CTO Daniel Bondurant on Wiredrive’s Security Practices
On April 7, 2014 the Heartbleed OpenSSL bug was announced, and the Wiredrive ops team had all servers patched within hours. This is one of the most serious security-related problems we have ever seen. Wiredrive relies on SSL to encrypt traffic between a browser or application and our servers. The encryption is necessary so that no server in between can decode the information if it is intercepted.
Wiredrive uses the strongest available key exchange, Perfect Forward Secrecy (PFS), which ensures that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future. This prevents a recorded data stream from being decoded if the private key is ever compromised. The EFF has a more technical description of PFS and why it is important, which is worth reading.
Security is a journey, not a destination. Over the past few years we have been focusing on security in the application and across the entire business. We are always looking for ways to improve our software development life cycle and infrastructure. We have fixed numerous bugs, brought on outside security vendors, invested in secure coding, trained all staff on phishing and identifying malware, and started to prepare for an SSAE 16 Type II audit. Some of these requests have come directly from clients; others are best practices that we have decided to adopt. We are completely committed to security across the entire organization and will not waver from that focus.
Security Focused Software Development Life Cycle
No code is perfect, and it’s impossible to validate for all known security vulnerabilities all the time. Admitting this fact, we complete independent third-party static code scans during development. It’s extremely important to catch these vulnerabilities as soon as possible so that they can be removed well before the code reaches the production servers. Please see the case study published with our vendor Checkmarx.
Some of our clients require us to complete third-party quarterly penetration tests. These point-in-time scans will not detect any problems introduced between scans. We do not feel this is often enough, so we have the scans run continuously. We try our best not to introduce any new issues (and haven’t since we started scanning), but if any do slip through, we want to know about them right away.
Our Own Infrastructure
We have decided to host all of Wiredrive on our own infrastructure instead of using cloud providers. In addition to substantial performance gains, a large part of this decision is about security. By hosting and securing customers’ files ourselves, we control the full technology stack: when the OS is patched, physical security, and network access. We also control our own IP block, which eliminates the potential bad neighbors that can occur when using cloud providers. Our data centers are housed in SSAE 16 telco-grade facilities.
FreeBSD and ZFS
We are huge fans of FreeBSD and ZFS. FreeBSD lets us get as much performance out of our servers as possible while providing advanced debugging tools. Hardening FreeBSD is easy to do, and that is one of the main reasons we rely on it for most of our infrastructure. ZFS gives protection against data loss and extremely flexible OS snapshot abilities.
The front-end application servers are mounted on a read-only, memory-backed filesystem. If a vulnerability were exploited, the exploit would fail as soon as it tried to write to the filesystem. Also, none of the files are allowed to be executable, so the exploit would not be able to do anything. Rebooting a machine automatically re-syncs it with a version-controlled file server and the most recent build of the code.
Passwords are stored using modern cryptography (NOT MD5 or SHA-1). The passwords are stored in a separate database with different credentials from the main application. Resetting the password is done out of band with the main application.
Over the past six months, we have been monitoring the SSL cipher suites supported by customer browsers, and have successfully ramped down old exploitable schemes like RC4. We have also enabled HTTP Strict Transport Security (HSTS) headers. All pages in Wiredrive are forced to use SSL, which helps to prevent session hijacking and man-in-the-middle attacks. Qualys, an independent SSL audit authority, currently gives Wiredrive a rating of A+.
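As an added example (not Wiredrive’s actual configuration), the following Python code builds a TLS server context that enforces the policy described here and in the PFS section above, ephemeral key exchange only, no RC4, TLS 1.2 as the floor, and then audits the resulting cipher list so a misconfiguration is caught before deployment. The cipher string and the description markers it checks are my assumptions, taken from OpenSSL’s `ciphers -v` output format.

```python
import ssl

# Assumed policy for this example: ECDHE key exchange only (forward secrecy),
# AEAD ciphers only, and an explicit ban on RC4, MD5 and static-RSA exchange.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!MD5:!kRSA:!3DES"


def cipher_problems(description):
    """Return policy violations for one OpenSSL cipher description line,
    e.g. 'AES128-SHA TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'."""
    problems = []
    kx = description.split("Kx=")[1].split()[0]  # "ECDH", "DH", "RSA", "any"
    # Kx=any is TLS 1.3, whose key exchange is always ephemeral.
    if kx not in ("ECDH", "DH", "any"):
        problems.append("no forward secrecy (Kx=%s)" % kx)
    if "Enc=RC4" in description:
        problems.append("RC4 stream cipher")
    if "Mac=MD5" in description:
        problems.append("MD5 MAC")
    return problems


def audit_ciphers(ctx):
    """Map each enabled cipher that violates the policy to its problems."""
    findings = {}
    for cipher in ctx.get_ciphers():
        problems = cipher_problems(cipher["description"])
        if problems:
            findings[cipher["name"]] = problems
    return findings


def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # retires SSLv3/TLS 1.0/1.1
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def legacy_context():
    """Everything the OpenSSL build offers: the 'before' of the hardening."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


if __name__ == "__main__":
    print("legacy findings:  ", len(audit_ciphers(legacy_context())))
    print("hardened findings:", audit_ciphers(hardened_server_context()))
```

An empty result for the hardened context is the check to wire into deployment; any non-empty entry names the suite to remove from the cipher string.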
New Generation Firewalls
Next-generation firewall vendor Palo Alto recently audited Wiredrive and rated the application at risk level 1, which is their best score. We encourage all customers to deploy a next-generation firewall in their corporate and remote offices to help protect their networks. Palo Alto has made integrating Wiredrive with their firewall extremely easy.
I would invite you to reach out to me to discuss Wiredrive’s security practices and policies. As mentioned previously, security is a journey, not a destination. And while technological changes will continuously affect the landscape of data security, Wiredrive’s commitment to it will not.