SonarCloud Security Assessment

Hello,

Hope everyone is safe and healthy!

Just like some here, we are glad to inform you that we have completed our POC regarding SonarQube and SonarCloud, and will happily proceed with the Cloud Version.

However, in order for us to proceed with the next steps, we wanted someone who could assist us in filling out our Third-Party Security Assessment.

We understand that SonarCloud is really designed to be self-service and that there is documentation and there are security links for us to go through, but there are some instances where the questions cannot be answered with that documentation.

We wanted to use SonarCloud before January ends.

We also talked with your Sales Team, who told us that they do not entertain any calls.

Hope you could help us with this.

We appreciate any response.

Thank you so much!

Hi @ge_na

Welcome to this forum!
As you mentioned, SonarCloud is a shared platform with all security and privacy items explained directly on the website documentation:

You can describe here what your questions regarding SonarCloud are, and we will see whether we can help answer them.

Carine

Hello Carine,

Thank you so much for your response. Here are the questions that need to be answered:

  1. Do you have any Information Security certificate (e.g. ISO 27001, PCI DSS, SOC) or IT security related accreditation?
  2. Do you have Information Security policies, to govern the Information Security function and protect your information assets?
  3. Do you have documented Information Security roles and responsibilities, and staff to perform these responsibilities?
  4. Do you have documented business continuity and disaster recovery policies, processes and plans?
  5. Do you have Information Security Risk Management processes that address assessment, mitigation and monitoring of information risk?
  6. Do you have documented policies and processes defined and implemented to ensure compliance with information security or privacy legal and regulatory requirements including regular reviews of compliance?
  7. Do you have Information Security Incident Management processes that include coordination with customer’s Information Security Incident Management processes?
  8. Do you have policies and processes defined and implemented for HR Information Security Management that clearly defines the roles and responsibilities of staff to protect information assets?
  9. Do you perform background verification checks for all staff in accordance with legal and regulatory requirements?
  10. Do you have Information Security training and awareness program in place for all employees (new, existing, permanent, or contractual staff)?
  11. Do you have a documented Access Control policy and processes for provisioning, revocation, revalidation, access reviews and remote access?
  12. Do you have documented policies and processes to monitor the actions of users with privileged access to systems?
  13. Do you have Secure Application / System Development policies and processes that address information security requirements for the development and implementation of application/systems?
  14. Do you follow any secure coding guidelines while developing applications/systems?
  15. Do you have documented policies and processes to ensure that application information security events are logged and the events are monitored?
  16. Do you have documented policies and processes to ensure that no actual customer data is used in testing or that such data is sanitized prior to use for testing purposes?
  17. Do you have Network Security policies and processes that address network segregation, network access control, network device administration, security configuration, and remote device management?
  18. Do you have a secure network architecture that addresses network segmentation and protection between the internal network and public networks and the segmentation of internal network to provide appropriate security zones?
  19. Do you have configuration standards for network devices that address secure configuration of these devices?
  20. Do you perform Vulnerability Assessment and/or Penetration Testing at periodic intervals and address issues identified in this testing in a timely manner?
  21. Are intrusion detection prevention (IDS/IPS) tools deployed in your network and configured to detect and/or prevent malicious attempts to compromise networks, systems or information and are these systems appropriately monitored and managed?
  22. Do you have processes to provide secure remote access to network devices for administrators that address business requirements, access controls, logging and review of access?
  23. Do you have Physical and Environmental Information Security policies and processes to physically protect information assets?
  24. Do you have policies, processes and tools to facilitate the following:
  • Log monitoring and review
  • Monitoring and regular testing of backups
  • Centralized Access Management
  • Incident and Change Management
  • Workstation Security Management
  • Data Loss Prevention tools to monitor for data leakage
  25. Will this vendor process personal or sensitive information? Please provide an approximation.

Hoping for your response.

Thank you so much!

Hello @ge_na,
Did you get any form of answer from SonarSource's side? I'm looking for any certification and audit documentation for SonarCloud and SonarQube, yet I could not find anything.
Thank you!