# HailBytes Security Whitepaper ## Enterprise-Grade Security for HailBytes SAT and HailBytes ASM **Version:** 1.0 **Published:** January 2025 **Company:** HailBytes LLC **Document Classification:** Public --- ## Executive Summary HailBytes provides enterprise-grade security solutions through our cloud-deployed GoPhish and reNgine platforms. This whitepaper outlines our comprehensive security architecture, operational controls, compliance frameworks, and best practices for deploying mission-critical security tools in production environments. Our platforms leverage self-hosted deployment models on AWS and Azure infrastructure, ensuring complete data sovereignty while maintaining enterprise-grade security, availability, and performance. All products are built on open-source foundations (GPL-3.0) with significant proprietary enhancements focused on security, scalability, and operational excellence. ### Key Security Highlights - **Zero-Trust Architecture**: All components operate on least-privilege principles with encrypted communication - **Data Sovereignty**: Self-hosted deployment ensures customer data never leaves their infrastructure - **Continuous Security**: Automated patching, vulnerability scanning, and security monitoring - **Compliance-Ready**: Support for HIPAA, PCI-DSS, SOC 2, ISO 27001, and GDPR requirements - **Audit Trail**: Comprehensive logging and monitoring for all security-relevant events --- ## 1. Platform Architecture & Security Design ### 1.1 HailBytes SAT Architecture HailBytes SAT is an enterprise phishing simulation platform built on a secure, scalable architecture: **Core Components:** - **Application Server**: Go 1.10+ single binary with minimal attack surface - **Database Layer**: PostgreSQL with encrypted connections and automated backups - **Email Service**: Integration with AWS SES, SendGrid, or custom SMTP with TLS 1.2+ - **Admin Interface**: Port 3333 with HTTPS, session management, and CSRF protection - **Phishing Interface**: Port 80/443 for campaign delivery with SSL/TLS **Security Features:** - Bcrypt password hashing (cost factor 10+) - API key authentication with role-based access control - Session management with secure cookie flags (HttpOnly, Secure, SameSite) - CSRF token validation on all state-changing operations - SQL injection protection through parameterized queries - XSS prevention with output encoding **Network Security:** - Private VPC deployment with segmented subnets - Security group rules restricting access to required ports only - Application Load Balancer with WAF integration - DDoS protection via AWS Shield / Azure DDoS Protection - TLS 1.2+ for all external communications ### 1.2 HailBytes ASM Architecture HailBytes ASM provides automated reconnaissance with advanced security controls: **Core Components:** - **Web Application**: Django 3.2 with ASGI (Gunicorn + Uvicorn) for async performance - **Database**: PostgreSQL 12+ with connection pooling and encryption at rest - **Task Queue**: Celery with 5-30 parallel workers for distributed scanning - **Cache Layer**: Redis for session management and job queuing - **Tool Integration**: 20+ security tools orchestrated through containerized workers **Security Enhancements:** - ASGI migration from WSGI for improved performance and security - Self-patching and self-healing infrastructure - Restored Nuclei vulnerability scanning functionality (3,000+ CVE templates) - WebSocket security with authentication and rate limiting - Container isolation for tool execution - Audit logging for all reconnaissance activities **Advanced Features:** - AI-powered vulnerability analysis (GPT-4 / local Ollama) - Real-time monitoring with instant alerting - Continuous subdomain discovery and change detection - API-first design with comprehensive REST endpoints --- ## 2. Data Security & Privacy ### 2.1 Data Encryption **Data in Transit:** - TLS 1.2+ for all HTTP communications (admin panel, APIs, webhooks) - TLS 1.3 preferred where supported by cloud provider load balancers - SMTP over TLS for email delivery (GoPhish) - Encrypted Redis connections for session and cache data - Database connections secured with SSL/TLS **Data at Rest:** - AES-256 encryption for database storage (AWS RDS / Azure Database) - Encrypted EBS volumes / Azure Managed Disks for application servers - Encrypted S3 buckets / Azure Blob Storage for backups and artifacts - Key management via AWS KMS / Azure Key Vault - Automated key rotation policies **Credential Management:** - API keys stored with bcrypt hashing - Database passwords rotated quarterly - Secrets managed through cloud provider vaults - No hardcoded credentials in application code or configuration files ### 