Skip to main content

Nuclei FAQs - Security

Hiro
  • Updated

Overview

Security is very important to us at Nuclei. In fact, it's so important to us that we engage a third-party firm to audit our infrastructure, systems, and processes continuously.

That firm's called Vanta, and they make a report that covers everything they check — it's almost like a pen test for our entire organization! Their reports are updated daily, and are available upon request.

 

Infrastructure 

In general, Nuclei adheres to the “Serverless Application Lens” that is part of the “AWS Well-Architected Framework” to ensure that all applications and workloads are architected according to best practices from AWS.

The "Security Pillar" of the framework includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Nuclei implements all five best practice areas for security in the cloud, including:

  • Identity and access management
  • Detective controls
  • Infrastructure protection
  • Data protection
  • Incident response

Serverless architectures like Nuclei's address some of today’s biggest security concerns as it removes infrastructure management tasks, such as operating system patching, updating binaries, etc.

 

Frequently Asked Questions

Which security features of AWS are being used?

In general, we adhere to the “Serverless Application Lens” that is part of the “AWS Well-Architected Framework” to ensure that all applications and workloads are architected according to best practices from AWS. (which includes the “Security Pillar”)

Nuclei's complete technology stack is “serverless”, which eliminates some of the largest security concerns from the beginning:

 

Traditional AWS Application  

Platform, OS, network, data at rest and in transit security shifts to Vendor or Customer

mceclip0.png

 

Serverless AWS Application

Platform, OS, network, data at rest and in transit security shifts to AWS

 

mceclip1.png

Unlike a traditional application running in the Cloud, with a serverless architecture AWS manages the underlying infrastructure, foundation services, virtualization layers, operating systems, and application platforms (see Shared Responsibility Model – Lambda) which significantly reduces our risk surface and eliminates some of the largest security risks.

We also use several security oriented services from AWS to optimize our security posture, including:

  1. AWS Organizations (Hard separation of PROD / DEV / TEST resources at the AWS account level)
  2. AWS Parameter Store and AWS Secrets Manager
  3. AWS Config
  4. AWS Security Hub

 

Is MFA used?

Yes. MFA is mandatory for all AWS IAM user accounts, and we use the Virtual MFA device form factor for all users.

 

What password policies are set?

At present we are mirroring the recommendations from NIST (Section 5.1.1 – Memorized Secrets)

One exception is that we extend the minimum password length to 18 characters.

 

More Information

For more information on Nuclei's security posture, please contact our network security team at hello@nuclei.ai

Thanks!! ✌️

Related articles

Comments

0 comments

Please sign in to leave a comment.