Probely runs on Docker containers running on Shielded VMs. Shielded VMs are purpose-built for security, taking advantage of advanced security features such as secure boot, virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring. In addition to this, we run a Container Optimized OS. Container Optimized OS is a security-focused minimal Linux distribution with features like a read-only root file system, file system integrity checks, lock-down firewall, audit logging, and automatic updates. All these work to reduce the risk of compromise.
Security at Probely
Enterprise-grade security you can trust
Probely is built by security-minded people. When making design decisions, we will not compromise on security, or take an “easier” path if we are not comfortable with the level of security it provides. The principle of the least-privilege is also followed. Only the required staff to run the operations have access to the necessary systems. Administrative access requires Two-factor authentication and/or client certificates. Probely runs on a top Cloud Provider, using managed services whenever possible, ranging from Shielded virtual machines to Kubernetes clusters, to databases. By using fully managed hardened-by-default services, in addition to least-privilege policies, Probely is able to provide a secure and trusted infrastructure.
We follow a least-privilege policy. This means that all network access is denied by default, both ingress and egress, even inside the internal network. We leverage the Cloud Provider’s VPC Firewall and Kubernetes Network Policies to make sure that hosts and containers access only the minimum required services. For example, containers do not have access to instance metadata, which has been a known vector of security breaches in the past. Except for the required public services (web application, API, and a few others), there is no direct access from the Internet to our infrastructure. This means that infrastructure administrative access must be performed through a hardened bastion host. All communications use Transport Layer Security (TLS) to guarantee data confidentiality and integrity, using Lets Encrypt with automatic certificate renewal.
We use managed data services to ensure that all our data stores are properly secured and running, even under hardware and software failures. All data is encrypted by default.
Our Software Development Lifecycle includes a strong Security component, inspired on OWASP Secure Software Development Lifecycle Project. This includes daily scans of all web assets and weekly vulnerability scanning of the entire Web Application. A Yearly grey-box pentest is also performed.