Security at Fugue

Bulletins
2021/12/13, updated 2021/12/17
Fugue is aware of the security issues affecting the Apache Log4j library, CVE-2021-44228 and CVE-2021-45046. The Fugue Platform, including its engine, API, client, and Regula, contains no Java components and is therefore not affected by these issues. Fugue's reporting components are operated by Google Looker and were patched on December 13, 2021 for CVE-2021-44228 and on December 16, 2021 for CVE-2021-45046. Fugue customers do not need to perform any remediating actions at this time. We are actively tracking AWS's remediation for the services Fugue is built on. For more information please see the AWS response.
Attestation and Certifications
Fugue is SSAE-18/SOC 2 Type II Compliant
Fugue is CIS Certified
Our Security Philosophy
Security is a first-class citizen at Fugue, and we are committed to ensuring the security of our customers and their data.
Securing Your Data
Fugue applies the following technical and organizational measures:
Physical access controls:
- Fugue is built on Amazon Web Services and leverages all the platform's available security, privacy, and redundancy features
- AWS maintains controls regarding physical and environmental security according to the shared responsibility model
- Fugue is serverless by design to reduce attack surface and decrease operational overhead
Logical access controls:
- Access to production data systems is denied by default
- Audits are performed quarterly to ensure appropriate levels of access are authorized and commensurate with employee job function
- Fugue's data stores are private and restricted so that they are not publicly accessible
- Fugue scans itself to continuously monitor for security and compliance issues
- Fugue employs security automations backed by AWS WAF
- Fugue employs AWS services for IDS/IPS functionality across all production accounts
Operational controls:
- All Fugue employees undergo a thorough background check before hire
- All employees sign a proprietary information and inventions assignment (PIIA) at time of hire
- All employees undergo security training at time of hire and annually thereafter
- Fugue's critical vendors are reviewed annually
- Fugue exercises incident response policies and procedures annually
- Fugue undergoes annual risk discovery exercises followed by semiannual check-ins
- Device security is audited quarterly
- Third-party packages in JavaScript, Go, and Python code are checked for vulnerabilities on each commit and audited quarterly
- Fugue follows the latest NIST guidelines regarding password and MFA requirements
- Fugue leverages third parties to conduct penetration and vulnerability testing
- Fugue conducts application vulnerability scans quarterly using industry standard tools
Storage controls:
- All data is encrypted at rest
- All data is stored using highly available and durable services
Transmission controls:
- All data is encrypted in transit using TLS 1.2 or later
- Removable storage is not used
Availability controls:
- Fugue maintains business continuity and disaster recovery plans
- Disaster recovery is tested annually or when significant changes occur to the infrastructure
- Disaster recovery is conducted in a separate AWS account to ensure no production disruptions
- Backups occur continuously and are stored in a separate AWS account with restricted access
- Backups are encrypted at rest and in transit to the backup account
Separation controls:
- Fugue maintains separate accounts for development, staging, and production
- Data is segmented such that no production data can be moved to non-production environments
Report an Issue
Security belongs to everyone, including you. Fugue highly values and encourages participation from our community using our responsible reporting process.
We're very appreciative when members of the security community report vulnerabilities to us.
Report these issues directly to security@fugue.co
Please use these guidelines:
- Use our PGP key (available below) to encrypt your report
- Do not submit vulnerabilities through the Fugue UI via Receptive
- Give us enough detail to reproduce the vulnerability
Responsible Disclosure
Fugue will investigate all reports and act to remediate vulnerabilities as quickly as possible. We will not take legal action against you provided you comply with the following:
- Do not access or modify data that does not belong to you
- Do not attempt to DoS the UI or API
- Allow us a reasonable amount of time to respond to, evaluate, and resolve security incidents before making any information public
PGP Key
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFzv5wUBEACsMQiuBE9MXXskyB74UHflEafPuCbQ164Etc4CxtZG+p7kDDfg
iExR3J+eXxClTf15orG7SL9DZ1zOi5oOgHEcZpsh4dnLUwsKK1lGSzqKw/r9Br/g
HpMuAGllYaVnh56CaDkzWsthIQNgyncu0O7LCQcKnBRVojtPGHTpEdh+Y6fPj/lD
O9NupZOEq4lktAz0VJ81S2boq45x4sd4QgLEcD8QCdB8wQ8dWYzgUyJ+alXb9LpM
IdDGMSxEI3FpMi6tTELCW5lc+axUW+URfDlVUs02lTZiCQCZQGqvb+ZlmK1lrs4T
dHFbtIPmVokKGD36B0NF3Li4AbCrvmMZ2NOoBtf2g49y+BAG33v1SonrKltoU3P6
39mgn0r19xIUweE6ja5xzX3vKVWdOJShRB3ySoM8zXZz6JixumTYxzQ9HLNHcer1
osUDxTREdCpCbFouhm3hYEqLWpxIoLGpBOc/nGRJybxDdmhgTrzmthErJKzEcuBT
5c86qoWTe32J4JCRg97D/53krKwfHML/J9cIDmdsNTm/cDnB0iwdDvKi/n8cOXz2
+ys7cIgsSX4hos8Q3RCWgRCHmYs/b25zlpHhUV0jMN0OFx0bK9pwVT4dfHbfBGnl
4jQVFY7E1AoZ7QtWk+K7M0Vw91dnzM4Smhh+N0BOXJnczcP/zLlPk4SzeQARAQAB
tCRGdWd1ZSBEaXNjbG9zdXJlIDxzZWN1cml0eUBmdWd1ZS5jbz6JAlQEEwEIAD4W
IQTyRF4aRNRNgauzolCOM450i4zWkQUCXO/nBQIbAwUJCWikgAULCQgHAgYVCgkI
CwIEFgIDAQIeAQIXgAAKCRCOM450i4zWkRyDD/9rIPDUoiyi8DY3NYd7mm9XCY0F
N8yTfLtkE21BvPjyfdGWbc3G0hX/cJjkOBxGMtLUBavJFC7+e1ZYaQM3bCYpppNd
3W44+/H4WNAav2PoFb06XDXbulEVfk7dFr56df9+JNyBxyCWtlnsm4CEzH7ibgf/
2ktpQ4nVO0N/Qx9YzVcbSL3Evntvt0wmCLzZnobr6JEFnFW2IZkAAdmn9TWVffCS
VE+NVc2C+HIsrla3fGlrMo5OJzn+bPyiDkRP7wKKee3kCYh1iJaSvOlgxBYAqKc4
hqcYcL4/1JBalW+Wqd/xRpAXTpff9A9U2b6DGeO8ocPHk4Fdd0LuRKIsCS/qvIa+
DKrvLLBeZYej3dwK288naMSiwwHdkaz7Sw7fzA/2t/USfv0lQBhxdGapTNEWAeMc
umZk0nPLT+5XGbT/SRafpDGj6jlDnNJJRKJwri/xtRblUhbklBnip49A2Gs8tKY8
ldbxd9yZ+BpYL5SwPwVuN25SNODMTEPh/HqpQPV0Z9mBlhn8sNQhHGugROTXC1v3
ATMtpFpk/fTkIfDp5PTfleAcxfebxVkIhLwpIcELtPC0XbQ4dXc1BYzNnbRuV4RH
42gNWnOK+a3vz48nW4u1gfp7DDrRNPk9waIFgQWGzZrnxRMmocvJq0bELP9k0UuP
HqsyyFrfbgvDhpVYnLkCDQRc7+cFARAAtAI6IE1Oo2dkzZcLNYScU/Ond5RJkOpc
gFjH1JXPc+KDG8EjkACJJ5bHGOo6zLxKPXzFfdBDn/oOPzq5gpVJzCdi9v88Rs/F
XEblm/9Ctf+wyLS9jRX67po8wELgk4JOBKKlnkX9gu3N1UObQoQ9V2Bb3PHSBQX1
w29Ax0aP/yOSz09VbfzE9VHnZ1tw/Wj7P/WAbxiQI5MsXOysv1tW4+v+Lt9yr4cg
t7oqz2lpre2JDGXCoAZz3bKvnprTI6SGgT0eE4GtcNur9lw7m1l1b75+gSwzYWfh
dni/Yls5Ll7/zFeQtwBVK1CtXTh7IQjFkzoYv3h8/bb/L9chDSR7WOsE3Wn4QGCy
SAcSPXlNfvfu417WDsjyUvrVSYOXGCDLzbail4eruYOGX72Fv/qUfrG5NSTW8Xgf
9LUAeycuHfmbTigZ5G2lnAQynrk2+gM2Lq0WsXN1VWG2S7/iDoqiFEb66ZLeb7gI
WDS96KYygpFc5M8vnzEReDNATjZUib4zkLmI3QIpeGPGg9j7u5yh7gDS2CgD4e6r
BZt7tQLuQwUsqMy1z9rSJ1ZuLYdLWF6HuhHal+enDcnmcr7a4HE64jqOpzLGMA6Z
GhPZ4j7UuxfD1gAbUWzpPMSvj2VA0BMSwrxXzQWL9hYQ/hwOjq0f8ZMrgqfaBxkH
Da+N7VDGjJkAEQEAAYkCPAQYAQgAJhYhBPJEXhpE1E2Bq7OiUI4zjnSLjNaRBQJc
7+cFAhsMBQkJaKSAAAoJEI4zjnSLjNaRG8gQAKUieArTBc7PGc7K1XQlLn0xaeWj
3N20nXu41TuAfhlEFr/9rZT3xvhmxZIVRmHJ2o2e++XVuAMO/zbT/B7e6Vphs08x
DYmJRDc5IgIFjDBqaXzshWZGnp8TINldKp8GQAPlWKyXjNtuMfNjaWZf9ysQSeN7
BiNsEyFqwMHTKkrHZB5tyTSLDBgEb/hYswPn5AbMWSiSZ2YVDc9gIsOhTHGGATZk
jP0eYGJtqlISqAJQnc9pzHJdbVxVotgMJV/lt4PW07d+2CwHkcl1H+GgPs+CsQSi
6WTkC5R0SE9IOGgwZKb17MhIq1QJWbovz3MBJsHovXY1AMHw7ABgANclwuRiYZwY
5Sminja9ddSHSfpxkgDBSjDxAT4pn/+MNnoFkEXN6xX49vVtiUKGdb/Ikgz4yehT
EbpMabs+DwV0IKrJgap2VzXtCamjXVeBr00bn3hNDAnqjt0Y1Ksw5vV1Puwf3OJP
ytHHyw+V+WmbW3HaqgH9a5AYE/h9nCnYoHZa+pJyKTyYsOgM97Aj07OWZc8B0VAu
Qk5eyemV5jvKbmNCGr4Hbg0TduFXvDheg2NqQpA2ALImP7Kl2LpyLTABDBFHUDSu
rqAP9H8uhPhCC8ocbduWeK+inTjDQu/8vS7ztkAIMocumcx25isScHTyMv/wi4B+
DSZsgUTGDJpukSww
=3/8P
-----END PGP PUBLIC KEY BLOCK-----
Fingerprint
F244 5E1A 44D4 4D81 ABB3 A250 8E33 8E74 8B8C D691
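Before encrypting a report to the key above, check that the key you have actually matches the published fingerprint; a substituted key block with the same user ID would otherwise go unnoticed. The script below is an added example and is not Fugue's own tooling. It embeds the first 12 armor lines of the key block on this page (enough to hold the public-key packet and the user ID packet), recomputes the OpenPGP v4 fingerprint defined in RFC 4880 section 12.2, and compares it with the fingerprint printed above. It assumes the old-format packet headers that GnuPG emits for such keys and handles no others.

```python
"""Check the published Fugue disclosure key against its published fingerprint.

Added example, not Fugue's own code. Only the first 12 armor lines of the key
block on this page are embedded; for this key they contain the complete
public-key packet (tag 6) and user ID packet (tag 13). The v4 fingerprint is
SHA-1 over 0x99, a two-octet body length and the key packet body (RFC 4880 12.2).
"""
import base64
import hashlib
import struct

# Copied from the key block on this page; later lines hold signatures and the
# encryption subkey and are not needed to compute the primary key fingerprint.
KEY_BLOCK_PREFIX = (
    "mQINBFzv5wUBEACsMQiuBE9MXXskyB74UHflEafPuCbQ164Etc4CxtZG+p7kDDfg"
    "iExR3J+eXxClTf15orG7SL9DZ1zOi5oOgHEcZpsh4dnLUwsKK1lGSzqKw/r9Br/g"
    "HpMuAGllYaVnh56CaDkzWsthIQNgyncu0O7LCQcKnBRVojtPGHTpEdh+Y6fPj/lD"
    "O9NupZOEq4lktAz0VJ81S2boq45x4sd4QgLEcD8QCdB8wQ8dWYzgUyJ+alXb9LpM"
    "IdDGMSxEI3FpMi6tTELCW5lc+axUW+URfDlVUs02lTZiCQCZQGqvb+ZlmK1lrs4T"
    "dHFbtIPmVokKGD36B0NF3Li4AbCrvmMZ2NOoBtf2g49y+BAG33v1SonrKltoU3P6"
    "39mgn0r19xIUweE6ja5xzX3vKVWdOJShRB3ySoM8zXZz6JixumTYxzQ9HLNHcer1"
    "osUDxTREdCpCbFouhm3hYEqLWpxIoLGpBOc/nGRJybxDdmhgTrzmthErJKzEcuBT"
    "5c86qoWTe32J4JCRg97D/53krKwfHML/J9cIDmdsNTm/cDnB0iwdDvKi/n8cOXz2"
    "+ys7cIgsSX4hos8Q3RCWgRCHmYs/b25zlpHhUV0jMN0OFx0bK9pwVT4dfHbfBGnl"
    "4jQVFY7E1AoZ7QtWk+K7M0Vw91dnzM4Smhh+N0BOXJnczcP/zLlPk4SzeQARAQAB"
    "tCRGdWd1ZSBEaXNjbG9zdXJlIDxzZWN1cml0eUBmdWd1ZS5jbz6JAlQEEwEIAD4W"
)
PUBLISHED_FINGERPRINT = "F244 5E1A 44D4 4D81 ABB3 A250 8E33 8E74 8B8C D691"

PUBLIC_KEY, USER_ID = 6, 13  # packet tags, RFC 4880 section 4.3


def iter_packets(data):
    """Yield (tag, body) for old-format packets (RFC 4880 section 4.2.1).
    Stops at the first packet whose body is not fully present, since only a
    prefix of the key block is embedded."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80:
            raise ValueError("only old-format packet headers are handled")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            hlen, fmt = 2, ">B"
        elif ltype == 1:
            hlen, fmt = 3, ">H"
        elif ltype == 2:
            hlen, fmt = 5, ">I"
        else:
            raise ValueError("indeterminate-length packet not handled")
        if i + hlen > len(data):
            return
        blen = struct.unpack(fmt, data[i + 1:i + hlen])[0]
        if i + hlen + blen > len(data):
            return  # truncated packet: the rest of the key block was not embedded
        yield tag, data[i + hlen:i + hlen + blen]
        i += hlen + blen


def read_mpis(buf):
    """Decode the multi-precision integers following the key header (RSA: n, e)."""
    mpis, off = [], 0
    while off < len(buf):
        bits = struct.unpack(">H", buf[off:off + 2])[0]
        n = (bits + 7) // 8
        mpis.append(int.from_bytes(buf[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return mpis


def v4_fingerprint(body):
    """SHA-1(0x99 || two-octet body length || public-key packet body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def check_key(armor_lines=KEY_BLOCK_PREFIX, published=PUBLISHED_FINGERPRINT):
    """Parse the embedded prefix and compare the computed and published fingerprints."""
    data = base64.b64decode(armor_lines)
    info = {"user_ids": [], "fingerprint": None}
    for tag, body in iter_packets(data):
        if tag == PUBLIC_KEY and info["fingerprint"] is None:
            version, created, algo = struct.unpack(">BIB", body[:6])
            if version != 4:
                raise ValueError(f"unsupported key version {version}")
            mpis = read_mpis(body[6:])
            info.update(version=version, created=created, algo=algo,
                        modulus_bits=mpis[0].bit_length(), public_exponent=mpis[1],
                        fingerprint=v4_fingerprint(body))
        elif tag == USER_ID:
            info["user_ids"].append(body.decode("utf-8"))
    info["matches"] = info["fingerprint"] == published.replace(" ", "").upper()
    return info


if __name__ == "__main__":
    r = check_key()
    print("user IDs :", r["user_ids"])
    print("key      : v%d, algo %d, %d-bit modulus, created %d"
          % (r["version"], r["algo"], r["modulus_bits"], r["created"]))
    print("computed :", r["fingerprint"])
    print("published:", PUBLISHED_FINGERPRINT.replace(" ", ""))
    print("MATCH" if r["matches"] else "MISMATCH: do not encrypt to this key")
```

The same check with GnuPG is `gpg --import key.asc` followed by `gpg --fingerprint security@fugue.co`; the printed fingerprint must equal the one above before you run `gpg --encrypt --armor -r security@fugue.co report.txt`. Algorithm 1 in the output is RSA, and the `created` value is a Unix timestamp.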
v1.5, February 07, 2022