Canvas is tested for security vulnerabilities on a regular basis, this is carried out monthly, unless there is an application update or known CVE that needs to be patched.

Any releases of Canvas are sent into our dedicated staging environment first and then security tested; any mitigation needed is carried out before the release is sent to production. Once in production the test is run again.

We use the AppCheck platform to conduct deep security scans of the system. AppCheck is a software security vendor based in the UK, that offers a leading security scanning platform which automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure.

AppCheck enables scanning of the application infrastructure for security weaknesses at any given point rather than the traditional method of applications being scanned once on an annual basis. This method of approach ensures that Canvas is as secure as possible and that clients can be assured that their data is kept protected at all times.  AppCheck is used by some of the world's leading brands including Microsoft (Office 365) NHS, National Rail, Pret A Manger, Age UK and UK Sport.

Using this advanced, automated and dedicated security testing platform leverages proprietary technology that has been developed by penetration testers that can scan API-specific security issues and removes any risk of human intervention or error.

Example of testing features;

• Discovers zero days, plus 100,000+ known security flaws (CVEs), plus full OWASP vulnerability coverage including injection, XSS, RCE and more.

• Intelligent and versatile configuration means we can launch scans in seconds.

• Saves time with a practical workflow management system and ensures a robust audit trial is maintained.

• Thoroughly scans and tests APIs including WSDL, Swagger and GraphQL end points for security flaws.

• Conducts checks throughout the application life cycle, from development to production.

• Crawls modern complex applications such as SPAs.

• Flex key user journeys and complete multi-stage authentication via a scriptable browser interface.

With the Canvas application being deployed into a Microsoft Azure environment, the entire Kubernetes cluster and Azure resources are covered by Microsoft Defender for Cloud. This enables real time monitoring and reporting of threats/weaknesses with remediation steps automatically included. The Kubernetes cluster is monitored and automated alerting is configured throughout the deployed resources.

The application has been deployed using Microsoft documentation and industry best practice for securing web-based applications. 

Least privilege principles have been used throughout the deployment and access only given to those who need to access the admin backend resources. This is further backed up with admin staff only able to access the backend cluster via restricted virtual network access.

We have deployed FIPS 140-2 key vaults for database credential and certificate storage, the KV’s have no public interface access.

Databases are encrypted at rest with AES256 level encryption enabled, password hashing is also in use.

For portal and survey pages TLS is enforced.

Further information on Kubernetes security capabilities can be found here:

Azure Kubernetes Service (AKS) documentation | Microsoft Learn

SUB-PROCESSORS

A list of sub-processors used for Canvas can be found on our website here:

https://my-canvas.io/subprocessors