2.2 Data Sovereignty & Privacy **Self-Hosted Deployment Benefits:** - All customer data resides in customer-controlled AWS/Azure accounts - HailBytes never has access to campaign data, scan results, or target information - Customer chooses deployment region for data residency compliance - Customer controls data retention, backup, and deletion policies **GDPR Compliance Support:** - Data minimization: only essential data collected - Right to access: customers control all data access - Right to deletion: configurable data retention with automated purging - Data portability: export capabilities via API and UI - Consent management for phishing campaign targets **HIPAA Compliance Support:** - Business Associate Agreement (BAA) available upon request - Encrypted storage and transmission of Protected Health Information (PHI) - Access controls and audit logging for all PHI access - Configurable data retention to meet regulatory requirements ### 2.3 Data Retention & Disposal **Configurable Retention Policies:** - GoPhish campaigns: configurable retention (30 days to indefinite) - reNgine scan results: automated cleanup of old reconnaissance data - Audit logs: minimum 1 year retention recommended for compliance - Backup retention: 30-day rolling backups with automated lifecycle management **Secure Data Disposal:** - Database records permanently deleted (not soft-deleted) - Encrypted volumes securely wiped during decommissioning - Backup lifecycle policies ensure data is not retained beyond policy limits --- ## 3. Access Control & Authentication ### 3.1 Role-Based Access Control (RBAC) **HailBytes SAT Roles:** - **Admin**: Full system access, user management, campaign creation/deletion - **User**: Campaign creation and management, limited user visibility - **Read-Only**: View-only access for reporting and compliance teams **HailBytes ASM Roles:** - **Admin**: Full system access, project management, tool configuration - **Auditor**: Read access to all projects and scan results - **Viewer**: Limited read access to assigned projects only ### 3.2 Authentication Mechanisms **Built-in Authentication:** - Password-based authentication with enforced complexity requirements - Session management with configurable timeout (default: 30 minutes idle) - Account lockout after failed login attempts (5 attempts, 15-minute lockout) - Password reset functionality with email verification **Enterprise Authentication (Professional/Enterprise Tiers):** - SAML 2.0 integration for SSO with Okta, Azure AD, OneLogin - OAuth 2.0 support for modern identity providers - LDAP/Active Directory integration for user synchronization - Multi-factor authentication (MFA) via TOTP or SMS ### 3.3 API Security **API Authentication:** - API keys for programmatic access with unique per-user keys - Bearer token authentication for REST API endpoints - Webhook signatures for validating inbound webhook requests - Rate limiting to prevent abuse (configurable per tier) **API Authorization:** - API keys inherit user's RBAC permissions - Scope-limited API keys for restricted access patterns - IP whitelisting available for sensitive API operations --- ## 4. Infrastructure Security ### 4.1 Cloud Provider Security **AWS Deployment:** - VPC with private and public subnets across multiple Availability Zones - Internet Gateway for public subnet access only - NAT Gateway for outbound internet access from private subnets - Security Groups configured for least-privilege access - AWS Systems Manager for patch management - CloudWatch for logging and monitoring - AWS Backup for automated database and volume backups **Azure Deployment:** - Virtual Network (VNet) with subnet segmentation - Network Security Groups (NSGs) for traffic filtering - Azure Bastion for secure administrative access - Azure Monitor and Log Analytics for centralized logging - Azure Security Center for threat detection - Azure Backup for automated disaster recovery ### 4.2 Compute Security **Virtual Machine Hardening:** - Ubuntu 22.04 LTS with automated security patches - Minimal installed packages to reduce attack surface - Host-based firewall (UFW/iptables) configured - SSH access restricted to bastion hosts / VPN only - Fail2ban for brute-force protection on administrative services **Container Security (reNgine):** - Docker containers run as non-root users where possible - Container images scanned for vulnerabilities (Trivy, Clair) - Minimal base images (Alpine Linux) to reduce attack surface - Resource limits enforced on containers (CPU, memory, network) - Container network isolation with overlay networks ### 4.3 Database Security **PostgreSQL Security Hardening:** - Network access restricted to application servers