Security Program at Moesif
Moesif has implemented robust security procedures throughout the platform and organization. Moesif maintains an active SOC 2 Type 2 attestation available in the Moesif Trust Center and is a big believer in zero-knowledge and multi-layer security for protection of your data. The founding team are engineers that have worked on CPU architecture and sensitive microcode patches at Intel to handling sensitive payment data at Microsoft for XBox Live and MSN.
Moesif also acknowledges that no environment can guarantee absolute security. Moesif recommends either masking sensitive data such as ePHI (electronic Protected Health Information) or PCI DSS (Payment Card Industry Data Security Standard) using our SDKs mask function or leveraging Moesif's client-side encryption feature to meet compliance requirements for sensitive data like financial and healthcare.
API Tokens
All Collector API tokens for data ingestion are write only tokens that are signed using HMAC SHA-256. Publishable Application Ids are safe to put in untrusted apps such as javascript running in a browser. Secret Application Ids should not be placed in untrusted apps.
Management API tokens are also signed using the HMAC SHA-256 algorithm and can be limited to specific resource scopes and can have a specified token expiration date. Please follow the principle of least privilege and add only the minimum scopes that you need for the access token. If you need a short lived token to perform certain maintenance tasks, create a token that expires in hours or days.
Moesif creates unique keys for each use case. Those keys are not reused for unrelated purposes.
SSL
The Collection API, Management API, and moesif.com web portal all use SSL using Transport Layer Security (TLS) 1.2 or higher and the latest SHA-256 algorithm for encrypting all network traffic. Moesif's SSL implementation received an "A+" on Qualsys' SSL Labs. All of our open source SDKs and agents are configured to use HTTPS. The moesif.com domain also has HSTS enabled.
Encryption at Rest
Moesif encrypts customer data while at rest of both production data and backups using 256-bit AES encryption with encryption keys stored in Azure Key Vault. Data is stored only in the cloud in ISO/IEC 27001 and ISO/IEC 27017 compliant data centers in Microsoft Azure which further provides fault-tolerance and strong access control to physical machines. However, we don't simply rely on Azure for security and implement our own access control.
To keep sensitive data private to your organization, Moesif provides client-side encryption via the secure proxy appliance for enterprise customers which enables zero-knowledge security with customer-managed encryption key.
Backups
Snapshots of customer data are made multiple times per day and redundantly archived in Azure Blob Storage geographically separate from live data. These backups are regularly tested. Moesif also backs up all streaming data via continuous replication to ensure a Recovery Point Objective (RPO) of almost zero.
Data Storage Location
Moesif customer data at rest currently resides in the United States of America.
Server Infrastructure
The Moesif platform runs on hardened hosts with tightened security groups, role-based access controls, and isolated virtual networks on the Microsoft Azure platform. A business reason and approval must exist before employees or management is granted to a portion of the production infrastructure. Development environments do not have access to production data stores or virtual networks. Employees engaged in customer service can access a web portal with access to customer data similar in structure to the Moesif end user portal. Access to this system is logged.
Moesif infrastructure uses Azure Active Directory for RBAC with 2FA required. Moesif disables SSH authentication via passwords for production Linux machines.
User Authentication
Moesif offers Single Sign-On (i.e SAML and Okta) and role-based authorization control for enterprise plans. Moesif also offers the ability to enforce a specific social identity provider (i.e. Google or GitHub) for all paid plans. Moesif provides guidance for new users when choosing a password and will alert your team members when a reused password was leaked even on other websites. Moesif uses Auth0 service for user authentication which never stores passwords in plaintext and ensures all passwords are hashed and salted via bcrypt. More information on Auth0's security can be found here
Monitoring
Moesif continuously monitors access to its infrastructure. Automated vulnerability scans and penetration testing are regularly performed.
Workstations
Moesif has security policies and tooling in place for company workstations which enforces Full Disk Encryption and auto lock when left unattended. Bring Your Own Devices are protected with Mobile Device Management (MDM).
To prevent phishing scams or other cyber attacks, Moesif has deployed DMARC which builds on existing mechanisms like DKIM and SPF to detect and prevent email spoofing. Moesif also keeps logs on such spoofing attempts.
Vendor Passwords
Moesif's critical accounts (AWS, Azure, Google, GitHub, Chargebee, Slack, etc) enforce mandatory 2FA for all employees or Single Sign-On when available. If allowed by a service, Moesif makes SMS based 2FA disabled as SMS is considered insecure for 2FA. Moesif employees are encouraged to use the company provided password manager and never share passwords across accounts.
Payment Information
Credit card and payment information is held by our payment providers, Stripe and Chargebee. Moesif does not store any payment information. If you signed up via a partnership program that integrates billing such as Heroku or AWS, your payment information may be held at that partner instead of our own payment providers.
