Blog

Lightbend achieves SOC 2 compliance

Written by Michael Nash | Nov 1, 2022 7:00:00 AM

In his recent blog, Jonas Bonér, CEO & CTO at Lightbend, discussed the new features, functionality and security updates in the Akka 22.10 release. He also highlighted that Akka is now being developed and maintained in a SOC 2-compliant environment.

In this blog, I will delve into what SOC 2 means for our customers as well as provide insight into the Information Security program that is actively in place ensuring our customers can rely, with confidence, on Lightbend’s entire software supply chain for security and compliance.

SOC 2 compliance means Lightbend customers can rely on Akka as a part of security-sensitive systems and in environments that require compliance throughout their whole supply chain. Highlights of this overall program include:

  • Each change to Akka now follows a change control process that ensures a review of each change for security impact, individually and in combination with all other changes.
  • We scan continuously for known vulnerabilities, and each vulnerability discovered must be addressed before the next release. If vulnerabilities are discovered after a release, a notification to all customers is sent to advise and supply mitigation, while we work to produce a new point release addressing the vulnerability.
  • We track and verify every dependency of Akka to provide a fully-vetted software bill-of-materials through every level of dependency.
  • Akka is scanned continuously for potential source-level patterns that could be a potential security issue, via the Fortify plugin that Lightbend authored, and any such patterns are immediately addressed if found.

On top of these technical procedures, our Information Security program also provides policies around access control. This includes:

  • Source code access
  • Use of third-party providers (e.g. Lightbend’s vendors)
  • Vetting and training of our team
  • Information handling procedures that ensure a complete environment that supports security, confidentiality, and availability

In addition to SOC 2, we are also compliant with the EU’s GDPR, as well as CCPA, and all major portions of ISO27001.

Lighbend has always taken our customers' security seriously. This is one of the many reasons we have been trusted by customers in the financial services industry for years, and we will continue to expand and evolve our InfoSec program to meet the changing needs of our customers.
View full post