Security Measures Implemented in Sharpen AI Development Pipeline
At Sharpen, we prioritize the security and integrity of our products to protect our customers' data and ensure a reliable user experience. To reinforce our commitment to security, we have integrated a suite of advanced security scanners and monitoring tools into our continuous integration and deployment (CI/CD) pipeline, as well as real-time threat detection and monitoring in our cloud infrastructure. These tools help us identify and remediate potential vulnerabilities early in the development process and protect our infrastructure from emerging threats.
This document outlines the security measures we have implemented and explains what they mean for you as our valued customer.
Security Scanners and Monitoring Tools Integrated
Our CI/CD pipeline and our AWS cloud infrastructure use the following security scanners and monitoring services:
- Snyk Static Application Security Testing (SAST)
- Snyk Dependency Scanning
- Snyk Secret Detection
- AWS GuardDuty
- AWS Lambda Network Activity Monitoring
1. Snyk Static Application Security Testing (SAST)
What is SAST?
SAST is an automated analysis of our source code that looks for security weaknesses such as coding errors, insecure configurations, and unsafe handling of untrusted input. It examines the code without executing it, following how data flows through the application, so it can find defects that would otherwise only surface at runtime with a specific input.
How Does It Work?
- Early Detection: SAST scans are performed during the build stage of our CI/CD pipeline, allowing us to identify vulnerabilities before the application is deployed.
- Comprehensive Analysis: The scanner checks for a wide range of issues, including SQL injection flaws, cross-site scripting (XSS), buffer overflows, and more.
- Advanced SAST Enabled: We have enabled GitLab's Advanced SAST features to enhance the depth and breadth of our code analysis.
What It Means for You
- Enhanced Security: By identifying and addressing vulnerabilities early, we reduce the risk of security breaches in the deployed product.
- Reliability: Early detection of issues leads to more stable and secure releases.
- Compliance: Supports our alignment with industry security standards and best practices.
2. Snyk Dependency Scanning
What is Dependency Scanning?
Dependency Scanning analyzes the third-party libraries and packages our application relies on to identify known vulnerabilities. Since many vulnerabilities arise from outdated or insecure dependencies, this scanner is crucial for maintaining a secure codebase.
How Does It Work?
- Automated Checks: During the test stage, the scanner reads the dependencies declared in our project's manifest and lock files, including the transitive dependencies those packages pull in.
- Vulnerability Database Matching: It cross-references our dependencies against a comprehensive database of known vulnerabilities (e.g., CVEs).
- Alerts and Remediation: If a vulnerable dependency is found, we receive alerts with remediation advice, such as upgrading to a secure version.
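As an added example (not Sharpen's code or Snyk's), the following Python shows the matching step at the heart of dependency scanning: pinned versions from a constructed requirements.txt are compared against a constructed advisory list whose affected range is [introduced, fixed), and the result is gated on severity so a pipeline stage can fail. The advisory identifiers, packages and versions are placeholders made up for this example, not real CVEs. Version comparison is numeric, so 8.10.0 is correctly treated as newer than 8.9.0, where a plain string comparison would have produced a false finding.

```python
import re

# Constructed manifest in requirements.txt form (not Sharpen's).
REQUIREMENTS = """\
# web stack
requests==2.19.1
flask==2.3.2
urllib3==1.26.4
pyyaml==5.4.1
click==8.10.0
"""

# Constructed advisory records in the shape a vulnerability database returns.
# The affected range is [introduced, fixed). Identifiers are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "requests", "introduced": "0", "fixed": "2.20.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0002", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "package": "pyyaml", "introduced": "0", "fixed": "5.4", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0004", "package": "click", "introduced": "8.0.0", "fixed": "8.9.0", "severity": "low"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; pre-release suffixes are out of scope here.
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def compare_versions(a: str, b: str) -> int:
    # Pad to equal length so "5.4" and "5.4.0" compare equal; returns -1, 0 or 1.
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def parse_requirements(text: str) -> dict:
    """Return {package_name: pinned_version} for exact pins; comments and blanks are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==(\S+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def scan(requirements_text: str, advisories: list, fail_on: str = "high") -> tuple:
    """Match pins against advisories; return (findings sorted by severity, gate_failed)."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "installed": version,
                "advisory": adv["id"],
                "severity": adv["severity"],
                "remediation": f"upgrade to >= {adv['fixed']}",
            })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    gate_failed = any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] for f in findings)
    return findings, gate_failed


if __name__ == "__main__":
    results, failed = scan(REQUIREMENTS, ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['package']}=={f['installed']}  {f['advisory']}  {f['remediation']}")
    print("pipeline gate:", "FAIL" if failed else "pass")
```

Two of the five pins fall inside an affected range (urllib3 and requests); pyyaml 5.4.1 is above its fixed version 5.4, and click 8.10.0 is above 8.9.0, so neither is reported. With the default threshold the high-severity finding fails the gate; raising `fail_on` to "critical" lets the build pass while still recording the findings.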
What It Means for You
- Trustworthy Components: Flags third-party components with known vulnerabilities so they can be kept up to date.
- Reduced Risk: Minimizes the likelihood of vulnerabilities introduced through third-party libraries.
- Continuous Monitoring: Ongoing scans mean any new vulnerabilities discovered in dependencies are promptly addressed.
3. Snyk Secret Detection
What is Secret Detection?
Secret Detection scans our codebase for accidentally committed secrets, such as API keys, passwords, private keys, and certificates. Exposing such secrets can lead to unauthorized access and data breaches.
How Does It Work?
- Automated Scanning: Analyzes the repository during the test stage for patterns that match known secret formats.
- Immediate Alerts: Notifies our development team if any secrets are detected. Because a committed secret remains in the repository history, the remediation is to revoke and rotate it, not only to delete it from the code.
- Preventive Measures: Encourages the use of environment variables and secure storage for sensitive information.
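As an added example (not Sharpen's code or Snyk's), the following Python implements the two techniques a secret scanner of this kind relies on: fixed-format patterns for well-known credential types, and a keyword-plus-entropy rule for generic assignments so that placeholders such as a row of x's are not reported. The sample files are constructed for the example; the AWS key ID is the example value that appears in AWS's own documentation, and the rule set, entropy threshold and redacted preview are assumptions for this illustration.

```python
import math
import re
from collections import Counter

# Detection rules: name, compiled pattern with the secret in group 1, and whether
# the captured value must also pass an entropy check (skips obvious placeholders).
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    ("private-key", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"), False),
    ("high-entropy-secret",
     re.compile(r'''(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['"]([A-Za-z0-9+/=_\-]{16,})['"]'''),
     True),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a run of one repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list:
    """Run every rule over every line; report the rule, location and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, needs_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1)
            if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low entropy: placeholder or dummy value, not a credential
            # Never echo the full secret into CI logs; the report itself must not leak it.
            findings.append({"path": path, "line": lineno, "rule": name, "preview": value[:4] + "..."})
    return findings


def scan_repo(files: dict) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository contents (not real files from any project).
SAMPLE_REPO = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'            # documented AWS example key ID
        'API_KEY = os.environ["API_KEY"]\n'                       # read from the environment: fine
        'DB_PASSWORD = "xxxxxxxxxxxxxxxx"\n'                      # placeholder: fails entropy check
        'SIGNING_SECRET = "q9Zt4Lp2Vx8Hc1Nm6Rw3Yb7Ks0Fd5Ga"\n'   # made-up high-entropy value
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...(body omitted)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}  {f['rule']}  {f['preview']}")
```

The environment-variable line is exactly the pattern the "Preventive Measures" point above recommends, and it produces no finding; the placeholder password matches the keyword rule but is dropped by the entropy gate, which is what keeps this class of scanner from drowning reviewers in dummy values.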
What It Means for You
- Protection of Sensitive Data: Prevents the leakage of credentials that could compromise your data or systems.
- Enhanced Security Practices: Promotes secure coding standards within our development team.
- Risk Mitigation: Reduces the chance of unauthorized access due to exposed secrets.
4. AWS GuardDuty
What is GuardDuty?
GuardDuty is an intelligent threat detection service provided by AWS that continuously monitors for malicious or unauthorized behavior within our AWS accounts and infrastructure.
How Does It Work?
- Detection Methods: GuardDuty combines threat intelligence feeds from AWS and third parties with machine learning and anomaly detection to flag suspicious activity.
- Comprehensive Monitoring: It analyzes data sources such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs.
- Near-Real-Time Alerts: GuardDuty raises findings for unusual or potentially harmful activity, including unauthorized access attempts, API calls from unusual IP addresses, and more.
5. AWS Lambda Network Activity Monitoring
What is Lambda Network Activity Monitoring?
AWS Lambda Network Activity Monitoring (GuardDuty Lambda Protection) is a GuardDuty feature that analyzes the network activity of our Lambda functions, using the VPC Flow Logs their traffic generates, to detect potential threats or unusual patterns.
How Does It Work?
- Real-Time Analysis: Monitors network traffic for each Lambda function, looking for anomalies or malicious connections.
- Threat Detection: Detects unusual behavior, such as connections to known malicious IP addresses or suspicious data transfers.
- Alerts on Potential Issues: Notifies us of any network activity that may indicate a security issue with our Lambda functions.
Download the Snyk Vulnerability Report
For a detailed report of identified vulnerabilities and security insights, please download our Snyk Vulnerability Report.
Benefits to You as Our Customer
- Improved Application and Infrastructure Security: Proactively identifies and resolves security issues.
- Alignment with Security Standards: Our controls are aligned with the OWASP Top Ten and AWS Security Best Practices.
- Reduced Risk of Data Breaches: Minimizes impact on your data and operations.
- Continuous Security Assurance: Maintains strong security posture with continuous scans and monitoring.
- Transparency and Trust: Our commitment to security builds trust with our customers.
For further inquiries or detailed information about our security practices, please contact our security team at security@sharpennotes.com.