These docs are for v1.0; the latest docs cover v3.2.

Security & Compliance Policy

FOSSA is committed to the security of your application’s data. As part of this commitment, we use a variety of industry-standard security technologies and procedures to protect your information from unauthorized access, use, or disclosure.

FOSSA's security program covers the following areas:

  • Application Security
  • Infrastructure and Network Security
  • Compliance
  • Privacy
  • Corporate Security
  • Physical Security

Our employees are required to attend annual security awareness training and are informed of their security responsibilities as part of an extensive and regularly reviewed Information Security Policy.

Application, Quality & Code Security

  • Code is pulled and analyzed in ephemeral, isolated containers or virtualized environments
  • Company employs engineers & contractors dedicated to Application Quality & Testing
  • FOSSA engineers employ regular peer code review
  • Sensitive data (e.g. user passwords, access tokens) is stored only in fully encrypted, one-way (irreversible) form
  • FOSSA never generates permanent (non-revocable) access credentials for third-party services. Tokens are rotated upon expiration and follow the OAuth spec.

Independent Audits & Vulnerability / Penetration Testing

FOSSA undergoes third-party penetration tests on a regular basis. All items found in the testing are addressed, mitigated, or remediated depending on the severity of the finding. A summary report is available to customers that are currently under contract with FOSSA at the Enterprise level under NDA.

In addition to regular penetration testing, we have continual third-party and internal vulnerability scanning performed throughout our infrastructure and development process. This complements the regular penetration test and ensures there are no coverage gaps between tests.

In addition to internal and third-party security testing we commission directly, we encourage outside security researchers to test the FOSSA application and report any vulnerabilities found to the FOSSA Security Team, in accordance with our Responsible Disclosure Policy. Testing is performed by account owners or members authorized by the account owner to conduct testing. We will respond and fix vulnerabilities in accordance with our commitment to security and privacy, and will not take legal action against or terminate access to FOSSA for those who discover and report security vulnerabilities through proper channels.

FOSSA maintains a documented Incident Response Plan.

Web / Infrastructure Security

FOSSA's web infrastructure is secured behind firewalls and multiple levels of isolation.

  • All application data is transmitted over HTTPS
  • 24/7 application monitoring and DDoS protection
  • Multiple firewalls, load balancers, virtualization and network infrastructure isolate the application from the outside world
  • Hosted in Amazon Web Services datacenters (ISO 27001 and FISMA certified)

ISO 27001 / FISMA, SSAE16 / ISAE 3402 Type II Attestations

We utilize Amazon Web Services to host the entirety of FOSSA's environment.

Amazon undergoes annual independent audits for the following:

Disaster Recovery, Availability and SLAs

We have a documented and tested Contingency Plan and Disaster Recovery plan. These plans are tested at least annually or when there is a major change in the FOSSA environment. Lessons learned from the tests are compiled and are remediated by our engineering department.

FOSSA employs hourly data backups and has a distributed, self-healing infrastructure that implements high-availability best practices. We also depend on infrastructure that implements disaster recovery and high availability.

FOSSA's Enterprise plan offers custom SLAs to complement and guarantee availability.

On-Prem Security

FOSSA's on-prem option is fully sealed and can operate in permanently offline ("air-gapped") environments.

All data (including open source analysis, cache, etc.) is stored and communicated behind the firewall. See our Architecture Overview.

  • Native HTTPS support baked into the on-prem offering
  • Application is distributed with multiple layers of containerization, virtualization & sandboxing across the stack
  • Successfully passed security review for Fortune 50 on-prem deployments

Corporate, Physical, Operational & Information Privacy

  • 2-Factor authentication required for all employees across SaaS accounts
  • All employees work on company-owned hardware with IT on-boarding and off-boarding support, malware detection and firewalls
  • Office located in private facilities with 24/7 security, surveillance and access cards
  • Office facilities have a separate "Guest" network and internal employee network

All FOSSA employees, upon initial hire, go through security awareness training. This training includes some of the best practices and guidelines from the security industry.

User Security Controls

SAML-Based Single Sign On

On designated FOSSA plans, you can enable SAML-based single sign-on (SSO) using Google Apps for Work, Okta, or Bitium. SSO not only improves the user experience by making it seamless to log into the FOSSA application, but also enhances security by allowing companies to control and maintain their own identity management, which translates into fewer user identities and simpler access across trusted domains.

Read the documentation for detailed instructions on how to set up SSO.

Role-Based Access Control

The FOSSA application has a set of Enterprise-level access controls, including:

  • Single Sign On
  • Two-Factor Authentication
  • Password complexity settings
  • Session timeout
  • Role Based Access Control

Roles can be configured for a variety of permissions including read-only, editing and administrative roles. FOSSA's RBAC implementation integrates directly with SAML / LDAP permissions.

Read FOSSA's documentation to learn more about role-based permissions.