Get answers to your questions around security, reliability, privacy, and compliance.
Protego collects application behavior metadata only. Even this metadata can contain sensitive information, particularly about the topology and operation of a customer's application; therefore, all data is encrypted both in transit and at rest.
No customer data leaves the customer sub-account. However, Protego does collect anonymous behavioral statistics to help tune detection models across accounts. We take several steps to ensure that the data we collect relates only to application behavior and never includes end-customer data or other sensitive information.
Protego requires several permissions in order to protect the account. However, we do not require permissions on all resources. A complete list of the required permissions is given in our Cross-Account Permissions document.
By default, no. However, if you would like Protego to apply automatic fixes for security bugs in your code, all you have to do is grant the necessary permissions and request the fix via the dashboard plugin or through the API.
No, the static analysis executes within the confines of the customer account. Customer code and intellectual property never leave the customer account and are not accessible from the Protego backend at any time.
No, the code is not reported, only the detected behavior. The analysis process only sends general information, including:
- The list of third-party libraries the function includes
- The cloud provider resources accessed by the function and the actions taken on those resources
- A list of code behaviors, such as whether the code accesses SQL or NoSQL databases, whether it processes HTML, etc.
- A list of risky code behaviors detected in the function, such as text-to-code conversion via eval or exec
Protego Labs uses Amazon Web Services, which is SAS70 and PCI compliant. All data is encrypted in transit and at rest. In addition, Protego Labs conducts annual penetration tests performed by a certified third party and adheres to the highest information security industry standards.
Data is retained according to an account retention policy. Basic accounts typically store data for 30 days. Paid accounts store data for 1 year unless otherwise mutually agreed with the customer. Data retention is implemented using S3 and DynamoDB TTL settings. Additionally, a periodic housekeeping operation ensures that data has been erased according to policy.
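One way to implement the tiered retention described above, as an added example that is not Protego's own code: the TTL value written per item, the matching S3 lifecycle rules, and the housekeeping sweep that catches anything DynamoDB's best-effort TTL has not yet removed. The tier names and day counts come from the text; the item layout, attribute names and the 48-hour grace window are assumptions.

```python
# Retention bookkeeping: an added illustration, not Protego's own code.
# Tier names and day counts follow the policy above; item layout, attribute
# names and the grace window are assumptions.

DAY = 86_400
RETENTION_DAYS = {"basic": 30, "paid": 365}   # retention per account tier (days)

# DynamoDB removes expired items asynchronously, typically within 48 hours of
# the TTL timestamp, so the sweep only targets items older than TTL + grace.
TTL_GRACE = 2 * DAY


def expiry_epoch(account_tier: str, created_at: int) -> int:
    """Epoch seconds to store in the item's TTL attribute (KeyError on unknown tier: fail closed)."""
    return created_at + RETENTION_DAYS[account_tier] * DAY


def make_item(account_tier: str, record_id: str, created_at: int, payload: dict) -> dict:
    """Build a DynamoDB item; 'expires_at' is the attribute the table's TTL setting names."""
    return {
        "record_id": record_id,
        "account_tier": account_tier,
        "created_at": created_at,
        "expires_at": expiry_epoch(account_tier, created_at),
        "payload": payload,
    }


def s3_lifecycle_rules() -> dict:
    """Matching S3 lifecycle configuration: objects under each tier prefix expire after the same period."""
    return {"Rules": [
        {"ID": f"retain-{tier}", "Status": "Enabled",
         "Filter": {"Prefix": f"{tier}/"}, "Expiration": {"Days": days}}
        for tier, days in RETENTION_DAYS.items()]}


def housekeeping(items: list, now: int) -> tuple:
    """Periodic sweep: drop items past TTL + grace; return (kept, deleted_ids) for the audit trail."""
    cutoff = now - TTL_GRACE
    kept = [it for it in items if it["expires_at"] >= cutoff]
    deleted = [it["record_id"] for it in items if it["expires_at"] < cutoff]
    return kept, deleted


if __name__ == "__main__":
    # Constructed sample: two records created 2024-01-01T00:00:00Z (epoch 1704067200).
    t0 = 1704067200
    items = [make_item("basic", "b1", t0, {"function": "api-handler"}),
             make_item("paid", "p1", t0, {"function": "billing-worker"})]
    now = t0 + 35 * DAY  # 2024-02-05: the basic record is 5 days past its 30-day TTL
    kept, deleted = housekeeping(items, now)
    print("deleted:", deleted, "kept:", [i["record_id"] for i in kept])  # deleted: ['b1'] kept: ['p1']
```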
All data is encrypted in transit via TLSv1.2. Data at rest is encrypted using AWS KMS cryptography with an HSM backing key, which is itself stored encrypted under the AWS domain keys. All encryption keys are rotated regularly.
As a security company, we are security-oriented and make sure our releases are impregnable to malicious attacks. Each release cycle is accompanied by a barrage of manual and automated QA tests (as detailed in the Product Testing E2E and Unittest Test Plans, available under NDA) to ensure no security breach is present in any official release. Additionally, once a year a full and comprehensive penetration test is conducted by a certified third party to ensure there are no security vulnerabilities.
The primary source of vulnerability data we use is the NIST database; updates are processed automatically every day via the CVE-Modified data-feed API. Additionally, our research group triggers more frequent updates as necessary when specific high-risk vulnerabilities become known.
For selected customers, Protego can be deployed in a sub-account inside the customer's cloud account. This can help simplify compliance with internal and external regulation. In this case, Protego creates a cross-account role that enables management and upgrade of this sub-account, but at no time will data leave the customer account for Protego's account.