of the PEN Testing reports is highly sensitive information and considered confidential. We do NOT share PEN Testing reports with anyone outside Y Soft. In exceptional cases we might consider sharing a redacted version of our PEN Tests against a signed NDA (Non-Disclosure Agreement).
YSoft SAFEQ Cloud - 20 - YSOFT.COM