Certus logoCERTUSBY OCTAVE-X
Pilot
Docs / Security model

Security model

How Certus protects evidence integrity, enforces tenant isolation, and prevents common attack vectors.

Threat model

Key threats we design against and corresponding mitigations.

Evidence tampering

Every evidence pack is signed with SHA-256 HMAC. Signatures are verified on retrieval. Any byte-level change causes verification failure.

Cross-org data access

All database queries are scoped by org_id at the query layer. API keys are org-scoped. Session-based access resolves org from the authenticated user record.

Session hijacking

Session cookies are HTTP-only, Secure (TLS-only in production), SameSite=Lax. No tokens in localStorage or client-side JavaScript. Canonical domain enforcement prevents cookie scoping leaks.

API key compromise

Keys are SHA-256 hashed before storage — Certus cannot recover a lost key. Timing-safe comparison prevents side-channel attacks. Keys can be instantly regenerated, invalidating the previous key.

Supply chain injection

The SBOM scanner generates SPDX and CycloneDX manifests. SLSA provenance is attached to evidence packs. Dependency changes are tracked across scans via drift detection.

Credential exposure in scans

The secrets scanner runs regex patterns and entropy analysis against repository contents. Findings are flagged as critical. Source code is never uploaded — only scan metadata.

Network edge

  • TLS 1.2+ on all connections, HSTS enforced (1-year max-age)
  • Canonical domain redirect: getcertus.cloud → www.getcertus.cloud (308) before session creation
  • CORS restricted to www.getcertus.cloud origin

Authentication

  • Auth0 handles all identity — no passwords stored by Certus
  • Enterprise SSO via SAML 2.0 and OIDC
  • Dual auth: session (dashboard) + API key (CLI/CI)
  • API key org-scoping prevents cross-tenant access

Data layer

  • AES-256 encryption at rest (managed keys or BYOK)
  • Org-scoped queries at the database layer — no global data access
  • Immutable audit trail for all state-mutating operations
  • Evidence packs signed with SHA-256 HMAC

CLI / CI

  • Source code never leaves the local machine or CI runner
  • Only scan metadata, findings summary, and signed hashes are transmitted
  • API sync over HTTPS with Bearer token authentication
  • Local history stored in .certus/history/ for offline access

Compliance control mapping

How Certus platform security maps to industry framework controls.

Access control
SOC 2 CC-6.1, ISO 27001 A.9, NIST AC-2

Auth0 SSO, org-scoped RBAC, API key isolation

Audit logging
SOC 2 CC-7.2, HIPAA 164.312(b), NIST AU-2

Immutable audit trail, actor/action/resource/timestamp

Encryption
SOC 2 CC-6.7, PCI-DSS 3.4, NIST SC-28

TLS 1.2+ in transit, AES-256 at rest, HMAC evidence signing

Change management
SOC 2 CC-8.1, ISO 27001 A.14, NIST CM-3

Evidence packs attached to every merge, drift detection between scans

Vulnerability mgmt
SOC 2 CC-7.1, PCI-DSS 6.1, NIST SI-2

5-scanner pipeline (SAST, SBOM, IaC, secrets, test coverage)

Incident response
SOC 2 CC-7.3, HIPAA 164.308(a)(6)

Responsible disclosure program, 24h triage SLA, PagerDuty escalation

Back to docsSecurity overviewResponsible disclosure