only (private subnet) - SSL/TLS required for all database connections - Strong password policies enforced - Automated backups with point-in-time recovery (PITR) - Database audit logging for security-relevant queries - Encryption at rest enabled via cloud provider managed databases ### 4.4 Network Security **Web Application Firewall (WAF):** - AWS WAF / Azure Application Gateway WAF deployed - OWASP Top 10 protection rules enabled - Rate limiting to prevent denial-of-service attacks - SQL injection and XSS detection rules - Geographic blocking available for restricted deployments **DDoS Protection:** - AWS Shield Standard / Azure DDoS Protection Basic (included) - AWS Shield Advanced / Azure DDoS Protection Standard (optional) - Rate limiting at application load balancer level - Auto-scaling to handle traffic surges **Network Monitoring:** - VPC Flow Logs / NSG Flow Logs enabled - Centralized log aggregation to SIEM (optional) - Anomaly detection for unusual traffic patterns - Automated alerting for security events --- ## 5. Application Security ### 5.1 Secure Development Lifecycle **Code Security:** - Open-source codebase with community security reviews - Proprietary enhancements undergo internal security review - Static application security testing (SAST) integrated into CI/CD - Dependency vulnerability scanning (Dependabot, Snyk) - Regular updates to third-party libraries **Vulnerability Management:** - CVE monitoring for all dependencies - Monthly security patch releases - Emergency patches for critical vulnerabilities within 48 hours - Coordinated vulnerability disclosure program - Security hall of fame for responsible disclosure ### 5.2 Input Validation & Output Encoding **HailBytes SAT:** - All user inputs validated server-side - Email template HTML sanitized to prevent XSS - Campaign names and sender profiles validated - File upload restrictions (type, size limits) - SQL injection prevention through ORM/parameterized queries **HailBytes ASM:** - Domain and subdomain inputs validated with regex - Tool output sanitized before display in web UI - API request validation with schema enforcement - File upload restrictions for scan configurations - Command injection prevention for tool execution ### 5.3 Session Management **Security Best Practices:** - Secure session cookies with HttpOnly, Secure, SameSite flags - Session IDs generated with cryptographically secure random number generator - Session fixation protection through ID regeneration on login - Configurable session timeout (idle and absolute) - Logout functionality that invalidates sessions server-side --- ## 6. Monitoring, Logging & Incident Response ### 6.1 Security Monitoring **Real-Time Monitoring:** - Application performance monitoring (APM) for anomaly detection - Failed login attempt tracking and alerting - API rate limit violations and suspicious activity - Database query performance and anomalies - Infrastructure health checks and uptime monitoring **Alerting Mechanisms:** - Email alerts for critical security events - Slack/Discord/Teams integration for real-time notifications - PagerDuty/Opsgenie integration for on-call incident response - Webhooks for custom alerting workflows ### 6.2 Audit Logging **Comprehensive Audit Trails:** - User authentication events (login, logout, failed attempts) - Campaign creation, modification, deletion (GoPhish) - Scan execution, configuration changes (reNgine) - API calls with request/response details - Administrative actions (user management, configuration changes) **Log Management:** - Centralized logging to CloudWatch Logs / Azure Monitor - Minimum 1-year retention for compliance - Log integrity protection through immutable storage - SIEM integration support (Splunk, Sentinel, ELK) ### 6.3 Incident Response **Incident Response Plan:** - Documented procedures for security incident handling - Designated incident response team with 24/7 availability (Enterprise tier) - Customer notification within 24 hours of confirmed data breach - Root cause analysis and remediation tracking - Post-incident review and continuous improvement **Backup & Disaster Recovery:** - Automated daily database backups with 30-day retention - Point-in-time recovery (PITR) for databases - Infrastructure-as-Code for rapid environment recreation - Multi-region deployment option for high availability (Enterprise tier) - RTO (Recovery Time Objective): 4 hours - RPO (Recovery Point Objective): 1 hour --- ## 7. Compliance & Certifications ### 7.1 Compliance Frameworks **SOC 2 Type II (Following Practices):** - HailBytes follows SOC 2 Type II practices and controls - Annual third-party security assessments planned - Documented policies and