
Application Security

Can you explain to me your Application Security?
1 comment
Qlik AutoML
Official Response
David C.
Director of Product Marketing
0
Data: Kraken is a multi-tenancy application with the data logically separated between accounts. Data from one account cannot be accessed from another account, nor can it be shared. Access to the data is only available by users with an appropriate role in the account.

Encryption: All data is encrypted at rest using AWS Key Management System (“AWS KMS”). This uses AES-256 encryption standard.

Authentication: All passwords are salted and encrypted before being stored in the DB. We are unable to see what a password is, so if a password is forgotten it will need to be reset by the user.

Audit Log: The application has an audit log that can be used for both security and compliance.

Static Analysis: All code undergoes static analysis at each check-in to the repository.

Penetration Tests: Penetration tests (Pen tests) are run annually. Identified issues are fixed based on the test risk assessment and the pen test re-done to confirm the issues have been fixed.

DKIM/DMARC/SPF: All emails sent from the Big Squid domain are signed using both DKIM and SPF. DMARC record is also available for receiving mail servers.

Separation of Environments: Production, staging, and development environments are physically and logically separate. The staging environment is a replica of the production environment but is physically isolated from the production environment. Development is carried out on local machines.

QA & Tests: Both automated Quality Assurance (“QA”) and manual QA. The automated QA consists of unit, integration and acceptance tests. These are run on each deploy. Manual QA is carried out on every bug fix and new feature prior to being merged into a release.