Reporting an Issue
If you believe you’ve discovered a bug in Moesif’s security, please get in touch at security@moesif.com and we will get back to you within 72 hours, and usually earlier. You will find our PGP key in case you need to encrypt communications with us. We request that you not publicly disclose the issue until we have had a chance to address it.
Please include:
- A summary of the problem
- A severity rating of 1 - 5 (1 being least severe, 5 being most ie. you can easily hijack, impersonate or access any other account or data)
- A PoC or breakdown of how to replicate the issue.
- The operating system name and version as well as the web browsers name and version that you used to replicate the issue
PGP
If you plan to include tokens or any sensitive information, please kindly use PGP to encrypt your email.-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFo4cdcBEADfkSRrTdrtt1GWvs5HNtN/mVAiw5Oopue2n1pq9HN3h00BZGzY nKJQzpxo/p/swTfrTzw8XA3BhZ5pgAm8rFZ3MYsYcC7oCbYrpniORdu9URx/4FGh q4aVHSt5ZVjA0c4hVs7TwdSCS/Zh7uZiII9IXxJAMXmkJ6ilgUN95IJy7ZujRyEJ 2xQiQJza6evvW3O3pLlvY1cqM6EtgqGH225j1pwIBMXBNvkd0RbpPgJP8oiJwjLH I5fgXTP8Q5phjb8gW6RJCOO9LLD33i+VXaATwEbof8lPwwJRaMQzRXoHucIxbWFH AMK8wmByH6BTahmd4rYgkpf/ZLcbHtggljWMBqavYmqH3wcP+Be68lPX146WXx12 igGdDtiGNO18NQwTUojACKNkRy/nAVXBThyufsKSDKm6fERmU5GAQtHC1naTThVN YX7y1z1YyIl+wDnbERjHZGpbyAcWAdVEq+DRKKGeho2Jh5A67SmFS0smFKAjC1CJ 1m1aRKEIjxtqtlBzLj1Mqz4w1eH8749RUPA4T0EiGibcNUTh2utAxMrpO8x8PU7X jND+z/dbR7C4ybcbwzHJP9UI3N6oxxYa9BwGPwP8enkriQM4yHeVawweOhX3g8vd R5i8ciWIaCNQJ5rJr2E4fMlvHqHiFJM5jMrOzDzhaM0WNvDhKU/PIKznHwARAQAB tCVNb2VzaWYgU2VjdXJpdHkgPHNlY3VyaXR5QG1vZXNpZi5jb20+iQJUBBMBCgA+ FiEEe2ECxQ/sqy8csacJ0KRwmaM5xsIFAlo4cdcCGwMFCQeGH4AFCwkIBwMFFQoJ CAsFFgIDAQACHgECF4AACgkQ0KRwmaM5xsJ1exAA3r/A4gzwal5cSp+gDoCmWJTN xmihd9iPrOsgjDnfMwcCSUQpAklLWH54RlySn4qyZhSg3SDoNuKtM+Fz1M7c1WN3 MQpSN1YD8EDaq4Ww8+CtoF1VhEy4oPsllg7AzrzaaSqOvv43TOGSOG1ICXNH+GwZ KaC8WoOMsp/NNGovXx5Tepr9d7ve/Xp0RTz1M0WnX6703niWqs+ZOx5iOXcCYBJJ fI0PDmpMG0CmjVLQx3YkSFaR3oj+wfEOGgxveT4NlIDjuKxgHsjgGQWx4biUfwe+ K+/voc+/vb8LE1CxvBzmdPa3jIBVbyCdwXp3mFpHj7RIXC3ZAiXgwy8ofqJEGuLw S8LgqrKI/j9A1rZcf37aPaaoWZh433oixkcF82jQnYGQqbc9Ger9XfzYEznTiDac GSBtsx6a8reKKrl/I+Dh3WX/tgoBHWWs/u7o0MDCtfZtEa/llYKXBf6lPdO5UXnH MHZyI0x4pAYnQAIjO6MG5SAX7c0zOS16J6dty0JywQe5RzApvhegflnDzn43OGDj 95p1bZQ0FuIFrux7TyK2vLtb2ZEm26GUYxlYQt8j9I6Xz7pQ1qkP2VsfwSG1iHPY /pBOc8lDohP+MEbsj4io5vaj/oO6KtGW1R8nKAzSQxLKLwgHTlDeeHo4yNP7mKvB 5JwOebhWeGwIgfqi08S5Ag0EWjhx1wEQAPRJqyDE40uYGG9ZlGiN84k0NIUA0sCt tZ1jp5GR7m6oAzdbnq4zsX1S8DE2AmkiYAzzpI3IRvWJrWp9T077MER9k5CWG9Gl Rg/snaDg5KfIaQENL8FjjFJ/yAqIlVlA/KMUvPWTr+ISqjMZPRbgOZMwgPCnLvgc 0QOCD0Obm5Z2FmRm5zIWGouzOOIEhHA+kWJ90msR52xgFQE/xJ25bTVRNjqOqrSn 