
Issuetrak Security
We understand how important security and reliability are when it comes to keeping your business operations safe and always running. That’s why Issuetrak is loaded with built-in security measures that address a variety of vulnerabilities common to web-based applications.
Cloud reliability, security, and infrastructure
Reliability and security are important aspects of any successful business. As a business partner, Issuetrak values the data and security of our customers.
We leverage world-class hosting facilities provided by Amazon Web Services to deliver the best possible web experience to our customers.
Have questions about security?
Can't find something in our documentation? Shoot us an email and we'll respond as soon as possible.
Need more details about privacy?
Privacy is very important to us. If you'd like to learn more about how we handle privacy, reach out and let us know.
Support Documents? We got 'em.
If you need documentation during your compliance or prospecting journey, we'll send you everything you need.
Security deep dive? Trust is key!
If you want to look deeper into security at Issuetrak, our Trust Center is a fantastic resource.

Physical Security
- Physical access is routinely audited
- Authorized employees are challenged with two-factor authentication at least twice before being provided access to data center floors
- Around-the-clock interior and exterior surveillance
- Intrusion detection systems
- Secure site selection, redundancy, availability, and capacity planning
- Unmarked facilities to help maintain a low profile
- Physical security audited by an independent firm
Environment Continuity
- Data centers are fed power via different grids from independent utilities
- N+1 redundant UPS power subsystem with on-site generators
- N+1 redundant HVAC system
- Advanced fire detection and suppression systems
- Leakage detection
- Multiple network paths with multiple service providers
- Regularly exceeds 99.96% uptime
Disaster Recovery and Backup
- Our Disaster Recovery (DR) plan relies upon infrastructure-as-code automation deployment
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) within 4 hours
- Daily Elastic Block Storage (EBS) snapshots backed by Amazon Simple Storage Service (S3)
- Encryption at rest and in transit
- Encrypted full database backups are taken daily and transferred to an encrypted S3 bucket
- Encrypted transaction log database backups are taken and transferred to S3 every 15 minutes
- Encrypted AMIs and snapshots synchronized to a warm secondary AWS data center
Network Security
- Network Traffic isolation
- Each function is isolated to a different subnet
- Nonconformant network traffic is rejected by firewall rules
- Customer traffic is managed separately from administrative traffic
- Network Access Control Lists (NACL) are used in conjunction with security groups
- Virtual Private Network (VPN) configured for support and maintenance access
Data Maintenance
- Physical database integrity checks every night
- Logical database integrity checks every week
- Update database statistics every night
- Reorganize fragmented database indexes every night
- Antivirus scanning

Monitoring, System, and Data Security
Security & Prevention
- Cross-Site Scripting (XSS) Protection
- Encrypted UserIDs in HTTP Requests (POST)
- Ability to disable Form Caching (optional)
- Prevents hackers from accessing cached form field values
- Blocks multiple users sharing a workstation from seeing cached form field values entered by other users
- Secure Client-Side Cookies
- Click-jacking Prevention and Security Measures (optional)
- Built in SQL Injection Prevention
- Cross-Site Request Forgery (CSRF) Security Measures (optional)
- Use of an HTTP-Only attribute on cookies ensures client-side scripting cannot access the cookies.
- On sites that utilize TLS, only specific third-party HTTP requests (such as CSS and fonts) are whitelisted and allowed in the product.
- HTTP Strict Transport Security (HSTS) - Forces TLS communication between server and browser if a TLS configuration is present and valid
- HTTP request verbs are limited to POST and GET for the main Issuetrak site, while also allowing PUT on the API site
- HTTP request strings containing less-than (<) or greater-than (>) signs are denied.
- A Feature-Policy HTTP response header is in place to deny client-side access to unused browser features
- Content-Type HTTP request headers are limited to 100 bytes
- Sites utilizing SSL/TLS have a URL rewrite deployed for redirecting HTTP traffic to the proper HTTPS binding
- Sub-Resource Integrity (SRI) is implemented to verify that resources are delivered without unexpected manipulation.
- Every stylesheet reference in the product uses absolute URLs instead of relative URLs to prevent a Path-relative stylesheet import (PRSSI) vulnerability.
- Application-based Session Timeout configuration
User Access Control & Segmentation
- Roles and permissions – More than 55 permissions focused on access control
- Configuration options to segment access and visibility via Organizations, Departments, or Groups
- Private data fields accessible only by permission
- Issue Audit logging
- Configuration auditing and logging (Admin Auditing)
- Restricted Searching and Reporting capabilities
- Customizable Password Policy
- Password Self Service
- Configurable Password Complexity
- Application user account passwords are secured with the NIST-recommended PBKDF2 function, using an iteration count that exceeds current recommended standards and that continues to increase automatically over time.
- Password reset emails have a configurable validity period from 1 to 168 hours.
- For each new password stored, a new, cryptographically random 64-byte salt is generated and supplied to the function along with the plaintext password.
- The hash used in the function is SHA-512.
- Password hashes are retained only as long as the site administrator has configured, and plaintext passwords are never sent to the database.
- Passwords for connecting to external servers (such as mail servers and Active Directory servers) are encrypted with AES-256 in CTR mode and authenticated with HMAC using the SHA-384 algorithm.
- Keys are generated as sets of cryptographically random 32-byte values.
- During use, these keys are stored as DPAPI-encrypted nodes within the ASP.NET website’s “web.config” file.
- All encryption libraries used are professionally audited.
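The password-storage scheme described above (PBKDF2 with SHA-512, a fresh 64-byte salt per stored password, and an iteration count that rises over time) as an added illustration in Python; this is not Issuetrak's code. The record format, the policy value CURRENT_ITERATIONS, and the re-hash-on-successful-login behaviour are assumptions chosen to show how the cost can increase automatically without a mass reset.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

HASH_NAME = "sha512"           # the page states the PBKDF2 hash is SHA-512
SALT_BYTES = 64                # the page states a fresh 64-byte salt per stored password
CURRENT_ITERATIONS = 210_000   # illustrative policy value (assumption); raise it over time

def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Derive a verifier and return a self-describing record (assumed format):
    pbkdf2-sha512$<iterations>$<base64 salt>$<base64 hash>."""
    salt = os.urandom(SALT_BYTES)  # new random salt for every stored password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2-" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])

def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (algorithm, iterations, salt, digest)."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    return algo, int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)

def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record).

    upgraded_record is a fresh record when the password is correct but the
    stored iteration count is below the current policy; the caller stores it
    so the work factor keeps rising as the policy is raised over time.
    """
    algo, iterations, salt, expected = parse_record(record)
    if algo != "pbkdf2-" + HASH_NAME:
        return False, None
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    if ok and iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)
    return ok, None

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", iterations=50_000)
    ok, upgraded = verify_password("correct horse battery staple", stored)
    print(ok, upgraded is not None)  # True True: correct, and re-hashed at the current cost
```

Plaintext passwords never reach storage: only the record string is persisted, and a record hashed under an older, lower iteration count is replaced the next time its owner authenticates.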
Multiple Encryption Options
- Database Encryption provided through the SQL Server’s Data Encryption capabilities
- Supports the use of SSL/TLS to encrypt network traffic
- Database Connection String Encryption via DPAPI (Data Protection Application Programming Interface) – DPAPI is a cryptographic application programming interface available as a built-in component in Microsoft Windows operating systems.
- Encrypted Core and Service connection strings
- Support for Integrated Security connection to SQL Server
Responsible Development Practices
- Security auditing via network and application penetration testing
- Vulnerability analysis and application scanning
- Code assessment via analysis tools and peer reviews
- Agile workflows for quick identification and resolution of vulnerabilities
- Regular updates are released, ensuring customers receive the latest application and security improvements
- Continuing education and security training for all employees
Identity Management / Active Directory

Reporting security questions or concerns
Issuetrak aims to keep its product and services safe for everyone, and data security is our utmost priority. If you are a security researcher and have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
We ask that you keep your findings confidential and do not share or publicize an unresolved vulnerability with third parties. If you submit a vulnerability report, the Issuetrak security team and associated development teams will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Investigate the reported issue and provide feedback
- Seek your guidance in identifying or replicating the reported issue
- Let you know when the vulnerability you've identified has been fixed
Please contact us at security@issuetrak.com with any relevant information so we can investigate security issues immediately.

Looking for more?
Want to see the latest release notes? Our Help Center has all the details on our latest update plus all past versions of Issuetrak. Stop by and discover what you might be missing.