We release patches for security vulnerabilities. Which versions are eligible to receive such patches depends on the CVSS v3.0 rating:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Please report (suspected) security vulnerabilities to security@netskope.com. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
When we receive a security bug report, we will:
- Confirm the problem and determine the affected versions.
- Audit code to find any potential similar problems.
- Prepare fixes for all still-supported versions.
- Release new versions of all supported packages.
- Announce the problem on our security mailing list.
If you have suggestions on how this process could be improved, please submit a pull request.
- Never commit API keys to source control
- Rotate API keys regularly
- Use environment variables for sensitive data
- Implement key expiration
- Monitor key usage
Example:
```ts
// Bad: a live key committed to source ends up in every clone and in git history.
const API_KEY = "sk_live_123...";
```
```ts
// Good: read the key from the environment and fail fast at startup if it is missing.
const API_KEY = process.env.NETSKOPE_API_KEY;
if (!API_KEY) {
  throw new Error("NETSKOPE_API_KEY environment variable is required");
}
```
- Validate all input parameters
- Use TypeScript types and Zod schemas
- Sanitize user input
- Implement request rate limiting
- Add request size limits
Example:
```ts
import { z } from "zod";

// Schema for a publisher object; parse() rejects anything outside these bounds.
const PublisherSchema = z.object({
  name: z.string()
    .min(1)
    .max(64)
    // Hyphen placed last so it is a literal, not a range
    .regex(/^[a-zA-Z0-9_-]+$/),
  description: z.string().optional(),
  enabled: z.boolean().default(true)
});

// Static type derived from the runtime schema, so the two cannot drift apart
type Publisher = z.infer<typeof PublisherSchema>;
```
- Don't expose internal errors
- Log security events
- Implement proper error responses
- Use custom error types
- Add error tracking
Example:
```ts
// Custom error type carrying a machine-readable code and an HTTP status,
// so handlers can respond without leaking the internal message.
class SecurityError extends Error {
  constructor(
    message: string,
    public code: string,
    public statusCode: number = 403
  ) {
    super(message);
    this.name = "SecurityError";
  }
}

// `logger` is the application's structured logger (defined elsewhere).
try {
  // Operation that might fail
} catch (error) {
  if (error instanceof SecurityError) {
    logger.error("Security violation", {
      code: error.code,
      message: error.message
    });
    // Handle security error: respond with error.statusCode and error.code only
  }
  // Handle other errors: log details server-side, return a generic response
}
```
- Use secure session management
- Implement proper access controls
- Add request signing
- Use secure headers
- Enable audit logging
Example:
```ts
// Express-style request: headers are a plain object keyed by lower-cased name.
// `validateSignature` is the application's HMAC check (defined elsewhere).
async function validateRequest(req: Request) {
  const apiKey = req.headers["x-api-key"];
  if (!apiKey) {
    throw new SecurityError(
      "Missing API key",
      "MISSING_API_KEY"
    );
  }
  // Presence only; the key itself is verified against the key store elsewhere.
  const signature = req.headers["x-signature"];
  if (!signature) {
    throw new SecurityError(
      "Missing request signature",
      "MISSING_SIGNATURE"
    );
  }
  if (!validateSignature(req.body, signature)) {
    throw new SecurityError(
      "Invalid request signature",
      "INVALID_SIGNATURE"
    );
  }
}
```
- Use HTTPS for all requests
- Implement proper data encryption
- Add secure headers
- Enable audit logging
- Implement data retention policies
Example:
```ts
import { createHash } from "crypto";

// One-way digest for data that only needs to be matched, never recovered.
// Note: a plain SHA-256 of low-entropy input (e.g. an email address) can be
// brute-forced from a digest; use a keyed HMAC or encryption where the value
// must stay confidential.
function hashSensitiveData(data: string): string {
  return createHash("sha256")
    .update(data)
    .digest("hex");
}

const sensitiveData = "user-data";
const hashedData = hashSensitiveData(sensitiveData);
```
- Use HTTPS
- Enable CORS properly
- Set secure headers
- Implement rate limiting
- Add IP filtering
Example:
```ts
import express from "express";
import helmet from "helmet";
import rateLimit from "express-rate-limit";

const app = express();

// Sets security headers (CSP, HSTS, X-Content-Type-Options, ...)
app.use(helmet());
app.use(rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
}));
```
- Keep dependencies updated
- Use dependency scanning
- Implement lockfiles
- Review security advisories
- Use trusted packages
Example:
```json
{
  "scripts": {
    "audit": "npm audit",
    "outdated": "npm outdated",
    "update": "npm update",
    "security-check": "npm run audit && npm run outdated"
  }
}
```
- Use TypeScript with strict mode
- Implement proper error handling
- Add input validation
- Use secure dependencies
- Enable linting rules
- Validate API keys
- Implement rate limiting
- Add request signing
- Use HTTPS
- Enable CORS properly
- Encrypt sensitive data
- Implement access controls
- Add audit logging
- Use secure headers
- Set up monitoring
- Add security tests
- Test error cases
- Validate input handling
- Check rate limiting
- Test authentication
Please contact us at security@netskope.com for any security-related questions or concerns.