How can we help?
Security Features
MPS Mission Software is a fully hosted secure private cloud solution. We are penetration tested annually by every client and these tests are carried out by CREST certified companies that we have no association with.
They test for access to the systems and for the reliability of the system if accessed by a malicious user. In this document we have listed some of the features we are tested on and that we secure against.
Here are some examples of the type of security settings we have as standard:
| Security Feature | Description of how MPS handles this |
| Any Broken Authorisations | Access control checks are performed whenever a resource is requested to ensure the user is authorised to access the resource. For example: User Type “User” CANNOT create new Admin Users (OR ANY OTHER USERS) User Type “Guest” CANNOT create new Users or Admin users (OR ANY OTHER USERS) |
| Excel Formula Injection | We enforce appropriate user input sanitisation. Ensuring that no text field can begin with any of the following characters: =, +, -, @, / We have an administrator override to ban all Excel & CSV exporting. It is then not possible to create any EXCEL or CSV files from Mission (tblParameters “No EXCEL” must be set to TRUE). We also have a constant scanning SQL procedure that tests every single text or ntext field to find where the first character is a Special Character and edits/changes/removes it. We also scan all data imported into the system and cleanse prior to adding to live tables. |
| Insecure Direct Object Reference | Access control checks are performed whenever a resource is requested to ensure the user is authorised to access the resource. In url’s we encrypt all ID numbers & regularly rotate these codes to prevent anyone “working out” ID numbers. |
| Cross-site Scripting (Stored) | We sanitise all input and output by escaping common HTML tags, HTML entity encoding, script tags and special characters that an attacker may use. We prevent editing of Javascript code in forms. |
| Confidential data sent on URL | We transmit session tokens, such as HTTP cookies or hidden fields in forms using the POST method. We never store Usernames Passwords and other info in HTML headers. |
| Cookie SECURE Flag Not Set | We use the SECURE attribute in all cookies to track a user’s session. This ensures that it is not possible for the cookie to be transmitted over the insecure HTTP protocol. We always ensure that we set Cookie flags properly |
| SSL/TLS Vulnerabilities | We configure SSL/TLS settings to secure configurations and always upgrade to the latest version of SSL vendor software as soon as we can. |
