Intro
If you are especially security conscious, then the Truss team is your kind of people.
Our CTO, Ken Kantzer (LinkedIn), is the leading and highest-credentialed cyber-security expert within the accounting software industry. His background includes:
Princeton
Top security clearances
Consulting three-letter government agencies
Founding a cyber-security auditing firm
And much more.
Detailed below ⬇️ are the specs of our best-in-class approach to security.
General
From our CTO:
The security protocols in Truss provide the underlying tools, systems, processes, and resources to build a secure and privacy-protected system. Truss has industry-leading security:
SOC 2 Type II Certified
Software has been reviewed and built in consultation with leading security experts
Uses modern and up-to-date software and security frameworks
Uses security best-practices as defined by standards like OWASP and NIST-800
Uses best-in-class encryption in-transit and at-rest using industry-standard encryption algorithms like AES-256 and Bcrypt.
Uses SOC 2, Type II-certified secure cloud for infrastructure to host all client data and services (AWS and Heroku)
Infrastructure Security
Truss is SOC 2 certified, and the Truss software is deployed on the SOC 2 certified cloud provider Heroku, which itself runs on AWS. Both implement strong security practices.
Heroku’s security practices and security certifications are defined here.
AWS security practices and security certifications are defined here.
The web application benefits from Heroku’s standard, security-by-default serverless infrastructure, and customer passwords are stored in a Postgres database in encrypted form.
Refer to the systems architecture diagram above to see details on our infrastructure.
Privacy
Your data is NEVER:
Sold
Exposed to the public domain
Used to train Large Language Models.
Network Security
Truss limits external access to network services by isolating and blocking all unnecessary ports from external traffic. Access to the production network is limited to necessary personnel, logged, and secured using multi-factor authentication. This is in addition to the built-in security provided by AWS.
All access to the production network is encrypted with TLS 1.2 and carried over HTTPS. Database connections and customer file transfers likewise require encryption in transit (TLS 1.2 over HTTPS).
Our infrastructure implements rate limiting that allows developers to specify how often an IP range or a user may send requests in a given time period. This limits abuse of the service. All network connections to the web application are automatically upgraded to HTTPS and use HSTS headers to prevent man-in-the-middle attacks.
Server Security
All data storage is located in Amazon AWS, which provides a very high level of security. AWS’s security program covers Infrastructure Security, DDoS (Distributed Denial of Service) Mitigation, Data Encryption, Inventory and Configuration, Monitoring and Logging, Identity and Access Control, and Penetration Testing. More information on its security protocols can be found here: https://aws.amazon.com/security/
All production access to AWS is logged within AWS CloudTrail.
All code deploys are logged within Heroku. Web application activity is tracked within logs.
Truss servers are managed by Heroku, using their best-in-class, SOC 2 Type II certified server infrastructure that provides an enterprise-ready secure file collaboration solution. These servers are deployed in alignment with industry standards, guidance and security principles.
Truss’s file uploads are stored in AWS S3 and are encrypted at rest using AWS KMS, with TLS protecting them in transit. This encryption is designed to complement the other security layers at the disposal of system administrators, which include:
TLS at the transport level
Encryption in Transit and at Rest
Two-Factor Authentication to protect logins
In addition, it uses technologies and standards like OpenSSL and AES-256 as recommended by organizations such as NIST.
The Truss code has a number of protections built in, such as rejecting path-traversal character sequences like “..\” and “../”, and defences against common OWASP Top 10 web vulnerabilities such as XSS and SQL injection.
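To make the path-traversal protection concrete, here is an added example (illustrative code, not Truss’s own) that layers the sequence denylist the page describes with a containment check on the normalized path. The upload root and the helper names are assumptions; the second check matters because a bare “..” or an absolute path contains neither “../” nor “..\” and would slip past the denylist alone.

```python
import os
from typing import Optional

# Added illustration, not Truss's own code. The upload root is a constructed path.
UPLOAD_ROOT = "/srv/truss/uploads"
TRAVERSAL_SEQUENCES = ("../", "..\\")


def contains_traversal_sequence(user_path: str) -> bool:
    """The denylist check: reject raw input containing '../' or '..\\'."""
    return any(seq in user_path for seq in TRAVERSAL_SEQUENCES)


def resolve_upload_path(user_path: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Map an untrusted relative path onto a location under `root`, or return None.

    Two layers: the sequence denylist first, then a containment check on the
    normalized path, which also catches a bare '..', an absolute path, or a NUL
    byte. Callers must URL-decode the input before passing it here.
    """
    if contains_traversal_sequence(user_path):
        return None
    if "\x00" in user_path:
        return None
    # Treat backslashes as separators so Windows-style input gets the same normalization.
    relative = user_path.replace("\\", "/")
    if relative.startswith("/"):
        return None
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, relative))
    # The resolved path must still sit inside the upload root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_safe_upload_path(user_path: str, root: str = UPLOAD_ROOT) -> bool:
    """Convenience wrapper returning True only when the path resolves inside the root."""
    return resolve_upload_path(user_path, root) is not None


if __name__ == "__main__":
    for sample in ("reports/q1.pdf", "../secrets.txt", "..\\secrets.txt", "..", "/absolute/file.txt"):
        print(f"{sample!r:24} -> {resolve_upload_path(sample)}")
```

The denylist is kept because it is cheap and rejects the obvious cases early; the containment check is the one that actually decides, since it reasons about where the path ends up rather than what characters it contains.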
Our production management interfaces have brute-force protection that logs invalid login attempts and slows down repeated attempts from a single IP address (or IPv6 range). This feature is enabled by default and protects against an attacker who tries to guess the password of one or more system administrator accounts.
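The rate limiting described under Network Security and the brute-force slowdown described here rest on the same building block: counting events per source key over a time window. The following added example (illustrative code, not Truss’s own) shows both: a sliding-window limiter keyed by IP or user, and a login throttle that logs each invalid attempt and grows the delay for the source. Keying IPv6 clients by their /64, the back-off schedule, and the logger name are assumptions.

```python
import ipaddress
import logging
import time
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

# Added illustration, not Truss's own code. Window sizes, back-off and the IPv6 /64 grouping are assumptions.
logger = logging.getLogger("truss.auth")


def client_key(remote_addr: str) -> str:
    """Reduce a client address to a throttling key.

    IPv4 clients are keyed per host; IPv6 clients are keyed by their /64 so that one
    allocation cannot dodge the limit by rotating through its many addresses.
    """
    ip = ipaddress.ip_address(remote_addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key (IP range or user)."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        events = self._events[key]
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class LoginThrottle:
    """Log invalid login attempts and slow down repeated failures from one source key."""

    def __init__(self, base_delay: float = 0.5, max_delay: float = 30.0, reset_after: float = 900.0) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self._failures: Dict[str, Tuple[int, float]] = {}

    def delay_before_attempt(self, key: str, now: Optional[float] = None) -> float:
        """Seconds the caller should wait before processing the next attempt from `key`."""
        now = time.monotonic() if now is None else now
        count, last = self._failures.get(key, (0, 0.0))
        if count == 0 or now - last > self.reset_after:
            return 0.0
        # Exponential back-off: 0.5s, 1s, 2s, ... capped at max_delay.
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def record_attempt(self, key: str, username: str, success: bool, now: Optional[float] = None) -> int:
        """Record the outcome of a login attempt; returns the current failure count for `key`."""
        now = time.monotonic() if now is None else now
        if success:
            self._failures.pop(key, None)
            return 0
        count = self._failures.get(key, (0, 0.0))[0] + 1
        self._failures[key] = (count, now)
        logger.warning("invalid login attempt user=%s source=%s failures=%d", username, key, count)
        return count


if __name__ == "__main__":
    # Constructed addresses from documentation ranges.
    limiter = SlidingWindowLimiter(limit=3, window=60.0)
    key = client_key("2001:db8::1")
    print([limiter.allow(key, now=t) for t in (0, 1, 2, 3, 61)])
    throttle = LoginThrottle()
    for _ in range(3):
        throttle.record_attempt(key, "admin", success=False, now=100.0)
    print(throttle.delay_before_attempt(key, now=100.0))
```

The limiter answers “may this request proceed now?”, while the throttle answers “how long should this source wait?”; a login handler consults both, and the warning log line is what a SIEM rule would key on to surface a guessing campaign.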
Application Security
All application code is stored in version control on GitHub, in private repositories, and is encrypted at rest. Access to code requires two-factor authentication.
All application code undergoes regular static code analysis scanning to find vulnerabilities, both in upstream third-party open-source dependencies and in our own code.
Truss utilizes built-in monitoring and logging tools, compatible with industry standard tools like Splunk, Nagios and OpenNMS.
Truss also provides a full, compliance-ready activity log for reporting and auditing purposes.
Truss uses industry-standard TLS encryption for data in transit. Additionally, data at rest in storage is encrypted by default with military-grade AES-256 encryption and server-side key management.
Truss stores user session data, including login state, user name and other data, in encrypted form. The client accesses data via an encrypted cookie that must be sent to the server with every request the user makes. The request middleware also enforces that same-site cookies are present on every request.
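The HTTPS upgrade and HSTS header mentioned under Network Security and the session-cookie enforcement described here both live in the request pipeline, so one added example (illustrative code, not Truss’s own) covers both: it redirects plain HTTP, attaches an HSTS policy, issues the session cookie with Secure, HttpOnly and SameSite=Strict, and rejects requests whose cookie is missing or fails verification. The page says the cookie is encrypted; this example signs it with HMAC-SHA256 to show the integrity check, and a deployment wanting confidentiality as well would wrap the body in an AEAD. The key, cookie name, HSTS policy and request shape are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Added illustration, not Truss's own code. The key is generated per process here; a deployment
# would load it from a secret store. Cookie name and HSTS policy are assumptions.
SESSION_KEY = secrets.token_bytes(32)
COOKIE_NAME = "truss_session"
HSTS_POLICY = "max-age=31536000; includeSubDomains"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(session: dict, key: bytes = SESSION_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag so the client cannot alter it."""
    body = _b64encode(json.dumps(session, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    tag = _b64encode(hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_session_cookie(value: str, key: bytes = SESSION_KEY) -> Optional[dict]:
    """Return the session dict if the tag checks out, otherwise None."""
    body, sep, tag = value.partition(".")
    if not sep:
        return None
    expected = _b64encode(hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(_b64decode(body).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def set_cookie_header(value: str) -> str:
    """Set-Cookie value: HTTPS only, unreadable by script, never sent cross-site."""
    return f"{COOKIE_NAME}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def handle_request(request: dict, key: bytes = SESSION_KEY) -> Tuple[int, dict, Optional[dict]]:
    """Middleware stage: upgrade plain HTTP, attach HSTS, and require a valid session cookie.

    `request` is a constructed dict with keys scheme, host, path and cookies.
    Returns (status, response headers, verified session or None).
    """
    if request["scheme"] != "https":
        return 301, {"Location": f"https://{request['host']}{request['path']}"}, None
    headers = {"Strict-Transport-Security": HSTS_POLICY}
    cookie = request.get("cookies", {}).get(COOKIE_NAME, "")
    session = verify_session_cookie(cookie, key)
    if session is None:
        return 401, headers, None
    return 200, headers, session


if __name__ == "__main__":
    cookie = make_session_cookie({"uid": 7, "login": True})
    print(set_cookie_header(cookie))
    print(handle_request({"scheme": "http", "host": "app.example", "path": "/files", "cookies": {}}))
    print(handle_request({"scheme": "https", "host": "app.example", "path": "/files",
                          "cookies": {COOKIE_NAME: cookie}})[0])
```

The redirect happens before any cookie is read, so a session token is never accepted over a plaintext connection, and the HSTS header only ever goes out on the HTTPS response, which is the only place browsers honour it.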
Truss secures file sharing options with a series of encryption operations. When a file is shared, a secure-random URL is generated that is associated with that upload form. This URL cannot practically be guessed, and allows easy-but-secure access to uploads. Furthermore, this secure link only permits uploading documents, never downloading them. In this way, it is strictly more secure than sending documents over email, even if the link itself is shared by email.
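As an added example (illustrative code, not Truss’s own) of the upload-only share link just described: the token comes from the operating system’s CSPRNG, only a hash of it is kept server-side, it carries an expiry, and the authorization check grants the upload action while refusing download for the same token. The hostname, store layout, token length and expiry are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Added illustration, not Truss's own code. The hostname is a placeholder and the store is in-memory.
BASE_URL = "https://app.example.invalid/u/"


def _token_digest(token: str) -> str:
    # Keep only a hash of the token, so a leaked table does not hand out working links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def token_from_url(url: str) -> str:
    """Extract the share token from a link of the form BASE_URL + token."""
    return url.rsplit("/", 1)[-1]


class UploadLinkStore:
    """Issue and check secure-random, upload-only share links for upload forms."""

    def __init__(self) -> None:
        self._links: Dict[str, dict] = {}

    def create_link(self, form_id: str, ttl_seconds: float = 7 * 86400, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._links[_token_digest(token)] = {
            "form_id": form_id,
            "scope": "upload",  # the link is bound to uploading only
            "expires": now + ttl_seconds,
        }
        return BASE_URL + token

    def authorize(self, token: str, action: str, now: Optional[float] = None) -> Optional[str]:
        """Return the form id if `token` permits `action`, else None. Downloads are always refused."""
        now = time.time() if now is None else now
        record = self._links.get(_token_digest(token))
        if record is None or now >= record["expires"] or action != record["scope"]:
            return None
        return record["form_id"]


if __name__ == "__main__":
    store = UploadLinkStore()
    url = store.create_link("form-123", ttl_seconds=3600, now=1000.0)
    tok = token_from_url(url)
    print(url)
    print("upload:", store.authorize(tok, "upload", now=1500.0))
    print("download:", store.authorize(tok, "download", now=1500.0))
```

Because the server stores a digest rather than the token, lookup is an exact hash match rather than a search over secrets, and the scope field is what turns “knows the link” into “may upload to this form” without ever becoming “may read what others uploaded”.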