Bridgecrew Security and Compliance

As a company that helps teams adopt modern, efficient security practices, Bridgecrew treats security and compliance as top priorities.

Bridgecrew is committed to securing application data, eliminating system vulnerabilities, and ensuring continuity of access.

Bridgecrew uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Bridgecrew employees undergo a background screening before employment and are periodically trained to adhere to our security practices.

Security is directed by Bridgecrew’s Chief Technology Officer and maintained by Bridgecrew Engineering.

1. COMPLIANCE AND CERTIFICATION

SOC 2

Bridgecrew has received its SOC 2 Type II compliance certification.

Contact us to obtain the report.

2. VULNERABILITY DISCLOSURE

If you would like to report a vulnerability or have any security concerns with a Bridgecrew product, please reach out to security@bridgecrew.io.

When reaching out, include a proof of concept, a list of the tools used (including versions), and the output of those tools. We take all disclosures very seriously. Once a disclosure is received, we rapidly verify the vulnerability before taking the necessary steps to fix it. Once verified, we send periodic status updates as the problem is fixed.

3. INFRASTRUCTURE AND NETWORK SECURITY

Physical Access Control

Bridgecrew is hosted in AWS. AWS data centers feature a layered security model, including extensive safeguards such as:

  • Custom-designed electronic access cards
  • Alarms
  • Vehicle access barriers
  • Perimeter fencing
  • Metal detectors
  • Biometrics

According to the AWS overview of security processes whitepaper: “AWS data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in facilities that are not branded as AWS facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, their access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.”

Bridgecrew employees do not have physical access to AWS data centers, servers, network equipment, or storage.

Logical Access Control

Bridgecrew is the assigned administrator of its infrastructure on AWS. Only designated and authorized Bridgecrew team members have access to configure infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

Penetration Testing

Bridgecrew undergoes black-box penetration testing conducted by an independent, third-party agency on an annual basis. For black-box testing, Bridgecrew provides the agency with an isolated clone of bridgecrew.cloud and a high-level diagram of the application architecture.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Bridgecrew will provide a summary of penetration test findings upon request to Enterprise customers.

Third-Party Audit

AWS undergoes various independent third-party audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. Bridgecrew also undergoes regular independent third-party audits and can provide its SOC 2 Type II report upon request.

Intrusion Detection and Prevention

Unusual network patterns and suspicious behavior are among Bridgecrew’s most significant concerns for infrastructure hosting and management. Bridgecrew’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based and algorithm-based detection to identify traffic patterns that resemble known attack methods.

IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.

Bridgecrew does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.

4. BUSINESS CONTINUITY AND DISASTER RECOVERY

Availability

Production environments are fully managed in AWS and monitored using tools provided by AWS as well as internally developed monitoring utilities. Bridgecrew solution architects monitor the application layer. Bridgecrew has implemented operations management controls to manage and execute production operations. Bridgecrew uses a Content Delivery Network (CDN) and load balancers to control traffic distribution and resource allocation.

Business Continuity

Bridgecrew has developed a Business Continuity Plan to enable the company to continue providing critical services in case of a disaster. Bridgecrew maintains backup server infrastructure in a separate region within its AWS organization. The backup infrastructure is designed to provide customers with business-critical services until the disaster has been resolved and the primary system is fully restored. The alternative processing environment is wholly managed by appropriate Bridgecrew personnel, as is the primary production environment.

Backup

Databases are hosted in AWS. A backup system automatically generates a daily, weekly, and monthly backup, including adequate logs. Access to the backup and database storage is restricted to authorized individuals. Weekly full-system and daily incremental backups are performed using an automated system. Data is retained for 30 days.

Restoration

Backup data is captured as part of the daily, weekly, and monthly procedures and is automatically restored into a separate environment to verify data integrity and surface potential recovery issues. A log of the restoration process is generated and monitored by the CTO. Bridgecrew has developed a Disaster Recovery Plan to continue providing critical services in the event of a disaster.

5. DATA FLOW

Data through System

Data is sent securely to Bridgecrew over TLS to an HTTPS endpoint. All data flows are encrypted with AWS KMS at rest and HTTPS in transit. Bridgecrew aggregates events and contextual data related to the user’s environment, preceding events, and the release and deployment changeset.

Data out of System

Once the event is processed, it can then be accessed via Bridgecrew’s user interface and REST APIs. Bridgecrew integrates with a variety of third-party tools so developers can combine error data from Bridgecrew with data from other systems, manage workflows efficiently, and be alerted of errors through notification and chat tools, in addition to email and SMS.

