Does ABBYY perform Penetration Tests (Vulnerability Assessments) of FlexiCapture on a regular basis? Are there any certifications and reports available? If any vulnerabilities are found, how are they addressed?
The ABBYY FlexiCapture development team follows standard secure development practices (security requirements, bug and task tracking, periodic static code analysis, penetration testing, incident response plans, etc.). Coding guidelines, implemented at ABBYY at the company level, prevent developers from using unsafe functions, direct memory control, static arrays, etc. Developers rely on trusted libraries and standard protocols for secure communication between system components and for storing users’ data.
Internal security testing, including automated testing, is performed on a regular basis. Penetration testing is conducted by an external agency (NCC Group), but not on a fixed schedule. The reports from NCC Group can be shared after an NDA is signed.
FlexiCapture Cloud (which is FlexiCapture Distributed that runs on our servers) also passes SOC.
In some cases, customers run similar tests themselves and share the results with us; we investigate and address these appropriately as well.
If a security vulnerability is found in the current release, it may be addressed in the next release or with a patch to the current release, depending on its severity. Information about vulnerabilities that have been found and addressed is available in the Release Notes.