Skip to main content

Public Information Security Bulletin

Take Blip
  • Updated

Last update: September 2020

1. Mission and Responsibilities

1.1 Mission

Ensure the availability, integrity and confidentiality of information.

1.2 Team responsibilities

The responsibilities of the security teams are thus distributed, but not limited, to the following topics:

 

Security Operations Center (SOC)

Data Protection Privacy

Application Security

Cloud Security

Penetration Tests

Incident Investigation

Access Control and Identities

Compliance and Security Auditing

Security Incident Management

Risk assessment

Targeting good practices

 

2. Blip security

2.1 SAST static code analysis

Every compilation pipeline undergoes static code analysis. With this tool, categories of software defects are evaluated, including: code smells, vulnerabilities, and security hotspots.

2.2 SCA Analysis - Software Composition Analysis

Verification of component software, libraries, and search for vulnerabilities is performed.

2.3 Pull Request Analysis and Approval

The development teams when finalizing codifications, whether of new implementations or correction of software defects, commit the code and send pull requests, which are evaluated by the tech lead of your squad.

2.4 Protection of source codes

The source codes are stored in a private Git repository, with authorized access using integrated authentication.

2.5 Segregation of environments

There is a separation of the development, approval and production environments, each with their respective access permissions. The productive environment follows the concept of the least privilege.

2.6 Encryption of data in transit

Data in transit across the platform uses TLS 1.2 in its HTTP communication by default. Connections to banks also have encryption in transit.

2.7 Secrets management

Sensitive application information such as API keys and database passwords are stored in a password vault with activity log and restricted network access. The safe in the production environment follows the minimum privilege as described in item 3.1.

2.8 Exchange of files in Blip

The media that travel on Blip are subjected to antivirus analysis and cannot exceed 20 megabytes. Some types of potentially malicious files, such as executables and libraries, are also blocked.

2.9 Execution of pentest

Take Blip every six months to contract an outsourced company for independent execution of gray box pentest of the Blip application. Proof letters can be requested from Take Blip's Information Security team.

3. Cloud security

3.1 Minimum privilege

Access to the cloud environment requires a second authentication factor by default. Data considered sensitive depends on VPN access for access or that the computer is physically on Take Blip's internal networks.

Production subscriptions have restricted access, only tech leads access data and assets, with the exception that audit data such as access logs remain restricted to infrastructure and security teams.

3.2 Logs of Actions and Activities

Logs of actions and activities such as modifying settings, creating and deleting assets from production subscriptions are maintained to allow audits and investigations whenever necessary.

3.3 Monitoring

There is monitoring of actions through a dashboard where the compliance of the environment with regard to the current security policies is inspected. Policies are enforced by enforcement whenever possible.

3.4 Safety certifications

The cloud environments used by Take Blip in the provision of services meet the strictest security requirements, which are audited and certified.

4. Data Security

4.1 Cryptography

Relational databases are all encrypted on disk and in transit.

4.2 Anonymization

Information is anonymized whenever possible with respect to privacy. Anonymization, when necessary, is performed due to the mapping of sensitive data existing in relational databases.

4.3 Access logs and change log

Access logs and record changes are maintained for auditing purposes when needed from all production relational databases. The logs are kept for five years.

4.4 Backups

Backup of production relational databases is performed automatically every day with a seven-day retention.

4.5 Location of Data

Databases and media files are stored in the cloud in data centers located in Brazil.

5. Workstation security

5.1 Antivirus

Take Blip computers are installed by default with an antivirus system with management controlled by remote administration.

5.2 Software installation

Take Blip employees are not allowed to install software without the knowledge of the Information Security team. There is software inventory installed.

6. WhatsApp channel

6.1 Blip and WhatsApp communication

Each WhatsApp number represents a container in Blip infrastructure, each of these containers has its own encryption, just like a cell phone with an activated number.

Thus, Take Blip does not have access to any text or media content, stored in each active container on the WhatsApp channel.

7. Networks

7.1 Firewall

The Blip cloud operation networks have firewalls at the edges that can block the block due to the risk they pose to the platform.

7.2 Reputation of IPs

IP reputation analysis is performed on each request received by the platform, so that a request can be blocked due to this condition.

7.3 Segregation of networks

The production, approval and testing networks are segregated and have no communication between them.

8. By-design initiatives

8.1 Security by design

During the development refinement phase, the IS team participates as security consultants, seeking to adapt each new implementation to more appropriate security standards. Whenever possible, the OWASP Threat Modeling framework is used.

8.2 Privacy by-design

During the refinement phase of the development teams, the IS team conducts assessments of the impact on the privacy of the data entered in the project. Teams have the autonomy to request privacy assessments whenever necessary.

9. Awareness

9.1 Onboarding process

New employees are trained by the Information Security team before starting their activities. On that occasion, the topics of the Information Security Policy (PSI) are presented.

9.2 Training

Teams routinely receive training from the Information Security team on issues related to security and privacy in line with the performance of their activities.

9.3 Communication

The Information Security team uses Take Blip's internal communication channels to keep all employees informed about security-related topics in order to raise awareness and to keep themselves updated about the Information Security Policy (PSI).

9.4 Information Security Committee

There is an Information Security committee with the participation of people from different sectors and responsibilities on Take Blip. The objective is to conduct training with a focus on identifying security needs, for a proactive action, regarding the possible risks to security projects in internal teams.

10. Useful Links

Additional information links about Blip.

  • Blip Help Center

https://help.blip.ai/

  • API Reference

https://docs.blip.ai/

  • Blip Policies (Cookies - Privacy - Terms of Use)

https://help.blip.ai/security/

  • Blip Status Page (Incident Availability and History)

https://status.blip.ai/

  • Blip Changelog

https://changelog.blip.ai

11. Contacts

Take Blip's Information Security team is available for clarification through the electronic address: si@take.net

Take Blip has a Data Protection Officer (DPO) to support guidance related to data privacy. Questions related to data privacy can be sent to the email address: legal@blip.ai

 

Related articles

Powered by Zendesk