Dradis = Security

Built by security professionals. Tested by security professionals. No access to your data.

Security questionnaire

As a collaboration and reporting tool for cybersecurity teams, we recognize the importance of excellent security practices for such critical infrastructure. While we are a small team, we take security very seriously.

General security practices

• Access to servers, source code, and third-party tools are secured with strong non-SMS two-factor authentication when possible.
• We allow you to do the same by supporting TOTP 2FA for Dradis (learn more).
• We use strong, randomly-generated passwords that are never re-used.
• We don't use external contractors.
• If we hired contractors they would be given the lowest level of access that would allow them to get their work done.

Secure Development Lifecycle (SDL)

• We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues, such as GitHub Advanced Security.
• We perform internal vulnerability scans as part of our Continuous Integration (CI) pipeline to monitor the status of our security efforts.
• We are aggressive about applying patches, keeping dependencies up-to-date, and releasing fixes quickly.
• Each release of Dradis is using the latest version of the underlying components whenever possible. This includes, but is not limited to:
  • Operating System.
  • Database Server.
  • Web server.
  • Application server and web framework.
• We prefer third-party tools with strong privacy and security postures that align with our goals.
• Every change made to the code is independently reviewed by a minimum of two people, with an emphasis in secure coding practices.
• Dradis is developed by the team that:
  • Wrote the UK's Centre for the Protection of National Infrastructure (CPNI) guide on Development and Implementation of Secure Web Applications.
  • Trained other security professionals on web application security at BlackHat USA.
• A lot of Dradis code is open source and available for inspection (and testing) on GitHub: /dradis/dradis-ce

Data Sovereignty

• Dradis is a self-hosted solution. We don't have access to your data.
• We do not need to receive, store, or process any of your Confidential or Sensitive information.

Infrastructure

• Dradis is not a cloud-based solution. It runs in your own infrastructure.
• Dradis doesn't need to be connected to the internet.
• Our company relies on internet giants for hosting and managing our source code:
  • Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
    • ISO 27001
    • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
    • PCI Level 1
    • FISMA Moderate
    • Sarbanes-Oxley (SOX)
    • Authentication
  • GitHub is proud to put security at the core of everything they do, inspiring and enabling the community to secure the software users depend on. GitHub have been accredited under:
    • ISO 27001:2013
    • CSA Star Level 2
    • SOC 1
    • SOC 2
    • SOC 3
    • TISAX

Encryption

• The Dradis VM is full-disk encrypted.
• We enforce TLS (HTTPS) to protect sensitive data transmitted to and from applications i.e. data in-transit.
• Highly-sensitive data inside the application, such as OAuth tokens, is encrypted at-work using AES-256-GCM encryption.
• User passwords are securely hashed using industry-standard bcrypt, and all secrets are securely encrypted in-transit and at-rest. We never store passwords or secrets as plain text.

Payments

• Credit card and bank information is encrypted, stored, and processed by Stripe (not us) with AES-256 encryption. Full details are available on Stripe's security page.
• We store a transient token provided by Stripe to reference a customer's credit card through the Stripe API. Credit cards are not stored on our servers, nor do we have access to the card number or details. This information does not pass through our servers.
• All communication with Stripe is handled over an encrypted TLS connection.

Backups and recovery

• We don't have access to your (or anyone else's) data.
• Dradis users are responsible for setting up their own backup and recovery procedures.

FAQs

What user data do you collect?

By default none. We give the users the option to share with us limited telemetry data to help us improve the product. Learn about Usage analytics sharing.

More information on the type of data we collect on this website can be found in our Privacy Notice.

Will you fill out our security questionnaire?

Due to our small team size, we do not have the bandwidth to fill out security questionnaires for customers on our off-the-shelf plans. Please email us if you do not see one of your specific questions answered on this page and we can add it.

Do you maintain any security certifications such as SOC 2, ISO 27001, HIPAA or BAA?

While we'd eventually love to achieve these certifications, we don't hold them at this time. Please contact us if you'd like discuss working with us to get these certifications.

How do I report a potential vulnerability or security concern?

Please contact us through our Security Reports page.

If you have a discovery, please discreetly reach out to a member of the team for verification, vulnerability acceptance, and remediation timeline.

We believe in — and participate in — responsible disclosure. At this time we do not have a bug-bounty program in place.

How often is Dradis tested?

All of our users are security professionals and penetration testers. These users perform routine security assessments of the application as a part of their corporate security initiatives.

Review Security Reports page for the latest disclosures.

Any further questions?

Please contact us and we'll happily update this page.