Finalsite's goal is to ensure that our clients, and the students, parents, faculty and others they represent, are protected by reliable, effective security measures. To that end, we are making a number of changes across our platform.
Strengthening Password Encryption and Workflow
Finalsite has made a number of updates to how passwords are stored and retrieved:
- User and administrator passwords are now stored as one-way hashes that can no longer be recovered by users in plain text, or be decrypted by Finalsite staff or school administrators.
- Passwords can no longer be distributed to end users in plain text using eNotify; instead, users can be invited to set a password via a secure link that can be distributed via eNotify.
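To illustrate the two changes above, here is a small, self-contained example (added here; it is not Finalsite's own code) of storing passwords as salted one-way hashes and issuing a single-use, expiring set-password token of the kind that can be sent in an invitation link. It assumes PBKDF2-HMAC-SHA256 as the hash and an in-memory dict as the token store; both are illustrative choices.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000          # assumed work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 24 * 3600        # assumed lifetime of a set-password link


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """One-way hash with a fresh random salt; only this record is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def issue_set_password_token(store: dict, user_id: str, now: float = None) -> str:
    """Create a random token for an invitation link; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    store[key] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_token(store: dict, token: str, new_password: str,
                 users: dict, now: float = None) -> bool:
    """Consume the token (single use), reject if expired, then set the hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = store.pop(key, None)        # removed on first presentation, valid or not
    if entry is None:
        return False
    user_id, expires_at = entry
    if now > expires_at:
        return False
    users[user_id] = hash_password(new_password)
    return True
```

Because only the SHA-256 of each token is kept server-side, a leaked token table cannot be turned back into usable links.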
Serving All Pages Over HTTPS
By early October 2017, Finalsite will serve all web pages over HTTPS, including all pages on our clients' websites, admin interfaces, and Finalsite Learn. Traffic sent and received over a secure connection is encrypted in transit, so it cannot be read or modified by an attacker on the network.
Starting in October, Google Chrome and Firefox will change how they display the encryption status of pages, flagging HTTP pages that contain input elements as "Not secure", which may be upsetting to users. Starting in early 2018, they will flag all pages served over HTTP as "Not secure". Finalsite will soon begin serving all front-end web pages over HTTPS, so none of our schools' web pages will be flagged by browsers.
File and Data Encryption
In addition to sending and receiving data securely via HTTPS, Finalsite is also making changes to store data and files "at rest" more securely. This means that the physical disks that hold your data will be encrypted, so that if an attacker gained physical access to these disks, none of the data or files on them would be readable.
- The new site search that was released to all Composer sites is powered by a third party product called Algolia. All indexed data is stored encrypted in Algolia's "vault."
- All files uploaded to the new Resources module will be encrypted (by the end of November 2017).
- All Finalsite databases will be encrypted (by the end of November 2017); this means that all of your constituents' PII (personally identifiable information)
Finalsite has implemented improvements to our software development processes to ensure that our application is secure. With that in mind, we have started the following activities:
- Instituted Mandatory Secure Software Development training for the entire development team. The curriculum varies annually.
- Started comprehensive scanning of our code base to identify and remediate any existing security issues within the platform.
- Implemented tooling to enable security testing on features as part of component testing. This process will become more tightly integrated with our application release processes in 2018.
If you'd like to learn more about your school website's security, contact your Finalsite Client Success Manager.