Security

Personnel & Processors

Background Checks

All Salad employees and contractors must pass a background check and sign confidentiality agreements.

Employee Security Awareness

Salad mandates that new employees attend classes covering security best practices.

Engineering Security Education

Engineers are required to attend an additional technical security workshop.

Policies

Salad maintains a set of security policies that are owned, kept current, and communicated by its security management team.

Security Incident Response

Response Team

Salad maintains an Incident Response Team.

Response Policy & Plan

Salad maintains an Incident Response Policy and Runbook to facilitate decision making during critical situations.

Communication

Network and security incident notices are published at https://status.salad.com/

Network Security

Vulnerability Scanning

Salad runs a Docker-centric vulnerability scanner as part of its software development CI/CD process. Findings are patched within the following timelines, by severity:
Critical - 14 to 30 days
High - 14 to 30 days
Medium - 45 to 90 days
Low - 90 to 180 days
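The following is an added example of how such timelines can be enforced as a CI gate; it is not Salad's tooling. It assumes a Trivy-style JSON report (the field names Results, Vulnerabilities, VulnerabilityID, PkgName and Severity) and, because scanner output carries no first-seen date, a small ledger of first-seen dates that CI keeps between runs. The lower bound of each range is treated as the target date and the upper bound as the hard limit: a finding past its limit blocks the build, one past its target only warns. The sample report, ledger and EXAMPLE-nnnn identifiers are constructed placeholders.

```python
"""Severity-based patching-window gate for container image scan results.

Added example, not Salad's code. Assumes a Trivy-style JSON report and a
ledger mapping (vuln_id, package) -> date first seen; both are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Patching windows in days by severity, as stated in the policy text, as
# (target, hard limit). Assumption: the lower bound is the target, the upper
# bound is the limit after which a finding blocks the build.
PATCH_WINDOW_DAYS = {
    "CRITICAL": (14, 30),
    "HIGH": (14, 30),
    "MEDIUM": (45, 90),
    "LOW": (90, 180),
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    severity: str
    first_seen: date

    def target(self) -> date:
        return self.first_seen + timedelta(days=PATCH_WINDOW_DAYS[self.severity][0])

    def limit(self) -> date:
        return self.first_seen + timedelta(days=PATCH_WINDOW_DAYS[self.severity][1])


def parse_report(report_json: str, ledger: dict, today: date) -> list[Finding]:
    """Flatten a Trivy-style report into Findings.

    A vulnerability not yet in the ledger is recorded as first seen today so
    that later runs age it. Severities outside the policy (e.g. UNKNOWN) are
    skipped here; a stricter site might treat them as HIGH instead.
    """
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = str(v.get("Severity", "")).upper()
            if sev not in PATCH_WINDOW_DAYS:
                continue
            key = (v["VulnerabilityID"], v["PkgName"])
            first_seen = ledger.setdefault(key, today)
            findings.append(Finding(key[0], key[1], sev, first_seen))
    return findings


def evaluate(findings: list[Finding], today: date) -> dict[str, list[Finding]]:
    """Bucket findings into blocking (past limit), warning (past target) and ok."""
    buckets: dict[str, list[Finding]] = {"blocking": [], "warning": [], "ok": []}
    for f in findings:
        if today > f.limit():
            buckets["blocking"].append(f)
        elif today > f.target():
            buckets["warning"].append(f)
        else:
            buckets["ok"].append(f)
    return buckets


def gate(report_json: str, ledger: dict, today: date) -> bool:
    """Return True if the build may proceed, printing the reasons otherwise."""
    buckets = evaluate(parse_report(report_json, ledger, today), today)
    for f in buckets["blocking"]:
        print(f"BLOCK {f.vuln_id} in {f.package} ({f.severity}): limit {f.limit()} passed")
    for f in buckets["warning"]:
        print(f"WARN  {f.vuln_id} in {f.package} ({f.severity}): target {f.target()} passed, limit {f.limit()}")
    return not buckets["blocking"]


# Constructed sample data: placeholder identifiers, not real scanner output.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app:1.0 (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libfoo", "Severity": "HIGH"},
    {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libbar", "Severity": "MEDIUM"},
    {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libbaz", "Severity": "LOW"},
    {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libqux", "Severity": "CRITICAL"},
    {"VulnerabilityID": "EXAMPLE-0005", "PkgName": "libunk", "Severity": "UNKNOWN"},
]}]})
SAMPLE_LEDGER = {
    ("EXAMPLE-0001", "libfoo"): date(2024, 1, 1),   # HIGH, 40 days old on TODAY
    ("EXAMPLE-0002", "libbar"): date(2024, 1, 20),  # MEDIUM, 21 days old
    ("EXAMPLE-0004", "libqux"): date(2024, 1, 20),  # CRITICAL, 21 days old
}
TODAY = date(2024, 2, 10)

if __name__ == "__main__":
    raise SystemExit(0 if gate(SAMPLE_REPORT, dict(SAMPLE_LEDGER), TODAY) else 1)
```

Because the ledger is the only source of ageing, it has to be persisted by the pipeline (an artifact, a small table, or a ticket per finding); a scanner run that starts with an empty ledger will never block anything.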

Internal Systems Auditing

Salad maintains a formal Audit Policy governing application events, system events, hardware events, and physical access. Each audited event records what occurred, when and where it occurred, its source, the object acted on, the outcome, and the person associated with it.

Architecture

Salad’s architecture consists of multiple layers of network security, including a DMZ, bastion hosts, and iptables host firewalls.

Global Distribution

Salad’s Site Reliability, Support and Engineering teams are globally distributed.

Build Isolation

Builds run in isolated sandboxes that are destroyed after each use.

Data Security

Traffic Encryption

All data in transit is encrypted via TLS and SSH.

Environment Variable Encryption

Environment variables are encrypted at rest and in transit, and are injected into the runtime environment at the start of a job. Sensitive values such as keys, tokens, and other credentials should be stored as environment variables within Salad rather than in source code or container images.

Data Backup

Salad maintains a Data Backup and Snapshot Policy that requires restoration capabilities within common industry timelines.

Application Security

Secure Coding

The Software Development Lifecycle Policy dictates delivery, review and merge processes to minimize rollbacks, downtime, design flaws and security incidents.

Site Reliability

Salad employs a team of site reliability engineers who ensure that the application's security layers are consistently maintained.

OWASP Top 10

Salad's web application is designed to withstand the OWASP Top 10 categories (as enumerated in the 2013 edition of the list), such as injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, missing function level access control, cross-site request forgery (CSRF), and unvalidated redirects and forwards.