Data Privacy

Threat Modeling is the first Synchronoss Secure SDLC touch point in the development process. Threat modeling is a process of recognizing key assets within a product, and identifying potential threats against those assets, analyzing the possible effects, and providing neutralizing counter measures. Through collaboration with our software architects, our infrastructure teams and our developer leads, this process produces a security model during the application design phase before software code implementation. The threat model provides a solution to avoid security problems by requiring a full analysis of each potential, known risk with a full counter measures provided alongside to each one, requiring counter measures to be in place before the application is configured or a single line of code is written.

As part of the Synchronoss Secure SDLC, a Static Application Security Test (SAST) scanning & remediation process is integrated directly into all qualifying application development environments. The SAST process is integrated into our Bamboo/Jenkins CI/CD release process across all verticals. This enables individual programs to control the frequency of scanning and the effective scheduling of resulting remediation effort. Our SCA engine, Fortify SCA, identifies security vulnerabilities efficiently in application source code early in the development process, thus enabling remediation at lower cost than later in the SDLC. The SCA function is in continuously used through- out the life of the application so security vulnerabilities can be resolved with less effort, in less time and with less cost.

Dynamic Application Security Testing (DAST) is a core function for all applications developed and is critical in identifying potential vulnerabilities in running applications, including those outside the code and in third-party interfaces. Our DAST process utilize an industry leading Dynamic Application scanner and can be run as a standalone operation on a selected running application or can be fully integrated into the team’s CI/CD Pipeline too. DAST scanning is a black-box testing process that can reveal a broad range of vulnerabilities, including input/output validation issues that could leave an application vulnerable to cross-site scripting or SQL injection. A DAST test can also help spot configuration mistakes and errors and identify other specific problems with applications. The DAST scan simulates the actions of an actual attacker to discover vulnerabilities not found by other testing techniques. Our scanning tool offers our developers & QA detailed remediation advice on vulnerabilities along with information that lets them recreate the security flaws shortening time to remediation timelines.

GIS offers compressive Open-Source Management via both industry leading open source and licensing compliance scanner as well as leveraging open-source tools, such as OWASP Dependency Checker. SNCR’s primary Open-Source Management tool offers Open-Source Vulnerability scanning and Open- Source License compliance functionality, which are embedded in SNCR development team’s CI/CD pipeline. This ensures all 3rd party jars and libraries used in any application under review are both vulnerability free and compliant with all necessary license requirements & statutes.

Web, Mobile & API Application Penetration Tests are performed on a regular basis for all qualifying applications. We perform comprehensive Pen Testing for all applicable applications utilizing both in-house Pen Testers and external 3rd party security service providers. SNCR in-house Pen Testers are trained and certified. The product/application security team leverages the latest open source and paid penetration testing tools at their disposal, including Burp Suite Professional, Metasploit Pro, Nessus, NMAP, and Kali Linux distro. App Pen Tests are performed in close compliance with the Penetration Testing Execution Standard (PTES) and OWASP Pen Testing guides which would cover at the least, the following: Parameter Fuzzing, Horizontal Privilege Escalation, URL Redirection, Code Reviews/Read through and SQL Injection. Our external providers are vetted, approved and added to our approved vendors list after a rigorous supplier evaluation process.