Security Review & Pen Testing
Launch Rail is architected with security at every layer — from AES-256 encryption and mTLS service mesh to structured vulnerability disclosure and third-party penetration testing. Here's exactly what we do.
Structured Testing Methodology
Our penetration testing process follows a four-phase methodology aligned with PTES and OWASP testing guides, tailored specifically to microservice architectures.
Reconnaissance & Scoping
- Attack surface enumeration across all 14 microservices
- gRPC / REST / WebSocket endpoint discovery
- Dependency & third-party library audit
- Authentication flow mapping (JWT, API Keys, SAML, SCIM)
Vulnerability Assessment
- OWASP Top 10 testing on all public endpoints
- Privilege escalation & IDOR checks across RBAC layers
- JWT / API Key forgery and rotation bypass tests
- SSRF, injection, and deserialization vectors
Exploitation & Proof-of-Concept
- Controlled PoC demonstrations in isolated test tenants
- Cross-tenant data leakage simulation
- Rate-limit bypass and quota exhaustion testing
- Webhook forgery and replay attack simulation
Reporting & Remediation
- Full executive + technical report with CVSS scores
- Remediation guidance mapped to your service layer
- Retest included at no extra cost within 30 days
- Compliance artifact package (SOC 2, HIPAA, ISO 27001)
Data Encrypted Everywhere
Every byte of customer data is protected whether it's sitting on disk, moving between services, or leaving your infrastructure boundary.
Encryption at Rest
Encryption in Transit
Key Management
Defense in Depth
Security controls applied at the infrastructure, application, and identity layers — not bolted on after the fact, but baked into the architecture from day one.
Infrastructure
- VPC isolation with private subnets for all data services
- Kubernetes RBAC with least-privilege pod security policies
- Network policies restricting east-west traffic between namespaces
- Bastion-free access via SSM Session Manager / IAP
- Immutable infrastructure — no SSH access to production nodes
- Container images signed and scanned in CI (Trivy + Cosign)
Application
- Input validation and output encoding at every API boundary
- Rate limiting enforced at gateway and per-service level
- Dependency vulnerability scanning on every PR (Dependabot + Snyk)
- Static analysis with gosec + semgrep in CI pipeline
- SQL parameterization enforced — no raw query construction
- CORS policies locked to allowlisted origins per environment
Access & Identity
- MFA enforced for all human access to production systems
- Time-limited, just-in-time production access grants
- Service-to-service auth via short-lived mTLS certificates
- API key hashing — plaintext keys never stored
- Session invalidation cascade on password change / logout
- All admin actions logged with requestor identity + IP
Vulnerability Disclosure Program
We welcome security researchers to responsibly disclose vulnerabilities. We commit to fast response, transparent communication, and public recognition.
Submit Report
Email security@launch-rail.com with a detailed description. Use our PGP key for sensitive findings.
48-Hour ACK
We acknowledge every report within 48 hours with a tracking ID and initial severity assessment.
Active Triage
Our security team investigates and keeps you updated throughout. Critical issues escalated immediately.
Patch & Credit
Critical patches in ≤ 14 days, high severity in ≤ 30 days. Credited in our Hall of Fame upon your consent.
In Scope
- launch-rail.com and all subdomains
- All public REST and gRPC API endpoints
- Authentication and authorization services
- Webhook delivery infrastructure
- Admin and developer portal
- API key management service
Out of Scope
- Physical security attacks
- Social engineering of employees
- DDoS or volumetric flood attacks
- Automated scanning without prior approval
- Third-party services and integrations
- Customer-owned self-hosted deployments
Request a Security Review Package
Need our full security documentation for your compliance team, legal review, or enterprise procurement? We'll send you penetration test results, encryption specs, SOC 2 readiness report, and architecture diagrams.