At Semansys we see security as one of our core values and as a result, we take both preventive and reactive measures to secure your data. In the service of enterprise customers, we realize that their data and more importantly the systems and infrastructure that process their data must be secured at every step of the way. We demonstrate our ability to uphold high security through our ISO certifications (9001, 27001, 20000-1) and preventive and reactive measures outlined below.
In addition, we want to take this opportunity to address the recently disclosed vulnerability in Log4j (CVE-2021-44228). This vulnerability prompted us to revisit all of our software development processes and controls. After carefully analyzing the issue, we determined that it does not affect us directly: our services are hosted on Microsoft Windows Server/Azure infrastructure and built on the .NET stack in C#, and the affected Java logging library is not part of that stack.
We want to take this opportunity to explain how we ensure your security:
All infrastructure hosting Private Cloud and Public Cloud instances of xbrlOne, xbrlOne Compliant Cloud, and SemansysNext is vulnerability-scanned quarterly by our internal security team, in addition to the infrastructure scans provided by our hosting provider. This allows us to identify and address potential issues proactively.
All software is scanned during every change. When we deploy a new version of the software, it is scanned for security issues against industry-defined criteria (OWASP). We also perform SAST (Static Application Security Testing), in which our dependent libraries are checked for known vulnerabilities. Together, these layers of preventive security measures help protect customer data.
Although we strive through preventive measures never to have an issue, we acknowledge that one could occur. Following our support procedures for reported Incidents, Problems, Changes, and Releases, we will always follow up immediately and take corrective action to resolve the issue at hand.
Our security team also reviews all available information, such as the recent articles about Log4j, and takes corrective action as a priority. Once a fix is identified, they can ship it either as an emergency (off-cycle) release or as part of our scheduled weekly release, depending on the severity. These reactive security measures add a responsive layer of protection for customer data.