At Torq, our commitment to security has always been at the forefront of our mission to empower businesses through our SaaS platform.
Today, we’re proud to announce a significant step forward in our security journey: Torq has signed the CISA Secure by Design Pledge.
This pledge underscores our dedication to ensuring that our customers can trust our platform to uphold the highest security standards, enabling customers to focus on their goals without concerns about their security posture.
Advancing Security by Design
The CISA Secure by Design Pledge perfectly aligns with our approach to security. This initiative emphasizes the importance of building security into the foundation of all products and services.
For Torq, this means integrating robust security measures throughout our development lifecycle, from initial concept to deployment and beyond.
By signing this pledge, we are reinforcing our commitment to:
- Proactive security measures: Embedding security into every layer of our platform, ensuring our customers’ data is protected at all times.
- Transparency: Providing clear, actionable information about managing and securing data, empowering our customers to make informed decisions.
- Continuous improvement: Regularly evaluating and enhancing our security practices to stay ahead of evolving threats.
What This Means for Our Customers
When you choose Torq, you’re not just selecting a SaaS solution but partnering with a company that prioritizes your security. Our adherence to Secure by Design principles means:
- Minimal configuration risks: Our platform is designed to work securely out of the box, reducing the burden on your team to configure complex security settings.
- Enhanced resilience: With built-in safeguards and automated protections, your organization’s security posture remains robust despite emerging threats.
- Ongoing support: We’re committed to providing tools, resources, and guidance to help you confidently navigate security challenges.
This blog post outlines our commitment, investments, and transparency regarding those Secure by Design principles, and our plans for the 2025 security year.
Multi-factor authentication (MFA)
“Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.”
Torq customers’ default application authentication is SSO-based, federated through external identity providers, so that authentication standards for our customers are not compromised.
This approach ensures that MFA configuration and enforcement remain consistent with each customer’s identity provider MFA settings.
Torq supports SAML 2.0 and OpenID Connect (authorization code flow and implicit grant type). It is compatible with many enterprise IdPs, including:
- Microsoft Entra ID
- Okta
- OneLogin
Supported SSO Methods and Protocols
- OpenID Connect
- SAML 2.0
Default passwords
“Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.”
Torq’s customers are invited to their new workspace by an invite email sent directly to their corporate mailbox.
The invite email contains a unique invite link, and clicking it invokes the authentication process.
When a customer’s admin user logs in to their Torq account using the invite link, they use their email and self-generated password; hence, no default passwords are involved.
Per policy, customers are informed that 2FA is necessary to continue.
The user must scan the QR code presented, or enter the activation code, in a recognized authenticator application on their mobile device.
Upon completion, the customer can set up the organization’s SSO, after which passwords are no longer used.
Torq’s application password policy enforces the following criteria:
- Between 8 and 20 characters
- At least one capital letter
- At least one lowercase letter
- At least one number
- At least one special character
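The policy above can be expressed as a small validator. The following is an added example (not Torq’s code) that checks a candidate password against the five stated criteria and reports every rule it fails rather than just the first; the interpretation of “special character” as any ASCII punctuation character is an assumption.

```python
import string

# Torq's stated password policy (from the post).
MIN_LENGTH = 8
MAX_LENGTH = 20
# Assumption: "special character" means any ASCII punctuation character.
SPECIAL_CHARS = set(string.punctuation)


def password_violations(password: str) -> list[str]:
    """Return the list of policy rules the password fails (empty list = compliant).

    All rules are evaluated so that a user sees every problem at once instead
    of fixing them one submission at a time.
    """
    violations = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        violations.append(
            f"length must be between {MIN_LENGTH} and {MAX_LENGTH} characters"
        )
    if not any(c.isupper() for c in password):
        violations.append("at least one capital letter")
    if not any(c.islower() for c in password):
        violations.append("at least one lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("at least one number")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("at least one special character")
    return violations


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ("Torq-Pass1", "alllowercase1!", "Aa1!"):
        print(candidate, "->", password_violations(candidate) or "compliant")
```

Complexity rules of this kind bound the search space but do not by themselves reject well-known weak choices; in practice such a check is paired with the MFA requirement described above, which the post treats as mandatory for the initial admin login.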
Reducing entire classes of vulnerability
“Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.”
Torq adopts a “security by design” approach to minimize the attack surface exposed to potential threats.
To deal with zero-day attacks and reduce vulnerabilities, Torq relies on several key components, including:
- Penetration testing
- Scanning Torq’s supply-chain pipeline, including code dependencies (open source), containers (Dockerfiles), code (SAST), secrets, and IaC, as part of the SDLC and CI/CD
- Utilizing a best-of-breed cloud-native application protection platform (CNAPP)
- Utilizing distroless images for cloud workloads
- Utilizing an EDR vulnerability scanning module on Torq’s laptop devices fleet and addressing findings through automation
Looking ahead:
Over the coming year, we intend to focus on improving runtime visibility and obtaining better, higher-confidence vulnerability verdicts.
Security patches
“Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.”
As a SaaS offering, Torq’s application is updated continuously through a process in which Torq manages the deployment of new features, bug fixes, and security patches. Customers benefit from automatic updates without needing to install new versions manually. Torq’s continuous integration and deployment (CI/CD) pipelines enable rapid, frequent updates, allowing it to deliver improvements and patches quickly while ensuring stability and performance.
No action is necessary on the customer’s part to have these patches automatically applied to their workspaces.
Customers are notified through Torq’s “what’s new” segment and through https://kb.torq.io/en/.
Vulnerability disclosure policy
“Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).”
In addition to the Trust Center, where customers can obtain up-to-date reports, policies, and the status of Torq’s security posture, Torq also maintains a public Security and Compliance page on its torq.io commercial website: https://torq.io/security-compliance/
At the bottom of this page, visitors find Torq’s privacy and security email addresses for any security-related matter, including vulnerability disclosure.
Torq addresses and responds to every report received.
As a continuous improvement, this process could be enhanced with a dedicated online form on Torq’s security-compliance page for a better vulnerability disclosure experience.
CVEs
“Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.”
At Torq, we take security seriously and continuously monitor our platform for vulnerabilities. Unlike traditional software that requires customers to manage their own patches, SaaS platforms like ours are centrally managed, allowing us to rapidly mitigate security issues without requiring customer intervention.
The CVE (Common Vulnerabilities and Exposures) program focuses on publicly disclosed security vulnerabilities in software products, hardware, and firmware.
Torq is a SaaS offering that, by its operational model, is neither distributed to nor installed on its customers’ premises. Hence, it does not directly fit the CVE program and is not obligated to issue CVE disclosures.
We believe in transparency and proactive security measures.
Our approach to vulnerability management includes:
✅ Continuous monitoring and rapid patching – We detect and remediate security issues before they impact customers.
✅ Customer notification – We will notify impacted customers if a vulnerability affects data security or compliance.
✅ Third-party component reporting – If an issue involves open-source or third-party software, we may issue a CVE when appropriate.
✅ Security bulletins – We publish important security updates via our Trust Center.
✅ Regulatory compliance – We align with industry standards (e.g., SOC 2, ISO 27001, FedRAMP) to ensure best-in-class security.
Evidence of intrusions
“Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.”
Torq generates audit logs. These logs provide a comprehensive record of events within a workspace, capturing various actions and changes. They record events such as user activities, workflow changes, and resource modifications. Typically, log entries are created immediately after an action is taken. Each audit log entry includes the event that occurred, its timestamp, the user or service that initiated the action, and the affected entity.
To enhance the security and oversight of your workspace, audit logs can be streamed to a SIEM or storage bucket using Torq workflows, steps, or the API.
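Before forwarding audit logs to a SIEM, a defender typically normalizes them into one flat schema and quarantines entries that cannot be parsed, so that a malformed record is noticed rather than silently dropped. The following is an added example, not Torq’s code or export format: the sample entries are constructed and carry only the four fields the post lists (event, timestamp, initiating user or service, affected entity); the JSON shape, the `torq.audit` dataset label, and the field names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample entries in a hypothetical shape; not Torq's real export format.
SAMPLE_AUDIT_LOG = [
    {"event": "workflow.updated", "timestamp": "2025-03-01T09:15:00Z",
     "actor": "alice@example.com", "entity": "workflow:nightly-triage"},
    {"event": "user.login", "timestamp": "2025-03-01T09:14:30Z",
     "actor": "alice@example.com", "entity": "user:alice@example.com"},
    {"event": "integration.deleted", "timestamp": "2025-03-01T23:41:12Z",
     "actor": "svc-automation", "entity": "integration:slack-prod"},
    # Deliberately malformed timestamp: this record must be quarantined, not lost.
    {"event": "workflow.created", "timestamp": "not-a-timestamp",
     "actor": "bob@example.com", "entity": "workflow:test"},
]

REQUIRED_FIELDS = ("event", "timestamp", "actor", "entity")
CHANGE_ACTIONS = {"created", "updated", "deleted"}


def normalize(entry: dict) -> dict:
    """Map one raw entry to a flat, SIEM-friendly record with a UTC ISO timestamp.

    Raises ValueError when a required field is missing or the timestamp cannot
    be parsed, so the caller can quarantine the record.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # fromisoformat() on older Pythons does not accept a trailing 'Z'.
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    category, _, _ = entry["event"].partition(".")
    return {
        "@timestamp": ts.astimezone(timezone.utc).isoformat(),
        "event.dataset": "torq.audit",      # label is an assumption
        "event.category": category,        # e.g. "workflow", "user"
        "event.action": entry["event"],    # full event name as emitted
        "user.name": entry["actor"],       # user or service that acted
        "target.entity": entry["entity"],  # affected entity
    }


def normalize_all(entries: list) -> tuple:
    """Return (records sorted by time, [(raw_entry, reason), ...] quarantined)."""
    records, quarantined = [], []
    for entry in entries:
        try:
            records.append(normalize(entry))
        except ValueError as err:
            quarantined.append((entry, str(err)))
    records.sort(key=lambda r: r["@timestamp"])
    return records, quarantined


def to_jsonl(records: list) -> str:
    """Serialize records as JSON Lines, the usual format for a bucket or SIEM ingest."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def configuration_changes(records: list) -> list:
    """Select create/update/delete events on non-user entities (workflow and
    resource modifications), the subset most SOC alerting rules start from."""
    return [
        r for r in records
        if r["event.category"] != "user"
        and r["event.action"].rsplit(".", 1)[-1] in CHANGE_ACTIONS
    ]


if __name__ == "__main__":
    recs, bad = normalize_all(SAMPLE_AUDIT_LOG)
    print(to_jsonl(recs))
    print(f"quarantined {len(bad)} record(s):", [reason for _, reason in bad])
    print("configuration changes:", [r["event.action"] for r in configuration_changes(recs)])
```

The quarantine list is the part worth keeping an eye on operationally: a sudden rise in unparseable records usually means the upstream format changed, and that is exactly the moment a detection pipeline goes blind without anyone noticing.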
Looking Ahead
As cyber threats evolve, Torq’s security journey doesn’t stop here. Signing the CISA Secure by Design Pledge is just one of many steps we’re taking to ensure our platform remains a trusted partner for businesses worldwide. Our team will continue to innovate, collaborate, and advocate for security practices that benefit not only our customers but the broader digital ecosystem.
We’re excited about this new chapter and its meaning for our customers. By seamlessly integrating security into our solutions, we’re not just mitigating risks — we’re enabling your success.
Stay tuned for more updates on how we’re driving security excellence at Torq, and feel free to reach out if you have any questions about our Secure by Design journey.