Security Measures

NOTE

If you have any questions or suggestions about Sana's security measures, or if you think you have found a vulnerability in our product, please contact us by email at responsibledisclosure@sana-commerce.com.

Every website that stores sensitive data, such as customers' personal and payment information, is an attractive target for attackers. A compromised website can have long-term consequences for both customers and merchants.

Security maintenance is essential for Sana Commerce, and we keep the security quality of the Sana Commerce product at the highest level. Although no single measure eliminates all security risks, there are many precautions you can take to safeguard your web store from potential threats.

No system can be invulnerable to every threat, but we have made the Sana Commerce solution as safe as we can. We have implemented a variety of security measures to protect your customers' personal information and to control access to the Sana Commerce solution. A Sana web store and Sana Admin are protected by multiple layers of security against unauthorized access.

Sana Commerce security has been analyzed using various automated and manual techniques, covering OS Command Injection, SQL Injection, Untrusted Initialization, CRLF Injection, Cross-Site Scripting, Cryptographic Issues, Directory Traversal, Insufficient Input Validation, Code Quality and Information Leakage.

System integrity, reliability and precaution increase consumers' confidence in online sales. The coding standards our developers follow are based on best practices that maximize software efficiency and secure online sales. Sana Commerce takes precautions to safeguard a web store from potential threats and ensures:

  • The integrity of online sales.

  • A robust, integrity-checked payment gateway integration. All guidelines provided by the payment gateway providers are observed and applied.

  • A web store and Sana Admin that are subjected to security checks. Adequate precautions are taken to ensure that the code of the web store and Sana Admin is not vulnerable to code injection (such as HTML and SQL injection).

Which security measures does Sana take?

At Sana, we have a dedicated security team that continuously monitors, tests and improves Sana's security measures:

  • Keeping our data and application infrastructure safe within Microsoft Azure.
  • Compliance with the latest security standards and recommendations (OWASP).
  • Using SonarQube for continuous inspection of code quality: automated reviews based on static analysis that detect bugs, code smells and security vulnerabilities.
  • Regular monitoring and testing of our application with the following security tools:
    • Vulnerability scanning and assessment (Burp Suite, OWASP ZAP and the Kali Linux toolkit).
    • Security Code Scan, a static code analyzer for .NET (available as a Microsoft Visual Studio extension) that detects various security vulnerability patterns: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), XML external entity injection (XXE), etc.
    • Audit.NET, a Microsoft Visual Studio extension that highlights NuGet package dependencies with known security vulnerabilities.
    • dotnet-retire, a dotnet CLI extension that checks a project for known vulnerabilities in its NuGet package dependencies.
    • npm audit, the npm command that submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
  • Proactive testing of our application by a qualified, specialized third party.
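The dependency checks listed above (Audit.NET, dotnet-retire, npm audit) only find vulnerabilities that are already published in an advisory database; they do not find flaws in your own code. To make such a report useful in a build pipeline it also has to be turned into a pass/fail decision. As an added example, not Sana's own code or tooling, the following Python script reads the JSON that npm audit --json produces and fails the build when any dependency carries an advisory at or above a chosen severity, unless that advisory is on an explicit allow-list with a recorded reason. The embedded report is constructed for this example, its package names and advisory URLs are placeholders, and the report shape (npm 7 and later: a vulnerabilities map keyed by package name with severity, via, isDirect and fixAvailable fields) is an assumption about the tool's output format.

```python
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape `npm audit --json` emits on npm 7+ (assumption).
# Package names and advisory URLs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"source": 1001, "name": "example-parser",
                     "title": "Prototype pollution in example-parser",
                     "url": "https://example.invalid/advisories/1001",
                     "severity": "high", "range": "<2.0.0"}],
            "range": "<2.0.0",
            "fixAvailable": {"name": "example-parser", "version": "2.0.1", "isSemVerMajor": True},
        },
        "example-logger": {
            "name": "example-logger", "severity": "moderate", "isDirect": False,
            "via": [{"source": 1002, "name": "example-logger",
                     "title": "ReDoS in example-logger",
                     "url": "https://example.invalid/advisories/1002",
                     "severity": "moderate", "range": "<1.4.2"}],
            "range": "<1.4.2", "fixAvailable": True,
        },
        "example-app-kit": {
            # Transitive entry: `via` is just the name of the vulnerable dependency.
            "name": "example-app-kit", "severity": "moderate", "isDirect": True,
            "via": ["example-logger"], "range": "*", "fixAvailable": True,
        },
        "example-crypto": {
            "name": "example-crypto", "severity": "critical", "isDirect": True,
            "via": [{"source": 1003, "name": "example-crypto",
                     "title": "Weak key derivation in example-crypto",
                     "url": "https://example.invalid/advisories/1003",
                     "severity": "critical", "range": "<3.0.0"}],
            "range": "<3.0.0", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2,
                                     "high": 1, "critical": 1, "total": 4}},
})


def findings(report_json):
    """Flatten the audit report into one finding per advisory.

    Transitive entries (a bare package name in `via`) are skipped: the advisory
    itself is reported on the package that actually carries it, so counting
    them again would only duplicate the finding."""
    report = json.loads(report_json)
    out = []
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            out.append({
                "package": pkg,
                "severity": via.get("severity", entry.get("severity", "info")),
                "title": via.get("title", ""),
                "url": via.get("url", ""),
                "direct": bool(entry.get("isDirect", False)),
                "fix_available": bool(entry.get("fixAvailable")),
            })
    return out


def gate(report_json, fail_at="high", allowlist=None):
    """Return (failing, accepted) findings.

    A finding fails the build when its severity is at or above `fail_at` and
    its advisory URL is not in `allowlist` (a map of advisory URL -> reason).
    Findings below the threshold are neither failing nor accepted."""
    allowlist = allowlist or {}
    threshold = SEVERITY_RANK[fail_at]
    failing, accepted = [], []
    for f in findings(report_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if f["url"] in allowlist:
            accepted.append({**f, "reason": allowlist[f["url"]]})
        else:
            failing.append(f)
    return failing, accepted


def main(argv):
    # Usage: npm audit --json | python audit_gate.py [high|critical]
    # With no piped input the constructed sample report is used.
    piped = sys.stdin.read() if not sys.stdin.isatty() else ""
    report_json = piped or SAMPLE_REPORT
    fail_at = argv[1] if len(argv) > 1 else "high"
    failing, accepted = gate(report_json, fail_at)
    for f in accepted:
        print(f"accepted {f['severity']:<8} {f['package']}: {f['reason']}")
    for f in failing:
        fix = "fix available" if f["fix_available"] else "NO FIX"
        print(f"FAIL     {f['severity']:<8} {f['package']} ({fix}) {f['title']} {f['url']}")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The allow-list is keyed on the advisory URL rather than the package name so that accepting one advisory does not silently accept the next one published for the same package, and each entry carries a reason that ends up in the build log. The exit code is what the pipeline step keys on; the printed lines are only for the person reading the log.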