Security

Vercel platform

21RISK is not deployed to self-hosted servers such as EC2 instances, but instead uses Vercel. Vercel started as a frontend-only tool, but now offers several products aimed at teams like 21RISK for running serverless functions and edge functions.

Vercel is a PaaS that makes it easy for developers to focus on business value rather than infrastructure. From a security perspective, Vercel is essentially a wrapper around other cloud providers, mainly AWS and Cloudflare.

You can read more about Vercel's platform here, but here is a screenshot of the Vercel infrastructure:

Features used by 21RISK

We use the following features from the Vercel platform:

Vercel feature | How we use it
Serverless functions (managed AWS Lambda) | Powers the 21RISK backend
Edge functions | Next-generation serverless runtime, which we are gradually adopting at 21RISK during 2024
Edge config | Not used
Postgres | Not used (we use MongoDB Atlas)
Blob storage | Not used

Vercel Compliance

Vercel's platform holds the following compliance attestations:

  • GDPR
  • SOC 2 Type 2
  • PCI DSS Level 1

Vercel and its underlying providers implement a wide range of physical and network security controls, including but not limited to fire detection and suppression, climate and temperature control, firewalls, DDoS mitigation, spoofing and sniffing protection, and protection against port scanning. To read more about an area of particular interest, see this document.

We are not allowed to share the Vercel SOC 2 report with third parties, but below are the important Complementary User Entity Controls (CUECs) that 21RISK is responsible for, each followed by how we meet it:

User entities are responsible for provisioning and deprovisioning their proprietary access lists for their team and subscription.

Access to the Vercel platform

Only employees responsible for managing the Vercel platform have access. We use Vercel's team access controls to restrict membership to users with an email address on the 21risk.com domain (in the admin role).

Role | User
Admin | Andreas Hald
Admin | Alex Bjørlig

Vendor accounts

User entities are responsible for managing their subscriptions, as well as provisioning and deprovisioning (when no longer needed) Vercel vendor user accounts.

21RISK operates only one account at Vercel, “21RISK”. We acknowledge that if we stop using Vercel, we will have to close the account.

Annual review

User entities should perform an annual user access review over access to their Vercel subscription.

We do this annually; the most recent review took place in November 2023.

Date | Findings
2022, June 16th | Alex and Andreas had admin access.

Incident response plan

User entities are responsible for developing and testing an incident response plan for security incidents that occur within the user entity’s environment.

See our chapter on incident response.

Disaster recovery

User entities are responsible for developing and testing a disaster recovery plan for disaster scenarios that may impact the user entity’s environment.

See our chapter on disaster recovery.

Data on Vercel's platform

User entities are responsible for determining that their methods of delivering data to Vercel conforms with their security and confidentiality requirements.

To protect data delivered to Vercel, we enforce two principles: secrets are synced from Doppler (described below), and HTTPS is enforced for all traffic (described in the next section).

Secrets synced from Doppler
We store our secrets in Doppler, a secrets-as-a-service product. We sync only a small set of secrets to Vercel, just enough for our build scripts to authenticate to Doppler and run the build.

Note

We don't sync any production secrets to Vercel. Instead we use the Vercel CLI to deploy prebuilt projects (vercel build followed by vercel deploy --prebuilt), with the secrets injected at build time. Because the secrets are baked into the build output, the build must ensure they end up only in the server-side function bundles and never in static assets that are served to the browser. You can read more about this feature here.

Secure https setup at Vercel

Vercel does not allow serving plain HTTP or legacy TLS versions: HTTP requests are automatically redirected to HTTPS, and web applications are fronted by the Vercel edge network.

Usernames and passwords

User entities are responsible for maintaining the confidentiality of usernames and passwords associated with their account and for all activities that occur under their account.

To protect the confidentiality and integrity of user accounts, 21RISK has adopted 1Password as its password manager.

Confidentiality of data

User entities are responsible for maintaining the confidentiality of their data while it is in their possession.

To ensure the confidentiality of data in the possession of 21RISK employees, please read more about our security principles here.

DNS, DDoS mitigation and others

Using Vercel and SvelteKit together gives us a strong baseline against common web vulnerabilities such as Cross-Site Scripting (XSS) and plain-HTTP exposure. Here's why:

SvelteKit and XSS prevention: Svelte escapes dynamic content in templates by default, so data rendered with {value} cannot inject markup or scripts into the page. Developers still need to handle user input carefully and avoid constructs that insert raw HTML, such as the {@html} tag or assigning to innerHTML, because those bypass the escaping.

HTTP/2 and HTTPS with Vercel: Vercel serves over HTTP/2 out of the box and automatically provisions and renews TLS certificates for every project. HTTPS encrypts traffic between client and server, preventing eavesdropping and tampering in transit.

Serverless functions: Vercel's serverless functions are stateless and short-lived, with no long-running host for us to patch or for an attacker to persist on, which reduces the infrastructure attack surface compared to traditional servers. Application-level vulnerabilities (injection, broken authentication) are unaffected by this and still have to be addressed in code.

Content Security Policy (CSP): SvelteKit can emit a Content Security Policy for every response, configured through kit.csp in svelte.config.js, with automatic nonces or hashes for the inline scripts it generates. A CSP limits where scripts, styles and other resources may be loaded from, so that even an injected script tag is not executed, which makes it an effective second line of defence against XSS and data injection.
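The block below is an added example, not code from 21RISK or SvelteKit, and serves both the XSS paragraph above (a CSP is the backstop for the {@html} case) and the CSP paragraph. It shows a weak kit.csp directives object beside a hardened one in the shape SvelteKit expects in svelte.config.js, a serializer that turns such an object into a Content-Security-Policy header value with keywords quoted as the CSP syntax requires, and a small linter written for this example that catches the mistakes that silently defeat a policy. The host names are constructed placeholders; the linter is not a SvelteKit feature.

```javascript
// Added example (not 21RISK's or SvelteKit's code): SvelteKit-style CSP directives,
// a header serializer and a linter for common policy weaknesses.
// Hosts ending in .example.invalid are constructed placeholders.

// Source expressions that CSP requires to be single-quoted; hosts and schemes are not.
const KEYWORD =
  /^(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|report-sample|wasm-unsafe-eval)$|^(nonce|sha256|sha384|sha512)-/;

function quoteSource(src) {
  return KEYWORD.test(src) ? `'${src}'` : src;
}

// Serialize a directives object into a Content-Security-Policy header value.
// Boolean directives such as upgrade-insecure-requests are emitted as bare names.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values === true ? name : `${name} ${values.map(quoteSource).join(' ')}`))
    .join('; ');
}

// Effective source list for a fetch directive, falling back to default-src.
function effective(directives, name) {
  return directives[name] || directives['default-src'] || null;
}

// Lint a directives object. Returns human-readable findings; an empty array means clean.
function lintCsp(directives) {
  const findings = [];
  if (!directives['default-src']) findings.push('missing default-src: undeclared fetch directives have no fallback');
  const script = effective(directives, 'script-src');
  if (!script) {
    findings.push('no script-src and no default-src: script loading is unrestricted');
  } else {
    if (script.includes('unsafe-inline')) findings.push("script-src allows 'unsafe-inline': injected inline scripts execute");
    if (script.includes('unsafe-eval')) findings.push("script-src allows 'unsafe-eval': string-to-code sinks are reachable");
    for (const s of script) {
      if (s === '*' || /^(https?|data):$/.test(s)) findings.push(`script-src source ${s} allows scripts from any origin`);
    }
  }
  const object = effective(directives, 'object-src');
  if (!object || !object.includes('none')) findings.push("object-src should be 'none': plugin content can bypass script-src");
  if (!directives['base-uri']) findings.push('missing base-uri: an injected <base> tag can redirect relative script URLs');
  return findings;
}

// A policy as it is often first written: works everywhere, protects against nothing.
const weakDirectives = {
  'default-src': ['self', '*'],
  'script-src': ['self', 'unsafe-inline', 'unsafe-eval', 'https:'],
};

// Hardened policy. In mode 'auto' SvelteKit adds a per-request 'nonce-...' for its
// own inline scripts, so script-src needs no 'unsafe-inline'. Svelte transitions create
// inline <style> elements, so style-src is either left unspecified or allows
// 'unsafe-inline'; that is a far smaller risk than inline script, but still worth noting.
const hardenedDirectives = {
  'default-src': ['self'],
  'script-src': ['self'],
  'style-src': ['self', 'unsafe-inline'],
  'img-src': ['self', 'data:', 'https://cdn.example.invalid'],   // constructed host
  'connect-src': ['self', 'https://api.example.invalid'],        // constructed host
  'object-src': ['none'],
  'base-uri': ['self'],
  'frame-ancestors': ['none'],
  'upgrade-insecure-requests': true,
};

// The shape this takes under `kit` in svelte.config.js.
const svelteKitCspConfig = { mode: 'auto', directives: hardenedDirectives };

console.log('weak policy findings:', lintCsp(weakDirectives));
console.log('hardened header:', serializeCsp(svelteKitCspConfig.directives));
```

The linter is intentionally strict about 'unsafe-inline' in script-src even though browsers ignore it once a nonce or hash is present: SvelteKit adds nonces at request time, not in the config, so a config-level lint cannot rely on them, and the keyword should not be there in the first place.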

Edge network security: Vercel serves applications from a global edge network, so content is distributed across many locations and served from the one nearest the user. The same network sits in front of our functions and absorbs and filters hostile traffic, providing DDoS mitigation and other security benefits.

Svelte and DOM access: Svelte's compiler generates the DOM updates, so application code rarely manipulates the DOM directly. That confines the places where unescaped data could reach the page to explicit constructs like {@html}, which are easy to find and review.