Security Culture

We run regular code security reviews during the build process and implement code analyses as part of our CI/CD pipelines. This leads to the final important security layer—the protection of the application and infrastructure during deployment and operations.

We implement data validation at several levels to protect against the most common attack vectors (XSS, SQL injection, command injection and other injection attacks).

Within our operational activities, we monitor unusual and unsafe actions and enable immediate reactions to threats by either the support team or the system. We believe that such a left-shifted security approach facilitates building secure products by design.

Platform & Endpoint Security

The security controls in our platform go beyond those native to the Microsoft Azure cloud hosting platform that we use. In cloud services, security is a shared responsibility. With that in mind, we continuously monitor and review our resources deployed in Azure by:
Leveraging security features available within Microsoft Azure.
Leveraging tools like SonarQube and Wazuh within our DevSecOps practices.
Network and logs analysis with anomaly detection.
Vulnerability scanning and management.
Internal security audits and also openness to audits conducted on behalf of our enterprise partners.
Endpoint protection - Network and logs analysis with anomaly detection.
Implementing additional security features as presented below.

Quality Assurance

Security Audits

We cooperate on a monthly basis with 3rd-party companies and we also allow our Enterprise Partners to conduct such audits on their own. These audits (black-box and white-box) cover all elements of our System and check them against the OWASP recommendations and the CVE database for known vulnerabilities.

Testing

We build and maintain our own automated testing frameworks. They cover not only the business side of the features but also the security aspects of the platform. This way we can automatically check the platform for any regressions that could pose a threat to us and our partners.

Guideline compliance

At Synerise, we make ensuring data security an integral part of what we do. Starting with our development process, we follow OWASP Security Guidelines and other measures used by leading organizations.

Deployment Flexibility

Our default type of deployment is cloud-based, with resources shared among users and separated by logical isolation. If you are subject to more restrictive regulation, we can also provide the service in a private cloud or on-premise. More detailed information about the different types of deployments can be found in the table below. Thanks to the variety of deployment types, you can keep full control of sensitive data.

Key Security Features

IP restrictions

We provide the option to define IP address whitelists for both User access to the application and REST API based integrations, so that you can limit access to only the IP addresses that are required.

Multi-factor authentication

You have the freedom to enforce MFA on anyone who wishes to access your data, whether or not they belong to your Organization.

Data encryption

We use TLS-based encryption with strong cipher suites for data in transit, and at-rest encryption based on technologies provided by Microsoft Azure.

Secure by design

Security has been an important part of our process from the very beginning of our SDLC. Static code analysis is a part of our CI/CD process. Additionally, we perform a secure code review of each code change. Last but not least, we also conduct secure architecture reviews and threat modeling.

API Gateway & Application Firewall

The heart of our granular permission system is our proprietary API gateway, which is responsible for permissions and access grants. It is complemented by an application firewall that protects us from various types of attacks.

Granular permission system

Our tailor-made permissions system enables you to define granular permissions for both your Users and REST API based integrations, so that you can allow only what is required to support your business needs and not compromise security.

Audit log

Every action within the platform leaves a trace, and we distinguish three levels in the audit log:
System audit log, containing logs of every action within the platform, regardless of origin.
Application audit log, accessible from within the platform.
End-user event logs, containing information about any action on an end user's profile.

Audits and vulnerability scanning

We cooperate on a monthly basis with 3rd-party companies and also allow our Partners to conduct such audits on their own. We have also implemented multiple tools that conduct vulnerability scanning and monitoring continuously, covering source code, the platform and our endpoints.

Identity and Access Management

The IAM module that we have implemented supports user access to the platform and also serves as a business feature that you may integrate within your Applications. It enables RaaS (Registration as a Service) and Apple, Facebook, Google and OAuth based authentication, and lets you configure password policies, access controls and session (token) expirations.
More new features are coming.