At Nucleus we believe in strong and accurate security measures. Because our founders’ backgrounds are in vulnerability management for large, data-sensitive organizations, security is a priority for the Nucleus team. We thought it would be irresponsible to build an insecure security product that is meant to make the lives of security practitioners easier. We understand how important it is for our customers to trust our services and are committed to transparency in the controls we use to secure our entire infrastructure. To achieve the highest levels of security, we utilize a variety of tools, processes, and technologies to control the environment. At the center of everything, we use Nucleus itself to manage our workflows and analysis, and because of this we are very confident in the security posture of our organization and all of our instances.
We utilize a full suite of secure software development activities and controls. All of our developers follow secure coding practices, and we leverage as many security functions as are available within the development frameworks we use. Secure coding practices are mandated in our Development Style Guide, which provides guidance to all developers on implementing secure code from the beginning of the development lifecycle through to deployment of the application release. Because we have access to a variety of scanning tools through our partners, all of our code is tested regularly with multiple SAST, SCA, and DAST tools. We combine the findings from all of these tools within Nucleus to leverage as many of the strengths of the individual tools as possible. All of our applications are scanned prior to a new release being pushed to production. A dedicated team is responsible for fixing any issues discovered in the vulnerability scans, and finding status is tracked through the Nucleus platform.

Additionally, Nucleus Security has completed the SOC 2 compliance process for Nucleus itself. We also conduct regular, scheduled third-party penetration tests and audits to ensure that we have been tested adequately against sophisticated attacks; testing also includes regular and continuous phishing exercises. In addition to the secure development activities we employ, we utilize numerous controls to protect our client data. Some of, but not all of, the controls are as follows:
- Data encrypted at rest using industry best practices
- Passwords stored as salted hashes
- Encryption of all network traffic with TLS
- Central logging and alerting
- Locked down and hardened Nucleus instances with specific controls in place to minimize attack surface
The data centers we use maintain a multitude of certifications, which we can provide on request. These include but are not limited to:
- FedRAMP (Available only in US regions)
- AICPA SOC 1 and SOC 2
All customer data is stored within a facility which meets these standards. For overseas clients, we work with you to determine the region of the world where your data center will be based, so that you can meet local compliance requirements as well. On top of the compliance frameworks in use, we apply additional common-sense security controls to minimize attack surface. We conduct nightly vulnerability scanning of our network infrastructure with a variety of network security tools, combine the findings within Nucleus to leverage the strengths of each tool, and, as with application vulnerabilities, have a team responsible for fixing discovered issues and tracking finding status through the Nucleus platform. The compliance certifications our data centers meet also cover physical security controls.
See for Yourself
Don’t just take our word for it. The proof is in the pudding, as they say. There are a couple of ways you can easily see that we take security seriously. We even took the trouble to secure our public website. Several free websites will run a quick analysis of a URL, and we recommend taking a look at two of them:
- The first is https://securityheaders.com/. Enter the URL of your trial instance or client instance and see how we are doing.
- The second is SSL Labs, provided by Qualys: https://www.ssllabs.com/ssltest/. Enter the URL of your Nucleus instance or a trial instance and see how we are doing. If you see something you don’t like, feel free to reach out to us.
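If you would rather not paste a customer URL into a third-party site, the same kind of header check can be run offline against a captured response. The script below is an added example; it is not Nucleus code and not the grading logic of securityheaders.com. The thresholds it applies (for instance a 180-day HSTS max-age, and rejecting `*`, `'unsafe-inline'` and `'unsafe-eval'` in a CSP) are this example's own choices, broadly in line with common guidance, and the two sample responses are constructed for illustration.

```python
"""Offline audit of HTTP security response headers.

Added example in the spirit of the securityheaders.com check the page
recommends; it is not Nucleus code and not that site's grading logic. The
expected values below are this example's own choices. Both sample responses
are constructed for illustration, not captured from any real host.
"""
import re
from typing import Callable, Dict, List, Tuple


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response (as printed by
    `curl -sI`) into a dict keyed by lower-cased header name. Repeated
    headers are joined with ', ' as the HTTP spec allows."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than crash
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def hsts_ok(value: str) -> bool:
    """HSTS only protects if max-age is long; 180 days is this example's floor."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return match is not None and int(match.group(1)) >= 180 * 24 * 3600


def csp_ok(value: str) -> bool:
    """A CSP that allows * or inline/eval script gives little XSS protection."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives and "script-src" not in directives:
        return False
    unsafe = {"*", "'unsafe-inline'", "'unsafe-eval'"}
    return not any(unsafe & set(directives.get(k, [])) for k in ("default-src", "script-src"))


def frame_options_ok(value: str) -> bool:
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}


def referrer_policy_ok(value: str) -> bool:
    return value.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


# (header name, check on its value, what the check expects)
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("strict-transport-security", hsts_ok, "max-age of at least 180 days"),
    ("content-security-policy", csp_ok, "default-src/script-src without *, 'unsafe-inline' or 'unsafe-eval'"),
    ("x-frame-options", frame_options_ok, "DENY or SAMEORIGIN"),
    ("x-content-type-options", lambda v: v.strip().lower() == "nosniff", "nosniff"),
    ("referrer-policy", referrer_policy_ok, "a policy that keeps full URLs from leaking cross-origin"),
    ("permissions-policy", lambda v: bool(v.strip()), "present"),
]
VERSION_LEAKS = ("server", "x-powered-by")  # not a vulnerability, but free recon for an attacker


def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means clean."""
    findings: List[str] = []
    for name, check, expected in CHECKS:
        if name not in headers:
            findings.append(f"missing {name} (expected {expected})")
        elif not check(headers[name]):
            findings.append(f"weak {name}: {headers[name]!r} (expected {expected})")
    for name in VERSION_LEAKS:
        if name in headers:
            findings.append(f"informational: {name} reveals {headers[name]!r}")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit(parse_response_headers(raw)) or ["no findings"])
```

To run it against a live instance, capture the headers with `curl -sI https://<your-instance>/` and pass the output to `parse_response_headers`. The TLS side of the picture (protocol versions, cipher suites, certificate chain) is what the SSL Labs test covers and is not checked here.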