apty recognizes clients’ needs to protect user and business data and is compliant with the industry security standards.
apty physical infrastructure is hosted and managed within Heroku in Amazon’s secure data centers and utilizes Amazon Web Service (AWS) technology. The following section highlights the security features of apty and AWS.
Third party security testing of the front and back-end elements of apty is performed by independent and trusted security consulting firms.
- Penetration testing includes but is not limited to SQL injection, cross-site scripting, server response splitting, etc. These regular assessments are done on top of the independent tests which are routinely performed by AWS as an integral part of their security standards.
- Additionally, as other means of identifying potential security flaws, periodic static code scanning with Veracode is performed using automatic static, automatic dynamic and / or manual security analysis for assessing vulnerability, analyze application and code, and confirm that security and code quality is compliant with current standards. Code analysis techniques are combined to inspect executables on the detailed level and decrease the amount of false negative test results.
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
Our infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. apty utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
Each application on the platform runs within its own isolated environment and cannot interact with other applications or areas of the system. This restrictive operating environment is designed to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system using LXC while host-based firewalls restrict applications from establishing local network connections.
Customer data is stored in separate access-controlled databases per application. Each database requires a unique username and password that is only valid for that specific database and is unique to a single application. Customers with multiple applications and databases are assigned separate databases and accounts per application to mitigate the risk of unauthorized access between applications.
Customer connections to Postgres databases require SSL encryption to ensure a high level of security and privacy. When deploying applications, we encourage customers to take advantage of encrypted database connections.
The collected data is:
- transmitted only through Secure channels (HTTPS default for apty), and
- stored in secure database with standard AES-256 encryption (Heroku standard).
For more information on data collection, refer to: What data is captyred by apty?