We firmly believe in “eating our own dog food.” Just as our customers use a variety of tools, processes and technologies to help secure and control their environment, we do the same, and at the center of our vulnerability intelligence is our own instance of Kenna. While Kenna serves as the centerpiece of our vulnerability intelligence, we recognize the need for a defense-in-depth approach to our overall security architecture. We were founded by a former CISO, after all. Eating our own dog food is more than just a saying for a marketing document.

We understand the trust our customers place in our services and are committed to transparency in our controls.

Kenna Application Security

We employ a full suite of secure software development activities and controls. This starts with the design of our applications in a three-tiered Model View Controller architecture. We carefully segment each of these technology layers via network and access controls. Within the code itself, our development teams leverage as many of the security functions as are made available by the Rails framework. All of our developers utilize the OWASP secure coding guide, cheat sheets and relevant technology-specific guidelines such as the OWASP Rails Security Guide. Our code is tested via static analysis and black box scanning prior to being deployed to our production environment. In addition to our secure development activities, Kenna deploys a number of controls to protect the confidentiality and integrity of our customers and their data. Some of these controls include but are not limited to:

  • Data at rest encrypted using AES-256
  • User passwords stored in one-way salted hash
  • Centralized logging and alerting
  • All network traffic encrypted
  • All application traffic over TLS
  • Three-tiered architecture compartmentalized & firewalled

Data Center Operations: Physical and Environmental Controls

Our data center operations provider maintains a SOC 2 certification which we can provide on request. This detailed report provides insights into the physical and environmental controls within the data center. All customer data is stored within this facility.

Kenna Design and Development

At Kenna we take the security and privacy of your data very seriously. We make every effort to help ensure that your data stays protected whenever you use our products or services. The summarized list below describes some of the key ways in which the Kenna Security Platform has been designed and developed to better protect your data.

Design

    • Defense in Depth design
    • Secure Defaults design
    • Reduced Attack Surface design
    • Non-repudiation design
    • Automated data protection for data at rest
    • Automated data protection for data in transit
    • Automated data expiration and availability

Testing

    • Self-code review using expert manual techniques and automated code analysis tools
    • Automated functional and security test suite to help ensure high code quality and prevent regressions

Maintenance

    • Regular vulnerability scanning using proprietary, commercial, and open-source tools
    • Full vulnerability management and remediation via Kenna instance
    • Regularly scheduled self-penetration testing

Deployment

    • Least privilege deployment for both front- and back-end services
    • Generic exception handling to help prevent information disclosure attacks
    • Built-in platform protection, in addition to implementation controls to reduce risk from common web-based threats, such as cross-site scripting attacks (XSS) and cross-site request forgery (CSRF attacks)
    • Automatic session expiration after a certain period of inactivity
    • Firewall that restricts network access to necessary ports

Development

    • Standard FIPS-approved encryption algorithms and implementations
    • AES 256-bit encryption for symmetric encryption processes
    • Variable-length RSA encryption for asymmetric encryption processes
    • SHA-512 for internal/core data integrity checking
    • Mandatory input validation for all untrusted inputs with a definable format, length, type, and range. Otherwise, we mitigate risk with additional remediation techniques (parameterized stored procedures, encoding, etc.), based on the level of risk
    • Parameterized stored procedures for all calls to database backends
    • Data encoding for all untrusted inputs using standard libraries
    • Generic exception handling to help prevent information disclosure attacks
    • 100% managed code to reduce risk from common attacks associated with non-managed languages, such as buffer overflows
    • Anti-recovery techniques to help prevent malicious recovery of deleted data

Security Research and Disclosure Process

The Kenna bug bounty program is managed through Bugcrowd. To see the terms of the program and participate, visit https://bugcrowd.com/kennasecurity to register as a tester. You will need to accept the Kenna Security terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.

Site Privacy Policy

As you browse Kenna, advertising cookies will be placed on your computer so that we can understand your interests. Our display advertising partners then enable us to present you with retargeting advertising on other sites based on your previous interaction with us. The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can turn off your cookies to prevent retargeting.