We understand how important security and reliability are when it comes to keeping your business operations safe and always running. That’s why Issuetrak is loaded with built-in security measures that address a variety of vulnerabilities common to web-based applications.
Cloud Reliability + Infrastructure
Reliability and security are important aspects of any successful business. As a business partner, Issuetrak values the data and security of our customers. We leverage hosting facilities provided by Amazon Web Services (AWS) to deliver the best possible web experience to our customers. The following are some of the physical and environmental security controls in place at those data centers:
- Physical access is routinely audited
- Authorized employees are challenged with two-factor authentication at least twice before being provided access to data center floors
- Around-the-clock interior and exterior surveillance
- Intrusion detection systems
- Secure site selection, redundancy, availability, and capacity planning
- Unmarked facilities to help maintain a low profile
- Physical security audited by an independent firm
- Data centers are fed power via different grids from independent utilities
- N+1 redundant UPS power subsystem with on-site generators
- N+1 redundant HVAC system
- Advanced fire detection and suppression systems
- Leakage Detection
- Multiple network paths with multiple service providers
- Regularly exceeds 99.96% uptime
Monitoring, System and Data Security
- Website, ping, and port monitoring
- Server vital statistic monitoring (CPU, Memory, Disk, Network)
- SQL Server Severity alerts
- Windows Event Viewer alerts
- System Auditing
- Single-tenant databases per customer
- Transport Layer Security (TLS, the successor to SSL) encryption forced on all sites
- TLS protocol version and cipher suite testing and remediation
- Monitoring/security information restricted to limited authorized personnel
- Server event auditing
- Dynamic Data Masking
- Amazon CloudWatch - Collects and retains logs for compliance, with targeted alerting
- AWS CloudTrail - Records API activity across the AWS accounts for security logging and analysis
- AWS Config - Monitors and audits AWS configurations
- AWS Systems Manager - Simplifies resource and application management
- AWS Trusted Advisor - Checks AWS resources against best practices and recommends configuration improvements
- AWS Security Hub - Aggregates and prioritizes security findings for AWS resources in a centralized location
- Amazon Inspector - Scans instances for common vulnerabilities and exposures (CVEs) and analyzes their network exposure
- AWS Identity and Access Management (IAM) - Manages access to AWS services and resources
- Multi-factor authentication required for all AWS access
- Adherence to the CIS AWS Foundations Benchmark
- AWS Virtual Private Cloud (VPC) for network isolation
- AWS Security Groups - Instance-level firewalling that controls which traffic may reach each resource
- Annual third-party penetration testing and auditing
- Physical database integrity checks every night
- Logical database integrity checks every week
- Update database statistics every night
- Reorganize fragmented database indexes every night
- Antivirus scanning
Disaster Recovery and Backup
- Our Disaster Recovery (DR) plan relies upon infrastructure-as-code automation deployment
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of at most 4 hours
- Daily Elastic Block Storage (EBS) snapshots archived to Amazon Simple Storage Service (S3)
- Encryption at rest and in transit
- Weekly Amazon Machine Images (AMI) are archived to S3
- Encrypted full database backups are taken daily and transferred to an encrypted S3 bucket
- Encrypted transaction log database backups are taken and transferred to S3 every 15 minutes
- Encrypted AMIs and snapshots are synchronized to a warm secondary AWS data center
- Network traffic isolation:
  - Each function is isolated to a different subnet
  - Nonconformant network traffic is rejected by firewall rules
  - Customer traffic is managed separately from administrative traffic
  - Network Access Control Lists (NACLs) are used in conjunction with security groups
  - A Virtual Private Network (VPN) is configured for support and maintenance access
Security & Prevention
- Cross-Site Scripting (XSS) Protection
- Encrypted UserIDs in HTTP Requests (POST)
- Ability to disable form caching (optional)
  - Prevents attackers from accessing cached form field values
  - Blocks multiple users sharing a workstation from seeing cached form field values entered by other users
- Secure Client Side Cookies
- Click-jacking Prevention and Security Measures (optional)
- Built in SQL Injection Prevention
- Cross-Site Request Forgery (CSRF) security measures (optional)
- The HttpOnly attribute on cookies ensures client-side scripts cannot read them.
- On sites that use TLS, only specific third-party HTTP requests (such as CSS and fonts) are allow-listed in the product.
- HTTP Strict Transport Security (HSTS) - Forces TLS between server and browser when a valid TLS configuration is present
- HTTP request verbs are limited to POST and GET for the main Issuetrak site; the API site additionally allows PUT
- HTTP request strings (path and query) containing less-than (<) or greater-than (>) characters are denied.
- A Feature-Policy HTTP response header is in place to deny client-side access to unused browser features (current browsers have renamed this header Permissions-Policy)
- The Content-Type HTTP request header is limited to 100 bytes
- Sites using SSL/TLS have a URL rewrite rule that redirects HTTP traffic to the proper HTTPS binding
- Subresource Integrity (SRI) is implemented to verify that resources are delivered without unexpected manipulation.
- Every stylesheet reference in the product uses absolute URLs instead of relative URLs to prevent a Path-relative stylesheet import (PRSSI) vulnerability.
- Application based Session Timeout configuration
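Issuetrak is an ASP.NET application, and most of the controls listed above are IIS request-filtering and response-header settings. The following Go program is an added example, not Issuetrak code, that expresses the same request-side rules (GET/POST only, no angle brackets in the decoded path or query, a 100-byte cap on Content-Type), the HTTP-to-HTTPS redirect, HSTS, HttpOnly/Secure session cookies, clickjacking and Permissions-Policy headers, and a helper that computes an SRI integrity value. All function names, the cookie name, the exact header values, and the assumption that TLS is terminated at a load balancer that sets X-Forwarded-Proto are the author's own choices, not anything the page states.

```go
package main

import (
	"crypto/sha512"
	"encoding/base64"
	"net/http"
	"net/url"
	"strings"
)

// maxContentTypeLen mirrors the 100-byte limit on the Content-Type header.
const maxContentTypeLen = 100

// rejectRequest returns a non-zero HTTP status and a reason when a request
// violates one of the request-side rules (allowed verbs, no angle brackets,
// bounded Content-Type). A zero status means the request may proceed.
func rejectRequest(r *http.Request) (int, string) {
	if r.Method != http.MethodGet && r.Method != http.MethodPost {
		return http.StatusMethodNotAllowed, "only GET and POST are accepted"
	}
	// Check the decoded path and query so %3C / %3E cannot slip past the filter.
	query, err := url.QueryUnescape(r.URL.RawQuery)
	if err != nil || strings.ContainsAny(r.URL.Path+query, "<>") {
		return http.StatusBadRequest, "angle brackets are not allowed in the request string"
	}
	if len(r.Header.Get("Content-Type")) > maxContentTypeLen {
		return http.StatusBadRequest, "Content-Type header too long"
	}
	return 0, ""
}

// setResponseHardening adds HSTS (only when TLS is actually configured, so a
// plain-HTTP site never pins browsers to a binding it lacks), clickjacking
// protection, and the Permissions-Policy header that replaced Feature-Policy.
func setResponseHardening(w http.ResponseWriter, tlsConfigured bool) {
	h := w.Header()
	if tlsConfigured {
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	}
	h.Set("X-Frame-Options", "DENY")
	h.Set("Content-Security-Policy", "frame-ancestors 'none'")
	h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
	h.Set("X-Content-Type-Options", "nosniff")
}

// sessionCookie builds a session cookie that scripts cannot read (HttpOnly)
// and that is only sent over TLS when TLS is configured (Secure).
func sessionCookie(value string, tlsConfigured bool) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/",
		HttpOnly: true, Secure: tlsConfigured, SameSite: http.SameSiteLaxMode,
	}
}

// sriIntegrity computes the value for an HTML integrity="..." attribute
// (sha384, the digest the SRI specification recommends) for a resource body.
func sriIntegrity(body []byte) string {
	sum := sha512.Sum384(body)
	return "sha384-" + base64.StdEncoding.EncodeToString(sum[:])
}

// HardenedHandler wraps an application handler with the checks above and the
// HTTP-to-HTTPS redirect. X-Forwarded-Proto is trusted here only because the
// assumed deployment terminates TLS at a load balancer in front of the app.
func HardenedHandler(app http.Handler, tlsConfigured bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tlsConfigured && r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		if status, reason := rejectRequest(r); status != 0 {
			http.Error(w, reason, status)
			return
		}
		setResponseHardening(w, tlsConfigured)
		http.SetCookie(w, sessionCookie("opaque-session-id", tlsConfigured))
		app.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	http.ListenAndServe("127.0.0.1:8080", HardenedHandler(app, true))
}
```

The angle-bracket check runs on the decoded query deliberately: a filter that only inspects the raw request line is bypassed with `%3C`. Conversely, the redirect uses `RequestURI()`, which re-escapes the path, so a rejected character is never echoed back raw in the Location header.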
Multiple Encryption Options
- Database encryption provided through SQL Server's data encryption capabilities
- Supports SSL/TLS to encrypt network traffic
- Database Connection String Encryption via DPAPI (Data Protection Application Programming Interface) – DPAPI is a cryptographic application programming interface available as a built-in component in Microsoft Windows operating systems.
- Encrypted Core and Service connection strings
Responsible Development Practices
- Security auditing via network and application penetration testing
- Vulnerability analysis and application scanning
- Code assessment via analysis tools and peer reviews
- Agile workflows for quick identification and resolution of vulnerabilities
- Regular updates released, ensuring customers the latest application and security innovation
- Continuing education and security training for all employees
User Access Control & Segmentation
- Roles and permissions – More than 55 permissions focused on access control
- Configuration options to segment access and visibility via Organizations, Departments, or Groups
- Private data fields accessible only by permission
- Issue Audit logging
- Configuration auditing and logging (Admin Auditing)
- Restricted Searching and Reporting capabilities
- Customizable Password Policy
- Password Self Service
- Configurable Password Complexity
- Application user account passwords are stored as hashes produced by PBKDF2 (a NIST-recommended password-based key derivation function), with an iteration count that exceeds current recommended minimums and that is raised automatically as time passes.
- Password reset emails have a configurable validity period from 1 to 168 hours.
- For each new password stored, a new, cryptographically random 64-byte salt is generated and supplied to the function along with the plaintext password.
- The pseudorandom function inside PBKDF2 is HMAC with SHA-512.
- Password hashes are retained only as long as the site administrator has configured, and plaintext passwords are never sent to the database.
- Passwords for connecting to external servers (such as mail servers and Active Directory servers) are encrypted with AES-256 in CTR mode and authenticated with HMAC-SHA-384.
- Keys are generated as cryptographically random 32-byte values.
- While in use, these keys are stored as DPAPI-encrypted nodes within the ASP.NET website's web.config file.
- All encryption libraries used are professionally audited.
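The password-storage scheme described above (PBKDF2 with HMAC-SHA-512, a fresh 64-byte random salt per stored password, and an iteration count that keeps rising) can be made concrete with the following Go program. It is an added example, not Issuetrak's code: the iteration numbers are assumed (the page gives none), the record layout and function names are the author's, and PBKDF2 is written out per RFC 8018 so that the example runs on the standard library alone; a production system would use its platform's vetted implementation. The upgrade-on-login path shows how the work factor can increase over time without ever holding a plaintext password outside the login request.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"io"
)

const (
	saltLen = 64 // one fresh 64-byte salt per stored password
	hashLen = 64 // full SHA-512 output
	// Assumed starting work factor; the page only says it exceeds current
	// recommendations and rises automatically over time.
	currentIterations = 600000
)

// PasswordRecord is what the database stores: never the plaintext password.
type PasswordRecord struct {
	Iterations int
	Salt       []byte
	Hash       []byte
}

// pbkdf2HMACSHA512 is a direct RFC 8018 implementation with HMAC-SHA-512 as
// the PRF: T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)),
// U_j = PRF(P, U_{j-1}). Written out here for a dependency-free example.
func pbkdf2HMACSHA512(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha512.New, password)
	var dk []byte
	var counter [4]byte
	for block := 1; len(dk) < keyLen; block++ {
		binary.BigEndian.PutUint32(counter[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(counter[:])
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// HashPassword draws a new random salt and derives the stored hash.
func HashPassword(password string, iterations int) (PasswordRecord, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return PasswordRecord{}, err
	}
	hash := pbkdf2HMACSHA512([]byte(password), salt, iterations, hashLen)
	return PasswordRecord{Iterations: iterations, Salt: salt, Hash: hash}, nil
}

// VerifyPassword recomputes the hash under the record's own salt and
// iteration count and compares in constant time.
func VerifyPassword(rec PasswordRecord, password string) bool {
	candidate := pbkdf2HMACSHA512([]byte(password), rec.Salt, rec.Iterations, len(rec.Hash))
	return subtle.ConstantTimeCompare(candidate, rec.Hash) == 1
}

// VerifyAndUpgrade is the login path: if the password is right and the stored
// record was hashed with fewer iterations than the current target, re-hash it
// (with a fresh salt) so the work factor keeps rising as time passes.
func VerifyAndUpgrade(rec PasswordRecord, password string, target int) (PasswordRecord, bool, error) {
	if !VerifyPassword(rec, password) {
		return rec, false, nil
	}
	if rec.Iterations >= target {
		return rec, true, nil
	}
	upgraded, err := HashPassword(password, target)
	return upgraded, true, err
}

func main() {
	rec, err := HashPassword("correct horse battery staple", currentIterations)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: iterations=%d salt=%x... hash=%x...\n", rec.Iterations, rec.Salt[:8], rec.Hash[:8])
	fmt.Println("verify right:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("verify wrong:", VerifyPassword(rec, "Tr0ub4dor&3"))
}
```

Because each record carries its own salt and iteration count, old records keep verifying after the target is raised, and they are silently migrated the next time their owner logs in; the database never needs a bulk re-hash that would require plaintext passwords.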
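The external-server password encryption described above (AES-256 in CTR mode, HMAC-SHA-384 for authentication, 32-byte random keys) is the kind of construction that is easy to get subtly wrong: CTR mode provides no integrity on its own, a reused counter block leaks plaintext, and the MAC must be checked before any decryption. The following Go program is an added example, not Issuetrak's code, of an encrypt-then-MAC composition of those primitives. The choice to MAC after encrypting, the output layout (nonce || ciphertext || tag), the use of two separate keys, and all names are the author's assumptions; the page does not specify them. Key storage (DPAPI in web.config on the real system) is out of scope here, so the keys are plain byte slices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

const (
	keyLen   = 32             // AES-256 key and HMAC key are each 32 random bytes
	nonceLen = aes.BlockSize  // CTR initial counter block, 16 bytes, fresh per message
	tagLen   = sha512.Size384 // HMAC-SHA-384 output, 48 bytes
)

// SecretKeys holds two independent keys; neither is ever used for the other job.
type SecretKeys struct {
	Enc []byte
	Mac []byte
}

// NewSecretKeys draws both keys from the OS CSPRNG.
func NewSecretKeys() (SecretKeys, error) {
	k := SecretKeys{Enc: make([]byte, keyLen), Mac: make([]byte, keyLen)}
	if _, err := io.ReadFull(rand.Reader, k.Enc); err != nil {
		return SecretKeys{}, err
	}
	if _, err := io.ReadFull(rand.Reader, k.Mac); err != nil {
		return SecretKeys{}, err
	}
	return k, nil
}

// Seal encrypts with AES-256-CTR under a random nonce, then authenticates
// nonce||ciphertext with HMAC-SHA-384 (encrypt-then-MAC).
// Output layout: nonce || ciphertext || tag.
func Seal(k SecretKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceLen+len(plaintext), nonceLen+len(plaintext)+tagLen)
	if _, err := io.ReadFull(rand.Reader, out[:nonceLen]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:nonceLen]).XORKeyStream(out[nonceLen:], plaintext)
	mac := hmac.New(sha512.New384, k.Mac)
	mac.Write(out)
	return mac.Sum(out), nil // appends the 48-byte tag in place
}

// Open verifies the tag in constant time before touching the ciphertext;
// any change to nonce, ciphertext or tag fails closed.
func Open(k SecretKeys, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceLen+tagLen {
		return nil, errors.New("sealed value too short")
	}
	body, tag := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]
	mac := hmac.New(sha512.New384, k.Mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-nonceLen)
	cipher.NewCTR(block, body[:nonceLen]).XORKeyStream(plaintext, body[nonceLen:])
	return plaintext, nil
}

func main() {
	keys, err := NewSecretKeys()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(keys, []byte("smtp-relay-password")) // constructed sample secret
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err = Open(keys, sealed)
	fmt.Println("tampered:", err)
}
```

The nonce is included under the MAC so an attacker cannot swap counter blocks between messages, and the tag is checked with `hmac.Equal` before decryption so no timing signal or unauthenticated plaintext ever leaves `Open`.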
Active Directory User Authentication
- Encrypt all data exchanged between your Active Directory (AD) and Issuetrak servers using the SSL/TLS option.
- Requires a valid LDAP over SSL (LDAPS) certificate installed on your Domain Controller (DC)
- Requires DNS and port settings configured within your network
- Requires the AD module and AD server settings configured within the Issuetrak site (supports multiple domains)
- Compatible with Common Access Cards (CAC) and Smart Cards to control Issuetrak users' access and information
- Encrypt all data exchanged between Active Directory (AD), Active Directory Federation Services (ADFS) and Issuetrak servers using the SSL/TLS option.
- ADFS connectivity via OAuth 2.0
- Customizable claims and user mapping
- Requires a valid ADFS configuration and a certificate installed on the ADFS server
- Requires DNS and port settings configured within your network
- Requires the AD module and ADFS server settings configured within the Issuetrak site (supports multiple domains)
Reporting security questions or concerns
Issuetrak aims to keep its product and services safe for everyone, and data security is our utmost priority. If you are a security researcher and have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
We ask that you keep your findings confidential and do not share or publicize an unresolved vulnerability with third parties. If you submit a vulnerability report, the Issuetrak security team and associated development teams will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Investigate the reported issue and provide feedback
- Seek your guidance in identifying or replicating the reported issue
- Let you know when the vulnerability you've identified has been fixed
Please contact us at [email protected] with any relevant information so we can investigate security issues immediately.