NopSec Unified VRM Security and Governance
NopSec remains a leader in cybersecurity, offering a range of vulnerability management solutions to organizations across industries. However, as a software as a service (SaaS) provider in the cybersecurity space, we recognize our responsibility to keep our customers’ data safe, or we would become a part of the problem we are trying to fix. We use many of the same vulnerability management practices that we offer to our customers to secure our digital assets from potential cyber threats. Learn more about NopSec’s vulnerability assessment methodology and how we are working to keep your data safe.
Who We Are
It all starts with hiring the right people. NopSec is made up of highly skilled security professionals that are well versed in the latest trends in cybersecurity. Our developers and engineers are trained in secure coding practices and have integrated security into their workflows. Studies show that addressing security as early as possible in the software development lifecycle (SDL) minimizes the cost and effort necessary to produce secure software. Our in-house services team includes individuals experienced in penetration testing who can identify and fix any security issues missed earlier in the development lifecycle.
It’s easy for SaaS providers to get caught up in customer requests, sprints, and production deadlines. Still, NopSec remains committed to the highest level of security to give our customers more peace of mind.
Security is not a point-in-time check for us — it is a question and concern at each step of the way. We choose to consider security with each minor release, every customer onboarding, and every new feature implemented. And even if you do not choose us following a proof-of-concept with our product, we will ensure that your data is securely deleted so you do not have to worry.
Unified VRM Design and Architecture
Our Unified VRM Architecture uses the Django web framework, a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django reduces the hassle that comes with securing web applications. It is free, easy to use, and open source, so development teams can quickly realize their visions without leaving their assets vulnerable to potential hacks.
Like all SaaS providers, NopSec collects data from its customers. However, this information is limited to what is necessary for customers to use the product. Our Unified VRM collects the following personally identifiable information (PII): names, email addresses, and departments of individuals with access to the Unified VRM. In addition to PII, NopSec may also collect and store customer vulnerability data, asset configuration data, patch information, service tickets, and other proprietary IT asset information, depending on the integrations used by customers.
However, NopSec will never disclose this information to a third party, including law enforcement, other government entities, or civil litigants, except as directed by the customer or required by law. If a third party contacts NopSec regarding the release of this information, we will forward the inquiry to the customer.
The inquiry will be forwarded to the customer's publicly listed contact information unless the customer has provided separate contact information specifically for this purpose. If required by law to disclose customer data to a third party, NopSec will attempt to notify the customer in advance unless legally prohibited from doing so.
Data Encryption and Unified VRM Access
Our Unified VRM also encrypts customer data on a per-customer basis. Customer data is protected by symmetric encryption using AES with 256-bit keys. During the onboarding process, a customer-specific secret key is generated and stored. When the customer logs into Unified VRM, the key is decrypted and held in memory only. The data returned by each database query must be decrypted with this key.
Unique keys are created for each customer. Keys are created and stored in a Gemalto (SafeNet) HSM. There is no direct human access to the secret key at any point in time. It is a split-key system with one key in the HSM and the other decrypted and loaded into memory from a different location. Processes exist to rekey customer data if a compromise is suspected or if requested by customers. The process to do this is available upon request.
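The per-tenant, split-key scheme described above, as an added illustration that is not NopSec's code and says nothing about how Unified VRM is actually implemented: all names are hypothetical, the HSM is stood in for by a byte slice, and the XOR split and AES-256-GCM with the tenant ID as associated data are choices made here, since the text does not specify the split method or the AES mode. It covers onboarding (key generation and split), login (recombining the shares in memory), per-record encryption and decryption, and the rekey path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const keyLen = 32 // AES-256; all names in this file are hypothetical

// newTenantKey generates a fresh random AES-256 key at onboarding.
func newTenantKey() ([]byte, error) {
	k := make([]byte, keyLen)
	_, err := rand.Read(k)
	return k, err
}

// splitKey XOR-splits a key into an HSM share and a second share; neither alone reveals the key.
func splitKey(key []byte) (hsmShare, otherShare []byte, err error) {
	hsmShare = make([]byte, len(key))
	if _, err = rand.Read(hsmShare); err != nil {
		return nil, nil, err
	}
	otherShare = make([]byte, len(key))
	for i := range key {
		otherShare[i] = key[i] ^ hsmShare[i]
	}
	return hsmShare, otherShare, nil
}

// combineShares rebuilds the tenant key in memory, as happens at login.
func combineShares(hsmShare, otherShare []byte) ([]byte, error) {
	if len(hsmShare) != keyLen || len(otherShare) != keyLen {
		return nil, errors.New("malformed key shares")
	}
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = hsmShare[i] ^ otherShare[i]
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals one stored field with AES-256-GCM. The tenant ID is bound as AAD so a
// blob copied into another tenant's rows fails authentication. Layout: nonce || ciphertext || tag.
func encryptRecord(key []byte, tenantID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

// decryptRecord reverses encryptRecord; tampering or a tenant mismatch returns an error.
func decryptRecord(key []byte, tenantID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(tenantID))
}

// rekeyRecords re-encrypts a tenant's records under a fresh key and returns it for the caller to
// split and store with splitKey: the shape of the rekey-on-suspected-compromise process described above.
func rekeyRecords(oldKey []byte, tenantID string, blobs [][]byte) ([]byte, [][]byte, error) {
	newKey, err := newTenantKey()
	if err != nil {
		return nil, nil, err
	}
	out := make([][]byte, 0, len(blobs))
	for _, b := range blobs {
		pt, err := decryptRecord(oldKey, tenantID, b)
		if err != nil {
			return nil, nil, err
		}
		nb, err := encryptRecord(newKey, tenantID, pt)
		if err != nil {
			return nil, nil, err
		}
		out = append(out, nb)
	}
	return newKey, out, nil
}
```

Two design points worth noting: the combined key only ever exists in process memory and is never written by this code, which is the property the split is meant to provide; and the random 96-bit GCM nonce is fine for per-record encryption at modest volume, but a deployment encrypting very large numbers of records under one key would need a counter-based nonce or periodic rekeying to stay clear of nonce reuse.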
When issuing reports to customers, our vulnerability management software will only include information relevant to the customer. We offer custom reports based on each user’s role in the vulnerability remediation process. Additionally, all customer communication is encrypted using HTTPS.
NopSec secures customer data throughout the entire lifecycle, starting with the first customer-unique encryption key that is created during onboarding. When our relationship with the customer comes to an end, we ensure that customer data is securely deleted.
In addition to these safeguards, NopSec is ready to respond to an attack if one should occur. Incapsula’s WAF (web application firewall) service addresses application-layer attacks and threats, while AlienVault USM is used to detect and respond to network-based attacks and threats. CloudWatch, the cloud platform from AWS, enables NopSec to monitor for cloud-native anomalies and threats.
NopSec uses AWS products and features to make Unified VRM highly scalable. Load balancers and auto-scaling application servers provide speed on the front-end, while a multi-tenant architecture with a redundant, scalable database rounds out the back-end. AWS CloudWatch is used to monitor instance availability.
Speed is crucial when it comes to remediating potential vulnerabilities. Our security teams are standing by 24/7, so they can address these issues in real time. Patch management is overseen by experienced professionals to ensure that the issue has been resolved.
NopSec understands the changing cybersecurity landscape, ensuring that our security operations can prevent the latest forms of attacks. We don’t rely on outdated systems or methods and continuously update our vulnerability management software to improve quality control. We incorporate vulnerability prioritization into everything we do.
Nothing could be more important than keeping your company's data safe. You need to partner with a reliable vulnerability management software-as-a-service provider to protect your digital assets from a potential attack. This applies to the SaaS provider as well. If you don't choose NopSec, spend some time vetting your SaaS provider to ensure that they are keeping your personal information safe.
Download the full NopSec Unified VRM Security and Governance report to learn more about the measures NopSec takes to ensure customer data is secure and complies with regulations.