
SECURITY AT RANDORI

Security

Randori is an offensive attack surface management platform. As leaders in the security space, we make our own security a top priority. We go to great lengths both to help our customers secure their environments and to protect and maintain the integrity of our platform. Randori is also the only ASM company to have achieved both ISO 27001 and SOC 2 Type 2 compliance. Randori has created a security program that is designed to protect our resources from both internal and external security threats. Our program is broadly designed around twelve categories:
  • Business Continuity
  • Change Management
  • Data Protection
  • Identity and Access Management
  • Incident Response
  • IT & Operations
  • Physical & Logical Security
  • Risk Management
  • Software Development Lifecycle
  • Security Awareness
  • Security Governance
  • Third Party Management
Each category includes multiple detective, preventative, and corrective controls across our business, including our corporate, development & production environments. We continuously measure our security maturity, enhancing our ability to reduce risk over time. In addition to using industry tools to identify vulnerabilities, we ‘dogfood’ by utilizing the Randori Platform to monitor and reduce our own attack surface. We’re our own customer.

Customer Data

We classify all customer data as strictly confidential, regardless of whether it has been obtained publicly or privately. This is our highest level of classification, and requires us to enforce specific security controls to ensure that appropriate protections are in place for use, storage and transmission. We limit access to customer data to those personnel who have a business need for access in support of our service.

Compliance

We maintain industry-accepted certifications and comply with current industry standards and regulations so you can feel confident that your company and customer data remain secure.

We understand the thoughtfulness organizations must take when choosing a third-party security vendor. Certifications such as SOC 2 Type 2 and ISO 27001 provide an independent attestation that a vendor has controls in place which are operating effectively. Having these certifications enables us to demonstrate this commitment to our customers.

Audit and Compliance

SOC 2

The SOC 2 report provides assurance to our customers and our own team that the organization has designed and implemented effective security controls as defined in the SOC 2 standards set forth by the American Institute of Certified Public Accountants (AICPA).

A copy of our SOC 2 report is available upon request. Please contact your sales representative or account team.

ISO 27001

The ISO 27001 certification demonstrates that Randori has met rigorous international standards in information security and confirms that its products, services, and business operations meet user needs with an effective information security management system. The International Organization for Standardization (ISO) is an independent, international organization that sets globally recognized standards, including security and safety standards. In particular, the ISO 27001 certification ensures an organization operates industry-standard practices for information security.

GDPR

Randori is committed to data privacy and security, including complying with and, where applicable, helping our customers and users comply with the EU General Data Protection Regulation (GDPR).

GDPR is the comprehensive EU-wide data privacy law that went into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU, it introduced new or additional obligations on all organizations that handle EU residents’ personal data, regardless of where the organizations are located.

Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Privacy

Randori is committed to maintaining the privacy of customer data. Our policies, controls and processes ensure that our practices are aligned with the expectations of our customers and global privacy laws.

Randori has established a Privacy Policy that describes the purpose(s) for which personally identifiable information (PII) is collected, used, retained, maintained, and shared. Our Privacy Policy is available at: https://www.randori.com/privacy-policy/

Randori complies with applicable law with respect to international transfers of personal data. Where a customer determines that its use of Randori’s services requires the transfer of personal data to a location outside the European Economic Area, Randori will execute a Data Processing Addendum (DPA) with the customer which includes Standard Contractual Clauses (also commonly referred to as EU Model Clauses). A copy of the Randori DPA is available to prospective and existing customers.

For any privacy-related questions, including Data Subject Requests, please email: privacy@randori.com

Vulnerability Reporting

We appreciate efforts to discover and coordinate the disclosure of security vulnerabilities. Randori operates a SaaS service for enterprise customers, and does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports. If you would like to report a vulnerability in our service, or have security concerns regarding Randori assets or resources, please email: security@randori.com. We take all vulnerability reports very seriously and will respond and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, we will update you periodically with our response and remediation status. To support a timely and effective response to your report, please include any of the following:
  • Your name and contact information
  • Type of issue (XSS, vulnerable service, etc.)
  • Affected Randori resource
  • Potential impact of the vulnerability (i.e., what data can be accessed or modified). Please do not provide us with your calculation of a CVSS score.
  • Step-by-step instructions to reproduce the issue

Public Disclosure

Randori follows coordinated vulnerability disclosure practices and requests that anyone reporting a vulnerability to us does the same.

Out-of-scope Vulnerabilities

Randori will assess all submissions, but considers the following vulnerabilities out-of-scope:
  • 2FA exploits
  • Absence or misconfiguration of HTTP headers
  • Account/email enumeration using brute-force attacks
  • Clickjacking on pages that only contain static content
  • DDoS vulnerabilities
  • Lack of SSL or Mixed content
  • Low impact issues related to session management
  • Missing Cookie flags
  • Missing security-related attributes on non-sensitive cookies
  • Social Engineering
  • Third party components in our corporate website, such as marketing forms
  • URL Redirection
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms
  • Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
  • Vulnerabilities that require the user/victim to perform improbable actions (i.e., Self-XSS)
  • Vulnerabilities in components that the upstream developer/packager deems not-fixable or not applicable
  • Vulnerabilities that are identified but connect to a honeypot
  • Vulnerabilities identified by an automated scanner such as Nessus, Nexpose, etc.
  • Spoofed email due to SPF/DKIM/DMARC values