The following describes the security measures enforced on the HackerEarth platform.
HackerEarth follows a Security-by-Design approach to software development that seeks to minimize system vulnerabilities and reduce the attack surface by designing and building security into every phase of the SDLC.
This includes incorporating security requirements into the design, evaluating security continuously at each phase, and adhering to best practices.
We have secure development practices in place and our developers are trained regularly. We logically and physically segregate development, test, and production environments.
We follow industry best practices for our password policy at HackerEarth. These include the following:
- Passwords must be at least 8 characters long.
- Each password must combine alphanumeric and special characters.
- Password history is enforced: none of the last 10 passwords can be reused.
- The maximum password age is 60 days.
- HackerEarth Assessments stores passwords using PBKDF2 with SHA-256 as the underlying hash.
- We also support SSO for authentication.
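The policy above, worked through in code as an added example (not HackerEarth's own implementation): the complexity rules are checked, the password is stored with PBKDF2-HMAC-SHA256 over a random per-user salt, verification uses a constant-time comparison, and a password change is rejected if it matches any of the last 10 stored hashes. The storage format `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration default (the figure OWASP's password-storage guidance gives for PBKDF2-HMAC-SHA256) and the function names are assumptions of this example. The 60-day maximum age is a timestamp comparison and is not shown.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Assumed parameters for this example; the page gives no iteration count or salt size.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HISTORY_DEPTH = 10          # the page's "password history policy is 10 passwords"
SPECIALS = set(string.punctuation)


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is compliant."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random salt, serialised as
    pbkdf2_sha256$iterations$salt_hex$hash_hex (an assumed storage format)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    iterations, salt, expected = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def change_password(history: List[str], new_password: str,
                    iterations: int = PBKDF2_ITERATIONS) -> List[str]:
    """Apply the complexity and history rules, then return the updated history
    (oldest first, trimmed to HISTORY_DEPTH entries). Raises ValueError on rejection."""
    problems = check_policy(new_password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    # Each history entry carries its own salt, so the candidate must be re-derived per entry.
    if any(verify_password(new_password, old) for old in history[-HISTORY_DEPTH:]):
        raise ValueError(f"password rejected: reuses one of the last {HISTORY_DEPTH} passwords")
    return (history + [hash_password(new_password, iterations=iterations)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    hist = change_password([], "Tr0ub4dor&3")
    print(hist[-1])
    print(verify_password("Tr0ub4dor&3", hist[-1]))   # True
```

Because every stored entry has its own salt, a history check costs one full PBKDF2 derivation per entry; with a production iteration count that is noticeable, which is one reason the depth is bounded.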
Risk assessments are carried out periodically and whenever there is a change.
All risks are recorded, controlled, and monitored.
Cryptographic measures are in place to protect data at rest, in transit, and in use. We host all our data on AWS, with cryptographic key management. TLS 1.2 is enforced for end-to-end communication between the browser and the server, protecting request payloads in transit. Requests for non-HTTPS pages are redirected to their HTTPS equivalents.
Incidents are recorded and monitored. Users can report incidents to a dedicated email ID, email@example.com. Any incident affecting customers is reported to them according to its severity.
We use AWS as our hosting provider. For high availability, our servers run in three availability zones.
HackerEarth has implemented the Sqreen application security platform, which protects applications by preventing data breaches, stopping account takeovers, and blocking business-logic attacks. It increases visibility by monitoring incidents in real time, streamlines incident response management, and automates application inventory. It also helps secure code by finding critical threats, fixing vulnerabilities, and integrating security into the SDLC.
We encrypt information at rest, in transit, and in use, in line with the security best practices of the Cloud Security Alliance. We have implemented an AWS S3 bucket policy that only allows objects encrypted with AWS KMS to be stored.
Vulnerability assessments are carried out internally on a regular basis, and penetration tests are performed annually by third parties. New patches, hot-fixes, and patch clusters are tracked and applied in a timely manner to prevent vulnerabilities from being exploited.
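The kind of bucket policy described above, as an added example that is not HackerEarth's actual policy: two Deny statements on `s3:PutObject`, one rejecting uploads whose `x-amz-server-side-encryption` header names anything other than `aws:kms` (for instance `AES256`, i.e. SSE-S3) and one rejecting uploads that send no such header. A small evaluator, limited to the two condition operators the policy uses and not a full IAM engine, shows what each kind of upload request hits. The bucket name, function names and statement Sids are assumptions of this example.

```python
import json
from typing import Dict, Optional

BUCKET = "example-bucket"                      # placeholder bucket name, not HackerEarth's
SSE_KEY = "s3:x-amz-server-side-encryption"    # IAM condition key filled from the request header


def require_sse_kms_policy(bucket: str) -> dict:
    """Bucket policy denying any PutObject that does not explicitly request SSE-KMS.
    Allow statements for the principals that may write live elsewhere (e.g. identity policies)."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Header present but names another mode (AES256 = SSE-S3, etc.)
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
            },
            {   # Header absent altogether
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
        ],
    }


def policy_json(bucket: str) -> str:
    """The policy document as it would be passed to put-bucket-policy."""
    return json.dumps(require_sse_kms_policy(bucket), indent=2)


def _condition_matches(condition: dict, context: Dict[str, str]) -> bool:
    """Toy evaluator for the two operators used above. It applies StringNotEquals only
    when the key is present and leaves the missing-header case to the Null statement;
    real IAM evaluation has more rules than this."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            present = key in context
            if operator == "Null":
                # Null:"true" matches when the key is absent, Null:"false" when it is present
                if present == (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_object_denied_by(policy: dict, headers: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement matching a PutObject carrying the
    given request headers, or None when no Deny statement matches."""
    lowered = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    context: Dict[str, str] = {}
    if "x-amz-server-side-encryption" in lowered:
        context[SSE_KEY] = lowered["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = require_sse_kms_policy(BUCKET)
    print(policy_json(BUCKET))
    # Constructed sample requests: no header, SSE-S3, SSE-KMS
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", put_object_denied_by(policy, hdrs) or "not denied by this policy")
```

The conditions are evaluated on the request, so a client has to send the header itself (in boto3, `put_object(..., ServerSideEncryption="aws:kms")`); a bucket default-encryption setting does not make a header-less upload pass this policy.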
HR and training
Well-qualified personnel are hired after screening. All employees sign an NDA, a Code of Conduct, and confidentiality agreements when they join HackerEarth. Training is provided during onboarding and at least annually thereafter. Any breach or violation of HackerEarth's policies results in disciplinary action.
An asset inventory is maintained for all of the organization's assets. Each asset has an identified owner and is classified and labeled according to HackerEarth's classification scheme and handled accordingly. Movement of assets is recorded in asset movement registers, and disposal follows HackerEarth's asset disposal procedure.
HackerEarth has an access control policy in place. Access is granted on a need-to-know basis only, according to the user's role in the organization. All users have unique credentials, and user IDs are reviewed regularly. Logs of admin user activity are maintained.
Here is the exhaustive list of the third-party processors that HackerEarth uses and the services they provide.
| Processor | Service | Data stored and processed |
| --- | --- | --- |
| Sendgrid | Email service provider | Stores and processes users' emails |
| Plivo.com | Automated OTP SMSs and calls | Stores and processes users' phone numbers |
| Twilio | Automated OTP SMSs and calls | Stores and processes users' phone numbers |
| Amazon | AWS cloud infrastructure | |
| Landbot | Automated chat bot on our B2B website page | Stores users' email IDs |