procedures for security operations - Evidence collection for audit readiness **ISO 27001 (Following Practices):** - Information Security Management System (ISMS) following ISO 27001 framework - Risk assessment and treatment processes - Regular management review of security posture - Continual improvement of security controls ### 7.2 Industry-Specific Compliance **HIPAA Compliance Support:** - Self-hosted deployment ensures no PHI leaves customer control - Encryption at rest and in transit for all data - Access controls and audit logging meet HIPAA requirements - Business Associate Agreement (BAA) available for healthcare customers **PCI-DSS Compliance Support:** - HailBytes SAT supports PCI-DSS Requirement 12.6 (Security Awareness Training) - Quarterly phishing simulations for cardholder data environment personnel - Documented training completion and metrics for auditors - Auditor-ready reports with campaign results and user progress **GDPR Compliance Support:** - Data minimization and purpose limitation principles - Consent management for phishing campaign recipients - Data subject rights supported (access, deletion, portability) - Data processing agreements available for EU customers ### 7.3 Third-Party Assessments **Penetration Testing:** - Annual third-party penetration testing conducted - Scope includes web application, API, and infrastructure - Remediation of critical and high-severity findings within 30 days - Executive summary and detailed reports available to Enterprise customers **Vulnerability Scanning:** - Automated vulnerability scanning using industry-standard tools - Weekly scans of production infrastructure - Critical vulnerabilities patched within 48 hours - High-severity vulnerabilities patched within 7 days --- ## 8. Open Source & Licensing ### 8.1 Open Source Foundation **GPL-3.0 Licensed Software:** - GoPhish: Open-source phishing framework (GPL-3.0) - reNgine: Open-source reconnaissance platform (GPL-3.0) - All modifications and enhancements included in source code on server images - Compliance with GPL-3.0 distribution requirements **Proprietary Enhancements:** - Production-ready infrastructure automation - ASGI migration for improved performance (reNgine) - Self-patching and self-healing capabilities (reNgine) - Nuclei functionality restoration (reNgine) - AI-powered analysis integration - Enterprise authentication integrations - Advanced monitoring and alerting - Professional support and SLA guarantees ### 8.2 Third-Party Dependencies **Security Tool Integration (reNgine):** - Subfinder, Amass, Nuclei, Nmap, and 15+ additional tools - All tools maintained at latest stable versions - Automated updates for security patches - Compatibility testing before production deployment **Legal & Compliance Notice:** This product includes open source software licensed under GPL-3.0. Complete source code is provided on the server image in compliance with licensing requirements. Ubuntu is a registered trademark of Canonical Ltd. This product is not endorsed by or affiliated with Canonical Ltd. --- ## 9. Security Best Practices for Deployment ### 9.1 Pre-Deployment Checklist **Infrastructure Security:** - [ ] Enable encryption at rest for all storage volumes - [ ] Configure TLS 1.2+ for all external endpoints - [ ] Implement VPC/VNet with private subnets for databases - [ ] Configure security groups/NSGs with least-privilege rules - [ ] Enable DDoS protection and WAF - [ ] Set up automated backups with tested restore procedures **Application Security:** - [ ] Change default admin credentials immediately - [ ] Configure session timeout and idle timeout - [ ] Enable MFA for all administrative accounts - [ ] Configure SMTP with authenticated relay - [ ] Set up audit logging to centralized log management - [ ] Configure automated security updates **Monitoring & Alerting:** - [ ] Configure health checks and uptime monitoring - [ ] Set up alerts for failed login attempts - [ ] Enable database slow query logging - [ ] Configure capacity alerts (CPU, memory, disk) - [ ] Test incident response notification channels ### 9.2 Operational Security **Patch Management:** - Enable automated security updates for Ubuntu LTS - Subscribe to security mailing lists for GoPhish/reNgine - Test patches in staging environment before production - Maintain patch deployment window schedule **Access Management:** - Implement least-privilege access for all users - Regularly review and revoke unused accounts - Rotate API keys and database passwords quarterly - Maintain bastion host for SSH access (no direct SSH to production) **Data Protection:** - Configure data retention policies aligned with compliance requirements - Test backup restoration