SonarCloud Additional Due Diligence

Hello,

I have been conducting my company’s security due diligence prior to using SonarCloud and had some additional questions after reviewing your public facing documents:

• Am I able to view a standard agreement from your organization in order to see what security clauses will be included?
• Is our data encrypted at rest within your organization?
• What controls are in place to identify any unauthorized data exfiltration?

Thanks

Hey there.

Our security statement should help you.

Hi Colin,

I reviewed your Security Statement/Trust Center page, as well as your Whistic Security Profile, Terms of Service, and your Privacy Policy, and the questions raised previously were not answered there. I raised them with the sales team we have been working with and was redirected to this forum.

Thanks,
Adam

The only agreement there is to speak of would be the SonarCloud Terms and Conditions.

• Is our data encrypted at rest within your organization?

I believe this is answered in the security statement.

SonarCloud databases, snapshots, and backups are encrypted at rest to AES-256 standards, in all environments, with Sonar-managed keys. Logs are stored in protected S3 buckets and encrypted with AWS-managed keys.

• What controls are in place to identify any unauthorized data exfiltration?

I believe this is also answered in the security statement.

At the infrastructure level, access to data is controlled by limiting the host to network zones that only SonarCloud Operations can access. The production environment is strictly separate from our development and testing environments.

At the software level, SonarCloud ensures private source code is accessible only to the members of the code repository platform organization, in addition to a few SonarCloud Operations team members, and for support purposes only. Furthermore, customers can delete their projects, and therefore their source code and issue reports, from our system at any time. This is entirely under the customer’s control. Data may be held within the secure snapshot retention cycle for up to one year for legitimate purposes.

I appreciate the extra information Colin.

In regards to the data encryption question, we are looking for clarification specifically on whether our data/code is encrypted, as the security statement only mentions SonarCloud databases, etc., and not application data.

This discussion post from March of 2021 states that application data is not encrypted:

“Just to clarify, we do not encrypt application data at rest in the database where the source-code is stored. We use S3 buckets for logs and other peripheral functions.”

Is the above statement outdated or does it still hold true?

I appreciate the clarification!
Thanks,
Adam

It’s outdated, and the application data stored in the database is now encrypted as reflected in the current security documentation.