In this article, We'll try to synthesize how Flusk Vault works and how we proceed in order to detect security vulnerabilities inside your application.
If you'd like to know more about our compliance, please visit this article.
Privacy and data processing
We understand that granting access to your application and its data may cause concern, but please be assured that we will never access or use your private data without your explicit consent.
Flusk takes privacy very seriously and follows practices to ensure the security of user data. All user data is encrypted in transit and at rest, and all user interactions with the system are protected by authentication protocols. Additionally, Flusk Vault maintains rigorous internal policies and procedures to ensure that user data remains private and secure.
To do so, we:
Mainly use and collect publicly accessible data to perform security tests. This is done by fetching the public JSON application file of your app, which contains information on its structure.
Require all app owners to verify their ownership, making it impossible to use Flusk Vault for identifying vulnerabilities on other apps.
Avoid using customer data for security tests whenever possible. In most cases, we only use the JSON application file to review items. For example, when reviewing if a database field is sensitive, we first assess it based on its field name and context. If we cannot do so, we may use actual database data if you enable the "Allow customer data" privacy setting during installation.
Never store customer data on our server, they are deleted immediately upon check.
We also use only HIPAA-compliant servers to process user data.
Ensure no Team member has access to your app when adding the
[email protected]account as a collaborator. This account is inaccessible to any members of our team for privacy reasons and terms and conditions legally stipulate that the Flusk team cannot access your app or its data without your explicit permission.
How does Flusk Vault work?
Scraping public data
The main thing we use in order to analyze your application is scraping the public App JSON Object on all your pages.
This is basically how our tool works:
First API call to get all the pages of your application
Fetch the JSON Object of each page
Analyze the public content of each page
Analyze the public global properties of your app
This allows us to extract all the front-end data (that is public and viewable by everyone) as a JSON object that we pass to our algorithm.
Once your data is inside our back end, we will analyze it and look for security vulnerabilities on every single page of your app.
In order to ensure the proper installation and functionality of Flusk Vault, we kindly request that you grant access to our internal account, [email protected]. This is necessary for two main reasons.
Firstly, verify that you are the rightful owner of the application and prevent any unauthorized access.
Secondly, to process confidential data such as API Tokens, privacy rules, and cookie exploits, as well as to provide access to features that are not yet publicly available.