Frequently Asked Questions

All the little things that don't neatly fit in the marketing copy :D

If there's anything else you'd like to know, just ask via [email protected]


Dispatch

How does it work?

You authenticate Hecate Dispatch to your GitHub organisation using the newer "app" installation model. Once authorised, we listen to all webhooks for merges, deployments, and releases to generate instant deploy notifications via email or Slack. We can also generate a daily activity summary from the data we collect, letting you know what the team has been doing. All notifications are sent according to rules you define yourself in a hecate.yml file, as specified in our reference configuration.
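As an added illustration of the receiving side of that webhook flow (this is not Hecate's code; the secret, header handling, payload fields and notification wording are assumptions), here is a minimal GitHub webhook handler that verifies each delivery's HMAC signature before mapping merge, deployment and release events onto notification text:

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub places in X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Reject unsigned or tampered deliveries; compare in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)

def describe_event(event: str, payload: dict) -> Optional[str]:
    """Map the three event families Dispatch cares about to one notification line; None means ignore."""
    if event == "pull_request" and payload.get("action") == "closed" and payload["pull_request"].get("merged"):
        pr = payload["pull_request"]
        return f"Merged #{pr['number']}: {pr['title']}"
    if event == "deployment_status" and payload["deployment_status"].get("state") == "success":
        dep = payload["deployment"]
        return f"Deployed {dep['ref']} to {dep['environment']}"
    if event == "release" and payload.get("action") == "published":
        return f"Released {payload['release']['tag_name']}"
    return None

def handle_delivery(secret: bytes, headers: dict, body: bytes) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, notification). Signature is checked on the raw bytes
    before any JSON parsing; events we do not notify on get 204."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, None
    message = describe_event(headers.get("X-GitHub-Event", ""), json.loads(body))
    return (200, message) if message else (204, None)

# Constructed sample delivery (not a real GitHub payload; trimmed to the fields used above)
SECRET = b"constructed-demo-secret"
SAMPLE_BODY = json.dumps({
    "action": "closed",
    "pull_request": {"number": 42, "title": "Add deploy notifications", "merged": True},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "pull_request",
    "X-Hub-Signature-256": sign_body(SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```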

How do I connect Slack?

Visit the Hecate app, sign in via GitHub, and then on your settings page you should see a "Connect to Slack" button. Click that and follow the prompts within your Slack workspace.

What Slack permissions does it request?

We ask for the following permissions to your Slack organisation when it's installed:

  • chat:write:bot - write-only access into public channels; this is how we post the notifications
  • bot - add a bot user with the username @hecate
  • links:read & links:write - this pings us when a hecate.co link is shared so we can do link unfurling

Can I connect Hecate Dispatch to multiple organisations?

Yes, you can go through the signup process multiple times connecting to a different GitHub organisation each time.

Didn't this used to be called "Shipping News"?

Yes, and it was awesome. Unfortunately we couldn't make nautical product names work for the rest of the suite so we've fallen back to simpler but more boring names.


Security

Do you hold any certifications related to information or system security? Can we see the audit reports?

We do not hold any information or system security certificate at this time.

Briefly describe your security policies.

Hecate is a firm believer in a secure experience and multifaceted security protocols, ensuring that every aspect, including architecture, engineering, testing, and deployment, follows and complies with industry-leading security standards. As a first line of defence, Hecate's application is protected by Heroku's firewalls, which are tasked with countering regular DDoS attacks and malicious network intrusions.

In our application we have implemented HTTPS by default, and use VNC protocols for secure data transfer. This data is also encrypted to ensure that it is not compromised in transit.

Hecate is 100% cloud hosted, and the cloud vendors in use have been selected primarily for their secure-by-default design and fully compliant data centres. To learn more please read the Heroku Security Compliance documentation and Amazon Web Service's security documentation.

Do your employees sign/agree to a confidentiality statement?

Yes.

How is your application architected, in particular is there separation between publicly accessible parts of the application from the data storage?

Our application is a three-tier web application: a JavaScript client application, a backend API service behind that, and a SQL database behind that. The data storage tier is completely inaccessible from outside the API environment, and all connections within the environment are password protected over TLS.

Describe your coding, testing, and deployment practices.

At Hecate we follow Agile development methodologies. We use automated testing to ensure releases are of high quality. We use Heroku deployments for a fully automated release process with no human intervention.

Do you perform web application vulnerability testing or intrusion detection?

We periodically test our applications for vulnerabilities through both automated and manual means.

How do you manage access to production systems? Do you have a staff termination/offboarding policy and process? What is it? Do you log and audit performance of this process?

Access to production systems is strictly controlled through Heroku's single sign on system. Each developer authenticates against that identity with a unique SSH key.

Do you have an enforced password policy for admin accounts? Do you require MFA for admin accounts?

All administrative access is via Heroku single sign on where we have enforced usage of MFA.

What logging do systems perform? How are logs protected? What encryption is used? Do you have BI systems? Do they hold PII?

At Hecate, we maintain a variety of logs, such as syslog (system logs), auth (authentication) logs, web server logs, application server logs, database server logs, etc., provided by Heroku. We use Papertrail for our log aggregation and long-term storage, access to which is strictly controlled via Heroku SSO.

What is your system patching regime?

We follow SemVer versioning standards and publish hot-fixes and patches as required. Underlying system patches are applied by Heroku on a continuous basis.

Do you have separate production, QA, test, and dev environments?

Yes, we maintain fully separate development and production environments.

Are these systems separated from your corporate network and each other?

Yes, we operate on a zero-trust networking model and the environments are fully isolated from each other.

Do you perform system vulnerability scans and penetration testing?

We perform periodic system vulnerability scans, both automated and manual.

What type of firewalls/DDoS defense do you use?

We use Heroku's provided network security and firewalls, as documented here.

How do you monitor your systems and networks?

At the outermost layer we rely on the monitoring provided by Cloudflare, Heroku, and AWS. Internally we maintain a suite of custom alerting out of our Papertrail logging.

Are user passwords stored in a manner compliant with NIST Special Publication 800-63B, Digital Identity Guidelines?

All authentication for Hecate is via GitHub OAuth, and therefore user password storage compliance is not required.

How is user data stored? What encryption is used for data at rest? What about data in transit?

All user data is stored in Heroku-provided databases and uses the encryption outlined here.

Can unprotected user data be accessed by your staff? Is this access audited?

Yes, user data can be accessed by staff with access to the production environment.

How are backups managed? What encryption is used? How are they destroyed when no longer needed?

Our backups are externally managed by Heroku; you can read about their Continuous Protection here.

Do you operate physical infrastructure? If so what certifications do they hold related to physical security? Can we see the audit/certification reports?

Our application is hosted entirely on third-party hosting providers such as Heroku and AWS. All our hosting partners have very high security protocols; for example, check out the Heroku security protocols or the AWS security protocols.

What are your policies and processes around notification of a security breach?

In case of an identified breach, all related users are notified of the breach within 72 hours so that they can take necessary measures to prevent further loss. We share this information with our registered users through our email channels.