Keeping Your Wild Apricot Account Secure

 

Although security threats are a fact of life in today's digital world, since the release of Wild Apricot in 2006 we have been constantly reviewing and improving our security processes.


Security Team

In order to provide information security, there is a dedicated group of specialists in Wild Apricot - the Security Team.

Wild Apricot's Security Team has extensive experience in finding vulnerabilities, allowing us to prevent threats before they occur. Applying both offensive and defensive security measures, we provide an integrated approach to Wild Apricot security on all levels.


Offensive security processes include:

  • Infrastructure penetration test.

  • Web application penetration test.

    Lock and key icon
  • Social engineering - in the context of information security, this refers to the psychological manipulation of people into performing actions or divulging confidential information.

  • Security intelligence - this is an integrated approach, with combined processes and methods of collecting and analyzing data related to the company's information security.

Defensive security processes include:

  • Security forensics - when a serious incident occurs, we start a security investigation.

  • Infrastructure security hardening.

  • Security monitoring (alerts and notifications).

  • Security review of all new features.

  • Security awareness trainings.

  • Security compliance (PCI DSS, GDPR).

  • Vulnerability management.

 

Wild Apricot Product Security

Before we release new features and functions, the Security Team always reviews their safety using OWASP Top 10 and OWASP Testing v3 methodologies. In case of any security flaws, the Security Team can postpone the publication of the feature until it gets fixed by developers.

In addition, the Security Team conducts penetration tests. This is an evaluation method where real-world hacker attacks are simulated in order to improve understanding of the system, to discover vulnerabilities, and to enhance security. Wild Apricot follows the testing processes described in NIST Special Publications 800-115 Technical Guide to Information Security Testing and Assessment.

In addition, we have also been working to develop special software - Security Operation Center - to automatically detect attacks and correlate security events from various systems (Windows, Linux, Network, Social).

Laptop icon 3

External and internal penetration tests are performed systematically. An external test should assess any unique access to the scope from the public networks, including services that have access restricted to individual external IP addresses. Both internal and external testing must include application-layer and network-layer assessments. External penetration tests must also include remote access vectors such as dialup and VPN connections. Upon completion of the analysis, the tester will generate a report that identifies system, network, and organizational vulnerabilities along with recommended mitigation actions.

The Security Team monitors all vulnerabilities that need to be fixed. When the vulnerability is fixed, the crew reviews it again. After a successful review, the Security Team approves the feature or function for release.

 

Your Data Belongs to You

Your personal data is yours and yours only. We pledge not to sell or transfer it. For more information on how Wild Apricot deals with your data, see our Privacy Policy.

In addition, we comply with the requirements of the GDPR. The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. This law is designed not only to protect the personal data of EU citizens, but also to increase the organization's level of responsibility. Any organization or service that keeps, uses, and stores personal data of EU citizens is affected by the law. Many of the GDPR requirements do not relate directly to information security, but in order to comply with this law, companies should review their existing security processes.

For more information about GDPR compliance, visit https://www.wildapricot.com/gdpr.

 

Special Attention to Your Payments

PCI DSS is the Payment Card Industry Data Security Standard (for more detailed information

Credit card iconvisit https://www.pcisecuritystandards.org/document_library). Complying with the requirements of this standard assures customers that their payment transactions will be secure. Wild Apricot complies with PCI DSS standard requirements. We do not store payment data of clients. We only transfer them to accredited payment gateways and monitor PCI Compliance of these gateways.

Servers conducting payment transactions (servers from which the payment data is sent) pass an annual certification for compliance with PCI DSS. WA successfully completed the evaluation on December 13th, 2017 and at the moment we are preparing for a new certification in 2018. For more information, please visit https://www.wildapricot.com/security-policy-overview.

 

mobile app screenYou Decide Who Has Access to Your Account

You decide who to grant administrative rights to, and what level of access to assign to each administrator. Do not provide administrator roles without a real need - try to limit access as much as possible to keep your account secure. For more information on access rights, and administrator roles, see https://gethelp.wildapricot.com/en/articles/50

 

Mobile App Security

We care about the security of Wild Apricot's mobile applications - the app for admins and the app for members. The Wild Apricot mobile applications interact with the API only using the secure HTTPS protocol. In this case, all access checks occur on the server side and the user can not assign authority. For detailed information about API access parameters, see https://gethelp.wildapricot.com/en/articles/484-api-access-options.

 

 

Company-wide Security

By default, we treat all client information as confidential and use common rules and recommended security requirements for the entire company. Here are just a few of them:

  • We are very cautious about confidential information on any channel. If we have any doubts, we communicate face to face or use a phone call.

  • Inside the company, we use special software to manage sensitive data and credentials. It allows us to store data without exposing them to the outside world through emails, text messages or any other vulnerable channels.

  • The Security Team monitors people's access to various data and internal systems. Access to all systems is granted to WA employees selectively depending on the tasks performed.

  • We are always looking for ways we can improve our security by trying to follow CIS's benchmarks - https://www.cisecurity.org/cis-benchmarks.

 

In Conclusion

The Security Team follows the standards of world class security practices and tries to apply them on all possible levels in WA security. We update, develop or completely re-create security processes whenever we find any shortcomings.


Search: WildApricot.com 

About results ( seconds) Sort by: 
Sorry, an error occured when performing search.