Does Chargebee support Vulnerability Assessment and Penetration Testing (VAPT)?

Modified on: Thu, 16 Feb, 2023 at 9:17 PM

Scope

Does Chargebee support VAPT?

How often does Chargebee perform vulnerability scanning and patching?


Summary

Chargebee is committed to ensuring the confidentiality, integrity, and availability of the sensitive and confidential customer data it collects, stores, or transfers.


Vulnerability Assessment and Penetration Testing (VAPT) describes a broad range of security assessments designed to identify and help address cyber security exposures across an organization's IT estate. The evolving tools, tactics, and procedures used by cybercriminals to breach networks mean that it’s essential to test your organization’s cyber security regularly. VAPT helps protect your organization by providing visibility of security weaknesses and guidance to address them.


Types of Scans

  • Internal VAPT (App & API)

  • External VAPT (App & API) 

  • DAST (App & API)


Solution

We periodically check for and apply patches to third-party software and services; as and when vulnerabilities are discovered, we apply the fixes. We also do periodic vulnerability scanning using the services of an authorized QSA (PCI Qualified Security Assessor).

Chargebee performs the VAPT assessment on a quarterly basis.

In addition, we have an in-house security team that performs vulnerability scans on a monthly basis.

Each API endpoint is manually tested against the following vulnerability classes, which correspond to the OWASP API Security Top 10 (2019):

  • BOLA (Broken Object Level Authorization) 

  • Broken User Authentication

  • Excessive Data Exposure

  • Lack of resources & rate limiting 

  • Broken Function level Authorization (BFLA)

  • Mass Assignment 

  • Security Misconfiguration

  • Injection

  • Improper Asset Management 

  • Insufficient Logging & Monitoring 
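What a test for the BOLA, BFLA and Mass Assignment items above actually checks, as an added example that is not Chargebee's code or tooling: a hypothetical in-memory invoice API with each vulnerable handler beside its hardened form, and the checks a tester runs against both. The handler functions, the object and tenant names (inv_1, alice, bob) and the "admin" staff role are all assumptions made for the example; in a real assessment the same requests go over HTTP using two different tenants' API keys.

```python
"""Added example, not Chargebee code: BOLA, BFLA and mass-assignment checks run
offline against a hypothetical in-memory invoice API. The handlers stand in for
HTTP endpoints; a real test sends the same requests over HTTP with two tenants' keys."""
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    role: str  # "user" or "admin" (platform staff); assumed roles for the example

@dataclass
class Invoice:
    owner: str
    amount: int
    status: str = "open"

class Forbidden(Exception): pass
class NotFound(Exception): pass
INVOICES = {}

def reset_store():
    # Constructed sample data: two tenants, one invoice each.
    INVOICES.clear()
    INVOICES["inv_1"] = Invoice("alice", 100)
    INVOICES["inv_2"] = Invoice("bob", 250)

# ---- vulnerable handlers ----
def get_invoice_vulnerable(session, invoice_id):
    inv = INVOICES.get(invoice_id)  # BOLA: lookup by id only, no ownership check
    if inv is None:
        raise NotFound(invoice_id)
    return inv

def update_invoice_vulnerable(session, invoice_id, payload):
    inv = get_invoice_vulnerable(session, invoice_id)
    for key, value in payload.items():  # mass assignment: every field is written through
        setattr(inv, key, value)
    return inv

def void_invoice_vulnerable(session, invoice_id):
    inv = get_invoice_vulnerable(session, invoice_id)  # BFLA: staff-only op, no role check
    inv.status = "voided"
    return inv

# ---- hardened handlers ----
UPDATABLE_FIELDS = {"amount"}  # explicit allowlist of client-settable fields

def get_invoice_secure(session, invoice_id):
    inv = INVOICES.get(invoice_id)
    # Same 404 for "missing" and "not yours", so ids cannot be enumerated.
    if inv is None or inv.owner != session.user:
        raise NotFound(invoice_id)
    return inv

def update_invoice_secure(session, invoice_id, payload):
    inv = get_invoice_secure(session, invoice_id)
    unknown = set(payload) - UPDATABLE_FIELDS
    if unknown:
        raise Forbidden(f"not updatable: {sorted(unknown)}")
    for key, value in payload.items():
        setattr(inv, key, value)
    return inv

def void_invoice_secure(session, invoice_id):
    if session.role != "admin":
        raise Forbidden("admin only")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    inv.status = "voided"
    return inv

# ---- the tester's checks: each returns True when the handler under test passes ----
def _refused(fn, *args, expect):
    reset_store()  # fresh data for every probe so checks do not influence each other
    try:
        fn(*args)
    except expect:
        return True
    return False

def check_bola(get_fn):
    # Tenant bob requests inv_1, which belongs to alice: must look like a 404.
    return _refused(get_fn, Session("bob", "user"), "inv_1", expect=NotFound)

def check_bfla(void_fn):
    # A plain user calls the staff-only void operation: must be forbidden.
    return _refused(void_fn, Session("alice", "user"), "inv_1", expect=Forbidden)

def check_mass_assignment(update_fn):
    # alice smuggles a 'status' field in beside a legitimate amount update.
    _refused(update_fn, Session("alice", "user"), "inv_1",
             {"amount": 120, "status": "paid"}, expect=Forbidden)
    return INVOICES["inv_1"].status == "open"  # status must be untouched

if __name__ == "__main__":  # each check: False for the vulnerable handler, True for the fixed one
    print(check_bola(get_invoice_vulnerable), check_bola(get_invoice_secure))
    print(check_bfla(void_invoice_vulnerable), check_bfla(void_invoice_secure))
    print(check_mass_assignment(update_invoice_vulnerable), check_mass_assignment(update_invoice_secure))
```

The hardened read returns the same not-found result for a missing id and for another tenant's id, so the BOLA check treats NotFound rather than Forbidden as the pass condition: a 403 on a guessed id would confirm to the caller that the object exists.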


Below are the major test cases validated when any module in the Chargebee product undergoes a security assessment:

  • Authentication

  • Authorization

  • Encryption

  • Information Leakage

  • Injection Attacks

  • Insecure Server Configuration

  • Session Management

  • Request Header based attacks

  • Others




Related Articles

What is PCI compliance? 

SOC 1 & SOC 2 type II Reports

Accepted SSL certificates 

How is data security handled in Chargebee?

