Platform Security Update: April 24, 2024
A summary of platform security updates and improvements
We are excited to share with you the significant progress and strategic plans of our recently established Security and Trust function. Over the past two months, we have made substantial strides in fortifying our security posture, and we believe now is the opportune moment to provide you with insights into our work and future initiatives.
Strategic Hiring: We are thrilled to welcome Aaron B (not on discord yet) as our new Head of Platform and Security Engineering. With over a decade of software engineering experience spanning startups, financial institutions, and web3 projects, Aaron brings invaluable expertise to our team. Under his leadership, we will be elevating our infrastructure architecture to ensure our products operate on an institutional-grade foundation. Additionally, Aaron will serve as our primary engineering resource for cybersecurity matters, further strengthening our defenses. Aaron will be working alongside @bus our Chief Information Officer to ensure platform security is an ongoing priority.
Acquisition of Key Security Solutions: As part of our strategic moves, we have acquired and integrated several essential security solutions into our ecosystem:
Aikido Security (https://aikido.dev/) - Provides a comprehensive suite of capabilities to secure our code and cloud environments.
Vanta (https://www.vanta.com/) - A security compliance automation platform that enables us to achieve compliance requirements systematically.
Bitwarden (https://bitwarden.com/) - A reputable password and secret management tool.
Dependabot (https://github.com/dependabot) - Offered by GitHub to enhance our secret scanning capabilities, ensuring no hard-coded credentials exist in our codebase.
Cloudflare (https://www.cloudflare.com/) - A Web Application Security Suite offering bot protection, DDoS mitigation, and Web Application Firewall.
Furthermore, we are currently testing and procuring additional solutions to bolster our security architecture, including Datadog Cloud SIEM, Curricula, AWS Secrets Manager, and Cloudflare Zero Trust.
Our Plan and Strategy: As we continue to build trust with our investors, we are committed to adhering to the following principles:
Invest Intelligently and Cautiously
Maintain Openness and Transparency
Prioritize High-Risk Areas
Value Integrations and Unified Solutions
This approach allows us to operate with agility as a startup while ensuring a robust and efficient security architecture tailored to our needs.
Trust Center: We are diligently working on a Trust Center that will centralize all information and documents related to Security and Trust, leveraging Vanta's feature. We welcome your suggestions regarding the content of the Trust Center and will provide an update next month.
Compliance Target: With a formalized roadmap and Vanta's compliance automation solution, we are well-positioned to achieve PCI DSS Level 3 compliance by the end of the year. Unlike most PCI DSS Level 3/4 compliant companies, we will not settle for a mere self-assessment. Instead, we plan to engage an independent Qualified Security Assessor (QSA) to perform an Attestation of Compliance (AOC), providing an additional layer of assurance to the compliance assessment. The AOC will be shared with investors, similar to our arrangement with the Moore Audit. We are currently in the process of selecting the right auditor for this critical task.
Looking ahead, our next target will be SOC1 and SOC2 compliance, which we expect to initiate in Q4 2024 / Q1 2025. More information on this will be shared in the coming months. We are excited about the progress we have made thusfar and the robust security roadmap we have in place. Your trust and confidence in Gray Digital are of utmost importance to us, and we remain committed to maintaining the highest standards of security and transparency.
Last updated