Organization Information

Legal company name: Invisible Software

Number of employees: 10

Describe the type(s) of services offered: Platform as a Service, primarily focused on Elixir applications.

Name/Title of Employee with Security Officer Role: Tim Knight, CTO

Is your organization GDPR compliant?: Yes

Detailed Security Assessment Q&A

  1. Customer Data and Source Code Backup Process

    1. Q: Is customer data encrypted at rest?
      A: Yes. All customer data is encrypted at rest.
    2. Q: How frequently is customer data backed up?
      A: Databases are backed up daily with 7-day retention.
      1. Q: Is customer backup encrypted?
        A: Backups are encrypted.
    3. Q: How frequently is the source code for your application backed up?
      A: The source code for Gigalixir is housed in GitHub. We keep clones of the repos on external servers.
  2. Two-factor Authentication

    1. Q: Is MFA enabled for all Admin Accounts?
      A: Yes
    2. Q: Is MFA enabled for VPN Access?
      A: We do not employ VPNs; we utilize other forms of proxied connection (e.g. SSH, Cloud SQL Proxy) to ensure secure connections.
  3. Administrative Privileges

    1. Q: What % of Users have Administrative Rights to your infrastructure?
      A: It is a little hard to describe administrative rights when we use the principle of least privilege. We have one user that has access to everything. That user has strict password policies, 2FA wherever possible, and regular rotation of passwords.
    2. Q: Do you employ the principle of least privilege within your org? Describe.
      A: We heavily use service accounts/IAM policies to limit app-to-app access to only what is necessary. Engineers on our staff are not granted carte blanche access to systems; oftentimes they only get access to staging environments.
  4. New System Deployment Process

    1. Q: Are default passwords changed?
      A: Yes
    2. Q: How is the system image hardened?
      A: We regularly monitor for available dependency updates. System images are only created by a small, security-minded team.
  5. Software Development Lifecycle

    1. Q: How do you test new code before it is deployed?
      A: We have extensive unit tests and E2E test systems. Many of the tests are centered around security, authentication, and authorization.
    2. Q: Describe how the new source code is approved before being released.
      A: We have code reviews at the team level. Unit tests are performed. Where possible we have staging environments that code is deployed to and tested. The staging environments are not open to the public. E2E tests are run against staging environments when possible. After deploy, E2E tests are conducted on production.
  6. Network Segmentation

    1. Q: Are production and staging environments separated?
      A: Yes. We have separate projects/environments for staging.
  7. Software and Hardware Inventory

    1. Q: Who manages software and hardware purchasing?
      A: The CTO
    2. Q: How are software and hardware inventoried?
      A: All of our “hardware” is in the cloud, apart from personal workstations. Workstations of engineers run the latest LTS software and are updated regularly.
    3. Q: Do new software and hardware purchases require approval?
      A: Yes.
  8. Anti-malware Solution

    1. Q: Do you use a centrally managed anti-malware solution? Which one?
      A: No. Our engineers are all on Linux and utilize open-source solutions for this.
    2. Q: How often is the anti-malware signature updated?
      A: N/A
  9. Information Classification and Handling Policy

    1. Q: Do you maintain an information Classification and Handling Policy?
      A: No
  10. Man in the Middle Prevention

    1. Q: Do you prevent Man-in-the-Middle attacks? How?
      A: Yes. We use end-to-end encryption on all communications, 2FA where possible, and host identification keys.
  11. Patch Management

    1. Q: How are patches managed for open-source software utilized?
      A: We deploy updates to our open-source software regularly. On workstations, updates are performed regularly as well.
    2. Q: Describe how often you apply and verify high-risk security patches.
      A: Patches are applied at least monthly, usually more often.
  12. Email Protection

    1. Q: Do you disable email client plugins?
      A: Yes.
    2. Q: Do you sandbox email attachments?
      A: No.
    3. Q: Do you block unnecessary files in email?
      A: No.
  13. Security Awareness Training Program

