00
Overview
At AlgoSec, we are dedicated to adhering to regulatory compliance requirements and industry standards to ensure the utmost security.
We have implemented robust security measures and practices to mitigate risks and maintain the confidentiality, integrity, and availability of your data. We continually strive to stay at the forefront of security technologies and best practices to provide you with the highest level of protection.
Our security center is designed to provide you with comprehensive information and resources to understand our commitment to safeguarding your data and protecting your business.
Certifications
AlgoSec holds multiple certifications, demonstrating our firm commitment to top-tier security. We strive to comply with and maintain high-quality standards in line with globally recognized frameworks.
These include:
ISO/IEC 27001:2013 & ISO/IEC 27017:2015
AlgoSec is certified for the ISO/IEC 27001 standard which outlines the best practices for information security management systems.
Download ISO 27001 Certificate
SOC 2 Type II Report
AlgoSec has been certified following a SOC 2 Type II audit conducted by an independent service auditor. This audit evaluates the design, implementation, and effectiveness of the controls we have in place for our products. It ensures that our security practices align with the criteria of security, availability, processing integrity, confidentiality, and privacy. During the audit period, tests of controls were performed on controls as they existed and were applied to those controls relating to in-scope trust services criteria. The audit covered all the controls pertaining to the confidentiality, integrity, and availability of AlgoSec.
A copy of the AlgoSec SOC 2 Security, Availability, Confidentiality & Privacy Report is available to customers, partners and evaluators from the AlgoSec Portal.
Privacy
AlgoSec understands the importance of confidentiality and privacy in protecting customers’ data. We have established policies and procedures to ensure the privacy of your information and comply with applicable data protection regulations such as GDPR. AlgoSec has established policies and procedures to demonstrate GDPR compliance.
You can find detailed information about our privacy practices in our Privacy Notice.
Questions regarding our privacy may be addressed at [email protected].
Data security and security practices
AlgoSec prioritizes the security of our products and solutions throughout their entire life cycle. We employ rigorous security practices during development using automatic and manual procedures. These practices include comprehensive threat and risk analysis, adherence to security standards, and regular testing to identify and address vulnerabilities.
Our applications undergo complete penetration testing by reputable third-party vendors to ensure their security.
See AlgoSec SaaS Services – Security Practices.
Product security
Security is a core part of our product development activity. During the development of a new product or feature, we conduct a comprehensive threat and risk analysis, and create a specific security requirement for the product/feature and its integration into a complete solution. During the design phase and before release, we ensure product security by comprehensive testing (vulnerability assessment and penetration tests) using OWASP security standards. All security updates, patches or upgrades undergo the same rigorous tests, and are only deployed once they are proven to be secure. Pen Tests include:
- On-premises ASMS solution
- SaaS services
- AlgoSec website
- AlgoSec Customer Portal
We proactively scan our products using industry-standard tools for vulnerabilities on a nightly basis:
- On-premises ASMS solution is scanned by three commercial vulnerability scanners
- Dynamic web application scanning follows the OWASP methodology (DAST).
- Our SaaS offerings are scanned continuously by AlgoSec CloudFlow and AlgoSec Prevasio
Security advisories
List of CVEs published against AlgoSec products:
| CVE | Reference | Description | Severity | Issue Date | Updated on |
|---|---|---|---|---|---|
| CVE-2023-46596 | Improper input validation in FireFlow’s VisualFlow workflow editor | 5.1 Medium | 2024-02-15 | 2024-02-15 | |
| CVE-2023-46595 |
Net-NTLM leak via HTML injection in FireFlow VisualFlow workflow editor | 5.9 Medium | 2023-11-02 | ||
| CVE-2022-36783 |
|
AlgoSec–FireFlow Reflected Cross-Site-Scripting (RXSS) | 5.4 Medium | 2022-10-25 | 2022-10-27 |
| CVE-2014-4164 | Cross-site scripting (XSS) vulnerability in AlgoSec FireFlow 6.3-b230 allows remote attackers to inject arbitrary web script or HTML via a user signature to SelfService/Prefs.html. | 4.3 Medium | 2014-06-16 | 2015-12-04 | |
| CVE-2013-7318 | Cross-site scripting (XSS) vulnerability in BusinessFlow/login in AlgoSec Firewall Analyzer 6.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter. | 4.3 Medium | 2014-01-29 | 2014-08-06 | |
| CVE-2013-5092 | Cross-site scripting (XSS) vulnerability in afa/php/Login.php in AlgoSec Firewall Analyzer 6.1-b86 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 4.3 Medium | 2014-01-29 | 2014-08-06 |
Reporting vulnerabilities to AlgoSec
If you discover a security vulnerability in our systems, we encourage you to responsibly disclose it to us through the provided reporting process. Your efforts play a crucial role in our ongoing commitment to prioritize the security of our products and solutions throughout their entire life cycle. AlgoSec takes security concerns seriously and works diligently to resolve reported issues with utmost urgency.
