Security

The measures we take to ensure your data is safe and secure.

We firmly believe in “eating our own dog food.” Just as our customers use a variety of tools, processes and technologies to help secure and control their environment, we do much the same here. Of course, at the center of our vulnerability intelligence is our own instance of Risk I/O. While Risk I/O serves as the centerpiece of our vulnerability intelligence, we recognize the need for a defense-in-depth approach to our overall security architecture. We were founded by a former CISO, after all.

Eating our own dog food is more than just a saying for a marketing document. Not only do we use Risk I/O to manage our vulnerabilities, we give our clients read access to our account. We understand the trust our customers place in our services and are committed to transparency in our controls.


Risk I/O Application Security

We employ a full suite of secure software development activities and controls. This starts with the design of our applications in a three-tiered Model-View-Controller architecture.

We carefully segment each of these technology layers via network and access controls. Within the code itself, our development teams leverage as many of the security functions made available by the Rails framework as possible. All of our developers use the OWASP secure coding guide, cheat sheets and relevant technology-specific guidelines such as the OWASP Rails Security Guide. Our code is tested via static analysis and black-box scanning prior to being deployed to our production environment.

In addition to our secure development activities, Risk I/O deploys a number of controls to protect the confidentiality and integrity of our customers and their data. Some of these controls include but are not limited to:

  • Data at rest encrypted using AES-256
  • User passwords stored as a one-way salted hash
  • Centralized logging and alerting
  • All network traffic encrypted via SSL and SSH
  • All application traffic over SSL/TLS
  • Three-tiered architecture, compartmentalized and firewalled

Data Center Operations: Physical and Environmental Controls

Our data center operations provider maintains a SOC 2 certification which we can provide on request. This detailed report provides our customers with insight into the physical and environmental controls within the data center. ALL CUSTOMER DATA IS STORED WITHIN THIS FACILITY.


Risk I/O Design and Development

At Risk I/O we take the security and privacy of your data very seriously. We make every effort to help ensure that your data stays protected whenever you use our products or services. The summarized list below describes some of the key ways in which the Risk I/O service has been designed and developed to better protect your data.

Design

  • Defense in Depth design
  • Secure Defaults design
  • Reduced Attack Surface design
  • Non-repudiation design
  • Automated data protection for data at rest
  • Automated data protection for data in transit
  • Automated data expiration and availability

Testing

  • Self code review using expert manual techniques and automated code analysis tools
  • Automated functional and security test suite to help ensure high code quality and prevent regressions

Maintenance

  • Security patches deployed within 24-48 hours of public release and verification testing
  • Regular vulnerability scanning using proprietary, commercial and open-source tools
  • Full vulnerability management and remediation via Risk I/O instance
  • Regularly scheduled self-penetration testing

Development

  • Standard FIPS-approved encryption algorithms and implementations
    • AES 256-bit for symmetric encryption processes
    • Variable-length RSA encryption for asymmetric encryption processes
    • SHA-512 for internal/core data integrity checking
  • Mandatory input validation for all untrusted inputs with a definable format, length, type and range. Where that is not possible, we mitigate the risk with another remediation appropriate to the risk (parameterized stored procedures, encoding, etc.)
  • Parameterized stored procedures for all calls to database backends
  • Data encoding for all untrusted inputs using standard libraries
  • Generic exception handling to help prevent information disclosure attacks
  • 100% managed code to reduce risk from common attacks associated with non-managed languages, such as buffer overflows
  • Anti-recovery techniques to help prevent malicious recovery of deleted data

Deployment

  • Least privilege deployment for both front and backend services
  • Generic exception handling to help prevent information disclosure attacks
  • Built-in platform protection, in addition to implementation controls, to reduce risk from common web-based threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Automatic session expiration after a certain period of inactivity
  • Firewall that restricts network access to only the necessary ports


Security Research and Disclosure Process

The Risk I/O bug bounty program is managed through Bugcrowd. To see the terms of the program and participate, go to https://bugcrowd.com/portal/bounties/riskio and sign up as a tester. You will need to accept the Risk I/O terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.