Nullstone

Security

Nullstone is a developer platform that helps businesses launch their applications in a collaborative and streamlined manner while also delivering the security and compliance of an enterprise.

Our Dedication To Security

At Nullstone, security and compliance are top priorities for our platform and our processes. It is our mission to provide this level of excellence for Nullstone and our customers.

Continue reading for a deeper dive into how Nullstone takes a proactive approach to provide a reliable platform to launch applications.

Please email security@nullstone.io for disclosing security vulnerabilities.

How Nullstone Protects Your Data

Backups

All data stored by the Nullstone system is backed up in order to ensure no data is ever lost. Your data is also replicated to provide reliability and uptime. Should a database ever experience an outage, the data is deployed across multiple data centers and data is restored from backups.

Data Retention Policy

All your data stored by Nullstone is held for as long as you desire. In accordance with our internal data retention policy, we will delete your data only by request.

You are the owner of your data and can request a full copy of your data at any time.

Encrypted Data - At Rest, In Transit

All Nullstone datastore modules are configured to use encryption at rest where possible. For example, data in your database is encrypted on disk. This provides an extra layer of protection should an attacker gain access to your network.

All Nullstone datastore modules are configured to use in-transit encryption where possible. Connections to your datastore require SSL to maintain a high level of security and privacy. This ensures your data is protected as it is transmitted to and from your applications.

Secure Applications via HTTPS

All Nullstone application modules are configured to keep your applications protected behind private networks. Only when you configure a domain for your application will it be accessible to the public. All Nullstone domain modules have a default configuration requiring https. We recommend that all of your public applications require https in order to protect data from unauthorized parties and to keep your data free from manipulation.

Access to Customer Data

Nullstone does not have access to your customer’s data. All of the infrastructure created using Nullstone is provisioned in your cloud accounts.

Nullstone only holds the infrastructure metadata, infrastructure state, and configuration. Nullstone employees are not granted access to this data unless explicitly granted by the customer for support purposes.

Data Centers

All of the infrastructure for the Nullstone platform is hosted on AWS. This provides the Nullstone platform a reliable foundation and allows us to focus on delivering the best possible developer platform.

Incident Response

Nullstone continually looks for any indicators of security threats and has implemented tools to help detect and notify our incident response team. Should an event occur, Nullstone maintains a response plan that includes steps to notify customers and escalate internally. This response plan also includes steps for incident reporting and disaster recovery.

Disaster Recovery

Nullstone maintains a disaster recovery plan that is tested on a regular basis. All of the data, code, and assets within the Nullstone platform are backed up regularly across multiple data centers for redundancy and resiliency.

How Nullstone Maintains and Secures Code

Code Review

All Nullstone platform code as well as Nullstone module code must go through a pull request (PR) review process. Once a developed feature is ready for review, it must be reviewed by other members of the development team. As a part of the PR review criteria, tests must be included to verify functionality and to prevent regression from any future changes.

Quality Assurance (QA)

Once a PR has been reviewed by peers and approved, the code is deployed to a staging environment. At Nullstone, we have a staging environment to test infrastructure modules as well as platform code. The staging environment is a scaled down version of the production environment but does not contain any production data. This duplicate environment allows us to perform a full set of tests and know that it will work the same in production.

Secure By Default

When developing infrastructure modules, Nullstone has a policy of “secure by default”. If there is a choice that a developer has to make with regards to a default setting for a module, the starting point is to choose the most secure. If the implications are significant, will we enact a special review process to weigh the benefits vs risk. Any setting or feature that doesn’t adhere to the highest standards must be documented.

How Nullstone Delivers Reliability

Uptime

Nullstone strives to have the most resilient platform possible, however, in the unfortunate event of an outage, we will communicate with you in the following ways:

Users will be notified by email of the outage and updated with expectations for restoration
The Nullstone status page is always available to check and see if all systems are operational

‍Nullstone Status Page
‍
‍NOTE: If the Nullstone platform does have an outage, your running applications are not affected.

Microservices

The Nullstone platform is divided into a number of different microservices in order to simplify and isolate different parts of the system. This architecture also provides an additional layer of reliability because if any one of the platform’s services has any downtime, the other parts of the system may be unaffected.

Redundancy

In order to provide maximum uptime, each Nullstone platform service is deployed on multiple instances. If any one of the instances becomes unhealthy, the instance is destroyed and replaced with a new one. The other instances remain online and users don’t experience any downtime.

Zero Downtime Deploys

Nullstone maintains an internal policy for software deployments that includes “zero downtime”. Unless notified of a maintenance event, deployments of any new software will not cause an outage. In many cases, we will split up a feature release into multiple phases in order to maintain this level of service.

How You Protect Your Data

Environment Variables and Secrets

The Nullstone platform provides a centralized mechanism to manage your environment variables. Storing your environment variables separate from your source code is encouraged as a best practice to provide one additional layer of protection against attackers. All of the Nullstone application modules are configured to automatically inject your environment variables.

When manually adding environment variables in Nullstone, you can specify whether or not the value is a secret. Secrets can only be seen by the users who have been granted access. By limiting who can access secrets, the scope of any attack is greatly reduced.

All secrets are provisioned by Nullstone via Terraform modules. This includes things like database passwords, secret tokens, and encryption keys. The values are stored in a vault such as AWS Secrets Manager and never leave your cloud account. Any secrets that are needed by your applications are injected at runtime to ensure the upmost security.

Roles and Permissions

Nullstone brings together your entire development organization with one collaborative developer platform. To ensure that each user only has access to the content they are required, we highly encourage all customers to take advantage of the role-based access controls (RBAC) in Nullstone to enforce a Least Privilege Access system.

In the case of a user’s credentials being compromised, this will also limit the scope of access and limit the damage an attacker can cause.

Datastore Modules

All the datastore modules provided by Nullstone are configured with backups and redundancy by default. This enables your applications to have high availability and failover support out of the box.

If you decide to customize or extend using your own Terraform modules, make sure you consider backups, redundancy, encryption at rest, encryption in transit, and compliance.

How You Achieve Compliance

Terraform Modules

The modules that Nullstone provides out-of-the-box are run through a series of checks in order to ensure they meet compliance requirements. Any time changes are made to these modules, automated checks are run to ensure adherence to compliance frameworks. The list of compliance checks are:

While not all of the Nullstone modules have been certified with these compliance checks, the list is growing and we have a goal to achieve 100% compliance across all modules.

All Nullstone modules are open-source and can be viewed in entirety from the GitHub repo for each. Each module’s compliance certifications are listed in the README for the module.

Utilizing the compliant Nullstone modules won’t automatically make your own applications compliant; however, it will greatly increase your security posture and will have you on your way to achieving compliance.

If you extend Nullstone by bringing your own modules or customize the Nullstone modules, we highly recommend you also perform compliance checks on your modules to catch issues that are often overlooked. Just as you wouldn’t release code that hasn’t been tested, you shouldn’t release infrastructure that hasn’t been certified either.

Contact Us

To contact our security officers or to report any vulnerabilities, please email us at security@nullstone.io.