Below is a list of commonly asked questions that often come up from our security-conscious customers. These questions have been taken verbatim, and we have provided our responses inline below:
- Where do I obtain network requirements and firewall configuration for adding my players to my network? For security, please contact your EngagePHD representative or our support team for this information.
- Do third parties conduct security assessments of your products? Yes, we use Qualys and perform automated monthly application and server penetration testing.
- What do you do with the security assessment reports? We take action to resolve any vulnerabilities discovered at the server side and application side.
- Does your company monitor the latest attack trends in the underground community and consider how those trends may affect your software? Yes.
- Do your products contain pre-configured/default credentials? No, when we create usernames/passwords for new users, the user is forced to change the password at first login.
- Do your products support two-factor/multi-factor authentication? If so, please briefly describe the available options. Yes. A user is sent an email every time they log in from a different IP address and/or device. The link in that email must be clicked before the login can continue.
- Can your products be configured to disallow the use of weak passwords? Yes. We force minimum requirements.
- Are any hard-coded keys, secrets, or passwords contained within your products or supporting libraries (to include third-party)? No.
- Are there any instances of test or debug code in your production products? No.
- Do your products contain any remote management capabilities that your Company can use to access the application over the Internet? Yes. This depends on the operating system: on MS Windows we use TeamViewer. Samsung and LG have their own proprietary methods that we can use, subject to additional licensing fees required by Samsung and LG.
- Do your products require a “phone home” in order for features to be accessible? Please briefly describe. EngagePHD works on a pull, not push, basis: each ‘Player’ performs a scheduled health check and content check, reaching out to the web servers to check in and download any new content. EngagePHD does not need access into your LAN.
- Are all SQL queries protected by the use of prepared statements or query parameterization? Please briefly describe. Yes. All SQL queries are protected by prepared statements.
- Are passwords stored using a strong hashing algorithm? Please list the algorithm and a brief description. Yes. We use the SimpleMembershipProvider class, which returns an RFC 2898 hash value.
- Do your products allow for granular user permissions? Please briefly describe. EngagePHD supports creation of custom user profiles at a very granular level. For example, one user could be restricted to see just Products, and within Products, to see only one specific product record, e.g. a Hot Dog. Furthermore, if that user tries to change the price of a Hot Dog (where PoS integration isn’t in use), that change could be sent to an Admin user for approval.
- Are session IDs exposed in URLs, error messages, or logs? No.
- Are sessions invalidated when the user logs out? Yes.
- Is logging performed when users are denied access to a particular task or action? All user actions are audited in every aspect of the platform.
- Do your products support encryption of data in transit? Please briefly describe. Yes, SSL is used throughout.
- Do your products support encryption of data in use? Please briefly describe. Yes, SSL is used throughout.
- Do your products support encryption of data at rest? Please briefly describe. Yes, SSL is used throughout.