Security
- Updated on 25 Jan 2024
Data protection
Secrets used by Knovvu applications, such as API keys, passwords, and encryption keys, are centrally managed in HashiCorp Vault, which provides encrypted storage and access control for them.
Data exchanged between the user's web browser and Knovvu products is protected in transit with industry-standard TLS.
By default, service-to-service traffic inside the cluster is not encrypted. For many deployments this is acceptable, because all virtual machines sit in the same data center, often on the same physical hardware, and the cluster network is treated as trusted. It does not satisfy requirements that call for encryption in transit everywhere, such as PCI DSS. In that case, service-to-service encryption (in Istio, mutual TLS between workloads) can be enabled with a service mesh such as Istio. Deploying and operating the service mesh is the customer's responsibility, and the mesh must be configured to enforce mutual TLS rather than merely allow it; Istio's default mode still accepts plaintext connections.
When MinIO is used as the object store, the stored objects are not encrypted at rest. Customers who need encryption at rest can instead provide their own MinIO deployment with server-side encryption enabled, or an Amazon S3 endpoint with bucket encryption configured, and use that as the object storage endpoint.
Security Scanning
In the Sestek CI/CD pipeline, the latest versions of Knovvu applications and their dependencies are automatically scanned for Common Vulnerabilities and Exposures (CVEs). CVE is the reference naming scheme for publicly known information-security vulnerabilities; it is maintained by the MITRE Corporation with funding from the U.S. Department of Homeland Security.
These scans are intended to ensure that known vulnerabilities with an available fix are remediated before Knovvu applications are deployed to customer environments (see the disclaimer on open CVEs below for the exception). Trivy, an open-source vulnerability scanner, is used for the scans.
Disclaimer on Open CVEs
Open CVEs are published vulnerabilities for which the maintainers of the affected package have not released a fix, either because they have not addressed the issue yet or because they do not consider it critical. Sestek cannot fix open CVEs directly, because the fix has to come from the maintainers of the affected package; such findings can therefore still appear in scan reports of released Knovvu versions.
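The scan-and-gate step described above, and the open-CVE distinction of this disclaimer, as an added example that is not part of the Knovvu documentation or Sestek's pipeline: a script that reads Trivy's JSON output (`trivy image --format json ...`), fails the build only on CRITICAL/HIGH findings that have a fixed version available, and lists findings with no upstream fix separately as open CVEs. The embedded report, the CVE IDs (CVE-0000-000x placeholders), the package names, the image name and the `.trivyignore` content are all constructed for the example and are not real advisories.

```python
"""Gate a CI job on Trivy JSON output, separating fixable CVEs from open ones.

Added example, not Sestek/Knovvu code. The report below is constructed in the
shape Trivy emits for `trivy image --format json`; all IDs are placeholders.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample report: CVE IDs, packages, versions and the image name
# are placeholders, not real vulnerabilities or artifacts.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/knovvu/app:1.2.3",
    "Results": [
        {
            "Target": "registry.example.invalid/knovvu/app:1.2.3 (debian 12.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
                 "Severity": "CRITICAL"},
                # Trivy omits FixedVersion when the maintainers have no fix:
                # this is an "open CVE" in the sense of the disclaimer.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.9", "FixedVersion": "0.10",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "some-npm-lib",
                 "InstalledVersion": "4.1.0", "FixedVersion": "4.1.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

# Constructed .trivyignore: one accepted CVE ID per line, '#' starts a comment
# (the same line format Trivy itself reads from a .trivyignore file).
SAMPLE_IGNORE = """
# accepted after review, tracking ticket is a placeholder
CVE-0000-0004
"""

GATE_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


@dataclass(frozen=True)
class Finding:
    cve: str
    target: str
    pkg: str
    installed: str
    fixed: Optional[str]   # None when the package maintainers ship no fix
    severity: str


def parse_ignore(text: str) -> Set[str]:
    """Parse .trivyignore-style text into a set of risk-accepted CVE IDs."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def load_findings(report_json: str) -> List[Finding]:
    """Flatten every Results[].Vulnerabilities[] entry of a Trivy report."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key absent when clean
            findings.append(Finding(
                cve=v["VulnerabilityID"], target=result.get("Target", ""),
                pkg=v["PkgName"], installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion") or None,
                severity=v.get("Severity", "UNKNOWN")))
    return findings


def triage(findings, ignore_ids=frozenset(), severities=GATE_SEVERITIES):
    """Split gated-severity findings into (blocking, open, ignored)."""
    blocking, open_cves, ignored = [], [], []
    for f in findings:
        if f.severity not in severities:
            continue                      # below the gate threshold
        if f.cve in ignore_ids:
            ignored.append(f)             # explicitly risk-accepted
        elif f.fixed is None:
            open_cves.append(f)           # no upstream fix: report, don't block
        else:
            blocking.append(f)            # fix exists: must be applied
    return blocking, open_cves, ignored


def gate(report_json: str, ignore_text: str = "") -> int:
    """Return the CI exit code: 1 if a fixable CRITICAL/HIGH CVE remains."""
    blocking, open_cves, ignored = triage(
        load_findings(report_json), parse_ignore(ignore_text))
    for f in blocking:
        print(f"BLOCK  {f.cve} {f.severity} {f.pkg} {f.installed} -> {f.fixed} [{f.target}]")
    for f in open_cves:
        print(f"OPEN   {f.cve} {f.severity} {f.pkg} {f.installed} (no fix from maintainers) [{f.target}]")
    for f in ignored:
        print(f"IGNORE {f.cve} (listed in .trivyignore)")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, SAMPLE_IGNORE))
```

On the constructed report the gate exits 1 because of CVE-0000-0001 (CRITICAL, fix available), reports CVE-0000-0002 as open, and skips CVE-0000-0004 as risk-accepted. Trivy's own `--ignore-unfixed` flag and `.trivyignore` file give the same split on the command line; the script is for pipelines that want both the blocking list and the open-CVE list from a single JSON report.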