Security Is Not Optional
Enterprise software handles sensitive data — employee records, financial transactions, medical information, customer PII. At Nexis Limited, security is built into every layer of our applications, not bolted on after development is complete.
Secure Development Practices
Code-Level Security
Nexis engineers follow secure coding practices by default:
- Input validation — all user input is validated and sanitized. We use Zod schemas for TypeScript and Go's strong typing to enforce data shapes at the boundary
- Parameterized queries — all database queries use parameterized statements, so user-supplied values are bound as data rather than spliced into SQL text, which prevents SQL injection
- Output encoding — all rendered content is properly encoded to prevent XSS attacks
- Dependency scanning — automated vulnerability scanning of all dependencies in CI pipeline using Trivy and GitHub Dependabot
Authentication & Session Management
- OAuth 2.0 / OpenID Connect — OAuth 2.0 for delegated authorization and OpenID Connect for authentication, the industry-standard protocols, used by all applications
- JWT with short expiry — access tokens with 15-minute lifespans, refresh tokens with secure rotation
- Multi-factor authentication — TOTP-based MFA available for all enterprise accounts
- Session invalidation — server-side session tracking enables instant revocation when needed
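How the 15-minute access token, refresh-token rotation and server-side revocation fit together, as an added example that is not Nexis code. It hand-rolls an HS256 JWT with Node's `crypto` module so it runs without dependencies; a production service should use a maintained JWT library. The 7-day refresh lifetime, the in-memory store and the "replay revokes the whole family" rule are assumptions for illustration.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

const ACCESS_TTL_SECONDS = 15 * 60;          // 15-minute access tokens (from the page)
const REFRESH_TTL_SECONDS = 7 * 24 * 3600;   // assumed refresh-token lifetime

function b64url(data: Buffer): string {
  return data.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64url(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

function sign(data: string, secret: Buffer): string {
  return b64url(createHmac("sha256", secret).update(data).digest());
}

interface AccessClaims { sub: string; iat: number; exp: number; }

function mintAccessToken(sub: string, secret: Buffer, nowSeconds: number): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const claims: AccessClaims = { sub: sub, iat: nowSeconds, exp: nowSeconds + ACCESS_TTL_SECONDS };
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  return header + "." + payload + "." + sign(header + "." + payload, secret);
}

// Returns the claims if the token is well-formed, signed with HS256 under
// `secret` and not expired; null otherwise. Any other `alg` is rejected.
function verifyAccessToken(token: string, secret: Buffer, nowSeconds: number): AccessClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const header = parts[0], payload = parts[1], sig = parts[2];
  let alg: unknown;
  try { alg = JSON.parse(fromB64url(header).toString("utf8")).alg; } catch (e) { return null; }
  if (alg !== "HS256") return null;
  const expected = Buffer.from(sign(header + "." + payload, secret));
  const given = Buffer.from(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let claims: AccessClaims;
  try { claims = JSON.parse(fromB64url(payload).toString("utf8")); } catch (e) { return null; }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  return claims;
}

// Refresh tokens are opaque random strings tracked server-side, which is
// what makes instant revocation possible. Each is single-use: redeeming it
// issues a new pair and marks the old one used; a second redemption is a
// replay and revokes every token in that login's family.
interface RefreshRecord { sub: string; family: string; exp: number; used: boolean; }

class RefreshStore {
  private records: { [token: string]: RefreshRecord } = {};

  issue(sub: string, family: string, nowSeconds: number): string {
    const token = b64url(randomBytes(32));
    this.records[token] = { sub: sub, family: family, exp: nowSeconds + REFRESH_TTL_SECONDS, used: false };
    return token;
  }

  rotate(oldToken: string, secret: Buffer, nowSeconds: number): { access: string; refresh: string } | null {
    const rec = this.records[oldToken];
    if (!rec || rec.exp <= nowSeconds) return null;
    if (rec.used) {                       // replay of an already-redeemed token
      this.revokeFamily(rec.family);
      return null;
    }
    rec.used = true;
    return {
      access: mintAccessToken(rec.sub, secret, nowSeconds),
      refresh: this.issue(rec.sub, rec.family, nowSeconds),
    };
  }

  // Server-side revocation: drop every refresh token belonging to a login.
  revokeFamily(family: string): void {
    Object.keys(this.records).forEach((t) => {
      if (this.records[t].family === family) delete this.records[t];
    });
  }

  isLive(token: string): boolean {
    const rec = this.records[token];
    return rec !== undefined && !rec.used;
  }
}
```

Revoking a family only stops new access tokens from being minted; an access token already issued stays valid until its 15-minute expiry, which is the reason the lifetime is kept short.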
Data Protection
- Encryption at rest — transparent data encryption (TDE) for databases, encrypted volumes for file storage
- Encryption in transit — TLS 1.3 for all communications, including service-to-service calls
- Key management — AWS KMS or HashiCorp Vault for cryptographic key management
- Data masking — sensitive fields are masked in logs, error reports, and non-production environments
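The data-masking control as it would look in a logging path: an added example, not Nexis code. The list of sensitive field names, the "last four digits visible" rule for account and card numbers, and the email rule are assumptions for illustration; the masking is applied to a deep copy so the original record is never altered.

```typescript
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Field names compared case-insensitively (assumed list for illustration).
const FULLY_MASKED = ["password", "ssn", "token", "secret", "apikey", "refreshtoken"];
const LAST_FOUR_VISIBLE = ["cardnumber", "accountnumber", "phone"];
const EMAIL_FIELDS = ["email"];

function stars(n: number): string {
  return new Array(Math.max(0, n) + 1).join("*");
}

function maskString(key: string, value: string): string {
  const k = key.toLowerCase();
  if (FULLY_MASKED.indexOf(k) !== -1) return "***";
  if (LAST_FOUR_VISIBLE.indexOf(k) !== -1) {
    // Keep the last four characters so support staff can still match a record.
    return stars(value.length - 4) + value.slice(-4);
  }
  if (EMAIL_FIELDS.indexOf(k) !== -1) {
    const at = value.indexOf("@");
    if (at > 0) return value.charAt(0) + stars(at - 1) + value.slice(at);
    return "***";
  }
  return value;
}

// Returns a masked deep copy. Nested objects and arrays are walked, and
// each string is masked according to the key it sits under.
function maskForLog(value: Json, key: string = ""): Json {
  if (value === null || typeof value !== "object") {
    return typeof value === "string" ? maskString(key, value) : value;
  }
  if (Array.isArray(value)) {
    return value.map((v: Json): Json => maskForLog(v, key));
  }
  const out: { [k: string]: Json } = {};
  Object.keys(value).forEach((k) => { out[k] = maskForLog(value[k], k); });
  return out;
}

// The one function an error handler or logger should call: everything
// that reaches a log line has passed through maskForLog.
function toLogLine(event: string, record: Json): string {
  return JSON.stringify({ event: event, data: maskForLog(record) });
}

// Constructed sample record, as it might appear in an error report.
const SAMPLE_RECORD: Json = {
  userId: 42,
  email: "alice@example.com",
  ssn: "123-45-6789",
  cardNumber: "4111111111111111",
  session: { token: "eyJhbGciOi-constructed", refreshToken: "r-constructed" },
  tags: ["vip", "eu-west"],
};
```

Masking by key name is the simple form; a stricter deployment also scans string values for patterns (card numbers, national IDs) so that a sensitive value stored under an unexpected key is still caught.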
Infrastructure Security
Security extends beyond application code to the infrastructure layer:
- Network segmentation — databases and internal services are not exposed to the internet; services communicate over VPC peering
- Container security — minimal base images, non-root users, read-only filesystems where possible
- Secrets management — no secrets in source code or environment variables; secrets are delivered through Kubernetes Secrets and external secret stores
- Image scanning — container images scanned for vulnerabilities before deployment
Security Testing
Nexis performs multiple layers of security testing:
- Static analysis (SAST) — automated code scanning for security anti-patterns
- Dynamic analysis (DAST) — runtime security testing against deployed applications
- Dependency auditing — continuous monitoring for known vulnerabilities in third-party packages
- Penetration testing — periodic manual security assessment for critical applications
Compliance Considerations
For clients in regulated industries, Nexis implements additional controls:
- Audit logging — immutable audit trails for all data access and modifications
- Data residency — geographical constraints on data storage location
- Access reviews — periodic review of user permissions and access patterns
- Data retention policies — automated data lifecycle management with configurable retention periods
Incident Response
Despite best efforts, security incidents can occur. Nexis maintains an incident response plan covering:
- Initial detection and containment
- Impact assessment and stakeholder notification
- Forensic investigation and root cause analysis
- Remediation and recovery
- Post-incident review and process improvement
Building security-sensitive software? Discuss your security requirements with the Nexis engineering team.