# Threat Management

NTT Data securely builds software by following the DevSecOps Software Development Life Cycle based on the following principles:

* Teams involved in the coding are trained on application security and secure coding practices at least annually, which includes
* The NTT Data EMEAL and NTT group cybersecurity teams are involved in the development to support eva's teams in security and vulnerability detection.
* eva's code has been developed using secure software development lifecycle (SSDLC) best practices. In particular, eva's team follows the OWASP testing methodology, covering security controls in the following areas: 1) Information gathering; 2) Data validation; 3) Configuration management; 4) Error handling; 5) Identity administration; 6) Cryptography; 7) Authentication tests; 8) Business logic; 9) Authorization tests; 10) Client tests; 11) Session management; 12) Web services.

### Penetration Testing <a href="#penetration-testing" id="penetration-testing"></a>

On at least an annual basis, eva undergoes professional penetration testing based on the OWASP Top 10. Management addresses all identified vulnerabilities within defined timeframes according to their severity level, which is determined using the Common Vulnerability Scoring System (CVSS).

### Vulnerability Scanning <a href="#vulnerability-scanning" id="vulnerability-scanning"></a>

On at least a monthly basis, eva executes a vulnerability scan to detect vulnerabilities in eva components and libraries. Infrastructure is also scanned and analyzed in real time with vulnerability management tools.

Static code analysis and dynamic scans are performed, along with manual security testing, whenever there are code changes. Our dedicated security engineers continuously work with the engineering teams to remediate the identified security issues.

Different Dynamic and Static Application Security Testing (DAST and SAST) tools are used to conduct these scans. **These tools may vary over time.**

All supported Docker images are periodically analysed for vulnerabilities in their dependencies. New images are generated when critical vulnerabilities affecting the product are detected.

#### Dynamic Application Security Testing (DAST) <a href="#dynamic-application-security-testing-dast" id="dynamic-application-security-testing-dast"></a>

A summary of the DAST test report can be provided under NDA.

#### Static Application Security Testing (SAST) <a href="#static-application-security-testing-sast" id="static-application-security-testing-sast"></a>

A summary of the SAST test report can be provided under NDA.
