betta_security_report.md

File metadata and controls

76 lines (59 loc) · 4.6 KB

Security & Trust

For the app's live deployment, we have considered a range of security features
to ensure that users can interact with the app safely.

Each user will need their own account, secured by a password that only the user knows.
These passwords will be stored in our database only in hashed form.

This means that only the account holder can access their account, which prevents other users from impersonating them.

All traffic will be end-to-end encrypted,
and we have an automatic logout feature to protect users when their accounts appear to be unattended.

When the app is hosted on Render, all of the security areas listed below are continuously monitored by Render.

  1. Secure Infrastructure
  2. Encryption
  3. Continuous Security
  4. IT Controls
  5. Vulnerability Disclosure Program
  6. DDoS Protection
  7. Penetration Tests
  8. Render Security Features
  9. Physical Security
  10. GDPR

At Acebook, we take security seriously and believe in a holistic approach across many different areas.
Below, we have highlighted a number of the areas on which Render focuses its effort and which it constantly monitors.

  1. Secure Infrastructure
    Render's platform is built with security at top of mind to reduce the amount of toil we would typically have to shoulder if we were instead using an Infrastructure as a Service (IaaS) solution.
    Render will be continuously monitoring and validating our infrastructure against best practices to ensure that we are continuously meeting our security and reliability requirements.

  2. Encryption
    Render encrypts all sensitive data, both at rest and in transit. The underlying services automatically use industry standard AES-256 encryption for storage.
    All endpoints support TLS 1.2 and above for encryption in transit with an A+ grade from SSL Labs.

  3. Continuous Security
    Render focuses on continuous maintenance and monitoring of their security posture from code development through to production deployment.
    Render implements multiple security controls, including source code review; vulnerability scanning of libraries,
    source code and infrastructure; and continuous monitoring of all cloud providers and assets.

  4. IT Controls
    Render relies on Google Workspace Business Apps for email, documents,
    and calendaring and they have implemented industry-standard practices including enforcing multi-factor authentication (MFA).
    Render uses MFA to protect all accounts on internal applications and third-party services such as cloud providers.
    Before Render adopts any new service or vendor, they vet them for security using a documented approval process.
    Render maintains key IT policies and baseline standards to ensure that all IT devices and services meet their security standards at deployment time,
    and remain tracked and secure throughout their service life.

  5. Vulnerability Disclosure Program
    Render has partnered with HackerOne to maintain a private vulnerability disclosure program. All reports are triaged by HackerOne and are then forwarded on to the Render team as appropriate.

Submit a report with HackerOne: https://hackerone.com/bde6ea21-8984-4f4c-89ca-55cc309228d2/embedded_submissions/new

  6. DDoS Protection
    Render has partnered with Cloudflare for DDoS protection. "Cloudflare's 142 Tbps network blocks an average of 117 billion threats per day,
    including some of the largest DDoS attacks in history."

  7. Penetration Tests
    Render undergoes annual third-party application and network penetration tests with top-tier independent firms. Their tests cover the primary services that Render deploys, and as Render hosts its own services on Render, its customers, including Acebook, benefit from all improvements it makes.

  8. Render Security Features
    Render has built in a number of security features that it encourages its customers, including Acebook, to take advantage of.
    From multi-factor authentication to private URLs to automatically redirecting HTTP requests to HTTPS requests,
    Render has built in core features that we believe are table stakes for a PaaS provider.

  9. Physical Security
    Render has partnered with multiple underlying cloud providers that take physical security seriously and have the attestations to back it up.
    All vendors are reviewed for their commitment to security, from their physical to their virtual controls.

  10. GDPR
    We take security seriously. Render offers a standard data processing agreement that meets international privacy requirements, including GDPR.
    They are happy to share more about how data is processed on Render.