Security
Security Is Built Into Our DNA - For Peace of Mind
As a software security provider, AttackForge is committed to providing highly secure and reliable software for our customers. AttackForge Enterprise Cloud deployment option is built on Microsoft Azure (Azure) and MongoDB Cloud (Mongo) compute and storage ‘As-a-Service’ technologies, which are compliant with a wide variety of industry-accepted security standards, and hosted on dedicated single-tenant infrastructure in any Azure region of your choosing - worldwide.
If you prefer the On-Premises deployment option, AttackForge Enterprise is provided as a Dockerized solution that runs on a single Linux x64 server. It's designed to operate in air-gapped environment, and does not require any Internet connectivity or external dependancies. Installation package can also be run offline. All data persists on the server in Docker volumes. You can adjust the security of your on-premises AttackForge Enterprise tenant to your own security and risk requirements or appetite.
Additionally, our engineers have security backgrounds and utilize proven security technologies and techniques in order to protect our systems, data, and information from unauthorized access in the best possible way.
We rely on a number of strict security controls built into our people, processes and technologies; as well as subject to third party assessments including penetration testing.
Where is my data stored? (Private Cloud deployment)
For data storage, analysis, and backups, AttackForge utilizes Azure and Mongo cloud services and therefore shares several Azure and Mongo standards and accreditations.
All virtualized servers are run in the Azure region of your choice.
Amongst others, Azure is certified by the following security compliance standards:
ISO 27001, 27017, 27018
SOC 1, 2 and 3
FIPS 140-2
GDPR
Amongst others, Mongo is certified by the following security compliance standards:
ISO 27001
SOC 2 Type II
GDPR
HIPAA
PCI DSS
EU-US Privacy Shield
Where is my data stored? (On-Premises deployment)
All data persists on your own Linux server that you installed the application on, and is stored in Docker volumes.
Who has access to my data? (Private Cloud deployment)
AttackForge does not share customer data with third parties.
Administrative access to customer data for support purposes is restricted to a small number of closely managed AttackForge administrators.
Access to production systems and data follows the security standard of Least Privilege.
Who has access to my data? (On-Premises deployment)
AttackForge does not have any access to your data, whatsoever.
On-Premises deployment utilizes Docker for a containerized solution. There are two (2) containers which make up AttackForge Enterprise - Web Application Server and Database Server.
All data persists on your own Linux server that you installed the application on, and is stored in Docker volumes.
You control and manage all aspects of your tenant, including installation, operation and backups.
AttackForge will provide you with regular application updates via our online portal, that you can download and apply at your choosing.
How is my data protected? (Private Cloud deployment)
Network Security
All traffic to and from our service is encrypted using the TLS v1.2 protocol.
We enforce the usage of strong TLS cipher suites.
All systems are firewalled to a minimal number of access points.
Account Security
Multi-Factor Authentication (TOTP) is mandatory and enforced on all application and administrative interfaces.
We enforce a strong password policy.
Passwords are stored hashed and salted (bcrypt).
Role-Based-Access-Controls (RBAC) on a user-level and project-level are utilized to manage authorization to data.
Access to an account, including actions performed by the account, is logged, tracked, and audited.
Anti-automation controls are utilized to prevent brute-force login attempts.
Session monitoring & management is utilized to prevent authenticated abuse of the platform.
Email notifications for events such as new logins from different IP addresses are enabled.
System Security
All operating systems are managed, patched and maintained by Azure and Mongo.
Unnecessary users, services, and components are disabled.
All systems are constantly monitored.
Secure Data Storage
Data is stored on virtualized servers on Azure and Mongo.
All data is encrypted in-transit and at-rest.
Database backups are stored and transmitted encrypted at all times.
Vulnerability reports are generated in memory on request by user, and never stored.
Last updated