Overview
Pabble's Web Application Security Program (WASP) defines the standards, processes, and controls we apply to build, deploy, and maintain a secure application. It covers everything from how we write code to how we respond to incidents.
This page is a public summary. A full technical disclosure is available to enterprise customers under NDA.

Secure Development Lifecycle
Code Review
Every change to Pabble's codebase requires a peer review before it can be merged. Security-relevant changes (authentication, data access, integrations) require a second review from a senior engineer.
Static Analysis
We run static analysis on every pull request. Any finding rated High or Critical blocks the merge until resolved.
Dependency Management
All third-party dependencies are scanned automatically on each build and on a nightly schedule. We track CVEs against our dependency tree and patch critical vulnerabilities within 48 hours of a fix being available.
OWASP Top 10
Our development practices are aligned with the OWASP Top 10. Engineers are trained on the current OWASP Top 10 during onboarding and annually thereafter. We verify coverage against each category in our quarterly security reviews.
Infrastructure Security
Cloud Provider
Pabble runs on cloud infrastructure within the EU. Our provider maintains ISO 27001, SOC 2 Type II, and PCI DSS certifications. Physical security, hardware maintenance, and network redundancy are managed at the provider level.
Network Segmentation
Production systems are isolated in a separate network segment from staging and development. Inbound access to production is restricted to documented, approved traffic patterns. All other inbound connections are blocked by default.
Secrets Management
Secrets (API keys, database credentials, signing keys) are stored in a dedicated secrets manager — never in environment files, source code, or CI logs. Secrets are rotated on a defined schedule and immediately on any suspected exposure.
Access Control
Least Privilege
Every employee and service account is granted the minimum permissions needed for their role. Access to production data requires a documented business reason, approval from a manager, and MFA.
Privileged Access
Production database access is available to a named set of engineers only and is logged in full. All access sessions are time-limited and audited quarterly.
Offboarding
All access is revoked within 2 hours of an employee departure via an automated offboarding checklist.
Penetration Testing
We conduct an independent penetration test annually with a third-party security firm. Findings are triaged by severity:
| Severity | Remediation SLA |
|---|---|
| Critical | 24 hours |
| High | 7 days |
| Medium | 30 days |
| Low | Next quarterly release |
Executive summaries from our most recent penetration test are available to enterprise customers under NDA. Contact us to request one.
Vulnerability Disclosure
We operate a responsible disclosure program. If you discover a potential security vulnerability in Pabble, please report it to security@pabble.app before disclosing it publicly. We commit to:
- Acknowledging your report within 24 hours
- Providing a status update within 72 hours
- Notifying you when the vulnerability is resolved
We do not take legal action against researchers who follow responsible disclosure guidelines.
Monitoring and Incident Response
Continuous Monitoring
All production systems emit structured logs to a centralized logging platform. Automated alerts fire on anomalous patterns — failed login spikes, unusual data access, unexpected API call volumes.
Incident Response
We maintain a documented incident response plan with defined roles, escalation paths, and communication templates. In the event of a confirmed breach affecting customer data, we notify affected customers within 24 hours.