ERPAG security blog: Clickjacking, Cross-Origin Resource Sharing, Formula Injection, Stored Cross-Site Scripting
For ERPAG as a cloud-based application, and for our company as a whole, the most important segment is security. When we say security, we mean the safety of data access by our users, the safety of data on servers, the safe handling of such data by employees, as well as the overall security of all other factors and procedures that enable ERPAG to function 24/7, all 365 days a year. So that data security is controlled, ERPAG Inc. has designated security officers by an internal document. Thanks to good organization and continuous education of employees in modern protection trends, ERPAG successfully passes security tests every year by Synopsys, one of the largest software security companies.
For secure access to data by our users, ERPAG uses multiple combined levels and protection techniques. Access to our service is possible only through the HTTPS protocol, using a verified SSL certificate and TLS 1.2. In this way, secure encrypted communication between the browser on the client computer and the ERPAG server is enabled, without the possibility that a third party (malicious software on the client computer, or an internet provider) will intercept the communication and read sensitive data.
Although ERPAG does not store customer credit card information, we still respect the PCI Security Standards. Among the recommendations of that standard, ERPAG introduced the mandatory use of strong passwords. Login is also possible using OAuth 2.0 authorization, where a user, using a Google, Microsoft or Intuit account, authorizes ERPAG without handing over password information. The password recovery option allows the user to recover a forgotten account using a valid email address. ERPAG monitors user activity during login and validates the password. If there are several unsuccessful login attempts in a short period of time, ERPAG will consider that someone is trying to use the password-guessing technique to access user data. The account will then be suspended for at least 30 minutes, and an email notice about the temporary suspension of the account will be sent to the user's mail address. In this way, ERPAG prevents unauthorized persons or software from entering the user account with the above-mentioned method. Another security technique is automatic logout for users who are inactive for more than 30 minutes, in order to prevent unauthorized access to ERPAG if the user forgets to log out.
ERPAG contains a multi-level defense system against DDoS and spoofing attacks, placing the attacker's IP addresses on a blacklist. Many other techniques for attacking or taking over user accounts have also been prevented, among them:
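The lockout policy described above (repeated failed logins in a short window suspend the account for at least 30 minutes and trigger a notice) can be modelled as follows. This is an added illustration, not ERPAG's code: the failure threshold and the length of the "short period" are assumptions, the 30-minute suspension is the value the post states, and the e-mail notice is replaced by a counter.

```python
"""Login lockout guard (added example, not ERPAG's implementation)."""
from collections import deque
from dataclasses import dataclass, field

FAIL_THRESHOLD = 5          # assumed: failures within WINDOW_SECONDS that trigger a lockout
WINDOW_SECONDS = 60         # assumed: what counts as a "short period of time"
LOCKOUT_SECONDS = 30 * 60   # 30 minutes, as stated in the post


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failed attempts
    locked_until: float = 0.0                       # epoch seconds; 0 means not locked
    notices_sent: int = 0                           # stand-in for the suspension e-mail


class LoginGuard:
    """Tracks failed logins per account and enforces the temporary suspension."""

    def __init__(self):
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return now < self._state(user).locked_until

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'ok', 'denied' or 'locked'.

        While an account is suspended even a correct password is refused,
        otherwise the lockout would not slow down a guessing attack."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures.clear()          # a successful login resets the counter
            return "ok"
        st.failures.append(now)
        # Forget failures that fall outside the sliding window
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()
        if len(st.failures) >= FAIL_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            st.notices_sent += 1         # here the suspension notice would be e-mailed
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for t in range(FAIL_THRESHOLD):
        print(t, guard.attempt("alice", False, t))
    print("correct password during lockout:", guard.attempt("alice", True, 100))
```

The sliding window is kept per account in memory for clarity; a multi-server deployment would keep the same state in a shared store so that an attacker cannot spread attempts across instances.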
– Stored Cross-Site Scripting and Reflected Cross-Site Scripting (XSS) – preventing scripts from being injected from the client side;
– Clickjacking – preventing data from being stolen by redirecting clicks to malicious software;
– Cross-Origin Resource Sharing (CORS) – preventing the use of resources from other domains;
– Content-Security-Policy (CSP) – preventing the execution of code from untrusted domains;
– X-Content-Type-Options – prevents Internet Explorer from MIME-sniffing a response away from the declared content type. This also applies to Google Chrome when downloading extensions;
– Formula Injection – preventing embedded malicious code from being carried into a spreadsheet such as Microsoft Excel or LibreOffice on the client;
– Restricted File Upload – validating the file uploaded by the user (comparing the contents of the file with its extension, banning executable files such as .exe, .bat, .com, .dll, etc.), as well as checking the file with an antivirus.
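Two of the list items above can be checked mechanically. The first function audits the HTTP response headers behind the clickjacking, CORS, CSP and MIME-sniffing items, and the second neutralises formula injection when exporting user data to a spreadsheet. Both are an added illustration, not ERPAG's code; the header checks are rough string matches rather than a full CSP parser, and the header values and CSV rows are constructed.

```python
"""Response-header audit and formula-injection neutralisation (added example)."""
import csv
import io


def audit_headers(headers, allowed_origins=()):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively. An empty list means that
    every check passed. allowed_origins is the CORS allow-list (assumed)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy", "")
    # Clickjacking: either a frame-ancestors directive or X-Frame-Options is needed
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing restriction (frame-ancestors or X-Frame-Options)")

    # CSP: must be present and must not allow inline or wildcard script sources
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "script-src *" in csp:
        findings.append("Content-Security-Policy allows inline or wildcard scripts")

    # MIME sniffing: only the literal value "nosniff" counts
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # CORS: a wildcard origin must not be combined with credentials, and any
    # concrete origin must come from the allow-list rather than be reflected
    acao = h.get("access-control-allow-origin")
    if acao is not None:
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        if acao == "*" and creds:
            findings.append("CORS wildcard origin with credentials")
        elif acao != "*" and acao not in allowed_origins:
            findings.append("CORS origin %s not in allow-list" % acao)
    return findings


# Characters that make a spreadsheet treat a cell as a formula
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix text cells that would be parsed as formulas with an apostrophe,
    which spreadsheets treat as a text marker. Non-string values (numbers,
    dates) are written as-is, so negative numbers keep their sign."""
    if not isinstance(value, str):
        return value
    # Spreadsheets ignore leading whitespace before the trigger character
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(rows):
    """Write rows to CSV text with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a customer note that a spreadsheet would evaluate
    print(export_csv([["customer", "note"], ["Acme", "=SUM(A1:A3)"], ["Globex", -5]]))
```

The apostrophe prefix follows the usual guidance for CSV exports consumed by Excel and LibreOffice; quoting every field keeps embedded separators from splitting a cell into a new one.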
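The restricted-upload item, as an added example that is not ERPAG's code: the declared extension is checked against an allow-list, the file's leading bytes are compared with the signature expected for that extension, executable content is refused whatever the file is called, and an antivirus scan is represented by a pluggable hook. The signature table is a small constructed subset; the page names .exe, .bat, .com and .dll, the other banned extensions are assumptions.

```python
"""Upload validation: extension allow-list, magic-byte check, AV hook (added example)."""
import os

# Leading bytes expected for each allowed extension (constructed subset)
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

# .exe .bat .com .dll are named on the page; the rest are assumed additions
BANNED_EXT = {".exe", ".bat", ".com", ".dll", ".cmd", ".msi", ".scr"}

# Signatures of executable content, checked regardless of the file name
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def check_upload(filename, data, scan=lambda blob: True):
    """Return (accepted, reason) for an uploaded file.

    scan is a stand-in for the antivirus step: it receives the bytes and
    returns True when the file is clean (assumed interface)."""
    name = os.path.basename(filename).lower()
    ext = os.path.splitext(name)[1]
    # Every dotted part is inspected so that report.exe.pdf is caught as well
    parts = name.split(".")[1:]
    if ext in BANNED_EXT or any("." + p in BANNED_EXT for p in parts):
        return False, "banned extension"
    if ext not in MAGIC:
        return False, "extension not on allow-list"
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "executable content"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if not scan(data):
        return False, "antivirus rejected file"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real PNG header, and a PE header renamed to .png
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("logo.png", png))
    print(check_upload("logo.png", b"MZ\x90\x00" + b"\x00" * 16))
```

Checking the content before the antivirus hook keeps obviously mislabelled files out of the scanner queue; the extension check alone would let a renamed executable through, which is why the magic bytes are compared as well.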
The database of each individual user is isolated in the so-called sandbox in order to avoid direct access. All sensitive data in the database are encrypted so that they are not possible to read outside ERPAG.
In addition to the types of protection mentioned above, ERPAG replicates data to backup servers in multiple geo-locations, in accordance with the GDPR and other regulations on the storage of personal data.
Physical access to servers is limited and regulated by internal documents and protocols of companies that own large data centers and where ERPAG Inc. has leased servers. Also, access to user data by employees in ERPAG Inc. is strictly controlled and permitted only with the written consent of the user and the permission of the security officer, and only in cases when support is needed.
Data security is also affected by the user, who, besides our engagement, needs to understand that data security cannot be controlled from one side only. Irregular behavior such as giving a user account to another person, sending a password by mail, failing to update the operating system and browser, allowing third parties access to the computer, etc. provides access to user data that ERPAG Inc. cannot influence.
Despite the protection techniques mentioned, security remains at the very top of our company's priorities. Responsible behavior by our clients and by employees of ERPAG Inc. allows ERPAG to function 24/7 to mutual satisfaction.