Every Sitefinity release goes through at least one Veracode scan, including both static and dynamic code analysis. Veracode reports are not publicly available as per internal guidelines.
The entire cloud infrastructure is continuously monitored by the Sitefinity Security team. The main goal is to maintain the highest possible security level.
Customers are welcome to do their own security testing as well. In fact, considering how frequently Sitefinity is extended and customized, customers are strongly advised to perform continuous security checks of the entire project.
Sitefinity Cloud is based on Azure and Cloudflare services. The services are set up according to the best security practices, fully compliant with Azure CIS 1.1.0. Moreover, the setup is regularly monitored by the Azure Security Center and recommendations are rigorously addressed and applied. Sitefinity Cloud leverages Azure PaaS services that are directly patched and updated by Microsoft, making sure that all security updates are always applied in a timely manner.
More information on the setup of individual services can be found in the following article: https://www.cisecurity.org/benchmark/azure/. A suite of services are used in Cloudflare that actively monitor and prevent attacks, including WAF, DDoS Protection, Rate Limiting and Bot Management: https://www.cloudflare.com/en-au/security/.
In addition, the Sitefinity Web Security module is enabled on all Sitefinity Cloud projects, enforcing strict security headers for all requests: https://www.progress.com/documentation/sitefinity-cms/web-security-module