Policies and legal docs

We take security very seriously — isn't that what everybody is saying? It's our business to keep your business online, and security is a crucial part of this. But this is not only about what we do; it's also about you, since we are in it together!

The source of this document is here: github.com/fortrabbit/legal/blob/master/security-measures.md.

Security measures of fortrabbit

last reviewed on June 1st, 2018

It's our duty to keep the infrastructure secure. While we don’t like to expose too much detail — as secrecy is part of security — the following technical and organizational measures may give you some confidence:

Service scope

fortrabbit provides a self-service hosting platform, granting clients access to technical systems to deploy and run PHP code. Clients can store data on a file system and in databases. Think of fortrabbit as a meta-hosting service, or something like middleware.

Data centers

fortrabbit's physical infrastructure is hosted and managed within Amazon's secure data centers on Amazon Web Services (AWS) technology. These data centers are certified under a number of security standards, including:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

AWS enforces a high level of physical security to safeguard its data centers, with military-grade perimeter controls and security staff at all points of ingress. As for environmental protection, AWS has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units and high-end climate control systems to provide an optimal working environment for the hardware. For a more in-depth view, we refer you to the AWS Security Center.

SysOps

A multi-tier security strategy is employed. On the inside, each Node is built around a hardened Linux kernel, which enforces strong privilege and resource separation at the OS level. All operating systems and software components are kept up to date.

At the next tier, the Apps on a Node run in isolated containers, which provide logical separation between Apps. Each App runs within its own isolated environment and cannot interact with other Apps or other areas of the system. In addition, the container technology allows hard resource capping, which reduces the noisy-neighbor effect of shared environments to a minimum. The setup is designed so that resources can be isolated or boosted quickly.

Penetration testing

Third party security testing is performed by independent security researchers at irregular intervals. Findings from each vulnerability assessment are reviewed with the assessors, risk ranked and resolved swiftly.

Abuse monitoring

User and system activity is monitored for signs of abuse — by algorithms and humans.

Firewalling

On the outside, network firewalling and hardened TCP/IP stacks are used to mitigate resource-exhaustion attempts. Sniffing and spoofing attacks are prevented by the underlying infrastructure.

By default, outgoing traffic is blocked on all ports except the standard ones. Clients can request that a port range be whitelisted.

Dashboard

All communication with the Dashboard is encrypted via TLS. Users are logged out automatically after a period of inactivity. Dangerous actions require re-authentication. Two-factor authentication (2FA) is available.

Credit card security

A PCI Level 1 compliant provider for processing credit card payments is used. Security policy reviews are executed on a regular basis.

Internal protocols

All employees are trained in security best practices, including how to recognize social engineering, phishing scams and other hacking attempts. All employees undergo criminal history and credit background checks prior to employment. All employees agree to privacy safeguard policies outlining their responsibility in protecting client data.

Binding internal security policies that are evaluated on a regular basis are in place. It is regularly checked whether all responsibilities have been clearly assigned and that they are practicable. There are documented rules and contingency plans.

The computer systems of employees are secured by encrypted file systems and password authentication.

Access control

All server access is granted per person with minimum rights and takes place over encrypted channels and protocols. SSH access for clients is "jailed", with outbreak prevention. Access by the contractor's (fortrabbit's) employees is only via key-pair authentication and, where possible, multi-factor authentication.

Cryptography

All sensitive access data is stored "hashed + salted". Asymmetric encryption and AES (Advanced Encryption Standard) encryption are used.
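What "hashed + salted" storage of a credential looks like in practice, as an added example in PHP (not fortrabbit's code): password_hash() generates a random salt per password and embeds the salt, the algorithm and the cost in the stored string, so verification needs no separate salt column and old hashes can be upgraded transparently. The function names hashCredential and verifyCredential are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not fortrabbit's code: "hashed + salted" credential storage
// with PHP's password_hash()/password_verify(). Each call to password_hash()
// draws a fresh random salt, so two hashes of the same password differ.

/** Hash a freshly chosen password for storage. Returns the encoded hash string. */
function hashCredential(string $password): string
{
    // Prefer Argon2id where the PHP build supports it; otherwise bcrypt
    // (PASSWORD_DEFAULT). Never build the hash yourself from md5/sha1 + a static salt.
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    return password_hash($password, $algo);
}

/**
 * Verify a login attempt against the stored hash. Returns null on failure, or
 * the hash to keep in the database: the old one, or a rehash if the stored
 * one used weaker parameters than we want today.
 */
function verifyCredential(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;  // wrong password; password_verify uses a timing-safe comparison
    }
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    // Transparent upgrade: rows hashed with older parameters are rehashed on the
    // next successful login, when the plaintext is briefly available.
    return password_needs_rehash($storedHash, $algo) ? password_hash($password, $algo) : $storedHash;
}

// Constructed usage with a dummy password (no real credential):
$stored = hashCredential('correct horse battery staple');
// Same password, different salt, different hash.
assert($stored !== hashCredential('correct horse battery staple'));
assert(verifyCredential('correct horse battery staple', $stored) !== null);
assert(verifyCredential('wrong password', $stored) === null);
```

The caller writes the returned hash back to the database whenever it differs from the stored one; that is the whole upgrade path, and the plaintext password is never stored.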

Supplier relationships

All subcontractors are vetted for privacy and security suitability. Appropriate contractual terms are in place.


Do you like our policies, or wonder about changes, or found a typo? See the fortrabbit legal repo on GitHub.

Your duties

You are liable for the code you write and use. Please consider:

Secure your code

Make sure to follow common security guidelines. It's good practice to perform a security check against the most common attack vectors before going live. The OWASP Cheat Sheets describe how to prevent the most common attacks before they can start.

Stay up-to-date

Frequently update the third-party libraries you use. It is your responsibility to apply patches for security vulnerabilities in the software you install and use. An outdated framework or CMS installation puts your project at great risk of being hacked. Composer makes updating easy for modern frameworks.

Our advice

Don't expose secrets

Best practice for security and portability is to keep secrets such as database passwords out of your code and read them from our App Secrets or ENV vars instead (as long as those are not exposed either, for example through phpinfo() or a debug page).

Encrypt secrets

Don't store sensitive information in plain text in the database; store it as ciphertext, with the encryption key kept outside the database.
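The two pieces of advice above, "Don't expose secrets" and "Encrypt secrets", fit together: the key comes from an ENV var and the database column holds only authenticated ciphertext. The following is an added example in PHP, not fortrabbit's code. The ENV var name APP_ENC_KEY and the class FieldCrypto are this example's own assumptions, and it uses the bundled sodium extension's secretbox (authenticated encryption) rather than raw AES.

```php
<?php
declare(strict_types=1);

// Added example, not fortrabbit's code. The key lives in an ENV var (assumed
// name APP_ENC_KEY, holding a base64-encoded 32-byte key); the database gets
// only nonce || ciphertext. Requires the sodium extension (bundled with PHP >= 7.2).

final class FieldCrypto
{
    private string $key;

    public function __construct(string $envVar = 'APP_ENC_KEY')
    {
        // Fail closed: no key means no startup. Never fall back to a key in code.
        $encoded = getenv($envVar);
        if ($encoded === false || $encoded === '') {
            throw new RuntimeException("$envVar is not set");
        }
        $key = sodium_base642bin($encoded, SODIUM_BASE64_VARIANT_ORIGINAL);
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException("$envVar must decode to " . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->key = $key;
    }

    /** Encrypt one field value; the result is what goes into the DB column. */
    public function encrypt(string $plaintext): string
    {
        // Fresh random nonce per value: not secret, but it must never repeat for one key.
        $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = sodium_crypto_secretbox($plaintext, $nonce, $this->key);
        // Store nonce || ciphertext, base64-encoded so it fits a plain text column.
        return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_ORIGINAL);
    }

    /** Decrypt a stored value; throws if the row was tampered with or the key is wrong. */
    public function decrypt(string $stored): string
    {
        $raw = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
        $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if (strlen($raw) < $min) {
            throw new RuntimeException('stored value too short to be a valid ciphertext');
        }
        $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $this->key);
        if ($plain === false) {
            // secretbox is authenticated: a flipped byte or a wrong key is detected here.
            throw new RuntimeException('decryption failed: wrong key or tampered data');
        }
        return $plain;
    }
}

// --- Constructed demo ---------------------------------------------------------
// Generate the key once, out of band, e.g.:
//   php -r 'echo sodium_bin2base64(sodium_crypto_secretbox_keygen(), SODIUM_BASE64_VARIANT_ORIGINAL);'
// and store the output as an App Secret / ENV var. putenv() below only stands in
// for that so this file runs stand-alone; do not set the key from code in production.
putenv('APP_ENC_KEY=' . sodium_bin2base64(sodium_crypto_secretbox_keygen(), SODIUM_BASE64_VARIANT_ORIGINAL));

$crypto = new FieldCrypto();
$stored = $crypto->encrypt('DE123456789');   // e.g. a customer's tax ID (made-up value)
assert($crypto->decrypt($stored) === 'DE123456789');

// Tampering with the stored blob is detected instead of silently returning garbage.
$raw = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    $crypto->decrypt(sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_ORIGINAL));
    assert(false, 'tampered ciphertext must not decrypt');
} catch (RuntimeException $e) {
    // expected
}
```

The encrypted string is written to the database through an ordinary prepared statement like any other column value; rotating the key means decrypting with the old key and re-encrypting with the new one, which is why the key is read from the environment rather than baked into the code or stored next to the data.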

Use safe passwords

The password you use to log in to the fortrabbit Dashboard is a master password. Use a password manager or a passphrase. Don't share your Account password; use the collaboration features instead.

Enable 2FA

Enable two-factor authentication (2FA) for your fortrabbit Account. You can do so in the Dashboard. You'll need an extra device such as a smartphone and an authenticator app that generates time-based one-time passwords (TOTP).

Access code securely

Don't use username/password authentication for SSH access; store your public SSH key with your fortrabbit Account instead.

Rotate passwords

You can reset the fortrabbit service passwords for MySQL and Object Storage for each App in the Dashboard. It is recommended to reset those passwords periodically and whenever a Company member leaves. Also revisit your list of SSH keys from time to time and keep it as short as possible: only keep the keys you are really using.