Security

Security From The Ground Up

ChimpChange invests heavily in IT security to ensure the safety and security of our customers and company. Security has been very carefully considered and included throughout the development of ChimpChange’s application. We follow military-grade security to protect our servers and databases as well as encrypting all network communications between network devices.

Security Testing

ChimpChange follows the “hack yourself first” motto. We conduct on-going penetration testing against IT systems and applications as well as perform Red Team operations against our Company. This ensures that our systems are secure and we are always ready to defend our systems against IT threats.

Application Security

In addition to on-going security testing, we perform security source code reviews (both manual and automated) for all of our applications.

We also understand that Application Security is not just about security testing and security reviews, it’s about writing secure code from the outset. Our company has implemented fully-fledged secure software development practices whereby our developers are trained in application security which is present throughout the development lifecycle of our applications.

We aim to defend our applications against all of the vulnerabilities listed in the OWASP Top 10, as well as any atypical (and often awesome?) security bugs that our security team discovers.

Network and Infrastructure Security

Our servers are stripped of any piece of software other than what is required.

We harden the configuration of all our servers (accounts security, memory corruption protections, etc.) and the network services we deploy.

And after all that, even if hackers can penetrate the system, we employ strong intrusion detection and prevention practices and have an incident response team ready 24/7.

Bug Bounty and Open Source Security

To further ensure that we have top-notch security, we welcome feedback on security vulnerabilities. Those who notify us of a vulnerability, give us a reasonable time to respond to the issue before making any information about it public, and act in good faith not to degrade the performance of our services (including denial of service), are eligible to get paid for the vulnerabilities they discover.

We also strongly believe in open-source security and use many of the security tools developed by the IT-security-industry elites.

Encryption (Aka “I have SSL, I’m Secure”)

Yes, we use SSL and TLS throughout our network… But you already knew that network encryption practices don’t mean anything about “being secure”. Nonetheless, we thought we’d mention it for the security layperson 🙂