We do not use cutting-edge but potentially unstable technologies, which can create additional problems through shortcomings that have not yet been detected and eliminated.
- We are implementing a secure process for developing our software, called CI/CD (Continuous Integration / Continuous Delivery), within which a long development flow covers development and testing as well as the deployment and updating of our code. Developers cannot edit code in production: all the code they write and refine is checked by QA to eliminate bugs or minimize their number, and a separate DevOps team handles the deployment of software and infrastructure. At each stage of this process, all employees use personal accounts whose privileges are limited to what is necessary for the employee to perform their official duties.
- Our system does not store user passwords in plain text, so there is no way to enter the database and see what password a particular user has. To achieve this, we use password hashing and salting, a technique that makes the conversion of a password irreversible when it is stored in the database.
- Our system has an integration API that complies with the OpenAPI standard. On the one hand, it is open (we publish documentation for our integration API so that clients can independently develop integration mechanisms); on the other hand, it is secure, because clients are issued special tokens to access the integration API, and these tokens protect access. Thus, an attacker cannot use our integration API, because they do not possess the corresponding token. The token is handed over only to authorized employees of the Customer.
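To make the password hashing and salting point above concrete, here is an added Python example (not the company's own code): the record format, the PBKDF2-HMAC-SHA256 work factor, the in-memory USER_TABLE and the user names are assumptions chosen for this illustration. It shows that the table only ever holds salt and hash, that two registrations of the same password yield different records, and that login recomputes and compares the hash without ever recovering the password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (value chosen for this example).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory stand-in for the users table: username -> stored record.
USER_TABLE = {}

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt is drawn on every call unless one is passed in; passing a
    salt is used only to show that the salt is what makes two records for the
    same password differ.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time; a malformed record is rejected."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False

def register(username: str, password: str) -> None:
    """Store only the salted hash; the plaintext password never reaches the table."""
    USER_TABLE[username] = hash_password(password)

def login(username: str, password: str) -> bool:
    """Authenticate against the stored record without ever recovering the password."""
    record = USER_TABLE.get(username)
    return record is not None and verify_password(password, record)
```

Because the salt and iteration count travel inside the record, the work factor can be raised later and old records still verify, which is what makes the scheme maintainable as hardware gets faster.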