Every step in our application development, testing, and deployment process is designed to ensure security in our products. Our Product and Technology teams employ enterprise Secure Software Development Life Cycle (SSDLC) as well as DevSecOps accountability practices. Our development process includes an in-depth security risk assessment and review of OnCorps features. Static and dynamic source code analyses help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application. Annually, a leading third-party security firm performs an application-level security vulnerability assessment of our application to identify potential vulnerabilities. The third-party firm performs testing procedures to identify standard and advanced web application security vulnerabilities.
Our technology, from architecture to applications, prioritizes data security and provides configurable tools to meet the security needs of every customer, including the most risk-averse.
We use strong encryption technologies to protect customer data at rest and in transit. OnCorps relies on the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits for encryption at rest. Transport Layer Security (TLS) protects user access via the internet and over internal connections, helping to secure network traffic against passive eavesdropping, active tampering, and message forgery. Our Key Management Service (KMS) covers the full lifecycle management of the cryptographic keys used to encrypt and decrypt customer data at rest.
OnCorps authenticates every user or system accessing the platform. OnCorps allows customers to create end-user identities within OnCorps or to integrate them into OnCorps from external systems, such as Active Directory. OnCorps access control is role-based, and the platform supports SAML for single sign-on and X.509 certificate authentication for both user and web services integrations.
SAML allows for a seamless, single-sign-on experience between the customer’s internal web portal and OnCorps. OnCorps also supports OpenID Connect.
Our native login for OnCorps Enterprise Products stores only a secure hash of the password, never the password itself. Unsuccessful login attempts and successful login/logout activities are logged for audit purposes. Inactive user sessions are automatically timed out after a specified period.