Inigo Security

Last updated: March 17, 2017

Physical Security

Security at the Office

Inigo has appointed Pavel Kirillov, the co-founder, to be the information security officer.

At the moment all Inigo employees work from home. Each employee uses their own computer and a home office to accomplish their tasks.

Only 1 person in the company (Pavel, the co-founder) has the passwords and is authorized to access the production environment hosted on Microsoft Azure. Andrew, the founder, serves as emergency backup in case Pavel can’t perform his duties due to force majeure. Andrew can obtain a new set of passwords for the production environment and appoint a new information security officer.

All employees are required to have up-to-date antivirus software and a firewall installed on their machines. Inigo picks a recommended antivirus every year.

Employee computers may be used solely by the employees themselves: no family members, guests or shared machines.

Employees must immediately report any theft or security concern to Inigo’s information security officer.

Home WiFi: workstations must disable automatic connection to available wireless networks to prevent accidentally connecting to other networks in range. The home router must have its admin username and password changed from the defaults. The router must be configured to use WPA2 network encryption with a strong password different from the one on the manufacturer sticker.

All internal communication is done using Slack App (paid and encrypted) and Google G Suite email. All employee accounts are managed in G Suite.

No Inigo documents should be stored on local drives - only Inigo’s G Suite.

Workstations must have a password-protected OS login with a 15-minute lock timeout. Password complexity is required.

Developers only work with the development environment and have no access to real production data.

The company can revoke access to any cloud asset, company file storage or company account.


Data Center Security

Inigo’s entire production environment is hosted on Microsoft Azure.

We chose Azure because it meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS.

Rigorous third-party audits, such as by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate. As part of our commitment to transparency, you can verify our implementation of many security controls by requesting audit results from the certifying third parties.

When Microsoft verifies that their services meet compliance standards and demonstrates how they achieve compliance, that makes it easier for Inigo to secure compliance for the infrastructure and applications we run in Azure.

At the moment we’re using geo-replication inside the USA only. Our data is in Azure’s East and West coast data centers.


Infrastructure Security

Sensitive data: Inigo allows users to add any kind of personal information into the system. The nature of business cards is that the information is meant to be shared with others.

We take extra steps to prevent web crawlers and hackers from scanning for and discovering our cards.

Network

We have clearly defined network guidelines. They are regularly reviewed and we require all employees to apply them to all appropriate networking devices.

Inigo requires all employees to have a firewall installed and configured to monitor the inbound and outbound traffic of their workstations.

As mentioned above, WiFi encryption is required.

All internal traffic that potentially carries sensitive information (including but not limited to passwords, emails, files, source code and management traffic) goes over encrypted protocols.

G-Suite and Azure are configured to send alerts if suspicious activity is detected.

Servers

Since our entire infrastructure is hosted on Azure, we don’t have any servers to manage, neither hardware nor virtual.

We do have comprehensive logging in place that records all Azure management console sessions and audits all relevant services (databases, App Service, blob storage, etc.).

Access to the production database service is limited to a list of static IPs assigned by the information security officer.

Advanced Auditing and Threat Detection are configured on Azure.

Azure security advisor is set to give recommendations that are checked and implemented on a regular basis.

Administrative Access

Access to the Azure management console is allowed to only 1 person in the organization, who is in charge of the cloud infrastructure.

Inigo uses TeamViewer when the information security officer needs administrative access to an employee workstation in order to help with home office security configuration.

Backups

Backups are stored on the Azure blob storage service in a secure, non-public section.

The database is automatically backed up by Azure and can be restored to any minute within the last 60 days.

Logs are stored in Azure blob storage as well with longer data retention than is available in the database.

We have tested that we are able to restore the entire system from backups.


Clients (Workstation, Laptops, etc.)

As mentioned before, all of our employee workstations are located in home offices. To harden our security we have the following policies in place.

All operating systems must be modern, up-to-date versions supported by their manufacturers. Automatic updates must be enabled. Critical security patches recommended by the manufacturer must be installed without delay.

All employees are required to have up-to-date antivirus software and a firewall installed on their machines. Inigo picks a recommended antivirus every year.

Employee workstations must never be left unlocked while unattended. A 15-minute timer automatically locks the machine and requires the login password to unlock it.

Systems are set to log security-relevant events, such as authentication, data access, etc.

Users are local administrators on their machines.

Local Administrator/root accounts are disabled on all machines.

All company documents are stored in cloud systems and we prohibit making local copies.


Technical Security Testing

Inigo’s information security officer has the know-how and hands-on experience to perform in-house security assessments, in addition to a 3rd-party security expert advisor who has been helping us along the way.

Our software development team often performs code reviews and web application penetration tests to avoid common software vulnerabilities such as SQL injection, unauthorized access, query string manipulation and man-in-the-middle attacks.

User privacy and security is a major concern for Inigo. We are experienced and well aware of the risks involved in building software solutions. A security expert always reviews the designs and system architecture to assess the security aspect of every feature and component. Nothing goes into development until it has been approved from an information security standpoint.

Security Contact

For any security question or concern, please contact pavel@inigoapp.com



Web Application Security

Application Metadata

The name of the application: Inigo App

A brief description: Inigo lets you create, exchange and update digital business cards on the fly, so you can share the marketing & contact information you want with new connections in any situation and track who viewed or saved it.

The Inigo web application is an HTML5 application that works in most modern web browsers. It does not require any additional frameworks, downloads or installations (such as Silverlight).

Vulnerability Reporting and Management

We have a published support email contact, which is the primary way for users to report security issues. Incoming reports are reviewed and triaged promptly.

HTTPS and Mixed-Content Risks

The web application is reachable exclusively over HTTPS. Even if the user manually edits the URL to start with http://, it will redirect to https://.

The one exception is our URL shortening domain clickmy.info, which accepts http:// links because the system immediately redirects the user to https:// and no sensitive data passes over http://.
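The HTTPS-only rule above, as an added example (not Inigo's code): a request handler that redirects plain-HTTP requests to https:// while keeping the path, so short links on clickmy.info still work. It assumes the app sits behind a TLS-terminating proxy that sets X-Forwarded-Proto (as Azure App Service does), and that the canonical hosts are www.inigoapp.com (assumed name) and clickmy.info.

```javascript
// Added example, not Inigo's code: enforce the HTTPS-only rule described above.
// Assumptions: a TLS-terminating proxy sets X-Forwarded-Proto, and the canonical
// hosts are www.inigoapp.com (assumed name) and the shortener clickmy.info.
const KNOWN_HOSTS = new Set(["www.inigoapp.com", "clickmy.info"]);

// Work out the client-facing scheme. Behind a proxy the socket is plain HTTP,
// so the proxy's X-Forwarded-Proto header is the only reliable signal.
function clientScheme(req) {
  const forwarded = req.headers["x-forwarded-proto"];
  if (forwarded) return forwarded.split(",")[0].trim().toLowerCase();
  return req.socket && req.socket.encrypted ? "https" : "http";
}

// Returns { status, headers } when the request must be answered without
// serving content, or null when it may proceed over HTTPS.
function enforceHttps(req) {
  const host = (req.headers.host || "").toLowerCase();
  // A redirect built from an arbitrary Host header is an open redirect the
  // client controls; only ever redirect to hosts we actually own.
  if (!KNOWN_HOSTS.has(host)) return { status: 400, headers: {} };
  if (clientScheme(req) !== "https") {
    // 301 keeps the path, so an http:// short link or deep link still works.
    return { status: 301, headers: { Location: "https://" + host + req.url } };
  }
  return null;
}

// Header for every HTTPS response so browsers never try http:// again (HSTS,
// added here as the usual companion to the redirect; not mentioned on the page).
function hstsHeader() {
  return { "Strict-Transport-Security": "max-age=31536000; includeSubDomains" };
}

// Constructed requests showing the three outcomes.
const SAMPLE_REQUESTS = [
  { headers: { host: "clickmy.info", "x-forwarded-proto": "http" }, url: "/abc123" },
  { headers: { host: "www.inigoapp.com", "x-forwarded-proto": "https" }, url: "/cards" },
  { headers: { host: "evil.example", "x-forwarded-proto": "http" }, url: "/" },
];
for (const req of SAMPLE_REQUESTS) {
  console.log(req.headers.host, JSON.stringify(enforceHttps(req)));
}
```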

Authentication and Authorization Basic Information

Our application requires regular users to log in. Most features aren't available without logging in.

In addition to an interface for regular users, our application provides an administration interface.

There is just 1 managerial role in the application.

Common Web Vulnerabilities

The application uses a database back end that can be queried with SQL.

The application has an image upload feature.

The application loads active content, such as scripts, applets, or style sheets, from third-party servers (i.e., any server that is not under our direct control).

The application processes or manipulates JSON.

The application uses cryptography to encrypt data or protect its integrity.

Cross-Site Scripting

We use a system that automatically escapes all user input before redisplaying it.

User input is validated on the client and then on the server.

We use Entity Framework and AngularJS to protect against XSS.

The application does not deal with user-provided HTML that needs to be displayed to the user.

In addition to applying these strategies, the application sets a valid and appropriate content type and character set for each page (in the Content-Type HTTP header).

We know about DOM-based XSS, and we take specific steps to protect against this kind of vulnerability by not relying on client-side validation. Everything is evaluated on the server to confirm that the user is authorized to perform the requested action.

Testing, QA, and Monitoring

Unit Testing: Inigo developers use tests to confirm that the basic building blocks of the application work as expected. Inigo also uses unit tests to check security features: for example, to confirm that requests fail without a valid token, that authentication is required to access user data, or that unexpected HTML tags can't get through input filters or escaping routines.
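An added example (not Inigo's code) tying together the Cross-Site Scripting section above and the security unit tests just described: an output-escaping routine that keeps unexpected HTML tags out of rendered cards, a server-side authorization check for edits, and the checks a unit test would make against them. All names (escapeHtml, renderCard, authorizeEdit, the fixtures) are assumptions.

```javascript
// Added example, not Inigo's code. Names and fixtures below are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can change HTML structure or break out of an
// attribute. Escaping on output, not on input, is what makes "automatically
// escapes all user input before redisplaying it" hold on every code path.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a business card. The markup is fixed; only escaped data is interpolated,
// so a name like 'Alice <script>...' is shown as text rather than executed.
function renderCard(card) {
  return '<div class="card"><h2>' + escapeHtml(card.name) + '</h2>' +
         '<p title="' + escapeHtml(card.title) + '">' + escapeHtml(card.title) + '</p></div>';
}

// Server-side check for an edit request: a valid session token AND ownership of
// the card. This is the "everything is evaluated on the server" rule; client
// validation may reject early but is never the deciding check.
function authorizeEdit(request, sessions, cards) {
  const userId = sessions.get(request.token);
  if (userId === undefined) return { ok: false, status: 401 }; // missing or invalid token
  const card = cards.get(request.cardId);
  if (!card) return { ok: false, status: 404 };
  if (card.ownerId !== userId) return { ok: false, status: 403 }; // user A touching user B's data
  return { ok: true, status: 200, card };
}

// Constructed fixtures (not real accounts or cards).
const SESSIONS = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]);
const CARDS = new Map([
  ["c1", { ownerId: "alice", name: "Alice <script>alert(1)</script>", title: 'CEO, "Inigo"' }],
  ["c2", { ownerId: "bob", name: "Bob", title: "CTO" }],
]);

// The security unit tests the page describes, as checks that each return true.
function securityChecks() {
  const html = renderCard(CARDS.get("c1"));
  return {
    noTagSurvives: !html.includes("<script") && !html.includes('"Inigo"'),
    tokenRequired: authorizeEdit({ cardId: "c1" }, SESSIONS, CARDS).status === 401,
    ownerOnly: authorizeEdit({ token: "tok-bob", cardId: "c1" }, SESSIONS, CARDS).status === 403,
    ownerAllowed: authorizeEdit({ token: "tok-alice", cardId: "c1" }, SESSIONS, CARDS).ok,
  };
}

console.log(securityChecks());
```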

Release testing: Before a new version of a product is released, human testers go through the application, try the new features, and make sure previous features still work correctly (regression testing). Security testing is included in this process as well. For example, we verify that user A cannot access the data of user B.

Monitoring: Once the application is deployed, the focus shifts from testing to monitoring. We watch out for unexpected spikes in error rates, sandbox violations, and other flaky or inexplicable behavior (including intermittent failures) — and before we dismiss an anomaly, it is checked by our security team.

Post-Launch Monitoring

Inigo has robust procedures in place to log and monitor for unexpected crashes, exceptions, and other error conditions. If something looks suspicious, a security-conscious engineer evaluates it.

After major releases are stabilized, we manually analyze error reports on a monthly basis, looking for edge scenarios we didn’t catch during testing and QA.

In addition to that we employ Azure Application Insights and telemetry to analyze and alert the team about spikes and changes in application behaviour. This tool has proven to be very effective and has saved us in the past by identifying issues minutes after they started to happen, allowing the team to respond in time and with minimal customer impact.


Security and Privacy Programs

Security and Privacy

Inigo has an established security program, and the scope of the program touches all aspects of doing our business.

Security Controls

A privacy policy available to the public, users and customers, describing how we protect the security and privacy of data.

Internal policies and guidelines for the safe handling and protection of data.

Internal reviews of the security and privacy policies with 3rd party advisors. Advisors help to evaluate and improve the security and privacy program.

A review process to ensure that our service providers and subcontractors are capable of taking appropriate steps to protect data and systems.

Unfortunately, security incidents are no longer a matter of "if," but "when." Therefore Inigo has the know-how and training in place to ensure that incidents are quickly contained, investigated and communicated to affected customers. Most importantly, we have a lessons-learned practice whose findings are communicated to the whole company to raise awareness and mitigate the risk of a similar incident happening in the future.

Inigo has a change management process to ensure that all changes to systems are appropriately reviewed and deployed. The information security officer has to approve all design changes and review the architecture from a security perspective.


Security and Privacy Policies

Information classification. Employees have access only to information they have a business need to be exposed to. All employees sign a non-disclosure agreement with Inigo.

New employees go through security training by the information security officer. Requirements and policies are explained and discussed.

Physical security requirements must be met before the employee can start working with company materials. The information security officer connects to the workstation and assesses that it is safe and meets company requirements.

Workstation security is implemented and verified by the information security officer.

Access control. Since all company files and documents are hosted in cloud systems, Inigo assigns permissions to the assets that are critical. No blanket permissions are given, without exception.

Authorized/unauthorized use and disclosure of data

Software development. Source code is stored in the cloud, with a local development copy on the developer’s machine. We make sure the repository is clean of any production connection strings and that there is no way for a developer to connect to production environments.

Incident management and response procedures for security and privacy incidents

Internal Assessments

An internal information security and privacy review is performed every year in February.

The information security officer receives training on the subject and attends professional meetups at least once every 3 months to stay informed about changes in the industry.

The scope of the internal assessment includes the entire security and privacy program, as well as all operations, services, and systems that involve access to customer data.

Partner Security Program

Inigo selects suppliers to meet and exceed the industry standard. As a small company we have made a strategic decision to work with proven technologies by tech giants that have the means and budgets to get certifications and pass extensive audits to serve any government or military.

The information security officer gets training to understand how to implement the vendor’s platform for use by Inigo from a security standpoint.

Personnel Security

Inigo has written job descriptions for employees with access to confidential or sensitive information.

We have processes in place to ensure that access to data is granted solely on a "business need-to-know" basis, in accordance with the job descriptions and responsibilities.

We have a disciplinary process in place for handling policy violations. Mistakes happen, but regular offenders have no place at Inigo, as they pose an existential threat to our company.

Inigo revokes all access when an employee, intern, vendor, contractor, or other associate leaves the company or a contract ends.

Upon hire, and at least once per year, all employees receive training and a refresher on data security.