Product Security
Overview
The topics covered in the following sections focus on the administrative and technical safeguards that FusionFabric.cloud leverages to protect the data stored or processed on the platform.
Finastra may update these safeguards to reflect changes in the FusionFabric.cloud security posture. These changes do not reduce the level of security described herein, but aim to enhance security, privacy, and compliance wherever possible.
All safeguards aim to provide reasonably designed controls to protect the confidentiality, integrity, and availability of all the data stored or processed on the platform.
Build Pipeline
FusionFabric.cloud implements automated security testing as part of the continuous integration and continuous delivery (CI/CD) process. This process supports the rate at which we deliver a high-performance fintech API platform, while maintaining an adequate security posture with every product feature iteration.
This rapid development also allows FusionFabric.cloud to continuously assess and maintain relevant security and privacy principles. The process aims to ensure that no critical or high-risk findings are pushed to production environments.
Automated Security Testing
Based on the critical function of the FusionFabric.cloud platform, the underlying software goes through reviews and testing, such as: design reviews, business risk evaluations, threat modeling assessments, security architecture reviews, static application security testing (SAST), dynamic application security testing (DAST), penetration testing assessments, and active bug bounty engagements.
SAST involves the use of static code analysis tools. Static testing is designed to evaluate the entire code base of the tested release. The purpose of this testing is to find security vulnerabilities in the application source code earlier in the software development life cycle.
DAST makes use of dynamic analysis tools. Dynamic testing covers pre- and post-authentication functionality. The purpose of this testing is to find security vulnerabilities and weaknesses in a running application.
The outcome of these reviews and tests is captured and delivered through reports or defect tracking management systems.
Bug Bounty
Finastra organizes bug bounty programs to expand security testing and defect reporting.
Reporting Vulnerabilities
FusionFabric.cloud is subject to regular penetration testing by Finastra’s security professionals and third-party specialists.
In addition, Finastra continuously runs a Responsible Disclosure Program. Within this program, anyone who believes they have found a vulnerability within Finastra’s systems is actively encouraged to report the issue to us. Any reported issue is investigated and potentially rewarded.
Find out more about the program at FusionFabric.cloud Responsible Disclosure.
Penetration Testing
The software developed by Finastra is subject to penetration testing. The testing is performed internally by Finastra’s product and data security staff, and/or externally, by an approved external vendor.
These tests aim to ensure that issues uncovered during previous assurance activities, such as automated testing, and the outcome of security engineering activities, such as threat modeling and business risk analysis, are adequately addressed. They also provide assurance that the security requirements engineering activities are embedded into the product during its development.