95VPkydYvC+quWmuWnwfIa8yPTI8smocYSJFkSSVM/6FNMK6s0Rb73YzdVgdFIBy 47OL2dLsNoDVBUilLxSp2BtU64jPGcdimxzoeN+AfiRw5NV6cjHv3Ii2PtsmH8iZ yeolj5DmhTn+Fh/rrgxKls5m65aVJqyI/6nRGrSN3QfwTHe3lXnb1jSlp03E4yE9 O/+fGvXbCPeaR60gzlHez0towT+VCCSsBVekvVXoa3Rki4JR8KtF5IZNDleR31Ln me+yb5/hHMAZvisez5pdYIqKqJ5SFrW09LQo1nrashJagyoNKdbFJNYgIU2K4lf/ Zi37mFF0b/Ng+t99HTzDiXEdSd9wmDzoXCzIcuDAw5t1KuWCEoBY44L2vxYJl1ba lvlsqeQLQm1knB7vff7iTmwVgnou2naLSHc+XtyjkhBHEzCOijYmQ1xXXAYVpTro 4Vaddn/kB/bLABEBAAGJAjwEGAEKACYWIQR7YQLFD+yrLxyxpwnQpHCZoznGwgUC Wjhx1wIbDAUJB4YfgAAKCRDQpHCZoznGwp5vEACEFRL+9H8ocz360WJNaq6NBjWO bVl69F6Dwd+cSatLXvAmpkInFi8rrYDLsIefoLrKYHqOyC3WHspjxd3NUPXPlG4s EPMWn0tfPMnTwVREABy2g4qc15eBvTwVD3bipJ7Vh9Nyt3ZW4ffrnubLyqFwHtD3 3fnIszqRx/Wu0Ldbt7e5/fEIoj4enlJnoKUqEDL7yhWTEjznGf+ARY6YUxaPdB4t VFdYhiKjegV7/YcGsLmdoXW15tfTpfqsts0ZUO/NhVR5CwvvSZhNuBvWA9svXSBp UlkRhKCuUYNy0qGTZyslUsAcfEPTlDro74Cpk1eCN9dr4loeF+dSAciKC7g+DX9B Bjs6fkxQNYh6psSD04HvauVAdZ+FmVwdntXY328h2arbc0POdz+7SH9n+rp3OOg7 wMVIdLJ0q2PHYqzCwtZYp1FvkCHd7qaEvpzYbW+m8AZ5/VaBB5xnHygqQUZaMaRV 5WIdYpTs901xPKNq6WvE3goVs03FSZyCGZxz/cHPycI6MnoyS9+ThYd//RdiTBdg +r1FdVKz4qJy1xSkD9kHAk5dsTsxEBuvgk4D9jxuSg6C4YYsR+4nM3wwuXgRPWYL 1TVO8wjBkUOLkFJcs+RwMtgGbIh1ZFteKT6uz0ljbrf68O9bUYvxRKqY1Wi0nURJ mC/ocTK0naTWcOF84w== =nWda -----END PGP PUBLIC KEY BLOCK-----
Non-qualifying vulnerabilities
We will unlikely review and respond to the submissions of the following types:
- "Scanner output" or scanner-generated reports
- "Advisory" or "Informational" reports that do not include any Moesif-specific testing or context
- Denial of Service attacks
- Brute Force attacks
- CSV Injection
- Security issues in apps or services that are not operated by Moesif (including third-party services and websites operating on Moesif’s subdomains)
- Vulnerabilities requiring physical access to the victim's unlocked device
- Spam or Social Engineering techniques
- Issues relating to Password Policy
- Non-sensitive information disclosure (such as product version, path, etc.)
- CSRF in actions that are non-significant (e.g., logout) or do not require authentication (or a session) to exploit
- Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
- Self-XSS without demonstrating a real impact for users
- Lack of security mechanism or inconsistency with best practices without demonstrating a real security impact (e.g., lack of security headers)
- SSL/TLS issues from scans or known best practice issues
- Vulnerabilities that only affect users of outdated or unpatched browsers
- Insecure cookie settings for non-sensitive cookies
- Bugs that do not pose any security risk
- Publicly-released bugs in internet software within 3 days of their disclosure