ISMS Compliance
CyFun Basic / Detect

DE.CM-4: Malicious code detection

Malicious code is detected

DETECT · DE.CM-4 · Key Measure

Requirement

Anti-virus, anti-spyware, and other anti-malware programs shall be installed and updated.

Our Implementation

Malicious code detection is addressed through multiple layers:

  • Vulnerability scanning: Aikido provides continuous security scanning including static application security testing (SAST) and software composition analysis (SCA), monitoring application code and dependencies for known vulnerabilities
  • Dependency monitoring: All application dependencies are tracked for CVEs through Aikido's automated scanning pipeline
  • Managed service security: Cloud providers (Supabase, Vercel, Modal, Cloudflare) operate their own malware detection and prevention on their infrastructure
  • Source code security: GitHub provides secret scanning and dependency alerts (Dependabot) on repositories

Gaps / Planned improvements:

  • No dynamic application security testing (DAST) — planned before onboarding enterprise customers (NEX-350)
  • Endpoint anti-malware under evaluation (NEX-372) — mitigated by cloud-native architecture and provider-managed infrastructure security
  • No penetration testing conducted to date (NEX-350)

Evidence

Implemented · L2 — Repeatable
