NowSecure has completed its annual SOC 2 (Type 2) security audit covering the NowSecure Platform for automated mobile app security testing. For the third year in a row, NowSecure remains the only enterprise-grade provider with a SOC 2 certified cloud platform for mobile application security testing (MAST).

As with prior audits, the report issued in June 2022 by Schellman & Company found no exceptions, and attests that NowSecure has controls which are suitably designed and effectively operated to meet our commitment to customer security.

NowSecure System Description

The SOC 2 report contains a detailed system description for the NowSecure Platform, including the purpose, architecture, people and security controls. The security controls must meet the criteria established by the American Institute of Certified Public Accountants (AICPA) in design and operation. The following is a brief summary of some important NowSecure controls described in the report. This list is not exhaustive; for further details or to request a copy of the SOC 2 Report please contact your account manager or submit a request here.

  • Access, Authentication and Authorization: Clear policies follow the principle of least privilege and grant access only upon valid business need per job function, limited by role-based access controls (RBAC) and logged. The company uses centralized authentication with two-factor authentication and strong passwords.
  • Access Requests and Access Revocation: The company follows formal employee onboarding procedures to provision access to NowSecure personnel based on role. Formal procedures are followed to remove access for NowSecure personnel who depart or change roles within the company. Upon separation from the company, access accounts are deactivated within 24 hours.
  • Employee Screening: The company conducts formal employee onboarding procedures, including completion of background screening and acceptance of non-disclosure agreements and the employee handbook.
  • Security Awareness: Employees must complete security awareness training upon hire and annually thereafter, so that they understand their obligations and responsibilities to comply with corporate and business unit security policies and to stay aligned with security objectives.
  • Regular Access Reviews: NowSecure performs documented quarterly User Access Control (UAC) reviews for information systems, including the NowSecure Platform and its supporting infrastructure.
  • Secure Access: The company secures access to infrastructure and systems and restricts it to authorized personnel with a legitimate need, via VPN with two-factor authentication and highly complex, non-memorized secrets stored in encrypted vaults. User access is limited to the level required to perform job functions, and access to infrastructure components is logged.
  • Network Firewall Controls: AWS EC2 controls provide security for the environments maintained within AWS, including security groups and firewall rules to control incoming network traffic.
  • Security Monitoring: NowSecure uses an intrusion detection system (IDS) and web application firewalls (WAF) to monitor for potential indicators of compromise, and configures them to alert security personnel when suspected security events are detected.
  • Encryption At Rest and In Transit: Data in transit is encrypted using Hypertext Transfer Protocol Secure (HTTPS) with TLS protocols. Databases housing sensitive customer data are encrypted at rest (AES-256).
  • Change Management: NowSecure follows a formal change management process to ensure unauthorized changes are not made to production application systems. Software, system, and configuration changes, including major releases, minor updates, and hot fixes, are managed through a formal change and release management process.
  • Secure SDLC: The company’s secure SDLC Standards and Procedures establish a secure, agile, test-driven development process with dedicated DevSecOps responsibilities separate from development. Documented procedures and technical controls restrict access to deploy code or infrastructure changes to the NowSecure Platform. Wholly separate dev and staging environments contain no customer data from production.
  • Incident Response: NowSecure has documented incident response and escalation procedures for security incidents, including procedures for prompt notification of affected customers as required by law and customer contracts.
  • External Pen Testing: NowSecure undergoes annual external penetration testing performed by a third-party vendor and implements remediation plans to address all critical and high vulnerabilities or findings.
  • Risk Management: NowSecure ensures that risks are evaluated and that controls are designed, implemented, and operated to address all areas, as appropriate, to detect, respond to, mitigate, and recover from security events based on the assessed risks.

“NowSecure remains the only enterprise-grade provider with a SOC 2 certified cloud platform for mobile application security testing (MAST).” – Ted Eull, Vice President of Risk and Privacy, NowSecure

About SOC 2

SOC 2 is a widely recognized standard for service providers to provide assurance to their customers based on an independent third-party audit.

As defined by the American Institute of Certified Public Accountants (AICPA), System and Organization Controls (SOC) 2 reports “are designed to help service organizations build trust and confidence in the service performed and controls related to the services through a report by an independent CPA.”

NowSecure completed a SOC 2 Type 2 audit for the Security Criteria, which reviews the effectiveness of the controls related to the objectives.

About NowSecure

NowSecure has been a leader in mobile app security for more than a dozen years. We are experts in mobile app security testing software, services and training, trusted by leading finance, high tech, retail and healthcare companies, government agencies and others to ensure their apps are secure and meet privacy and regulatory requirements. To continue to earn this trust, we implement strict internal security policies and procedures to safeguard customer data and protect the NowSecure Platform from threats to confidentiality, integrity and availability.

For another year, NowSecure remains the only mobile application security testing vendor to achieve this critical SOC 2 Type 2 compliance. Request a NowSecure Platform demo to see it in action or contact us to learn more about our solutions and our security practices.

Ted Eull, VP of Risk and Privacy at NowSecure

Ted directs company risk, privacy, and security initiatives to ensure success of the growing company and NowSecure mobile security platform.