How does xMatters ensure security when integrating with a client's network?
- All versions of xMatters
At xMatters, we’re committed to developing high quality software. Our development teams use an Agile software development model and follow a Secure Software Development Life Cycle (SSDLC) approach. This involves integrating security testing, code analysis, peer review, and other controls into our existing development process.
- The integration platform (including Integration Builder, Flow Designer, and the REST API) has many features designed to improve integration security, provide more control over authentication, and track interactions between your applications and xMatters.
- The integration platform also offers different authentication options for inbound requests that can be set separately for each integration.
- For more detail, review the resource kit for integrators.
- You can build a workflow to transform incoming web requests (or signals) from an external application to take action in xMatters.
- These requests can be handled in the xMatters cloud, or run on your own system behind a firewall.
- xMatters offers different methods for authenticating incoming web requests, including URL authentication that allows anyone with access to an integration URL to trigger the integration. More secure, user-based authentication methods include Basic, API Key, or OAuth.
- For more detail, review our integration design overview.
Authentication and session management
- Standard REST APIs are authenticated via URL endpoints and no session is created. For data exchange with SaaS platforms, all data is transmitted over secure channels.
- Only users with defined integration capabilities can access credentials for the API, which are managed on the integration level and user role level. These credentials are stored in the integration configuration or in the user profile.
- User access control can be managed from a centralized web user interface admin console. xMatters has many tools to mitigate authentication issues. These include password complexity rules for users, SSO/SAML/OAuth authentication, lock out options for failed login attempts, password resets, and more. No client or user account is shipped with default credentials and a forced password change can be set upon first login.
- Session management consists of a high-entropy session identifier created upon login. The client data is encrypted within the lifecycle of the session, then the session identifier is destroyed and invalidated after logout. Our platform offers settings to configure session timeout duration from 5 to 60 minutes.
- xMatters has a number of controls to protect against XSS, XSRF, and DOS attacks. The development teams are mindful of the OWASP Top 10 web application security risks and work to minimize and mitigate these risks during the development phase.
- Data is protected in transit as xMatters uses TLSv1.2 & 1.3 protocols. This protects against snooping, replay and man-in-the-middle attacks.
- Clients renew API credentials periodically for both web service authentication and AES Encryption key for data protection from XML parsing, and XXE (XML external entity attack).
The xMatters Agent application and SaaS web user interface have active vulnerability management programs, including monthly static scans using Veracode Static Analysis
At xMatters, we continuously assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. For more information on our application development and vulnerability management, please contact firstname.lastname@example.org.