Scope
Does Chargebee support VAPT security?
How often does Chargebee perform vulnerability scanning and patching?
Summary
Chargebee is committed to ensuring the confidentiality, integrity, and availability of the sensitive and confidential customer data it collects, stores, or transfers.
Vulnerability Assessment and Penetration Testing (VAPT) describes a broad range of security assessments designed to identify and help address cyber security exposures across an organization's IT estate. The evolving tools, tactics, and procedures used by cybercriminals to breach networks mean that it’s essential to test your organization’s cyber security regularly. VAPT helps protect your organization by providing visibility of security weaknesses and guidance to address them.
Types of Scans
Internal VAPT (App & API)
External VAPT (App & API)
DAST (App & API)
Solution
We periodically check for and apply patches to third-party software and services. As and when vulnerabilities are discovered, we apply the fixes. We perform periodic vulnerability scanning using the services of an authorized QSA.
Chargebee performs VAPT assessments on a quarterly basis.
In addition, an in-house security team performs vulnerability scans on a monthly basis.
Each API endpoint is manually tested against the following vulnerability classes:
BOLA (Broken Object Level Authorization)
Broken User Authentication
Excessive Data Exposure
Lack of Resources & Rate Limiting
Broken Function Level Authorization (BFLA)
Mass Assignment
Security Misconfiguration
Injection
Improper Asset Management
Insufficient Logging & Monitoring
Below are the major test cases validated when any module in the Chargebee Product undergoes a security assessment:
Authentication
Authorization
Encryption
Information Leakage
Injection Attacks
Insecure Server Configuration
Session Management
Request header-based attacks
Others
Refer to this link for more information.