Application security
The VMS is 100% API driven, so our cybersecurity effort focuses on API security first.
Secure API.
We have 3 levels of API with different levels of security:
Level 3 requires an SSL key/cert pair for authentication. This is the most secure API and can be used for creating “license keys” that can be associated with customers or users. Designed for cloud-to-cloud (service-to-service) calls.
Level 2 requires a “license key” for authentication; this API can be used for adding/removing cameras and associated resources, and each new camera receives a “camera access token”. Designed for back-end calls.
Level 1 requires the “camera access token” for authentication; this API is used to control the corresponding camera and access its data (live, recorded, events, archive, etc.). Designed for front-end calls.
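A minimal model of the credential chain described above, added here as an illustration and not VXG's code or API. The class, the method names, the certificate-fingerprint check and the in-memory storage are all assumptions; the point is that each credential is accepted only at its own level and a camera access token is bound to one camera.

```python
import hashlib
import secrets


def digest(secret: str) -> str:
    # Keep only a hash of each credential, so a leaked store holds no usable secrets.
    return hashlib.sha256(secret.encode()).hexdigest()


class TieredAuth:
    """Hypothetical in-memory model of the three API levels (not the VMS API)."""

    def __init__(self, trusted_cert_fingerprints):
        self.trusted = set(trusted_cert_fingerprints)  # Level 3 client certificates
        self.license_keys = {}   # digest(license key) -> customer
        self.camera_tokens = {}  # digest(camera token) -> (customer, camera_id)

    def _lookup(self, table, secret):
        # A credential is searched only in the table of the level it is presented to.
        entry = table.get(digest(secret))
        if entry is None:
            raise PermissionError("invalid credential for this API level")
        return entry

    # Level 3: service-to-service, caller identified by its TLS client certificate.
    def create_license_key(self, cert_fingerprint, customer):
        if cert_fingerprint not in self.trusted:
            raise PermissionError("unknown client certificate")
        key = secrets.token_urlsafe(32)
        self.license_keys[digest(key)] = customer
        return key

    # Level 2: back end, license key in, camera access token out.
    def add_camera(self, license_key, camera_id):
        customer = self._lookup(self.license_keys, license_key)
        token = secrets.token_urlsafe(32)
        self.camera_tokens[digest(token)] = (customer, camera_id)
        return token

    # Level 1: front end, the token is valid for exactly one camera.
    def read_camera(self, camera_token, camera_id):
        customer, bound_id = self._lookup(self.camera_tokens, camera_token)
        if bound_id != camera_id:
            raise PermissionError("token is not valid for this camera")
        return f"live stream of {camera_id} ({customer})"
```

A front end holding only a camera access token therefore cannot add cameras or reach another camera, which limits what a token leaked from a browser or mobile app exposes.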
Input validation and rate limiting
In addition to the tools provided by cloud infrastructure providers, Cloud VMS rate-limits invalid API calls as a countermeasure to DDoS attacks.
In the case of AWS, we also use AWS Shield for protection from DDoS attacks.
Secure development life cycle (SDLC)
VXG runs vulnerability tests on the test VMS deployment at the end of each development cycle.
Vulnerability tests (pentests)
The VMS has passed professional penetration tests. The tests were carried out as grey-box penetration tests.
Methodology.
We use only current technologies and tools and follow best practices for penetration testing. For that, we use professional pentest tools from the leading cybersecurity providers. All tests are guided and inspired by the OWASP Testing Guide and the Open Source Security Testing Methodology Manual (OSSTMM) to reach the highest standards.
Reports
The list of tools and the reports are available upon request. These reports include:
Network Vulnerability Scanner
API Vulnerability Scanner
Web Vulnerability Scanner