CivicReady and Regroup place great importance on the security of our application and the data housed in the application.
- We pass all network and website vulnerability tests.
- CivicReady is protected with the following:
- SSL Security: CivicReady uses 256-bit SSL (https) encryption site-wide. The connection uses TLS 1.0 protocol encrypted via AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism. These security measures prevent stolen credentials, session hijacking, and access to sensitive information.
- OS-Level Firewall: CivicReady uses an OS-Level Firewall. This protects against malware, spoofing attacks, security exploits, denial of service (DOS) attacks, and rootkits.
- Authorization Bypass Security: CivicReady is secure from Authorization Bypass vulnerabilities. Authorization Bypass vulnerability allows attackers to gain unauthorized access to resources by circumventing access controls. This can be accomplished by disabling certain scripts, modifying parameters in a request, or finding links to secured areas that are protected by obfuscation.
- Cross Site Scripting (XSS) Security: CivicReady is secure from Cross Site Scripting (XSS) vulnerabilities. XSS allows attackers to inject executable code into an unvalidated input that is then executed in a user’s browser when the page is loaded. Through this, an attacker may gain complete control of a user’s session, which allows them to alter page functionality to harvest data, phish for sensitive information, or steal user credentials and session information.
- Cross Site Request Forgery (CSRF) Security: CivicReady is secure from Cross-Site Request Forgery (CSRF) vulnerabilities. CSRF vulnerabilities permit attackers to take advantage of a legitimate session established by a user to perform unauthorized actions on behalf of that user. Effectively, anything the given user has permissions to do can be done without their knowledge by the attacker. These attacks can be very difficult to trace, as the activity appears to come from an authorized user.
- SQL Injection Security: CivicReady is secure from SQL injection vulnerabilities. SQL injection vulnerabilities happen when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are then injected from the web form into the database of an application, like queries, to change the database content or dump the database information to the attacker.
- Additional Security and Server Hardening:
- Login is only via ssh/secure keys
- Clients can use our direct SSH FTP (SFTP) access for delivering student information, which eliminates security issues with email and the web
- Use of captcha on signup page
- Regular review of vulnerabilities and new methods of hacking
- Multiple Data Centers and Redundancies