Image credit: www.bluecoat.com

In this article I would like to explain our security posture at Clause. We take the security of the personal and business information that you share with us extremely seriously and we work hard to earn your trust. We are far from complacent; in fact we verge on the paranoid! We know that only through continued investment in people, technology and processes can we ensure your information is safe.

First, let me introduce some terminology from the National Institute of Standards and Technology:

Information Assurance is defined as, “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”Security Posture is defined as, “The security status of an enterprise’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.”

These terms are intentionally broad and cover all aspects of operations that could impact the security of your data. In the last quarter we’ve completed two important security related efforts that I would like to tell you about:

  1. We completed our first external Web Application Security Assessment
  2. We published our Vulnerability Disclosure Program

Web Application Security Assessment

Prior to rolling out the public beta of Clause we contracted Practical Security Services LLC to perform a Web Application Security Assessment. A Web Application Security Assessment is an in-depth analysis leveraging both manual inspection and automated scanning of the runtime environment and source code to find vulnerabilities that arise from programming and business logic. The purpose of the assessment was to identify functionality exposed by the application and underlying components that may be vulnerable to internal or external security threats, and to recommend strategies for mitigating the risks identified during the assessment.

All the security vulnerabilities discovered during the assessment have been fixed. We are very grateful to Tim Tomes from Practical Security Services for his expert advice and we look forward to working with him again in the future.

Vulnerability Disclosure Program

As part of our ongoing commitment to securing your data we have also published our vulnerability disclosure program, which sets out the terms under which we work with external security researchers and the bounties that we will pay for confirmed vulnerabilities.

Since starting the program we have made two payments to external security researchers.

If you are a responsible security researcher interested in testing Clause please refer to https://clause.io/security.

Conclusions

At Clause we are committed to safeguarding your information and we make decisions every day with the security of the platform and your data top of mind. These include our security culture, the people we hire, training, the processes we use internally to develop and deploy code, the vendors and tools we use, how we configure our systems, the encryption we use, how we authenticate users and a myriad of details that contribute to our goal of implementing security in-depth.

We will continue to improve and invest across all these areas because we value your trust above all else.