AlgoSec security center
AlgoSec prioritizes the security of our products and solutions throughout their entire life cycle. We employ rigorous security practices during development using automatic and manual procedures. These practices include comprehensive threat and risk analysis, adherence to security standards, and regular testing to identify and address vulnerabilities.
Our applications undergo complete penetration testing by reputable third-party vendors to ensure their security.
Data security and security practices
Product security
Security is a core part of our product development activity. During the development of a new product or feature, we conduct a comprehensive threat and risk analysis, and create a specific security requirement for the product/feature and its integration into a complete solution. During the design phase and before release, we ensure product security by comprehensive testing (vulnerability assessment and penetration tests) using OWASP security standards. All security updates, patches or upgrades undergo the same rigorous tests, and are only deployed once they are proven to be secure. Pen Tests include:
We proactively scan our products using industry-standard tools for vulnerabilities on a nightly basis:
On-premises ASMS solution
SaaS services
AlgoSec website
AlgoSec Customer Portal
On-premises ASMS solution is scanned by three commercial vulnerability scanners
Dynamic web application scanning follows the OWASP methodology (DAST).
Our SaaS offerings are scanned continuously by AlgoSec Cloud and AlgoSec Prevasio
At AlgoSec, we are dedicated to adhering to regulatory compliance requirements and industry standards to ensure the utmost security.
We have implemented robust security measures and practices to mitigate risks and maintain the confidentiality, integrity, and availability of your data. We continually strive to stay at the forefront of security technologies and best practices to provide you with the highest level of protection.
Our security center is designed to provide you with comprehensive information and resources to understand our commitment to safeguarding your data and protecting your business.
Overview
Certifications
ISO/IEC 27001:2013 & ISO/IEC 27017:2015
SOC 2 Type II Report
AlgoSec has been certified following a SOC 2 Type II audit conducted by an independent service auditor. This audit evaluates the design, implementation, and effectiveness of the controls we have in place for our products. It ensures that our security practices align with the criteria of security, availability, processing integrity, confidentiality, and privacy. During the audit period, tests were performed on controls as they existed and were applied to those controls relating to in-scope trust services criteria. The audit covered all the controls pertaining to the confidentiality, integrity, and availability of AlgoSec.
A copy of the AlgoSec SOC 2 Security, Availability, Confidentiality & Privacy Report is available to customers, partners and evaluators here:
AlgoSec holds multiple certifications, demonstrating our firm commitment to top-tier security. We strive to comply with and maintain high-quality standards in line with globally recognized frameworks.
These include:
AlgoSec understands the importance of confidentiality and privacy in protecting customer data. We have established policies and procedures to ensure the privacy of your information and comply with applicable data protection regulations such as GDPR. AlgoSec has established policies and procedures to demonstrate GDPR compliance.
You can find detailed information about our privacy practices in our Privacy Notice.
Questions regarding our privacy may be addressed to privacy@algosec.com.
Privacy
Security advisories
List of CVEs published against AlgoSec products:
CVE-2023-46596
Improper input validation in FireFlow’s VisualFlow workflow editor
Reference:
Advisory
Severity:
5.1 Medium
Issue date:
2024-02-15
Updated on:
2024-02-15
CVE-2023-46595
Net-NTLM leak via HTML injection in FireFlow VisualFlow workflow editor
Reference:
Advisory
Severity:
5.9 Medium
Issue date:
2023-11-02
Updated on:
2023-11-16
CVE-2022-36783
AlgoSec–FireFlow Reflected Cross-Site-Scripting (RXSS)
Reference:
Severity:
5.4 Medium
Issue date:
2022-10-25
Updated on:
2022-10-27
CVE-2014-4164
Cross-site scripting (XSS) vulnerability in AlgoSec FireFlow 6.3-b230 allows remote attackers to inject arbitrary web script or HTML via a user signature to SelfService/Prefs.html.
