We firmly believe in “eating our own dog food.” Just as our customers use a variety of tools, processes and technologies to help secure and control their environment, we do much the same here. At the center of our vulnerability intelligence is, of course, our own instance of Kenna. While Kenna serves as the centerpiece of our vulnerability intelligence, we recognize the need for a defense-in-depth approach to our overall security architecture. We were founded by a former CISO, after all.
Eating our own dog food is more than just a saying for a marketing document.

Not only do we use Kenna to manage our vulnerabilities, we give our clients read access to our account.

We understand the trust our customers place in our services and are committed to transparency in our controls.

Kenna Application Security

We employ a full suite of secure software development activities and controls. This starts with the design of our applications in a three-tier Model-View-Controller (MVC) architecture; we segment each of these technology layers via network and access controls. Within the code itself, our development teams make full use of the security functions provided by the Rails framework. All of our developers follow the OWASP secure coding guide, cheat sheets and relevant technology-specific guidelines such as the OWASP Rails Security Guide. Our code is tested via static analysis and black-box scanning before it is deployed to our production environment. In addition to our secure development activities, Kenna deploys a number of controls to protect the confidentiality and integrity of our customers and their data. These controls include, but are not limited to:

  • Data at rest encrypted using AES-256
  • User passwords stored as one-way salted hashes
  • Centralized logging and alerting
  • All network traffic encrypted via SSL/TLS and SSH
  • All application traffic over SSL/TLS
  • Three-tier architecture, compartmentalized and firewalled

Data Center Operations: Physical and Environmental Controls

Our data center operations provider maintains a SOC 2 certification which we can provide on request. This detailed report provides our customers with insight into the physical and environmental controls within the data center. ALL CUSTOMER DATA IS STORED WITHIN THIS FACILITY.

Kenna Design and Development

At Kenna we take the security and privacy of your data very seriously. We make every effort to help ensure that your data stays protected whenever you use our products or services. The summarized list below shows some of the key ways the Kenna service has been designed and developed to protect your data.

  • Defense in Depth design
  • Secure Defaults design
  • Reduced Attack Surface design
  • Non-repudiation design
  • Automated data protection for data at rest
  • Automated data protection for data in transit
  • Automated data expiration and availability

  • Self-code review using expert manual techniques and automated code analysis tools
  • Automated functional and security test suite to help ensure high code quality and prevent regressions

  • Security patches deployed within 24-48 hours of public release and verification testing
  • Regular vulnerability scanning using proprietary, commercial and open-source tools
  • Full vulnerability management and remediation via Kenna instance
  • Regularly scheduled self-penetration testing

  • Least-privilege deployment for both front-end and back-end services
  • Generic exception handling to help prevent information disclosure attacks
  • Built-in platform protection, in addition to implementation controls, to reduce risk from common web-based threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Automatic session expiration after a certain period of inactivity
  • Firewall that restricts network access to only the necessary ports

  • Standard FIPS-approved encryption algorithms and implementations
    • AES 256-bit for symmetric encryption processes
    • Variable-length RSA encryption for asymmetric encryption processes
    • SHA-512 for internal/core data integrity checking
  • Mandatory input validation for every untrusted input that has a definable format, length, type and range; inputs without one are mitigated by another control appropriate to the risk (parameterized stored procedures, output encoding, etc.)
  • Parameterized stored procedures for all calls to database backends
  • Data encoding for all untrusted inputs using standard libraries
  • 100% managed code to reduce the risk of attacks associated with unmanaged languages, such as buffer overflows
  • Anti-recovery techniques to help prevent malicious recovery of deleted data
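Four of the controls listed above (one-way salted password hashes, mandatory input validation by format, length, type and range, output encoding of untrusted input, and session expiration after inactivity) are shown below as a small, stand-alone Ruby model. This is an added illustration, not Kenna's code; the rule table, the PBKDF2 iteration count, the idle timeout and all function names are assumptions chosen for the example.

```ruby
# Added example (not Kenna's code): a compact model of four application-layer
# controls. Rule table, work factor, timeout and names are assumptions.
require "openssl"
require "securerandom"
require "cgi"

# ---- Input validation: allowlist rules for format, length, type and range ----
# Hypothetical rule table; a real application derives these from its data model.
INPUT_RULES = {
  "asset_id" => { type: Integer, max_length: 10, format: /\A\d+\z/, range: 1..2_147_483_647 },
  "hostname" => { type: String, max_length: 253,
                  format: /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i },
  "severity" => { type: String, max_length: 8, format: /\A(?:low|medium|high|critical)\z/ }
}.freeze

# Returns [true, coerced_value] when every constraint holds, else [false, reason].
# Parameters with no rule are rejected rather than passed through.
def validate_input(name, raw)
  rule = INPUT_RULES[name]
  return [false, "no validation rule for #{name.inspect}"] unless rule
  return [false, "not a string"] unless raw.is_a?(String)
  return [false, "too long"] if raw.length > rule[:max_length]
  return [false, "bad format"] unless rule[:format].match?(raw)

  value = rule[:type] == Integer ? Integer(raw, 10) : raw
  return [false, "out of range"] if rule[:range] && !rule[:range].cover?(value)
  [true, value]
end

# ---- One-way salted password hashing (PBKDF2-HMAC-SHA512) ----
PBKDF2_ITERATIONS = 210_000 # assumed work factor; raise as hardware allows
SALT_BYTES = 16

def hash_password(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 64,
                                      OpenSSL::Digest.new("SHA512"))
  # The stored form carries algorithm, cost and salt, so it can be verified
  # later and re-hashed when the work factor is raised.
  ["pbkdf2-sha512", PBKDF2_ITERATIONS, [salt].pack("m0"), [digest].pack("m0")].join("$")
end

# Constant-time comparison so timing does not reveal how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  alg, iterations, salt_b64, digest_b64 = stored.split("$")
  return false unless alg == "pbkdf2-sha512"
  expected = digest_b64.unpack1("m0")
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt_b64.unpack1("m0"), iterations.to_i,
                                         expected.bytesize, OpenSSL::Digest.new("SHA512"))
  secure_equal?(candidate, expected)
end

# ---- Output encoding: untrusted text is escaped before it reaches HTML ----
def encode_for_html(untrusted)
  CGI.escapeHTML(untrusted.to_s)
end

# ---- Session expiration after a period of inactivity ----
SESSION_IDLE_TIMEOUT = 15 * 60 # seconds; assumed value

def session_expired?(last_activity_at, now = Time.now)
  (now - last_activity_at) > SESSION_IDLE_TIMEOUT
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as they might arrive in a request.
  { "asset_id" => "42", "hostname" => "db-01.example.com", "severity" => "urgent" }.each do |k, v|
    puts "#{k}=#{v.inspect} -> #{validate_input(k, v).inspect}"
  end
  stored = hash_password("correct horse battery staple")
  puts "verify ok:  #{verify_password('correct horse battery staple', stored)}"
  puts "verify bad: #{verify_password('wrong', stored)}"
  puts encode_for_html(%q(<b>Bob</b> & "friends"))
  puts "expired: #{session_expired?(Time.now - 16 * 60)}"
end
```

The validation is an allowlist: a request parameter with no rule fails closed, and each check runs before the value is coerced, so an oversized or malformed string never reaches `Integer()`. The password record stores its own algorithm and cost, which is what lets a deployment raise the work factor without invalidating existing accounts.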

Security Research and Disclosure Process

The Kenna bug bounty program is managed through Bugcrowd. To see the terms of the program and participate, go to https://bugcrowd.com/kennasecurity and sign up as a tester. You will need to accept the Kenna terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.

Site Privacy Policy

As you browse Kenna, advertising cookies will be placed on your computer so that we can understand your interests. Our display advertising partners then enable us to present you with retargeting advertising on other sites based on your previous interaction with us. The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can turn off your cookies to prevent retargeting.