
How Secure is SimpleRisk?

SimpleRisk was written by Josh Sokol, a seasoned professional with a robust background in Information Security. His extensive expertise is further highlighted by his tenure as a Board member of the OWASP Foundation from January 1, 2014, to December 31, 2017. During this time, he contributed significantly to advancing the field of application security, a community he has been actively involved in for over a decade. Recognizing the need for effective security management tools, Josh developed SimpleRisk initially for his personal use while overseeing the Security Program at National Instruments. He crafted the software to meet his high security standards, ensuring that it effectively addresses the challenges faced in risk management and compliance within various organizational environments. This hands-on experience not only shaped the tool’s functionalities but also ensured that it remained aligned with industry best practices and user requirements.

Transparency

Since its inception, SimpleRisk has been hyper-focused on doing security right. We understand that no organization will ever achieve perfection in its security measures; however, we firmly believe that by embedding security into the very foundation of our operations, we can create a robust framework that minimizes risks and maximizes trust. Our commitment to transparency means that we have nothing to hide. To further demonstrate our dedication to security, we provide our customers with comprehensive security documentation under a Non-Disclosure Agreement (NDA). This includes everything from our internal security policies and incident response plans to detailed reports of our penetration testing results, which evaluate our systems against potential threats. We believe that an informed customer is a confident customer, and as such, we encourage an open dialogue with both our current customers and prospective clients. We are always available to discuss the specific measures SimpleRisk implements to safeguard your data and ensure its integrity. Your security is our top priority, and we are here to answer any questions you may have.


Third-Party Certifications and Attestations

  • As of October 2024, SimpleRisk has passed its ISO 27001 certification audit.
  • SimpleRisk receives an "A" rating on Security Scorecard


Secure Application Development

Here are some of the things that we do in order to ensure the security of the code we are writing:

  • Input Validation: Input from the user is checked against allow-list regular expressions and cast to the expected type (for example, an identifier is cast to an integer) before it is used, so malformed or hostile values are rejected rather than causing bugs or security issues.
  • HTML Output Encoding: Data rendered into the user's browser is encoded so that it is treated as text on the page, not as markup or script to be executed, which blocks cross-site scripting (XSS).
  • Parameterized Database Queries: SQL statements are sent to the database with placeholders, and user-supplied values are bound to those placeholders separately, so the database treats them strictly as data and never parses them as part of the query. This is what prevents SQL injection (SQLi); checking the length and type of a value is a useful additional control but is not a substitute for it.
  • Hashed and Salted Passwords: We do not store clear-text passwords in the SimpleRisk database. Each password is hashed with a unique random "salt", so identical passwords produce different hashes and precomputed rainbow tables are useless if the password database is ever stolen.
  • Cross-Site Request Forgery (CSRF) Nonces: A random, unpredictable token tied to the user's session is included in GET and POST requests that change state and is verified by the server on each such request. An attacker's site cannot read or guess the token, so it cannot force a logged-in user's browser to make requests on their behalf.
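The five practices above, as an added example written for this page in plain Python against an in-memory SQLite database (this is illustrative code, not SimpleRisk's own PHP code base, and the table, rows, session dictionary and the 600,000-iteration PBKDF2 parameter are assumptions chosen for the demonstration). The string-built query is kept beside the parameterized one so the difference can be observed directly:

```python
"""Added example (not SimpleRisk's code): the five secure-development practices,
shown in Python on an in-memory SQLite database so it runs offline. The table
and its rows are constructed for the example."""
import hashlib
import hmac
import html
import re
import secrets
import sqlite3

# 1. Input validation: an allow-list pattern plus an explicit type cast.
RISK_ID_RE = re.compile(r"[0-9]{1,9}")


def parse_risk_id(raw: str) -> int:
    """Accept only a short decimal string and cast it to int; reject anything else."""
    if RISK_ID_RE.fullmatch(raw) is None:
        raise ValueError(f"invalid risk id: {raw!r}")
    return int(raw)


# 2. Parameterized queries, side by side with the string-built query they replace.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE risks (id INTEGER PRIMARY KEY, subject TEXT, owner TEXT)")
    db.executemany(  # constructed sample rows
        "INSERT INTO risks (id, subject, owner) VALUES (?, ?, ?)",
        [(1, "Unpatched VPN appliance", "alice"), (2, "Weak backup encryption", "bob")],
    )
    return db


def risks_for_owner_vulnerable(db: sqlite3.Connection, owner: str) -> list:
    # Deliberately vulnerable: the value is spliced into the SQL text, so a
    # quote inside `owner` changes the meaning of the statement.
    return db.execute(f"SELECT id, subject FROM risks WHERE owner = '{owner}'").fetchall()


def risks_for_owner_safe(db: sqlite3.Connection, owner: str) -> list:
    # Parameterized: the driver sends the value separately from the statement;
    # whatever it contains is compared as data and never parsed as SQL.
    return db.execute("SELECT id, subject FROM risks WHERE owner = ?", (owner,)).fetchall()


# 3. HTML output encoding: the browser renders the subject as text, not markup.
def render_subject_cell(subject: str) -> str:
    return f"<td>{html.escape(subject, quote=True)}</td>"


# 4. Hashed and salted passwords: a fresh random salt per user and a slow KDF.
PBKDF2_ITERATIONS = 600_000  # assumed work factor (OWASP 2023 guidance for PBKDF2-HMAC-SHA256)


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a wrong guess leaks nothing about the stored hash.
    return hmac.compare_digest(digest.hex(), digest_hex)


# 5. CSRF nonces: a per-session random token the server checks on every
# state-changing request; a cross-site attacker cannot read or guess it.
def issue_csrf_token(session: dict) -> str:
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("string-built:  ", risks_for_owner_vulnerable(db, payload))  # returns every row
    print("parameterized: ", risks_for_owner_safe(db, payload))        # []
    print(render_subject_cell("<script>alert(1)</script>"))
```

Running the module shows the string-built query returning both rows for the injected owner value while the parameterized query returns none; the same payload passed through `parse_risk_id` is rejected outright, and two hashes of the same password differ because each carries its own salt.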


Security Validation

SimpleRisk operates a private Bug Bounty program in collaboration with HackerOne. Although we do not directly manage the testing cycles for identifying vulnerabilities in our code, we actively use this resource for ongoing security assessments. Additionally, we maintain a public Responsible Disclosure Policy that encourages anyone who discovers an issue in SimpleRisk to report it responsibly. To further strengthen our security posture, we run static analysis tools to detect vulnerabilities in our code and engage various companies and individuals for regular testing. For instance, if you visit our demo site, you will observe numerous unsuccessful attempts at XSS and SQL injection attacks against the application.


Past Security Issues

So far, we have only encountered one CVE related to our product, which occurred during the initial rollout of a new feature. Since that time, we have taken extensive measures to ensure that such an issue does not arise again.