Steps to report an issue
- If you have a support contract, open a support ticket and share your findings.
- If you are an independent researcher, kindly include sufficient information to reproduce the problem to ensure a swift resolution. Please follow these steps:
-
- Download the provided Excel file, here.
- Enter your information and describe the issue.
- Compose a new email message and attach the Excel file along with any supporting evidence.
- Send your findings to [email protected].
- Please do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
- Please coordinate any public disclosures of the detected vulnerability with AlgoSec.
- Please do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.
Frequently asked questions
On-prem Security:
How does AlgoSec secure sensitive data at rest?
- Device credentials are stored on AlgoSec Appliances for operational purposes using AES 256-bit encryption, with a randomly generated master key and per-password random salt.
- Local user credentials stored on AlgoSec Appliances are encrypted using PBKDF2 algorithm with salts and 27,500 hash iterations.
How does AlgoSec secure data in transit?
Data in transit: TLS 1.2.
Are backup files encrypted?
- You can configure ASMS to encrypt your backup files based on a password you provide. Backup encryption uses AES256.
What is the data retention policy?
- Data remains in your estate (environment) and is not accessible to AlgoSec. Therefore, data retention is your choice.
- Data provided to AlgoSec for handling technical support cases is retained for 90 days following the closure of the support case.
Does AlgoSec run pen tests on the on-premises product?
- Yes. See our PRODUCT SECURITY section.
Can I conduct a penetration test against AlgoSec products?
- Yes. Please report any findings to us using the process outlined in the REPORTING VULNERABILITIES TO ALGOSEC section.
SaaS Security:
What data is used by AlgoSec?
- AlgoSec CloudFlow and Prevasio products collect network, configuration, access information, and usage information from the customer’s cloud environment. CloudFlow can also be connected your on-premises ASMS.
- AlgoSec AppViz and ObjectFlow products rely on ASMS to collect data about your on-premises filtering technologies and configuration.
Does AlgoSec support Single-Sign-On (SSO)?
- Yes. AlgoSec SaaS supports SSO via SAML 2.0 (for example, Azure Active Directory (AAD), Okta, etc.).
- For customers who don’t want to use SSO, AlgoSec SaaS uses the Cognito AWS service to manage users.
How is access control handled?
- All AlgoSec SaaS-based products use Role-Based Access Control (RBAC).
Is it possible to restrict access to come only from the company’s IP range?
- It is currently not possible to restrict access to the tenant only from company IP addresses.
Does AlgoSec SaaS perform authentication of all calls and authorization to control access to functionalities via tokens?
- Yes. Both human-triggered actions (from the browser) and programmatic actions (from an API call) require authentication and use a token.
Does AlgoSec SaaS use encryption mechanisms in transit and at rest based on secure ciphers/protocols?
- Data in transit: TLS 1.2.
- Data at rest: RDS and S3 buckets are encrypted using AWS disk encryption technology (AES-256).
Do activity and audit logs provide sufficient information for legal and audit purposes of all actions performed by administrators and users, in order to meet e-discovery orders?
- Yes
Does the system allow the sending of logs and security audit trails to SIEM platforms?
- Yes. Audit logs may be exported.
Do AlgoSec SaaS products have known vulnerabilities that were not fixed in the latest version?
- No
Does AlgoSec have a Business Continuity plan?
- Yes
Will the data be stored in a repository shared with other companies?
- AlgoSec SaaS uses separate databases and S3 buckets for each tenant.
Is there a data retention policy for SaaS products?
- Data is retained as long as it is not deleted by the customer.
Do AlgoSec employees have access to customer data?
- A small number of designated site-reliability engineers (SREs) and tier-4 support engineers may have access to customer tenants for operational maintenance and technical support activities.
Does AlgoSec run pen tests on the SaaS product?
- Yes. See our PRODUCT SECURITY section.
Can I conduct a penetration test against AlgoSec SaaS products?
- This requires prior approval from AlgoSec to avoid service disruptions. Please report any findings to us using the process outlined in the REPORTING VULNERABILITIES TO ALGOSEC section.
