Security

Application Security

  • Applications are developed with industry best practices in mind. All code developed for production environments undergoes a rigorous in-house security audit resembling OWASP screening standards.
  • Applications are hardened in the areas most commonly targeted by security breaches and attacks.
  • All forms of injection (SQL, OS command, etc.) are protected against by treating all application input as "tainted".
  • Applications are tested and protected against Cross-Site Scripting and Cross-Site Request Forgery.
  • Devpost undergoes regular application penetration testing.

Data Security

  • Connections to the Devpost applications are encrypted using HTTPS.
  • All HTTP traffic is redirected to HTTPS on port 443.
  • Bcrypt is used for hashing passwords at rest.
  • All sensitive data is scrubbed from application log files and plain text rendering.
  • Customer data is encrypted at rest and in transit.
  • Data is stored in PostgreSQL & MySQL hosted and managed by AWS, Engine Yard, and Heroku.
  • Fully encrypted database backups are created periodically.
  • Authorization and access to systems are granted on a need-to-know basis and according to the principle of least privilege.
  • Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS) are enabled.

Software Development Life Cycle (SDLC)

  • Application code changes follow a documented SDLC process.
  • Code reviews are mandatory for code changes. A series of tests including unit tests must pass before a change can be accepted.
  • The production environment used by customers is isolated from environments used for development, testing, and staging. Customer data does not leave the production environment.
  • Devpost application staging environments mirror production in terms of installed operating systems, software, and third-party software packages.
  • Patches and updates applied to production environments dictate when the same updates and patches are applied to staging and development environments. For more information, please see the sections titled Third-Party Software and Technology Stack.

Technology Stack

  • Devpost applications are developed with and deployed on a standardized technology stack using AWS, configured by Engine Yard and Heroku.
  • The technology stack utilized by Devpost includes actively monitored, updated and patched installations of Gentoo Linux, Ubuntu Linux, MySQL, Postgres, Ruby on Rails, and the nginx web server.
  • Devpost periodically applies the latest security patches for each technological component within the stack.
  • Devpost has full administrative privileges to alter any and all configuration settings.

Responsible Disclosure

If you have any concerns or discover a security issue, please email us at security@devpost.com.