Do you practice safe SECS?
In a world where mobile apps, social media and the military community converge, the gravity of proper security design is paramount. The rise of cyber threats and ignorant use of technology are merely natural extensions of human nature. Luckily we, the Red White and Blue, have THE BEST security engineers and security architects in the world. These men and women work for our government and public/private organizations such as Amazon, Google, Endgame and the United States Cyber Command. They expend immense resources keeping our nation and the rest of the world safe on a massively global scale. Sandboxx is one of these organizations.
Before we get into details, a little acronym’ing for those new to these terms. For you seasoned SECs’ers, scroll down to Sandboxx’s Security below.
PII — As defined by Title 44 of the United States Code: “Personally identifiable information is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”
Example: Your name and credit card on the restaurant’s receipt from Tuesday’s lunch.
OPSEC — As defined by Defense Technical Information Center: “Operations security is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.”
Example: Your route to Tuesday’s lunch.
PERSEC — Personal Security — Focuses on protecting information such as PII.
Example: Refraining from publishing a selfie with your location on Twitter.
INFOSEC — As defined by Title 44 of the United States Code: “Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.”
Example: Tuesday’s lunch crowd, typically…
Most non-technical folks think PII and security vulnerabilities/failures live within remote mountain server locations or involve hackers at your local coffee shop out to steal your credit card information. As much as a good conspiracy captures our minds, the majority of problems are actually caused by ourselves.
As a nation, we have come a long way with technology and education to mitigate these risks. Nonetheless, humans are prone to making mistakes and operate under faulty assumptions about information, the platforms we use, and how data is stored and used. We must think ahead about how our actions and information may affect us in the future. Practice prudent, safe SECs!
Sandboxx’s Security Priorities
We are vigilant in hardening all software components to protect our users from attacks and threats. Sandboxx’s security infrastructure is built with many risks in mind, including those introduced by human error. The following are our top priorities:
M1 — Weak server side controls
M2 — Insecure data storage
M3 — Insufficient transport layer protection
M4 — Unintended data leakage
M5 — Poor authorization and authentication
M6 — Broken cryptography
M7 — Client side injection
M8 — Security decisions via untrusted inputs
M9 — Improper session handling
M10 — Lack of binary protections
APP SECURITY
Device is lost/stolen?
- Data at rest is encrypted and obfuscated using military grade encryption algorithms
Packet Sniffing
- Device connects to the cloud using TLS (Data link connection)
Man In The Middle Attacks
- Packets are not attributable — instead of the user’s email, we use a long, opaque user id (GUID)
Identity Theft
- All data integration with other services happens on the backend
- All payment information is stored with a third-party payment gateway (Stripe/PayPal — PII and PCI compliant)
APP PRIVACY
Private By Default
- All user data, posts, likes and comments are private by default
Self-Policing
- User can view another user’s profile only after they connect, which requires a two way handshake
Data Masking
- User addresses are masked to protect them from location specific information
Location Agnostic
- All geotags are removed from pictures posted on the app
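The “Location Agnostic” point above is a server-side step: a photo must lose its GPS metadata before it is stored or shown to anyone else. The following is an added example, not Sandboxx’s code; it is a small pure-Python JPEG segment parser that detects a GPS IFD pointer inside the EXIF block and strips the whole EXIF APP1 segment. The sample JPEG it builds is constructed inline (it has the right marker structure but is not a decodable picture), and the function names are hypothetical.

```python
import struct

# JPEG marker codes and the identifier that opens an EXIF APP1 metadata segment
SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825   # IFD0 entry that points at the GPS sub-IFD (where coordinates live)


def split_jpeg(jpeg: bytes):
    """Split a JPEG into its header segments and the tail starting at SOS/EOI.
    Returns ([(marker, raw_segment_bytes), ...], tail). Raises ValueError on malformed input."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while True:
        if pos + 1 >= len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(jpeg) and jpeg[pos + 1] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos + 1 >= len(jpeg):
            raise ValueError("truncated marker")
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            return segments, jpeg[pos:]      # scan data is copied verbatim, never parsed
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, jpeg[pos:end]))
        pos = end


def is_exif_segment(marker: int, segment: bytes) -> bool:
    return marker == APP1 and segment[4:10] == EXIF_HEADER


def has_gps_ifd(jpeg: bytes) -> bool:
    """Parse the TIFF structure inside each EXIF segment and report whether
    IFD0 carries a GPS IFD pointer (tag 0x8825)."""
    segments, _ = split_jpeg(jpeg)
    for marker, seg in segments:
        if not is_exif_segment(marker, seg):
            continue
        tiff = seg[10:]                       # marker(2) + length(2) + "Exif\0\0"(6)
        order = {b"MM": ">", b"II": "<"}.get(tiff[:2])
        if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
            raise ValueError("malformed TIFF header in EXIF segment")
        ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
        count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                # each IFD entry is 12 bytes, tag first
            entry = ifd0 + 2 + 12 * i
            if struct.unpack(order + "H", tiff[entry:entry + 2])[0] == TAG_GPS_IFD:
                return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every EXIF APP1 segment removed (GPS, timestamps,
    camera serial, embedded thumbnail). Other segments and scan data are untouched."""
    segments, tail = split_jpeg(jpeg)
    kept = b"".join(seg for marker, seg in segments if not is_exif_segment(marker, seg))
    return b"\xff\xd8" + kept + tail


def build_sample_jpeg() -> bytes:
    """Constructed test input: SOI, JFIF APP0, EXIF APP1 with a GPS IFD, SOS, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)            # big-endian TIFF, IFD0 at offset 8
    gps_ifd_off = 8 + 18                                     # IFD0 is 2 + 12 + 4 bytes
    rational_off = gps_ifd_off + 18
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off) + b"\0\0\0\0"
    gps_ifd = struct.pack(">H", 1) + struct.pack(">HHII", 0x0002, 5, 3, rational_off) + b"\0\0\0\0"
    latitude = struct.pack(">IIIIII", 38, 1, 53, 1, 2300, 100)   # GPSLatitude, made-up value
    exif_payload = EXIF_HEADER + tiff + ifd0 + gps_ifd + latitude
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    jfif_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif_payload) + 2) + jfif_payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + app1 + sos + b"\x00\x01\x02\x03" + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned = strip_exif(original)
    print("GPS before:", has_gps_ifd(original), "after:", has_gps_ifd(cleaned),
          "bytes removed:", len(original) - len(cleaned))
```

Dropping the entire EXIF segment rather than surgically deleting the GPS IFD is the simpler and safer choice: the TIFF structure uses absolute offsets, so partial edits are easy to get wrong, and EXIF also carries timestamps and device identifiers that are OPSEC-relevant on their own. Orientation is lost with it, so a production pipeline re-encodes the rotated image first. The same principle applies to HEIC and PNG uploads, which store location in different containers and need their own parsers.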
Content Moderation
- Inappropriate content can be reported which will be removed from the system after verification
PCI Compliance
- Stripe/PayPal have been audited by a PCI-certified auditor and are certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
API/Database
Data is securely uploaded/downloaded to our servers via SSL endpoints using the HTTPS protocol.
Only object owners have access to data resources.
We use Server Side Encryption (SSE) to encrypt data stored at rest. Our server provides the encryption technology for both SSE and SSE-C.
Our servers are SSAE-16 cloud security certified.
Our servers have built-in protection against Query Injection, Cross Site Scripting and Cross Site Request Forgery.
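Three of the claims above are really one design rule: identities on the wire are opaque GUIDs rather than emails, a profile is visible only after a two-way connection handshake, and only the object owner can read an object. The following is an added example, not Sandboxx’s code, showing that rule as an in-memory model; the class and method names are hypothetical, and it places the unchecked lookup (the pattern behind M5, poor authorization) next to the owner-keyed lookup that replaces it.

```python
import uuid


class NotFound(Exception):
    """Raised for both a missing object and an object the caller does not own,
    so the error response never confirms that someone else's object exists."""


def new_user_id() -> str:
    """Opaque identifier used in API traffic instead of the user's e-mail address."""
    return str(uuid.uuid4())


class SocialStore:
    """Toy in-memory model (constructed for this example) of connections and posts."""

    def __init__(self):
        self._pending = set()       # (requester, target): one side has asked
        self._connected = set()     # frozenset({a, b}): both sides have asked
        self._posts = {}            # post_id -> (owner_id, body)

    # --- two-way handshake -------------------------------------------------
    def request_connection(self, requester: str, target: str) -> bool:
        """Record a connection request; returns True once both sides have requested."""
        if requester == target:
            raise ValueError("cannot connect to self")
        pair = frozenset((requester, target))
        if pair in self._connected:
            return True
        if (target, requester) in self._pending:      # the other side asked first
            self._pending.discard((target, requester))
            self._connected.add(pair)
            return True
        self._pending.add((requester, target))        # wait for the other half
        return False

    def can_view_profile(self, viewer: str, subject: str) -> bool:
        """Private by default: a profile is visible only to its owner and connections."""
        return viewer == subject or frozenset((viewer, subject)) in self._connected

    # --- object-level authorization ----------------------------------------
    def create_post(self, owner_id: str, body: str) -> str:
        post_id = str(uuid.uuid4())                   # unguessable, but not a secret
        self._posts[post_id] = (owner_id, body)
        return post_id

    def get_post_unchecked(self, post_id: str) -> str:
        """The insecure pattern: anyone who learns a post_id can read the post."""
        return self._posts[post_id][1]

    def get_post(self, requester_id: str, post_id: str) -> str:
        """The hardened pattern: the lookup is keyed on the id AND the caller."""
        entry = self._posts.get(post_id)
        if entry is None or entry[0] != requester_id:
            raise NotFound(post_id)
        return entry[1]


if __name__ == "__main__":
    store = SocialStore()
    alice, bob = new_user_id(), new_user_id()
    print("first request completes handshake:", store.request_connection(alice, bob))
    print("second request completes handshake:", store.request_connection(bob, alice))
    post = store.create_post(alice, "Tuesday's lunch")
    try:
        store.get_post(bob, post)
    except NotFound:
        print("bob cannot read alice's post")
```

The detail worth copying is that `get_post` returns the same `NotFound` whether the id is wrong or the caller is not the owner, and that the GUID itself is never treated as the access check: a random id hides who a user is, but only the owner comparison decides what they may read.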