Ensuring trust: Navan's secure approach

To ensure the continued security of its applications, Navan’s comprehensive Application Security program is intricately involved and integrated with its Secure Software Development Life Cycle (SDLC) process. The security team collaborates closely with the development team to incorporate security measures at every step of the SDLC, including annual penetration testing and regular application security testing as part of the CI/CD pipeline. Navan's website, microservices, and Application Programming Interfaces (APIs) regularly undergo vulnerability and penetration testing, security scans, threat detection, and security assessment testing conducted by cybersecurity professionals.

Navan's detection and response team is dedicated to threat-detection engineering, vulnerability management, incident response, and crisis communication management. Navan vigilantly monitors its production environments to identify and address any vulnerabilities that might compromise data security. Our comprehensive incident response plans and playbook ensure that security events are managed promptly and effectively, minimising impact and allowing business operations to return to normal swiftly. 

Navan's platform and applications are hosted in AWS cloud data centres located across multiple regional availability zones. Our strategy for securing customer data leverages robust AWS security features, including Virtual Private Clouds (VPCs), Security Groups, the AWS Key Management Service (KMS), and more. AWS data centre facilities employ innovative secure architectural engineering methodologies, which are directly incorporated into the Navan platform and infrastructure.

Navan has established detailed operating policies, procedures, and processes designed to manage the overall quality and integrity of our environment effectively. We actively monitor network activity for anomalies 24/7 and respond to security events within minutes. In addition, we've implemented proactive security measures, including perimeter defence and network intrusion prevention systems (IPSs). These IPSs monitor critical network segments for atypical network patterns in the customer environment, as well as traffic between different service tiers.

We consider our employees to be our first line and strongest defence against cyber threats. Our team receives regular training and updates on security education and best practices to drive awareness, reduce risk, and remain vigilant against potential threats. Ongoing application security training is mandatory for our developers, and Navan adheres to a multitude of industry best practices and recommendations, including those from the Open Web Application Security Project (OWASP) and other industry-standard control systems.

Navan transfers clients' data using multi-layered security mechanisms, fortified networks, and Transport Layer Security (TLS) encryption for data 'in transit'. For sensitive data 'at rest' in storage, we utilise Advanced Encryption Standard (AES), the current industry standard for modern commercial business applications. We regularly review and update our encryption protocols, ensuring they continue to meet industry standards and effectively counter the latest encryption-breaking tactics.