We secure your information in a number of ways:
Coding guidelines and checks
- We enforce strong coding guidelines.
- All Ajax response action pages are secured against being called directly.
- Included files cannot be linked to directly.
- Query parameter checking is used everywhere to type-check and secure against SQL injection attacks.
- URL and Form parameter checking is used everywhere to type-check user requests and secure against and prevent attacks.
- All content that originates from a user is escaped with XSS filters preventing Cross Site Scripting attacks.
- Integrated permission system prevents unauthorized access to objects.
- All logins failed and successful are logged
- Incorrect login attempts over user defined threshold locks account for a period of time
- Changing a users password automatically logs out all other sessions where the current user is logged in
- Passwords are never sent via email
- SSO via GSuite and federated login available depending on price plan
- The database has character escaping turned off.
- Passwords are stored in hashed format using Bcrypt - even with access to the database, passwords cannot be determined.
- Multiple-line SQL statement execution disabled to prevent SQL injection attacks.
- Error reports are automatically emailed to developers - this also shows any hacking attempts.
- High security SSL is used online for all logins and is an option for any accounts using a Custom Domain
- Policies include routine changing of server access passwords.
- All OS and middleware security updates applied and routinely checked.
- All unnecessary services are disabled.
- High strength passwords, 2FA and IP restrictions are used.
- Debugging only available to registered IP Addresses.
- Execute permissions disabled on web folder to prevent uploaded files from being executed.
- Pending files stored in non-web accessible location before being transferred to Amazon S3.
- Servers are in a highly secure location.
- Access to servers is limited to a few people.
- Firewall prevents access from unauthorized locations (except for port 80 basic HTTP, Port 443 for SSL and Port 8840 for Websocket implementation).
Testing & Awareness
- We monitor general Internet security threats and ensure all updates and hot fixes are promptly applied.
- We have a number of scripts and tools such as SQLPowerinjector to test our interfaces.
- QA Team utilize an API regression test