Security at Signal HQ

At Signal HQ, security is our top priority. Our customers expect the application to be continuously available and properly performing while protecting their data and keeping it private.

Security is something that requires many layers of protection throughout the application environment. It starts with team policies and procedures and touches continuous security monitoring tooling and automation built into the software development lifecycle. It extends to our partners and trained third-party security professionals that provide guidance, ensure compliance, and validate security across all areas of the organization.

Below are some of the most relevant areas of security that our team focuses and continues to expand upon:

Signal HQ has contracted an independent security firm for the purposes of performing application penetration tests twice per year. As part of our application penetration tests, a series of automated security tools are used to scan and find vulnerabilities across the application. Should vulnerabilities be found, our policies and procedures emphasize immediate action to reduce risk.

Our third party security vendor continuously performs a series of security tests targeted at our team to validate the strength of our policies and procedures across the organization using social engineering tactics.

We’ve implemented a system to continuously alert us of security vulnerabilities in application dependencies monitor our source code’s security using trusted open source tools. These tools are integrated into our continuous delivery pipeline to help prevent security flaws from being released into production, alerting us to any new issues that need to be addressed.

Signal HQ’s Web Application is fully hosted within Amazon AWS which offers a comprehensive set of security benefits. We apply AWS best practices for minimizing access on public endpoints and managing internal access for our team. For more information on AWS Security, please visit https://aws.amazon.com/security/.

VPC -
All Services are hosted within a Virtual Private Cloud exposing only the limited hosts/port mappings required for public API and internal access. All services within the VPC are partitioned into various Security Groups to restrict ingress/egress between services and the outside world.

Firewall - The Signal HQ Web Application’s external endpoints are each protected by an AWS Web Application Firewall (WAF). This protects the application from common web exploits that could affect availability and security.

DDoS Protection - Signal HQ leverages the Amazon AWS Shield, defending against the most common, frequently occurring network and transport layer DDoS attacks that target websites and applications.

Signal HQ has implemented common security tools and best practices within our infrastructure including:

Intrusion Detection - Our team has setup and configured an agent on all nodes within our application hosting environment to provide for Intrusion Detection that is integrated with our various monitoring and alerting tools. This provides real-time alerts for compliance requirements and monitoring of anomalous behavior.

File Integrity Monitoring - An agent is installed on all nodes within the application production environment to continuously perform File Integrity Monitoring with real-time notifications in the event an untrusted system modification is detected.

Security Monitoring - Our team has setup and configured tools to continuously monitor the AWS hosting environment. Configurations are continuously tested for compliance with AWS Best Practices. Additionally, Signal HQ has contracted a 3rd party security firm to continually monitors user and process behavior and is setup to detect anomalous file activity.

The Signal HQ team has years of experience building secure applications hosted in the cloud. We’ve leveraged this expertise towards building a secure application from the ground up, applying best practices at every step. This includes how code is handled, how sensitive keys are stored in the database, where our log files are stored, and what information gets logged.

Encryption - All traffic to our application endpoints are encrypted using TLS over HTTPS.

Password Policy - A default strong password policy is enforced for all organizations in the product. This helps ensure safety for all of our users who otherwise would put themselves at risk unintentionally.

Brute Force Password Protection - The system is designed to automatically detect and lock out a series of unsuccessful login attempts to prevent scripts / bots from being written to guess a user’s password. The system will put a 5 minutes block on any user with 5 failed login attempts.

Additional Considerations - In addition to the above application security concerns, the engineering team also gives consideration towards OWASP top 10, CORS, CSRF protection, XSS, hashed passwords with salts, JWT tokens, etc. while developing and reviewing new features.

Information security policies and procedures are communicated to our staff on their first day of employment and training sessions to ensure compliance and general security and privacy of our customer data.

Background Checks - All employees undergo background checks from an independent 3rd party firm before they are hired.

Password Management - All employees are required to use a password management application setup across the Signal HQ organization and maintained by our staff for all Signal HQ related passwords.

Security Incident Response - Signal HQ has a documented incident response plan for all urgent issues that impact the production system. Additionally, we have a Security Incident Response Plan for handling security incidents properly within the organization from containment to notification of impacted users within a specific timeframe.

If you have any further security questions or concerns, please reach out to us at: security@signal-hq.com