“Knowing that Lift have thoroughly reviewed our code and architecture gives us warm, fuzzy feelings.”
In 2014 npm transitioned from a single-person, volunteer open-source project into a company. We had two goals: as an increasingly crucial part of the open-source ecosystem, it was important that we avoid security holes that would allow attackers to poison open-source modules affecting millions of users. Secondly, we were introducing private modules and needed to audit a sprawling, 5-year-old codebase to ensure that we could reliably keep users' personal information private.
Lift audited our code base and reviewed our architectural plans, as well as conducting an active scan of our API surface. They reported a number of well-hidden but potentially serious flaws before any harm was done, and recommended a set of best practices to improve the depth of our defenses in future.
“The ^lift team did a great job in finding creative ways to discover vulnerabilities of our system, producing a comprehensive assessment.”
Contentful is an API-first content management platform focussing on developers. It enables companies to engage in platform-agnostic publishing. Unlike traditional web CMS vendors, Contentful is based on structured content and separates content from presentation, both of which make it really easy to publish to smartphones, tablets, and any other smart device.
Since Contentful powers mission-critical applications for major companies, we have devised a thorough security policy to ensure that our service continues to offer enterprise-grade uptime, performance, and security. As part of this policy, we do periodic external tests on our infrastructure and technology stack. The goal for the security audit project with ^lift was to identify possible vulnerabilities and weaknesses, so as to externally verify that our internal security measures have indeed performed to our requirements.
^lift not only performed your typical set of run-of-the-mill vulnerability scans, but found ingenious ways and put in a lot of effort in coming up with ways to penetrate our systems. We received a thorough report of findings, and were able to reaffirm our roadmap in terms of security features, as well as the internal processes put in place to ensure we continue to serve our most demanding customers. ^lift also directly reviewed our application code in order to assess possible shortcomings that could be detected from the code base itself.