Security

Security Is Built Into Our DNA - For Peace of Mind

As a software security provider, AttackForge is committed to providing highly secure and reliable software for our customers. Our SaaS platform (AttackForge.com) is built on Microsoft Azure (Azure) and MongoDB Cloud (Mongo) compute and storage ‘As-a-Service’ technologies, which are compliant with a wide variety of industry-accepted security standards.

Additionally, our engineers have security backgrounds and utilize proven security technologies and techniques in order to protect our systems, data, and information from unauthorized access in the best possible way.

We rely on a number of strict security controls built into our people, processes and technologies, and we are subject to third-party assessments including penetration testing.

Where is my data stored?

For data storage, analysis, and backups, AttackForge utilizes Azure and Mongo cloud services and therefore shares several Azure and Mongo standards and accreditations. All virtualized servers are run in the Australian region.

Amongst others, Azure is certified by the following security compliance standards:

  • ISO 27001, 27017, 27018

  • SOC 1, 2 and 3

  • FIPS 140-2

  • GDPR

Amongst others, Mongo is certified by the following security compliance standards:

  • ISO 27001

  • SOC 2 Type II

  • GDPR

  • HIPAA

  • PCI DSS

  • EU-US Privacy Shield

AttackForge does not store bank information or credit card data. All payments are handled and managed by our payment provider Square (squareup.com).

Who has access to my data?

AttackForge does not share customer data with third parties.

Administrative access to customer data is restricted to a small number of closely managed AttackForge administrators.

Access to production systems and data follows the security standard of Least Privilege.

How is my data protected?

Network Security

  • All traffic to and from our service is encrypted using the TLS v1.2 protocol.

  • We enforce the usage of strong TLS cipher suites.

  • All systems are firewalled to a minimal number of access points.

Account Security

  • Multi-Factor Authentication (TOTP) is mandatory and enforced on all application and administrative interfaces.

  • We enforce a strong password policy.

  • Passwords are stored hashed and salted (bcrypt).

  • Role-based access controls (RBAC) at the user level and project level are utilized to manage authorization to data.

  • Access to an account, including actions performed by the account, is logged, tracked, and audited.

  • Anti-automation controls are utilized to prevent brute-force login attempts.

  • Session monitoring & management is utilized to prevent authenticated abuse of the platform.

  • Email notifications for events such as new logins from different IP addresses are enabled.

System Security

  • All operating systems are managed, patched and maintained by Azure and Mongo.

  • Unnecessary users, services, and components are disabled.

  • All systems are constantly monitored.

Secure Data Storage

  • Data is stored on virtualized servers on Azure and Mongo.

  • All data is encrypted in-transit and at-rest.

  • Database backups are stored and transmitted encrypted at all times.

  • Vulnerability reports are generated in memory on request by the user, and are never stored.