Vendor Sec Review: eTranscription Solutions

Status: VERIFIED FIXED
Product: mozilla.org
Component: Security Assurance: Review Request
Priority: --
Severity: major
Reported: 6 years ago
Last modified: 6 years ago
Reporter: Mary Trombley
Assignee: ygjb
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]

Description (Reporter, 6 years ago)

Here are the answers to your security questions for eTranscription Solutions. I don't know how satisfactory the answers will be. This vendor is a very small business. You may get additional information by calling the contact, Susan Burgess, at (740) 385-5994.

Overall:

Please describe the overall purpose of the system and how Mozilla data will be integrated

ETranscription Solutions uses a custom-built application designed specifically for secure and user-friendly transfer of files and transcripts between us and our clients. Your data will be managed through our username/password based system that will allow you to upload your files as well as download your completed transcripts.

Security Management:

Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.

I am not familiar with the OWASP standards, but our application is HIPAA compliant and uses a 256 encryption SSL for secure transfer of data as well as the most modern web technologies to ensure security.

Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?

No official security audit has been performed, but our application has been thoroughly tested by ETranscription Solutions as well as the company that built the application. It has been in use for several years and we have never had a security breach.

How do you protect Mozilla data that will be stored on your servers or within your applications?

All data is protected by 256-bit encryption, and all files are uploaded and downloaded through your unique username/password account with ETranscription Solutions. Only authorized administrators can access the files from our end.

How do you prevent other customers of your service from obtaining access to data provided by Mozilla?

All files are linked to the customer's unique account. Only files and transcripts associated with their unique account are displayed.

What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?

I may not be understanding this question due to our high volume of work; however, we have never had this happen and we take every measure to ensure that this does not happen. We would let you know; however, we've never had this happen.

Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.

No.

What other large engagements/clients have you supported with this application?

We do not disclose our clients' names.

Technical Design:

Do you support full SSL communication for all inbound and outbound communications?

Yes, the entire site is protected by a 256-bit SSL connection.

Describe the technology stack of the application and infrastructure. What options do you support for authentication? (username/password, certificate based authentication, secret token)

Our application resides on a Linux server running the LAMP stack (Linux, Apache, MySQL, and PHP). All server access and database access is secure and protected by usernames/passwords.

Do you use third party servers or do you host the servers yourself?

We host our application on third-party servers; however, this has never caused any security breaches or data loss.

Do you use any third party services or communicate with any third parties from this application?

No. The entire application is self-contained. There is no communication with outside sources from our server that affects the application.

Security Verification:

Will testing of the running application be possible?

Yes, you can test the upload and download system before sending real data. Please let us know if you would like us to establish an account for you.

Will source code for their application be available?

Feel free to ask any specific questions about the source code. Code snippets can be provided if necessary.
Whiteboard: [pending secreview] → [pending secreview][triage needed 2012.07.18]
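The vendor's answer on customer separation says that only files associated with the logged-in account are displayed. The check a reviewer would want to confirm on a LAMP application like the one described is that the same ownership rule is enforced on the download request itself, not only when the file list is rendered. The following is an added illustration of that server-side check and is not the vendor's code; the `$pdo` connection, the `files` table and its columns, and the `account_id` session key are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumptions: a PDO connection $pdo,
// a `files` table with columns id, account_id, storage_path, original_name,
// and the authenticated account id stored in $_SESSION['account_id'].
declare(strict_types=1);

function fetchOwnedFile(PDO $pdo, int $fileId, int $accountId): ?array
{
    // Binding both the file id and the session's account id in the lookup
    // means a file that belongs to another account simply does not exist
    // from this account's point of view; there is no separate "is owner"
    // branch that a later code change could forget to call.
    $stmt = $pdo->prepare(
        'SELECT storage_path, original_name FROM files WHERE id = :id AND account_id = :acct'
    );
    $stmt->execute([':id' => $fileId, ':acct' => $accountId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function serveDownload(PDO $pdo, string $storageRoot): void
{
    session_start();
    if (empty($_SESSION['account_id'])) {
        http_response_code(401);   // not logged in: no file lookup at all
        exit;
    }
    $fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($fileId === null || $fileId === false) {
        http_response_code(400);   // missing or non-integer id
        exit;
    }
    $file = fetchOwnedFile($pdo, $fileId, (int) $_SESSION['account_id']);
    if ($file === null) {
        // Same response whether the id is unknown or belongs to another
        // account, so the download endpoint does not reveal which ids exist.
        http_response_code(404);
        exit;
    }
    // Serve from the stored path under the storage root; basename() keeps a
    // stored value from ever pointing outside that directory.
    $path = $storageRoot . '/' . basename($file['storage_path']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode($file['original_name']) . '"');
    readfile($path);
}
```

The same pattern applies to the transcript download and to any delete or rename action: every request that names a file id must carry the account id into the query.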
Comment 1 (Reporter, 6 years ago)

Hi, hiring this vendor is a critical part of our project, which is due to start in less than two weeks. Can we increase the priority for the review? Sorry, I should have made the priority higher when I opened the bug.
Severity: normal → major
Comment 2 (Assignee, 6 years ago)

Hi Mary,

I will contact you tomorrow morning to discuss the project.
Assignee: nobody → yboily
Comment 3 (Reporter, 6 years ago)

Yvan, can you close out this bug please? It's standing in the way of the vendor being paid.
Keywords: sec-review-needed
Whiteboard: [pending secreview][triage needed 2012.07.18] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Updated (Assignee, 6 years ago)

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED