Better Security, Better Communication: Prokeep Completes SOC 2 Type II Audit
Introduction
Ensuring the security and safety of our clients’ data is of paramount importance at Prokeep. We are continually striving to improve our security and data protection stack by utilizing improvements in policy, control, and digital security measures. In the spirit of meeting this continuously changing challenge, we are thrilled to announce that Prokeep has successfully completed our second annual SOC 2 Type II audit and certification process! We are very proud that we have earned a “clean sheet” SOC 2 audit report that had zero negative findings and that this certification shows off our commitment to continuous improvement and safe data policy and control. Let us tell you more about what SOC 2 certification is and how we plan to improve our security and data protection even further!
What is SOC 2?
The SOC 2 Type II certification is a rigorous third-party audit process that evaluates an organization's information security measures, focusing on the security, availability, processing integrity, confidentiality, and privacy of customer data. This certification goes beyond merely assessing the design of security processes; it also examines the operational effectiveness of these controls over a specific period. By achieving SOC 2 Type II certification, an organization demonstrates its commitment to maintaining high standards of data protection and operational integrity, providing assurance to clients and stakeholders that their sensitive information is handled with the utmost care and in compliance with industry best practices.
Security Overview
Big Picture
Prokeep’s overall security posture is largely governed by our internal security policies and controls. Our policies cover essential organizational security topics that include data protection, disaster recovery, passwords, system access control, and many more; our numerous controls are in place to ensure that all business operations are performed in adherence to the practices laid out in our policies. Our sets of policies and controls are reviewed regularly and work in tandem to ensure that Prokeep’s business goals are achieved in a way that safeguards important business assets, especially those of our customers.
Active Countermeasures
Prokeep’s offices, internal communications, and cloud-based system infrastructure are actively protected by a variety of countermeasures used to deter, identify, and mitigate threats. Some of the key practices we have in place include:
- Web application firewall - Prokeep’s production systems are safeguarded by a firewall with custom rules as a first line of defense for our application. This firewall actively protects Prokeep systems from malicious traffic and bad actors, ensuring that our services can remain secure and highly available.
- Encryption - Strong cryptographic practices are utilized across Prokeep’s business operations. In the context of our application, all customer data in Prokeep’s systems is always encrypted in transit and at rest using robust industry-standard encryption techniques.
- Intrusion detection systems - Prokeep employs intrusion detection systems to monitor all activity in our cloud infrastructure and report anomalous findings directly to our security personnel in a detailed report. This level of monitoring ensures a speedy response to any potentially malicious behavior and greatly reduces the chances of bad actors infiltrating our infrastructure.
- Continuous vulnerability scanning - We utilize powerful always-on vulnerability scanning tools to quickly identify vulnerabilities in our servers and provide detailed reports on findings. Security personnel have constant access to a live look at the current state of vulnerability findings in our servers and can quickly take action as needed.
- Live patching - All machines running production software are configured with live patching enabled, a method of applying updates and fixes on a server while the system is running and without the need for an interruption in uptime. This ensures that the systems responsible for running our application receive critical patches as soon as possible and without an impact on the customer experience.
Application Security
Prokeep has a variety of controls and systems in place governing the software development life cycle to ensure that all phases of our application’s development and deployment are performed safely and securely. Some of these measures include:
- Security training - All engineers hired by Prokeep must complete training about secure coding practices, including content published by OWASP, a long-standing international organization that focuses on providing up-to-date knowledge and resources regarding application security. Engineers are also given an annual stipend to pursue further training and ensure they are kept up to date with technical application security trends.
- Static Application Security Testing (SAST) - Static source code scanning is performed during all Prokeep software deployments. This involves the use of tools specially designed to scan source code in a variety of languages to check for vulnerabilities in the code. By running these tests before launching Prokeep updates we can minimize the chances of insecure code making it into a production environment.
- Dynamic Application Security Testing (DAST) - Prokeep also utilizes DAST tools for more comprehensive testing of our application. These tools simulate bad actors sending malicious traffic to our web application to test for common vulnerabilities, including flaws in application design and system configuration. Our security team leverages DAST tools to detect these vulnerabilities in the functionality of our web application and report them to be addressed by the development team.
- Penetration testing - Prokeep regularly utilizes both internal and third-party penetration testing, an approach that involves simulating attacks from bad actors against our web application and web API to test for flaws in our software or system configuration. We work with reputable professional penetration testing vendors to ensure these potential vulnerabilities are discovered and patched before cybercriminals have a chance to exploit them.
Looking Ahead
Security and data protection challenges are not going away anytime soon, and we plan to meet them head-on at Prokeep. We are and will continuously evaluate, test, measure, and implement new and better systems and technologies to protect and monitor our applications, networks, and infrastructure. On the policy and control front, we are working toward a 24*365 SOC 2 observation period goal to launch by the end of 2024. Embracing standards and certifications like SOC 2 is not just about meeting some regulatory requirement; it’s about setting a foundation for sustainable growth and innovation and more importantly, it’s also about gaining our client’s trust. Let us move forward with the commitment to uphold these critical standards, as they are essential pillars that will support us throughout our journey together.