Security FAQ’s

Below is a list of commonly asked questions that often come up from our security conscious customers.  These questions have been taken verbatim and we have provided the responses inline below:

1. Where do I obtain network requirements and firewall configuration for adding my players to my network? For security, please contact your EngagePHD representative or our support team for this information. 
2. Do third parties conduct security assessments of your products? Yes, we use Qualys and perform automated monthly application and server penetration testing. 
3. What do you do with the security assessment reports? We take action to resolve any vulnerabilities discovered at the server side and application side.
4. Does your company monitor the latest attack trends in the underground community and consider how those trends may affect your software? Yes.
5. Do your products contain pre-configured/default credentials? No, when we create usernames/passwords for new users, the user is forced to change the password at first login.
6. Do your products support two-factor/multi-factor authentication? If so, please briefly describe the available options. Yes. A user is sent an email every time they log in from a different IP address and/or device. A link in the email must be checked to continue to log in.  
7. Can your products be configured to disallow the use of weak passwords? Yes. We force minimum requirements.
8. Are any hard coded keys, secrets, or passwords contained within your products or supporting libraries (to include third-party)? No
9. Are there any instances of test or debug code in your production products? No
10. Do your products contain any remote management capabilities that your Company can use to access the application over the Internet? Yes.  Depending on operating system; MS Windows = Team Viewer. Samsung and LG have their own proprietary methods that we can use subject to additional licensing fees required by Samsung and LG.
11. Do your products require a “phone home” in order for features to be accessible? Please briefly describe. EngagePHD works on pull not push basis. So each ‘Player’ will perform a scheduled health check and content check that reaches out to the web servers  to check in and download any new content. EngagePHD does not need access into your LAN.
12. Are all SQL queries protected by the use of prepared statements or query parameterization? Please briefly describe. Yes. All SQL queries are protected by prepared statements.
13. Are passwords stored using a strong hashing algorithm? Please list the algorithm and a brief description.  Yes. We use SimpleMembershipProvider Class that returns a RFC 2898 hash value.
14. Do your products allow for granular user permissions? Please briefly describe.  EngagePHD supports creation of custom user profiles at a very granular level. E.G. One user could be restricted to see just Products. And within Products, just see one specific product record e.g. a Hot Dog. Furthermore if that user tries to change the price of a Hot Dog (where PoS integration isn’t in use) that could be sent to an Admin user for approval.
15. Are session IDs exposed in URLs, error messages, or logs? No
16. Are sessions invalidated when the user logs out? Yes
17. Is logging performed when users are denied access to a particular task or action? All user actions are audited in every aspect of the platform.
18. Do your products support encryption of data in transit? Please briefly describe. Yes, SSL is used throughout 
19. Do your products support encryption of data in use? Please briefly describe. Yes, SSL is used throughout 
20. Do your products support encryption of data at rest? Please briefly describe. Yes, SSL is used throughout