    1. Q: Do you have a Security Awareness Program (e.g., on the OWASP Top 10)?
      A: No.
    2. Q: How is Security Awareness Training completed?
  14. DNS Filtering

    1. Q: Do you employ DNS Filtering (describe)?
      A: No.
  15. Workstation Configuration

    1. Q: Is Removable Media Disabled for Developer Machines?
      A: No.
    2. Q: Is Auto-Run configuration disabled?
      A: No.
  16. Authentication Log Management

    1. Q: Do you log admin access to production systems?
      A: Yes.
    2. Q: Do you log unsuccessful login attempts?
      A: Yes.
  17. Vulnerability Disclosure Program

    1. Q: Do you have a Vulnerability Disclosure Program?
      A: No.
  18. Incident Response Plan

    1. Q: Do you have an Incident Response Plan?
      A: We have one in the works, but not a complete plan as of yet.
    2. Q: When was the plan last tested (tabletop exercise)?
  19. Configuration Deployment (Ansible / Chef / etc)

    1. Q: How is a new server configuration deployment managed?
      A: Terraform.
  20. Network Exposure

    1. Q: Frequency of Port or Vulnerability Scans
      A: N/A
    2. Q: Do you utilize intrusion detection/prevention systems?
      A: Yes.
    3. Q: Do you require a strength of at least AES 256 or TLS 1.2 or greater?
      A: Yes.
  21. Data Loss Prevention

    1. Q: Do you have a Data Loss Prevention Policy?
      A: No.
  22. Penetration Testing

    1. Q: When was the last Pen Test performed?
      A: No.
  23. Security Incident Management Plan

    1. Q: Do you maintain a Security Incident Management Plan?
      A: No.
    2. Q: Do you test incident reporting, analysis, and remediation?
      A: No.
  24. Host Hardening

    1. Q: Do you maintain a host hardening policy for VMs and containers (describe)?
      A: VM and container updates are performed regularly. They are given least privilege to outside resources. Firewalls are configured for least access, generally requiring a proxied connection to access them.
  25. Disaster Recovery Testing

    1. Q: Do you maintain a procedure for disaster recovery (describe)?
      A: Not at present.
    2. Q: How often do you test your disaster recovery process?
  26. Event Logging

    1. Q: Do you maintain a system for logging security events (describe)?
      A: We are standing up a SIEM, but at the moment we do not have a system solely dedicated to logging security events.
    2. Q: Do you maintain a system for logging exceptions or other application errors (describe)?
      A: Yes. We use exception loggers like Rollbar, application logging in Google Cloud, and various other metrics.

General Questions:

Is the database encrypted at rest?
Our standard tier databases are encrypted at rest. The free tier databases are not, as they are not intended to be used for production purposes.

Is the environment multitenant with your other customers within a single VPC?
Yes, it is as you describe. We have had some customers inquire about dedicated resources/VPC, but no one has been willing to pay the extra cost for it.

Is the environment protected by a web application firewall?
Not by default. Some customers set up a WAF in front of their applications.

We’re in the process of preparing for a SOC 2 audit. Do you have any other customers that have undergone a SOC 2 audit?
Unfortunately, SOC 2 reports/audits are prohibitively expensive for a company of our size.

In the past decade, we’ve set up conference calls to share the security measures we take both technically and personally with the other companies that requested a SOC 2 report to help satisfy that requirement for either a security audit or bureaucratic paperwork hurdle.

Those discussions allowed multiple companies in the Fortune 50 to sign off on our security procedures and processes and integrate Gigalixir into their most secure environments.

We’re trying to get ahead of any objections the auditor may have around using a third-party PaaS. Does Gigalixir have a SOC 2 (or similar) certification?
For our privacy policy and data protection, please find that on our website here. We can also provide a signed DPA if you need data processor agreements for your records.

As we get further along in our SOC 2 audit, any critical partner (such as Gigalixir) that is not SOC 2 audited will need to fill out a security questionnaire. Have you completed these in the past?
Yes. Just send it along when they send it to you and give me a little time to tackle it.