Trust / Security
Security at HackerRank
We at HackerRank understand the critical importance of maintaining
enterprise-grade protection for our customers and the information
security policies and procedures. HackerRank is committed to
maintaining the levels of security and control to ensure the
confidentiality, integrity, and availability of our customer's data at
all times.
Architecture
HackerRank's entire architecture is cloud based that takes advantage of elastic scale, geo-redundancy, and failure options across the globe to improve latency, manage redundancy, and expand as needed. Our infrastructure is designed to meet the product performance and reliability standards that our global customers need.
Reliable foundation
HackerRank's computing infrastructure is provided by Amazon Web Services, a secure cloud services platform. Amazon’s physical infrastructure has been accredited under ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley.
Application Vulnerability Assessment
Our security team performs automated and manual application security testing on a regular basis to identify and patch potential security vulnerabilities and bugs. We also work with third-party security specialists, like we use AppSec Lab's application vulnerability assessment annually, Qually SSL Server Test is conducted at least once a month and a overall rating of A- is maintained, SecurityScoreCard is used of continuous risk monitoring for all HackerRank properties and third-part applications that we leverage, Detectify is used to provide weekly security report of our web app.
We're continuously improving our process to improve our reporting procedures, reduce the impact of incidents, decrease the amount of time it takes to resolve it, and most importantly avoid the chance of repeat incidents.
Encryption
We secure our cloud-based SaaS services and apps with End-to-End Encryption for all customer data. All communications are encrypted with 128-bit SSL encryption. All user passwords are securely hashed; passwords are never stored in plain text. All data access is protected by a role-based access-control mechanism, which only lets users view data for which they have permission.
Scalable Storage Solutions
HackerRank leverages Amazon Relational Database Service (RDS) and Amazon S3 Object storage to store data and designed for high availability with a tiered architecture across sub-regions and subnets to initiate outbound traffic to the Internet, but prevent our instances from receiving inbound traffic initiated by someone on the Internet. Each tier has its own ACL with a ruleset to allow secure communications among tiers and the internet. VPC endpoint used for all S3 Access from EC2 instance within VPC (secured based on IAM roles). All access is done utilizing a software VPN with certificate-based authentication maintained with CRL.
Information security
HackerRank has established an information security management framework describing the purpose, direction, principles, and basic rules for how we maintain trust. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies, and conduct internal and external risk assessments.
Access control
Our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys. Remote access requires the use of VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team.
Change management
A formal Change Management Policy has been defined by our Engineering team to ensure that all application changes have been authorized prior to implementation into the production environments. All changes are stored in a version control system and are required to go through automated Quality Assurance (QA) testing procedures to verify that security requirements are met.
Our software development lifecycle (SDLC) requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes. The HackerRank Security team is responsible for maintaining infrastructure security and ensuring that server, firewall, and other security-related configurations are kept up-to-date with industry standards.
Network security
HackerRank diligently maintains the security of our back-end network. HackerRank identifies and mitigates risks via regular application, network, and other security testing and auditing by both dedicated internal security teams and third-party security specialists.
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We employ industry-standard protection techniques, including firewalls, network security monitoring, and intrusion detection systems to ensure only eligible traffic is able to reach our infrastructure. Access to the production environment is restricted to only authorized IP addresses, which are reviewed on a quarterly basis to ensure a secure production environment.
Backups
Need more information about data backups.
Community
Responsible Disclosure Policy
HackerRank believes that no technology is perfect. We welcome and value Technical Reports of Vulnerabilities that could affect the Confidentiality or Integrity of user data on HackerRank Products. If you believe that you have discovered a vulnerability, please report it at security@hackerrank.com The HackerRank Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.