At GymGroups, security is our strength and one of our core competencies. Below is a brief overview of security measures used at GymGroups.
The GymGroups application itself has several layers of security, some of which include:
- An extensive input and output validation layer checks that input and output are proper and expected. All user-provided content, such as the URI, query string parameters, form submissions, cookies, etc., is validated through this framework before the underlying application layers are allowed to handle the request. All non-validated input is either escaped or rejected as necessary.
- The application has a robust permission system which allows granular control over user, role, and group level access. Permissions and roles can be applied at the global community level, on categories, boards, and individual users. The fine granularity of the permissions ensures that users can be granted the specific access they need, without having to grant them excessive rights. All unauthorized access attempts are logged in the audit logs.
- User provided content is also checked and validated using an intelligent HTML parser. Administrators can specify which HTML tags are allowed, including tag attributes and sub-tags. This intelligent parsing protects against many forms of attacks such as cross-site scripting, script insertion, style hijacking, cookie theft, etc. By providing such extensive HTML parsing, we can allow our users to safely use HTML tags for rich and lively content creation without forcing them to learn custom or proprietary markup languages.
- On the application layer, we also employ a fail-safe countermeasure called “ticketing”, whereby secure, encrypted, and time-sensitive tickets are assigned to user requests. All form submissions which result in an administrative action require valid and matching tickets to proceed. The ticketing system is completely transparent to the user and helps protect against a class of attacks called cross-site request forgery, in which requests originate from external content outside of the application’s control.
- A GymGroups proprietary safeguard called BlackBox is also used on GymGroups communities. Similar to the black box recording systems used on airplanes, it records key information about the system and user requests, including request parameters, URLs, IP addresses, etc. In case of a security breach, GymGroups can play back these recordings to identify exactly how the breach took place, as well as any actions and damage that the intruder may have inflicted. If necessary, BlackBox recordings can be used to roll back the community to a specific point in time and undo any damage caused by malicious activity.
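The ticketing countermeasure described above, as an added example that is not GymGroups' own code: a stateless ticket bound to one session and one administrative action, signed with a server-side HMAC key and rejected once tampered with, presented from another session, reused for another action, or past its lifetime. The key, lifetime, field layout and function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed server-side key and ticket lifetime (assumptions, not GymGroups' configuration).
SERVER_KEY = secrets.token_bytes(32)
TICKET_TTL_SECONDS = 900


def _mac(key, session_id, action, issued, nonce):
    """HMAC-SHA256 over every field the ticket carries, so none can be altered unnoticed."""
    msg = f"{session_id}|{action}|{issued}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_ticket(session_id, action, now=None, key=SERVER_KEY):
    """Mint a ticket bound to one session and one administrative action.

    The issue time travels inside the ticket, so the server keeps no per-ticket state.
    """
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # keeps tickets unique even within the same second
    raw = f"{session_id}|{action}|{issued}|{nonce}|{_mac(key, session_id, action, issued, nonce)}"
    return base64.urlsafe_b64encode(raw.encode()).decode()


def verify_ticket(ticket, session_id, action, now=None, key=SERVER_KEY, ttl=TICKET_TTL_SECONDS):
    """True only if the ticket is intact, unexpired, and matches this session and action."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode()).decode()
        sid, act, issued_s, nonce, mac = raw.rsplit("|", 4)
        issued = int(issued_s)
    except ValueError:  # bad base64, wrong field count, or non-numeric timestamp
        return False
    # Authenticate first, in constant time, before trusting any decoded field.
    if not hmac.compare_digest(mac, _mac(key, sid, act, issued, nonce)):
        return False
    if sid != session_id or act != action:
        return False  # minted for another session or another action
    current = time.time() if now is None else now
    return 0 <= current - issued <= ttl  # reject expired and future-dated tickets


if __name__ == "__main__":
    t = issue_ticket("sess-1", "delete_board")
    print(verify_ticket(t, "sess-1", "delete_board"), verify_ticket(t, "sess-2", "delete_board"))
```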
At the network level, GymGroups’ production environment is designed to provide maximum security based on security best practices.
- Our servers are protected by redundant firewalls.
- The front-end application and web servers are isolated from other services such as DNS and SMTP.
- The databases are further protected in a separate data island firewalled from the front-end servers. No direct access from the Internet is allowed to the database servers.
- Intrusion Detection Systems are deployed to monitor unauthorized access or detect malicious traffic.
- Only relevant ports are allowed such as port 80 (HTTP), port 443 (HTTPS), and a 5xxx range port for customers using the chat application.
At the host level, GymGroups servers are fine-tuned or “hardened” according to security best practices.
- Only necessary services and software are installed.
- Servers are regularly updated with the latest security patches.
- All management traffic to the servers is encrypted.
- Where applicable, malware detection tools are also used for good measure.
- Administrative access to servers is restricted to authorized staff and must occur over a secure encrypted session. All administrative access is logged and monitored.
- Security auditing is turned on and logs are sent to a secure log collection system.
The GymGroups production environment is hosted in SSAE16 and ISO27001 certified secure datacenters. Datacenters are equipped with CCTV systems, digital recorders, and manned by security guards on a 24x7 basis. Access to the data centers is restricted to authorized staff only and reviewed on a regular basis. Multiple forms of authentication are required to access the facility such as:
- a valid picture ID
- a secret PIN code
- biometric identification.
Data centers are also equipped with fire, water, and heat detection and protection systems.
Physical access to the datacenters is restricted to GymGroups Technical Operations staff and controlled by access lists held by the colocation facility’s security department. Logical access to the production environment can only be established via a secure encrypted session which is also restricted to GymGroups Technical Operations staff. All administrative access is logged and monitored.
GymGroups monitors all communities and critical infrastructure on a 24x7 basis. An alert system is tied to each of the community’s health statistics, as well as major parts of the GymGroups hosting infrastructure. All major services such as DNS, firewalls, servers, and Internet connectivity are actively monitored.
Alerts are also set up to monitor security related events and detect security violations. Security auditing is enabled on systems, and logs are sent to a secure log collection system for retention and safe keeping.
Redundancy and Backup
The hosting infrastructure at GymGroups is designed with multiple redundancies for maximum uptime.
- Secure data centers have UPS and generator backup systems for power and diverse entry points for key utilities and communication facilities.
- At the network edge, GymGroups has deployed multiple high-speed Internet Service Providers for fast Internet connectivity using the BGP protocol for redundancy and automatic failover.
- Beyond the network edge, each critical system in the GymGroups architecture is set up in a redundant manner to eliminate single points of failure. This includes redundant load balancers, firewalls, switches, and routers.
- At the system layer, servers are deployed with redundant power supplies, redundant network cards, and redundant disk storage.
- At the database layer, data replication is set up from master database servers to slave database servers in real-time.
- Lastly, regular backups are made and stored offsite in a secure location for safety.
Compliance, Audits and Certification
- GymGroups datacenters are SSAE16 certified, ISO 27001 certified, and PCI DSS section 9 certified.
- GymGroups hosted application solutions are ISO 27001 and SSAE16 certified.
- GymGroups is U.S.-E.U. Safe Harbor and U.S.-Swiss Safe Harbor self certified.
- GymGroups conducts annual security vulnerability and penetration testing using independent third party auditors.
Security Testing Policy
GymGroups is fully committed to keeping our customers' information secure. We encourage safe and responsible security testing and reporting of security issues according to the following few simple rules.
- All security testing must be conducted in our non-production environment to minimize risk to our customers. Please contact the GymGroups Security team at security [at] GymGroups [dot] com for details or to arrange for testing.
- Report all issues privately and securely to the GymGroups Security team by sending an email to security [at] GymGroups [dot] com. If possible, please use proper encryption and protection such as S/MIME certificates or PGP encryption. Please refer to the Reporting Security Issues section below for additional details.
- Do not attempt any testing that could cause or trigger a Denial-of-Service condition.
- Do not attempt to access, modify, or delete information that does not belong to you or your organization.
Reporting Security Issues
To report security issues or problems with any GymGroups product or service or website, please follow these simple rules:
- If you are conducting security testing, please follow our Security Testing Policy above.
- Report all issues privately and securely to the GymGroups Security team by sending an email to security [at] GymGroups [dot] com, and sign and encrypt your email using S/MIME certificates or PGP encryption.
- To exchange S/MIME certificates or PGP encryption key credentials, please send a signed email message to security [at] GymGroups [dot] com.
- If you don’t have access to S/MIME or PGP, please send an email to security [at] GymGroups [dot] com to make alternate arrangements.
- Provide full details of the issue and any details to replicate the problem.
- Provide your contact information so the GymGroups Security team can contact you for clarifications or details.
Requesting Security Information
Please email security [at] GymGroups [dot] com to request additional information, such as:
- Current GymGroups hosted application SAS70 Type II report
- GymGroups hosted application SAS70 bridge letter requests
- Any other information security requests and inquiries
Certain security documentation will only be made available to existing GymGroups customers.