Reference:
Severity:
4.3 Medium
Issue date:
2014-06-16
Updated on:
2015-12-04
CVE-2013-7318
Cross-site scripting (XSS) vulnerability in BusinessFlow/login in AlgoSec Firewall Analyzer 6.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
Reference:
Severity:
4.3 Medium
Issue date:
2014-01-29
Updated on:
2014-08-06
CVE-2013-5092
Cross-site scripting (XSS) vulnerability in afa/php/Login.php in AlgoSec Firewall Analyzer 6.1-b86 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Reference:
Severity:
4.3 Medium
Issue date:
2014-01-29
Updated on:
2014-08-06
Reporting vulnerabilities to AlgoSec
If you discover a security vulnerability in our systems, we encourage you to responsibly disclose it to us through the provided reporting process. Your efforts play a crucial role in our ongoing commitment to prioritize the security of our products and solutions throughout their entire life cycle. AlgoSec takes security concerns seriously and works diligently to resolve reported issues with utmost urgency.
On-prem Security:
FAQs
Device credentials are stored on AlgoSec Appliances for operational purposes using AES 256-bit encryption, with a randomly generated master key and per-password random salt.
Local user credentials stored on AlgoSec Appliances are encrypted using PBKDF2 algorithm with salts and 27,500 hash iterations.
How does AlgoSec secure sensitive data at rest?
Data in transit: TLS 1.2.
How does AlgoSec secure data in transit?
You can configure ASMS to encrypt your backup files based on a password you provide. Encryption uses GPG.
Are backup files encrypted?
-
Data remains in your estate (environment) and is not accessible to AlgoSec. Therefore, data retention is your choice.
-
Data that is provided to AlgoSec as part of handling your technical support cases is kept for 90 days or until the case is resolved.
What is the data retention policy?
Yes. See our Product Security section
Does AlgoSec run pen tests on the on-premises product?
Yes. Please report any findings to us using the process outlined in the ‘Reporting Vulnerabilities to AlgoSec’ section.
Can I conduct a penetration test against AlgoSec products?
SaaS Security:
AlgoSec Cloud and Prevasio products collect network, configuration, access information, and usage information from the customer's cloud environment. AlgoSec Cloud can also be connected your on-premises ASMS.
AlgoSec AppViz and ObjectFlow products rely on ASMS to collect data about your on-premises filtering technologies and configuration.
What data is used by AlgoSec?
Yes. AlgoSec SaaS supports SSO via SAML 2.0 (for example, Azure Active Directory (AAD), Okta, etc.).
For customers who don’t want to use SSO, AlgoSec SaaS uses the Cognito AWS service to manage users.
Does AlgoSec support Single-Sign-On (SSO)?
All AlgoSec SaaS-based products use Role-Based Access Control (RBAC).
How is access control handled?
It is currently not possible to restrict access to the tenant only from company IP addresses.
Is it possible to restrict access to come only from the company's IP range?
Yes. Both human-triggered actions (from the browser) and programmatic actions (from an API call) require authentication and use a token.
Does AlgoSec SaaS perform authentication of all calls and authorization to control access to functionalities via tokens?
Data in transit: TLS 1.2.
Data at rest: RDS and S3 buckets are encrypted using AWS disk encryption technology (AES-256).
Does AlgoSec SaaS use encryption mechanisms in transit and at rest based on secure ciphers/protocols?
Yes.
Do activity and audit logs provide sufficient information for legal and audit purposes of all actions performed by administrators and users, in order to meet e-discovery orders?
Yes. Audit logs may be exported.
Does the system allow the sending of logs and security audit trails to SIEM platforms?
No.
Do AlgoSec SaaS products have known vulnerabilities that were not fixed in the latest version?
Yes.
Does AlgoSec have a Business Continuity plan?
AlgoSec SaaS uses separate databases and S3 buckets for each tenant.
Will the data be stored in a repository shared with other companies?
Data is retained as long as it is not deleted by the customer.
Is there a data retention policy for SaaS products?
A small number of designated site-reliability engineers (SREs) and tier-4 support engineers may have access to customer tenants for operational maintenance and technical support activities.
Do AlgoSec employees have access to customer data?
Yes. See our ‘Product Security’ section.
Does AlgoSec run pen tests on the SaaS product?
This requires prior approval from AlgoSec to avoid service disruptions. Please report any findings to us using the process outlined in the ‘Reporting Vulnerabilities to AlgoSec’ section.
Can I conduct a penetration test against AlgoSec SaaS products?
Certifications
Overview
Privacy
Data security and security practices
Product security
Security advisories
Reporting vulnerabilities to AlgoSec
FAQs