3rd Party Penetration Testing
Wiredrive uses a top tier web security company to complete manual penetration testing of the entire Wiredrive application, starting in October 2013. The same company also tests when new features are released that could potentially cause security related regressions. They also run continuous automated tests of the entire application. Quarterly reports are available to customers upon request. In addition, several Wiredrive clients have run their own 3rd party tests as part of their evaluation process.
Static Code Scans
As part of the SDLC (Software Development Life Cycle), Wiredrive runs a static code scan daily. This helps identify potential vulnerabilities long before the code is pushed to the production environment. Please see the case study published with our vendor Checkmarx.
Hosting and Cloud Providers
The entire core Wiredrive application is run in our co-located SSAE 16 Type II compliant data centers. This includes the web application, API, and asset storage. Wiredrive does not use any cloud providers for the core application.
All passwords are encrypted and stored in the database using modern cryptography according to OWASP best practices.
Reliance On 3rd Party Services
Wiredrive operates and owns all of our own server hardware in our co-location facilities. Cloud servers are used for select parts of our service. This is limited to URL shortening offered by bit.ly and mail relay provided by Mandrill. Billing, support, monitoring, and content delivery are also handled by third party vendors.
The main Wiredrive data center is located in a telco-grade facility in Los Angeles operated by Equinix. The DR facility is at a different telco-grade facility, also operated by Equinix. Both locations are SSAE 16 Type II compliant. Wiredrive uses multiple tier-1 ISPs and has a direct private link between the data centers.
Supported SSL Encryption Level
Top priority is given to modern cipher suites using 256-bit and 128-bit AES. Fallback is provided for situations where a browser supporting the latest features is unavailable. We have full coverage for Forward Secrecy on browsers that support it.
Logs for web servers and application access are kept for at least one year. Logs are collected in Splunk, a central log management server used for indexing and reporting. The application logs user access to the internal authentication service and to every part of the site. Reports based on the logs are audited for security access as well as for performance and business intelligence.