Security Related FAQs
Have a question about MangoApps security? Explore this extensive list of MangoApps security FAQ for the answers you need.
What does the MangoApps security team consist of?
The MangoApps security team consists of engineering professionals, many with 20 or more years of experience in Unix-based administration and development.
The team has experience in creating end-to-end secure systems, follows the AWS security best practices, and has experience in detecting and recovering using AWS tools.
What is the structure of information security in MangoApps?
MangoApps has two information security components as part of its organizational structure.
- Information security as part of new software releases.
- Information security as part of support, deployment, and production system access.
The information security compliance for new software releases is under our Director of Engineering and the information security compliance for support/deployment/production system access of customer data is under our Director of Deployments.
Both of these teams ultimately report to our CTO.
Are employees at MangoApps required to sign and adhere to confidentiality agreements when dealing with customer data?
Yes, the MangoApps Non-Disclosure Agreement (NDA) binds all MangoApps employees.
Can you provide information on your change control process?
The MangoApps change control process comprises five stages:
- Definition: The product management team does wire framing and mock-ups for all product changes (enhancements, features, etc.) as part of defining them.
- Development: The product engineering team does product design and builds and releases the product enhancements and features.
- Quality Assurance: The product quality assurance team builds test strategies, test scenarios, and test automation scripts to validate the product changes released.
- Documentation: The product services team updates product documentation, marketing material, and any training materials for the product changes.
- Deployment & Support: The product deployment and support team applies the product changes to a staging environment where it is used by the MangoApps team for several weeks to fine tune the experience. After the product changes pass the quality gate on the staging environment they are deployed to MangoApps Shared Cloud data centers across the world. After the product changes have been live on the MangoApps shared cloud data centers for a couple of weeks, they get scheduled for deployment on the MangoApps private cloud and on-premise deployments — typically once every three months or sooner via a Product Hot fix process if need be.
Do you work with any other third party companies that will be involved with this implementation?
No, all work is done by the MangoApps team internally.
What are the response times on suspected security incidents?
MangoApps is committed to providing a response to all suspected incidents as soon as possible. Our first response times are based on the severity level for each case reported:
- Critical: Initial response time less than 8 hours
- High: Initial response time less than 12 hours
- Normal: Initial response time less than 24 hours
- Low: Initial response time less than 48 hours
Notification of incidents: what process does MangoApps employ to notify its clients about security incidents?
MangoApps has a fully transparent policy with respect to notifying customers of security incidents. Within 24 hours of discovering a suspected security threat, your account manager will notify you, share all the information we have on the incident, and continue to update you as needed.
With respect to generic security threats, we monitor security bulletins and upgrade our systems as soon as patches become available.
Incident Notification Workflow:
Can you briefly describe your coding practices that are employed to avoid common security exploits?
The following product development practices are done to follow security best practices:
- Source code reviews – MangoApps follows agile practices such as pair programming, in which common security exploits like CSRF and SQL injection are checked for during review.
- Vulnerability testing – A major release of MangoApps is tested with the brakeman scanning tool (http://brakemanscanner.org/) for any vulnerabilities and the critical ones are fixed prior to the release going live.
From a security and QA point of view, what testing procedures do you employ?
The following practices are followed by MangoApps QA regularly.
- Web Application Scanning and Vulnerability testing using Qualys (https://www.qualys.com/) on major release upgrades. Here is a sample of such a report. Some of the items in the report are false positives but this gives a general idea about the process and tools we use.
- The QA team also uses the Brakeman scanning tool (http://brakemanscanner.org/) to identify cross-site scripting, SQL injection, command injection, unrestricted mass assignment, unprotected redirects, unsafe file access, etc., before a major release upgrade of MangoApps.
Can you provide information on how user authentication is protected?
MangoApps protects user authentication in multiple ways.
- All connections to MangoApps are secured via SSL/TLS
- All passwords stored by MangoApps are encrypted using AES – 256 bit encryption when stored in the database.
- MangoApps supports SSO with Active Directory/LDAP and Google Apps using SAML. With this model of user authentication no user authentication information is stored in MangoApps.
- MangoApps admins have additional tools to further protect user authentication: enforcing stronger password requirements, enabling multi-factor authentication (2FA), and restricting access to MangoApps to a particular IP range.
Can you provide information regarding access control? Who has access to what? Do employees have access to Customer Data? If so how is this controlled and monitored?
We have strict policy and technical access controls that prohibit general employee access to production systems or customer data/files. All qualified employees who have approval to access customer data for support, do it over a secure VPN connection.
In addition, the private cloud and shared cloud deployments are on AWS, which provides additional physical and technical security measures. For more information, check out: http://aws.amazon.com/security/.
Do you periodically audit access rights for MangoApps employees?
Yes, at MangoApps all access rights are reviewed frequently and all access levels are assigned on a need-to-know basis.
Can you provide information regarding the data encryption techniques MangoApps employs internally?
MangoApps employs multiple security and encryption techniques internally. These include:
- The source code repository is accessible only to users on the MangoApps LAN.
- All remote access into MangoApps network is over a secure VPN channel.
- All SSH access is with dedicated key-pair and restricted to a small set of qualified employees and trusted IP addresses.
- All MangoApps employee passwords are encrypted using AES 256-bit encryption and stored at rest.
- All MangoApps internal files shared are encrypted using AES 256 bit encryption at rest.
- All internal communication in MangoApps is over an SSL/TLS channel using 256-bit encryption.
- Internally any PC idle for 30 minutes requires users to re-authenticate.
- Access to admin functions internally requires admin privileges and has multi-factor authentication enabled via a PIN.
Can you provide information regarding data encryption techniques MangoApps employs on client data?
MangoApps employs multiple security and data encryption techniques on client data:
- All client data in transit from any MangoApps platform is over an SSL/TLS channel and encrypted using 256-bit encryption.
- All client passwords stored by MangoApps are encrypted using AES – 256 bit encryption when stored in the database.
- All client files shared are encrypted using AES 256 bit encryption at rest.
More information is available here: http://www.mangoapps.com/social-software-security-compliance.
Credential management – How does MangoApps and employees manage their passwords? Are they managed via AD or an equivalent?
Yes, MangoApps user management and passwords are managed via an internally hosted LDAP server.
Additionally, all access to servers is controlled via VPN and certificate-based authentication. Certificates are rotated once every quarter.
All access is monitored regularly.
Can you provide information on the MangoApps password policy? (Retention, strength, encryption, etc.)
MangoApps requires its users to set strong passwords. Admins can increase their users' security even more by setting strict password requirements. Passwords must be at least 10 characters long and contain uppercase and lowercase letters as well as numbers and special characters.
All stored passwords are protected at rest using what the FAQ describes as one-way AES 256-bit encryption. Note that AES is a reversible cipher, so it cannot by itself be one-way; a genuinely one-way password store holds a salted password hash (PBKDF2, bcrypt or scrypt) rather than ciphertext that a key holder could decrypt.
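The following is an added example, not MangoApps code, showing the two halves of the password handling described above: enforcing the stated policy (at least 10 characters with upper- and lower-case letters, digits and special characters) and then storing only a one-way, salted PBKDF2-HMAC-SHA256 hash, which is what "one-way" storage looks like in practice. The character-class regexes, the 16-byte salt and the iteration count are assumptions; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy as stated in the FAQ: at least 10 characters, with upper- and
# lower-case letters, digits and special characters.  How "special
# character" is interpreted (anything non-alphanumeric) is an assumption.
MIN_LENGTH = 10
REQUIRED_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str) -> List[str]:
    """Return the rules a candidate password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {label}")
    return problems


# One-way storage: PBKDF2-HMAC-SHA256 with a fresh random salt per password.
# No key exists that turns the stored value back into the password, which is
# what "one-way" means; AES ciphertext can always be decrypted by a key holder.
PBKDF2_ITERATIONS = 600_000  # assumed; OWASP's 2023 figure for PBKDF2-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Enforce the policy, then keep only the one-way hash for storage."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = register("Correct-Horse-42")          # constructed sample password
    print(record)
    print(verify_password("Correct-Horse-42", record))   # True
    print(verify_password("correct-horse-42", record))   # False
```

The stored record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing accounts, and `hmac.compare_digest` keeps the comparison constant-time.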
What is the MangoApps data retention policy around internal data?
MangoApps uses a secure environment for all internal communication and data. This environment is not shared, physically or logically, with any other party.
All communication including file transfers is over a secure SSL/TLS channel which is encrypted.
All internal files are encrypted at rest. Completed projects are regularly archived by admins and typically have a retention period of 1 year. A project can be deleted after its retention period ends. After a project is deleted, all of its contents and files are permanently removed.
How does MangoApps destroy data, including physical drives?
MangoApps performs permanent deletion by formatting and reinstalling the OS, and uses AWS S3 capabilities to manage the permanent deletion of files.
Could you provide information on data transfer encryption that will be used?
All MangoApps data in transit into and out of the production environment is encrypted at all times. Communication with MangoApps is over HTTPS (TLS 1.2) regardless of user endpoint (Web, Desktop App, Mobile App, Mac App, API).
What internal data encryption techniques does MangoApps employ internally?
We make extensive use of MangoApps software to run our own business. Hence we use the same techniques for ourselves as we do for our customers.
Find more details in the answer to the question on the data encryption techniques MangoApps employs internally, above.
Is confidential customer data ever stored on removable media? If so, how is this managed and what security procedures are in place?
No, we do not store anything on removable media. All customer data is stored in an AWS managed infrastructure (Primarily RDS & S3).
MangoApps does not migrate customer data inside or outside of the production network.
Is confidential customer data ever stored on portable computers?
MangoApps does not store confidential customer data on portable computers. All customer data is stored in AWS managed infrastructure (primarily RDS and S3).
Additionally, MangoApps does not migrate customer data inside or outside of the production network.
Who has access to the production instance of MangoApps?
MangoApps deployment and support leads have varying levels of access. The deployment team has sudo access. The support team has read-only access on a need to know basis. Access is controlled via customer specific certificates and keys.
Is there any confidential data held in the test environment?
MangoApps does not hold any confidential data in the test environment.
On AWS, does MangoApps make use of delegated rights to restrict users' access to sections of AWS?
Yes, MangoApps restricts users' access to sections of AWS.
On AWS do you make use of security groups to restrict how instances are connected to?
Yes, MangoApps makes use of security groups extensively.
- Only the required ports are opened for external access to the EC2 instance.
- The RDS instance is controlled by allowing access from the EC2 instance's internal IP address only.
- Access to the S3 bucket is also IP-restricted to the EC2 instance.
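As an added example (not MangoApps code), the following audit checks security-group ingress rules against the two restrictions just listed: the Internet-facing EC2 group may expose only its required ports to the world, and the RDS group may accept connections only from the application instance (a security-group reference or a single /32 address). The input dictionaries have the shape returned by boto3's `describe_security_groups()`, but the sample groups, IDs and addresses below are constructed, and the choice of 80 and 443 as the only world-reachable ports is an assumption, since the page names no ports.

```python
from ipaddress import ip_network
from typing import Dict, List

# Assumption: the only ports the web tier needs to expose to the Internet.
PUBLIC_PORTS = {80, 443}


def _ports(rule: dict):
    """Port range of one IpPermissions entry; protocol -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_security_group(sg: dict, role: str) -> List[str]:
    """Return findings for one group; role is "web" (EC2) or "db" (RDS)."""
    findings = []
    name = sg.get("GroupName") or sg.get("GroupId")
    for rule in sg.get("IpPermissions", []):
        lo, hi = _ports(rule)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # Security-group references (UserIdGroupPairs) are the preferred DB
        # source and raise no finding; only CIDR sources are examined.
        for cidr in cidrs:
            net = ip_network(cidr, strict=False)
            if role == "web":
                world_open = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
                if world_open and not set(range(lo, hi + 1)) <= PUBLIC_PORTS:
                    findings.append(f"{name}: ports {lo}-{hi} open to {cidr}; "
                                    f"only {sorted(PUBLIC_PORTS)} may be world-reachable")
            elif role == "db" and net.num_addresses != 1:
                findings.append(f"{name}: ports {lo}-{hi} reachable from {cidr}; "
                                "restrict to the EC2 instance's address or security group")
    return findings


# Constructed sample groups: the web group has one rule that is fine and two
# that violate the policy; the DB group has two good sources and one too broad.
SAMPLE_GROUPS: Dict[str, dict] = {
    "web": {
        "GroupId": "sg-0a1b2c", "GroupName": "mango-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},      # trusted admin range
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # SSH open to the world
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all traffic
        ],
    },
    "db": {
        "GroupId": "sg-0d3e4f", "GroupName": "mango-rds",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c"}]},  # from the web group
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.1.15/32"}]},        # the EC2 instance itself
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},          # whole private range: too broad
        ],
    },
}


def audit_all(groups: Dict[str, dict] = SAMPLE_GROUPS) -> Dict[str, List[str]]:
    """Audit each group under its role and return findings keyed by role."""
    return {role: audit_security_group(sg, role) for role, sg in groups.items()}


if __name__ == "__main__":
    for role, findings in audit_all().items():
        for line in findings:
            print(f"[{role}] {line}")
```

Against real data, feed `audit_all` the `SecurityGroups` entries from `describe_security_groups()` after mapping each group ID to its role; the S3 bucket-policy restriction in the third bullet is a separate IAM/bucket-policy check not covered here.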
Do any third parties have access to the MangoApps AWS account(s), including automated backup services?
No third parties have access to the MangoApps AWS account.
Does MangoApps enforce a password policy around AWS credentials?
Yes, MangoApps enforces a strict password policy, two-factor authentication, and a need to know basis access to all AWS hosted accounts.
Is access to any live and or test environments logged? If so how?
MangoApps extensively logs access to different components.
Application specific logs include Ubuntu access logs, Apache access Logs, application server logs, database logs, messaging server logs — along with the AWS provided logging.
Patch management – How do you deploy patches when required?
MangoApps has an automated patch management process to ensure customer configuration and customer data are preserved with every patch deployed.
MangoApps uses a custom version of Puppet to deploy software and patches to all our customers.
An overall architecture of the patch management process is as follows:
More details are in this document:
What operating system does MangoApps use to host both the application and data?
For the application server, MangoApps is hosted on Ubuntu Linux 14.04 LTS. For the database, MangoApps is hosted on an RDS instance of MySQL 5.6. Both versions have since reached upstream end of standard support (Ubuntu 14.04 in April 2019, MySQL 5.6 in February 2021), so a current deployment should confirm it is running supported releases.
Do you have any system / network monitoring in place?
Yes, each on-premise and private cloud deployment is monitored for uptime and running processes, both through AWS CloudWatch and custom crontab scripts. External monitoring of the AWS instances is done via Pingdom (www.pingdom.com). Email notifications are sent to the MangoApps support team to report any issues.
What are the physical access requirements for MangoApps offices?
MangoApps development offices have 24 x 7 x 365 in-person security personnel.
All access (in and out) is via access control and employee specific badges. All visitor entry into the office premise is captured via detailed visitor entry logs.
Does MangoApps store any data onsite? If so what physical security is in place?
No, MangoApps does not store any onsite data outside of the production network. All data is on AWS and or customers’ on-premise deployments.
Does MangoApps follow any information security standard?
As MangoApps is hosted on AWS, it benefits from the following AWS accreditations.
- SOC 1/SSAE 16/ISAE 3402
- SOC 2
- FISMA Moderate
- PCI DSS Level 1
- ISO 27001
- ITAR (International Traffic in Arms Regulations)
- FIPS 140-2
For more information, please see: http://aws.amazon.com/security/.