Security

We are somewhat hesitant to talk about security since we do not want to invite unwanted attention. However, with regular reports of security issues popping up (for example here and here), and now the report of the JP Morgan Chase race security breach, we figured it might be useful to give our industry guidance on common practices that help secure systems.

We are not giving specifics of what we do or how we do it (you can contact us and arrange a call to discuss details), but these are the sorts of things that should be done to make a site more secure:

  • Do NOT store credit cards on the registration server
  • Utilize a highly robust and secure cloud infrastructure like the leader, Amazon AWS
  • Multi-level firewalls between multiple virtual private clouds and subnets, one for each layer of the server architecture. For example, the load balancers accepting traffic from the public internet should be the only publicly reachable addresses. The firewalls and VPC rules should allow each tier to receive traffic only from the known addresses (or security groups) of the tier in front of it, and only on the port that tier actually serves.
  • Store passwords only as salted, slow hashes (bcrypt, for example), never in plaintext or reversibly encrypted.
  • Applications should validate user input, encode it when it is rendered back into a page (to prevent XSS), and use SQL prepared statements (to prevent SQL injection). This is especially important, and there should be a code review process to make sure all new code is written this way, since SQL injection is a common way that breaches like the one described in the JP Morgan Chase article likely happen: a single injectable query can hand an attacker every user account and password.
  • The entire website should be served over HTTPS, and every plain HTTP request should be automatically redirected to HTTPS.
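The tiered firewall rule above is easy to state and easy to drift away from. The following is an added example, not RunSignUp's code, of a small policy check that audits a set of inbound security-group rules against the intended topology (only the load balancer faces the internet, every other tier admits only the tier in front of it, on its one service port). The tier names, ports, rule format and the sample rule set are assumptions constructed for illustration; a real check would pull the rules from the cloud provider's API.

```python
# Added example (not RunSignUp's code): audit tiered VPC firewall rules.
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # "the public internet" as a CIDR


@dataclass(frozen=True)
class Rule:
    """One inbound rule of a tier's security group (assumed format)."""
    tier: str     # security group the rule belongs to
    port: int     # destination port opened by the rule
    source: str   # CIDR, or "sg:<tier>" for a source-security-group reference


# Intended traffic flow: internet -> lb:443 -> web:8080 -> app:9000 -> db:5432
# Each tier lists the single port it serves and who may reach it.
TOPOLOGY = {
    "lb":  {"port": 443,  "allowed_from": {ANY}},
    "web": {"port": 8080, "allowed_from": {"sg:lb"}},
    "app": {"port": 9000, "allowed_from": {"sg:web"}},
    "db":  {"port": 5432, "allowed_from": {"sg:app"}},
}


def audit(rules):
    """Return human-readable findings; an empty list means the rules match
    the topology exactly."""
    findings = []
    for r in rules:
        spec = TOPOLOGY.get(r.tier)
        if spec is None:
            findings.append(f"{r.tier}: rule for a tier not in the topology")
            continue
        if r.source == ANY and r.tier != "lb":
            findings.append(f"{r.tier}:{r.port} is open to the internet")
        elif r.source not in spec["allowed_from"]:
            findings.append(
                f"{r.tier}:{r.port} accepts traffic from {r.source}, "
                f"expected only {sorted(spec['allowed_from'])}")
        if r.port != spec["port"]:
            findings.append(
                f"{r.tier}: port {r.port} is exposed, only {spec['port']} is needed")
    return findings


# Constructed sample rule set: GOOD_RULES is the intended design, the three
# extra rules in DRIFTED_RULES are the kind of drift an audit should catch.
GOOD_RULES = [
    Rule("lb", 443, ANY),
    Rule("web", 8080, "sg:lb"),
    Rule("app", 9000, "sg:web"),
    Rule("db", 5432, "sg:app"),
]
DRIFTED_RULES = GOOD_RULES + [
    Rule("db", 5432, ANY),        # database reachable from anywhere
    Rule("web", 8080, "sg:app"),  # wrong direction: back-end tier talking "up"
    Rule("app", 22, "sg:web"),    # SSH opened between tiers; not the app port
]

if __name__ == "__main__":
    for line in audit(DRIFTED_RULES):
        print(line)
```

Run as a scheduled job against the live rule set, the audit turns the architecture diagram into something that fails loudly when someone opens a port "just for a minute".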
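The post recommends bcrypt for password storage. The added example below is not RunSignUp's code; it uses hashlib.scrypt from the Python standard library so it runs without third-party packages, but the storage pattern is the one bcrypt gives you as well: a random per-user salt, a tunable work factor recorded next to the hash so it can be raised later, and a constant-time comparison on verification. The `$scrypt$<n>$<salt>$<hash>` record layout is an assumption of this example.

```python
# Added example (not RunSignUp's code): salted, slow password hashing with
# a recorded work factor and transparent rehash when the factor is raised.
import base64
import hashlib
import hmac
import os

# Current work factor (scrypt CPU/memory cost). Raise N over time; every
# stored record carries the N it was made with, so old hashes still verify.
N, R, P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str, n: int = N) -> str:
    """Return a self-describing record: $scrypt$<n>$<b64 salt>$<b64 digest>."""
    salt = os.urandom(16)  # fresh random salt per user, per change
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=R, p=P, dklen=DKLEN)
    return "$scrypt$%d$%s$%s" % (
        n,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the record and compare in constant time."""
    try:
        _, scheme, n, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n = int(n)
    except ValueError:
        return False  # malformed record; treat as no match
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=R, p=P, dklen=DKLEN)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than N.
    Call after a successful login and store hash_password(password) again."""
    return int(stored.split("$")[2]) < N


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                          # False
```

Two things the check in verify_password guarantees: the same password hashed twice never produces the same record (because the salt differs, so rainbow tables are useless), and a record made at a lower cost still verifies, which is what lets you raise N without a forced password reset.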
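To make the prepared-statement point concrete, here is an added example (not RunSignUp's code) that runs the same lookup both ways against an in-memory SQLite table with constructed rows and a constructed attacker string, and shows the output-encoding step that stops XSS. The table, rows and `render_greeting` helper are illustrative assumptions.

```python
# Added example (not RunSignUp's code): SQL injection vs. a prepared
# statement, plus output encoding for XSS. sqlite3 and html are stdlib.
import html
import sqlite3

# Constructed attacker input: closes the string literal and appends an
# always-true condition.
INJECTION = "' OR '1'='1"


def setup():
    """Constructed sample table: two users with (fake) password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return db


def find_user_vulnerable(db, email):
    """String concatenation: the input becomes part of the SQL grammar.
    Deliberately insecure, shown for contrast."""
    query = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def find_user_safe(db, email):
    """Prepared statement: the driver binds the input as data, so no
    quoting trick can change the shape of the query."""
    query = "SELECT email, pw_hash FROM users WHERE email = ?"
    return db.execute(query, (email,)).fetchall()


def render_greeting(display_name):
    """Encode at the point of rendering; this, not input sanitizing, is what
    keeps a stored name like <script>...</script> from executing."""
    return "<p>Hello, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    db = setup()
    print(find_user_vulnerable(db, INJECTION))  # every row, hashes included
    print(find_user_safe(db, INJECTION))        # []
    print(render_greeting('<script>alert(1)</script>'))
```

The vulnerable query turns into `... WHERE email = '' OR '1'='1'` and returns the whole table, which is exactly the "all user accounts and passwords" outcome described above; the parameterized version returns nothing because no user has that literal e-mail address.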
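The HTTP-to-HTTPS redirect is usually done at the load balancer or web server, but the same rule is simple to enforce in the application too. The following added example (not RunSignUp's code) is a plain WSGI middleware that 301-redirects any plain-HTTP request to the https:// equivalent and adds a Strict-Transport-Security header to HTTPS responses so browsers stop sending plain HTTP at all. The `hello` app, the hostnames and the environ dictionaries are constructed test fixtures.

```python
# Added example (not RunSignUp's code): force HTTPS in a WSGI application.

def force_https(app, hsts_max_age=31536000):
    """Wrap a WSGI app: redirect http:// to https://, add HSTS on https://."""

    def middleware(environ, start_response):
        # Behind a TLS-terminating load balancer the app sees plain HTTP and
        # learns the original scheme from X-Forwarded-Proto. Trust that header
        # only because the firewall rules above make the LB the app's sole
        # client; otherwise anyone could spoof it.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO",
                             environ.get("wsgi.url_scheme", "http"))
        if scheme != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security",
                 "max-age=%d; includeSubDomains" % hsts_max_age)]
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return middleware


def hello(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hi"]


def run(app, environ):
    """Minimal WSGI driver for testing: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed requests: one plain HTTP, one HTTPS, one HTTP-behind-LB.
HTTP_ENV = {"wsgi.url_scheme": "http", "HTTP_HOST": "registration.example",
            "PATH_INFO": "/race", "QUERY_STRING": "id=1"}
HTTPS_ENV = dict(HTTP_ENV, **{"wsgi.url_scheme": "https"})
FORWARDED_ENV = dict(HTTP_ENV, HTTP_X_FORWARDED_PROTO="https")

if __name__ == "__main__":
    secure = force_https(hello)
    print(run(secure, HTTP_ENV))
    print(run(secure, HTTPS_ENV))
```

A 301 is the right status for a permanent scheme change, and the HSTS header means a returning browser never issues the insecure request in the first place.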

Things like PCI compliance are typically highlighted on registration websites, and that is a baseline requirement for doing secure credit card processing. However, the list above is actually more important to implement.

Author: RunSignUp

RunSignUp is the leading innovator of online tools for race registration, race day solutions, and running clubs. Services include RunSignUp for registration, RunSignUp Go for Race Day, RunSignUp RD Go for Timers, RunSignUp Clubs to enable membership management, and RaceJoy for mobile experiences. More than 10,000 race directors, timers, running club officers and running stores use these services today, including leading organizations like the Boilermaker Road Race, Crim Festival of Races, Pittsburgh Three Rivers Marathon, Inc., Fifth Third River Bank Run, Blacklight Run, Bubble Run, Night Nation, Mercedes Marathon, Kentucky Derby Festival, Leone Timing, KC Running Company, Compuscore Timing, Knoxville Track Club, Pikes Peak Road Runners, Gulf Coast Runners, Columbus Running Company, Playmakers Running Store and many more. In 2015, over 10,000 races used the system to register more than 2.7 million participants. In 2016 over 14,000 races will use the system to process over 4.3 million paid registrations. Services are free except for processing fees when conducting monetary transactions such as race registration or club membership renewal. RunSignUp was founded by runners for runners, using technical capabilities to bring the power of cloud computing to benefit the running community. For more information, visit www.RunSignUp.com.
