Imageous Security Philosophy and Practices

Imageous’ customers entrust us with their information and data, and we take its security seriously. Our core value of putting our customers first drives every decision we make, including how we manage and protect our customers' data. We follow industry standards and best practices to keep our customers' information and data safe and their businesses protected.

Data Center & Network Security

  • Third-party Hosting Provider: All Imageous applications are hosted in AWS facilities, which comply with over 50 data security certifications, regulations, and frameworks. Physical security is managed by AWS, with facilities monitored by video surveillance and intrusion detection systems.
  • Network Vulnerability Scanning: Network security scanning gives us the insight needed to quickly identify out-of-compliance or potentially vulnerable systems.
  • DDoS Mitigation: We use AWS Shield, a managed Distributed Denial of Service (DDoS) protection service that safeguards all Imageous applications. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
  • Logical Access: Access management in AWS IAM is restricted on an explicit need-to-know basis, follows least privilege, and is frequently audited and monitored. Employees accessing our AWS accounts or any internal tools are required to use multi-factor authentication.
  • Security Architecture: Imageous follows AWS best practices for security architecture. Proxy servers secure access to the Imageous applications by providing a single point at which attacks are filtered through IP blacklisting and connection rate limiting.
  • Encryption in Transit: For web applications, data in transit is encrypted from the user's browser to the Imageous applications via TLS. For our IoT device, data in transit is encrypted from the device to the Imageous applications via TLS.
  • Encryption at Rest: Sensitive application data stored locally is encrypted using AES.
  • Secure Credential Storage & Encryption: Imageous uses Auth0, a third-party service, to securely store and manage credentials. Auth0 never stores passwords in clear text; they are always salted and hashed with bcrypt. Data both at rest and in transit is encrypted: all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2 and is encrypted and authenticated with AES_128_GCM, using ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored Auth0's TLS implementation "A+" on their SSL Server Test.
  • Uptime: The Imageous applications are hosted in multiple AWS data centers across the globe.
  • Redundancy: Imageous employs a cloud-based distributed backup framework for Imageous-hosted customer servers.
  • Disaster Recovery: Imageous’ Disaster Recovery program ensures that our services remain available, or are readily recoverable, in the event of a disaster. This is accomplished by building a robust technical environment, creating Disaster Recovery plans, and testing them.
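The two controls described under Logical Access, least-privilege grants and mandatory multi-factor authentication for anyone touching the AWS account, can be expressed directly as an IAM policy. The policy below is an added illustration and is not a policy taken from Imageous; the bucket name imageous-example-bucket is a placeholder, and the read-only S3 grant stands in for whatever narrowly scoped permissions a given role actually needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LeastPrivilegeGrantExample",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::imageous-example-bucket",
        "arn:aws:s3:::imageous-example-bucket/*"
      ]
    },
    {
      "Sid": "DenyEverythingWithoutMfaExceptMfaEnrollment",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

The Deny statement uses BoolIfExists rather than Bool on purpose: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, and a plain Bool condition would not match it, silently exempting exactly the credentials most often leaked. The NotAction list leaves a user without MFA only enough IAM access to enroll a device and call sts:GetSessionToken with it; everything else, including the S3 grant above, is denied until an MFA-backed session is in use. Attach the policy to the group or role employees assume, and confirm the behaviour with the IAM policy simulator before relying on it.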

Application Security

  • Security Training: At least annually, all Imageous engineers participate in secure coding training covering the OWASP Top 10 security flaws and common attack vectors.
  • Security Controls: Imageous uses AWS WAF, a web application firewall that helps detect and block malicious web requests targeted at Imageous applications. AWS WAF allows us to create rules that help protect against common web exploits such as SQL injection and cross-site scripting.
  • Code Review: At Imageous, code is peer reviewed before being merged into the master branch of the Imageous application. Functional and unit tests are run using automated tools.
  • Code Development: Code development follows a documented SDLC process, which includes guidance on how code is tested, reviewed, and promoted to production.
  • Separate Environments: Testing and staging environments are separated physically and logically from the production environment. No actual service data is used in the development or test environments.
  • Dynamic Vulnerability Scanning: Imageous uses Amazon Inspector, an automated security assessment service that helps improve the security and compliance of Imageous applications. Amazon Inspector automatically assesses the environment for vulnerabilities and deviations from best practices; after each assessment it produces a detailed list of security findings prioritized by severity.
  • Static Code Analysis: The Imageous source code repositories are continuously scanned for security issues by the static analysis tooling integrated into the build process.

Product Security Features

  • Authentication Options: Sign-ins and authentication are handled by Auth0.
  • Single sign-on (SSO): Single sign-on allows Imageous customers to authenticate users against their own identity systems without requiring them to enter additional login credentials.
  • API Security & Authentication: The Imageous API is served over TLS only (HTTPS), and Imageous customers must authenticate to make API requests. Customers can authenticate to the API using either basic authentication with their username and password, or a username and API token.

Additional Security Methodologies and Information

  • Background Checks: New contractors and employees are required to pass a background check and sign confidentiality agreements.
  • Security Awareness Education: Imageous’ new hires complete security training as part of their onboarding. Employees receive routine security awareness training and confirm adherence to Imageous’ security policies.
  • Information Security Officer: Ben Ries, CTO, oversees all aspects of the Imageous security program. You may contact him at security@imageous.io.