We are considering purchasing SonarCloud’s services for our organization, but have some questions about the security policy that are not answered on the posted security statement. Any information would be greatly appreciated:
1. What platform and programming language are used to develop the application?
a. How do you assess the application and underlying technology for security vulnerabilities?
b. What is the application patch management/release methodology, especially for security fixes?
2. Do you support SSO? What are the supported authentication protocols and technologies?
3. Does the solution provide role-based access permissions to users?
a. Would it be possible to customize the roles according to our business needs?
4. How do you achieve security of data at rest?
a. What is the encryption algorithm/key strength?
b. How are the encryption keys managed?
5. How is the security of data in transit achieved?
a. What are the minimum requirements for supported browser?
6. Do you maintain detailed audit logs of user and admin activities?
a. How long are the logs stored, and can they be provided to customers if required?
b. Would it be possible to integrate/forward these logs to customer log monitoring infrastructure?
c. Is it possible for system administrators or power users to remove audit log entries?
7. Device/location-based access control options
a. Can we restrict access to the application from a specific customer public IP gateway?
b. Do you perform user behaviour analysis to identify malicious activity?