Security Statement

Nethive Security Statement

This statement is issued to support Nethive Security Development Policy which defines the security framework at Nethive. It declares Nethive's commitment to provide products and services that meet or exceed our external and internal customers' security requirements and to continually improve our efficiency and effectiveness in doing so.

Security at Nethive is designed, operated and controlled to continually assure that:

Products and services that Nethive builds and sells are secured-by-design and tested to comply with industry level security best practices.

Nethive complies with data protection regulations, including EU GDPR.

Nethive Security Policies and Procedures

All security policies and procedures are documented as part of our Integrated Quality and Safety Management System (SGI / IMS) Development Security Policy. Nethive employees, and contractors acting on Nethive's behalf, are required to cooperate with and support Nethive's pursuit of security and continual improvement, and to adhere to the policies and procedures contained within the SGI/IMS.

Certifications and Audits

Nethive maintains several certification programs and is audited annually by reputable external auditing agencies on security standards including:

ISO 27001:2013

Nethive is also regularly audited by many of our customers. We take these audits seriously and value the feedback from our customers. Audit findings are remediated through Corrective Actions entered in our CAPA management system, and we work with our customers to develop mutually agreed action plans for any improvements needed in our processes.

Secure Software Development Lifecycle (SSDLC)

Nethive continually evaluates security tools and methodologies. Our SSDLC methodologies and processes include best practices adopted from the OWASP Open Source Software Assurance Maturity Model (OpenSAMM). Nethive's SSDLC defines the secure development procedures and the security gates that each Nethive product must pass before being released to customers. Our secure development controls include:

- Security of communication protocols and OWASP best practices

- Threat Modeling

- Third party / open-source software composition analysis (SCA)

- Attack surface analysis

- Dynamic application security testing (DAST)

- Static application security testing (SAST)

- Container security analysis

Full details are set out in the SSDLC guidelines.

Developer Security Training

Nethive R&D teams undergo continual training to reinforce security topics, using commercial training platforms and in-house developed classes and materials, including:

- Internal best practices

- Online courses

All developers complete mandatory secure development training covering a wide spectrum of application security topics.

Other Compliance Programs

In parallel with our Security Management Program, Nethive has an active Quality Management Program, driven by the requirements of ISO 9001:2015. Nethive maintains certification for ISO 9001 that covers our Customer Success Organization (Technical Support, Professional Services).

Responsible Disclosure: If you've discovered a security vulnerability, we want to hear about it. Please follow the policy below to disclose it responsibly.

To report a security finding, please email us at dev@nethive.it.

Nethive requests that you don’t post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability. We’ll work with you to make sure we understand the scope of the issue and fully address any potential security issues.