procedures quarterly - Implement data classification and handling procedures - Document data flows for privacy impact assessments ### 9.3 Security Training **Administrator Training:** - Platform architecture and security controls - Incident response procedures - Secure configuration best practices - Compliance requirements and evidence collection **End-User Training:** - GoPhish: Campaign creation best practices, targeting ethics - reNgine: Legal scanning requirements, authorization procedures - Reporting security incidents and vulnerabilities --- ## 10. Contact & Support ### 10.1 Security Contact **Responsible Disclosure:** - Email: security@hailbytes.com - PGP Key: Available on website - Response Time: 48 hours for initial acknowledgment - Coordinated disclosure: 90-day window for remediation **Security Hall of Fame:** We recognize security researchers who responsibly disclose vulnerabilities: - Ubaid Ahmed (February 2025) - reNgine vulnerability disclosure - Flv-cmd (January 2025) - reNgine vulnerability disclosure - YSalai (January 2025) - reNgine vulnerability disclosure ### 10.2 Support Tiers **Community (Free):** - GitHub issue tracking - Community Discord support - Public documentation **Professional ($5,000/year):** - 8am-5pm MT support (weekdays) - Email support with 48-hour SLA - Deployment assistance - Quarterly security updates **Comprehensive Support ($1,500/month additional):** - 24/7 priority support - Dedicated Slack channel - Integration assistance - Custom security consulting ### 10.3 Resources **Documentation:** - Deployment Guides: https://docs.hailbytes.com - API Reference: https://api.hailbytes.com - Security Best Practices: https://security.hailbytes.com **Compliance Resources:** - SOC 2 Reports: Available under NDA to Professional/Enterprise customers - Penetration Testing Reports: Available to Enterprise customers - Compliance Questionnaire Assistance: Contact security@hailbytes.com --- ## Appendix A: Security Architecture Diagrams ### HailBytes SAT - High-Level Architecture ``` [Internet] --> [Load Balancer + WAF] | [Application Server] | +---------------+---------------+ | | [PostgreSQL DB] [SMTP Service] (Encrypted) (AWS SES/SendGrid) ``` ### HailBytes ASM - High-Level Architecture ``` [Internet] --> [Application Gateway + WAF] | [ASGI Web Application] (Gunicorn + Uvicorn) | +---------------+---------------+ | | | [PostgreSQL] [Redis Cache] [Celery Workers] (Encrypted) (Sessions) (Scanning Tools) | [Containerized Security Tools] (Nuclei, Nmap, Subfinder, etc.) ``` --- ## Appendix B: Security Checklist ### HailBytes SAT Security Checklist **Authentication & Authorization:** - [x] Strong password policy enforced - [x] Session timeout configured - [x] RBAC implemented (Admin, User, Read-Only) - [x] API key authentication - [x] CSRF protection enabled **Data Protection:** - [x] TLS 1.2+ for admin panel - [x] Database encryption at rest - [x] Bcrypt password hashing - [x] Automated encrypted backups **Network Security:** - [x] VPC with private subnets - [x] Security groups restrict access - [x] WAF deployed - [x] DDoS protection enabled ### HailBytes ASM Security Checklist **Application Security:** - [x] ASGI architecture for performance - [x] WebSocket authentication - [x] Container isolation for tools - [x] Input validation on all endpoints - [x] Output encoding prevents XSS **Reconnaissance Security:** - [x] Tool execution sandboxing - [x] Rate limiting on API endpoints - [x] Scan authorization tracking - [x] Audit logging for all scans **Infrastructure Security:** - [x] Encrypted database connections - [x] Redis authentication enabled - [x] Auto-scaling for worker capacity - [x] Infrastructure as Code (IaC) --- ## Appendix C: Compliance Matrix | Control Category | HIPAA | PCI-DSS | SOC 2 | ISO 27001 | GDPR | |------------------|-------|---------|-------|-----------|------| | Encryption (Transit) | ✓ | ✓ | ✓ | ✓ | ✓ | | Encryption (Rest) | ✓ | ✓ | ✓ | ✓ | ✓ | | Access Control | ✓ | ✓ | ✓ | ✓ | ✓ | | Audit Logging | ✓ | ✓ | ✓ | ✓ | ✓ | | Data Retention | ✓ | ✓ | ✓ | ✓ | ✓ | | Incident Response | ✓ | ✓ | ✓ | ✓ | ✓ | | Security Awareness | ✓ | ✓ | ✓ | ✓ | - | | Vulnerability Mgmt | ✓ | ✓ | ✓ | ✓ | - | | Data Sovereignty | ✓ | - | - | - | ✓ | | Right to Deletion | ✓ | - | - | - | ✓ | --- ## Document Revision History | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | January 2025 | HailBytes Security Team | Initial publication | --- **Document End** For questions or clarifications regarding this whitepaper, please contact: **Email:** security@hailbytes.com **Website:** https://hailbytes.com/compliance **Support:** https://hailbytes.com/contact © 2025 HailBytes LLC. All rights reserved.