6. DATA SECURITY AND PRIVACY

Data Encryption

  • Data in transit: All traffic between customers and the Bridgecrew platform is encrypted with TLS using the most secure algorithms available. Encryption between customers and the Bridgecrew platform, as well as between engineers and Bridgecrew AWS resources, is enabled using an authenticated TLS tunnel. Customer sessions and interactions with the web application are encrypted using 256-bit SSL v3/TLS HTTPS. Bridgecrew uses encryption to supplement other measures that protect data at rest when such protections are deemed appropriate based on assessed risk. Processes are in place to protect encryption keys during generation, storage, use, and destruction.
  • Data at rest: Data is encrypted according to AWS data-at-rest encryption policies, which include several layers of encryption to protect customer data at rest in AWS products. Data stored in AWS is encrypted at the storage level using KMS. The storage of Bridgecrew’s operational devices (i.e., workstations and laptops) is encrypted by automated software to ensure the safety of sensitive information. Access to, exchange of, and extraction from that storage are allowed only on registered and authorized company devices. All customer telemetry stored at rest is encrypted, without any action required from the customer, using one or more encryption mechanisms. Stored data is split into chunks, and each chunk is encrypted with a unique data encryption key. AWS Key Management Service is redundant and globally distributed. Because this common library is widely accessible, only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.

Data Removal

All customer data stored on Bridgecrew servers is eradicated upon a customer’s termination of service and deletion of their account, after a 24-hour waiting period to prevent accidental cancellation.

7. APPLICATION SECURITY

Single Sign-On / SAML 2.0

Bridgecrew’s single sign-on (SSO) implementation prioritizes security. We aggressively monitor linked accounts and disable them with any reasonable sign that the account’s access has been revoked. SSO also improves user experience by streamlining login and improving access from trusted domains.

To facilitate user authentication through the web browser and improve identity management, Bridgecrew offers Security Assertion Markup Language (SAML)-based SSO as a standard feature to customers on its Enterprise plan. SAML 2.0 enhances user-based security and streamlines signups and logins from trusted portals, improving user experience, access management, and auditability.

Bridgecrew integrates with SAML 2.0 providers, including OneLogin and Okta.

REST API Authentication (API Key)

Bridgecrew’s REST API uses an auth token or API key for authentication. The authentication token is passed in the request’s auth header and is used to authenticate a user account with the API.

Audit Controls

We know user administration is central to security and management, and that auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. Bridgecrew customers get admin controls for governing identity, access, and usage for their accounts, keeping their data safe, secure, and centrally managed.

User roles dictate access within an organization and apply to all the accounts linked to that user.

  • Auditor can view Incidents
  • Member can view and take action on Incidents, and view dashboards and statistics
  • Admin can add new accounts, invite users, and assign them to accounts. You can have multiple Admins. Admins can be restricted to specific Accounts.
  • Owner is the user who created the initial account for your organization. The Owner has access to all functions on all Accounts and is the only user who sees Billing information.

Secure Application Development (Application Development Lifecycle)

Bridgecrew practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull request review, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves both the response time to and the effective eradication of bugs and vulnerabilities. Release notes and details are available in the Bridgecrew changelog.

8. CORPORATE SECURITY

Malware Protection

At Bridgecrew, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations include an inventory management agent, which enables and enforces full-disk encryption, screen lock, and other security features, and a security endpoint agent for detecting malware.

Security Policies

Bridgecrew maintains internal documentation of its security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of the following security policies is available to Bridgecrew Enterprise customers upon request:

  • Information Security
  • Risk Management
  • Security Incident Response
  • Vulnerability Management
  • Policy Management and Maintenance
  • Change Management
  • System Access

Security Training

All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.

All engineers review security policies as part of onboarding and are encouraged to review and contribute to them via internal documentation. Any change to policy affecting the product is communicated as a pull request, so that all engineers can review and contribute before internal publication. Major updates are communicated via Slack to all Bridgecrew employees.

Disclosure Policy

Bridgecrew follows the incident handling and response process recommended by AWS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Bridgecrew notifies customers of any data breach as soon as possible via email, followed by periodic updates throughout each day addressing progress and impact. Bridgecrew Enterprise plans include a dedicated customer success manager who is responsible for customer communication, regular check-ins, and escalations.

For additional information about Bridgecrew’s security practices and policies, feel free to reach out to security@bridgecrew.io.