Coursedog

Coursedog Security

Data Protection and Accessibility

  • All customer data within Coursedog belongs to the Customer. This includes all schedule content, whether text-based content or data that we store in our database. The Customer can request a copy of all data, including archived catalogs.
  • Coursedog will maintain audit logs of all requests sent to production applications for a minimum of 6 months. These logs will include the resource requested, source IP, HTTP referrer and HTTP user agent. Access log data will be provided to the client’s administrative contact upon request.
  • Upon termination of our Software as a Service agreement, all data will be turned over to the Customer in tab-delimited or comma-delimited format.

Compliance

  • Coursedog does not require, nor request, any FERPA-protected data.
  • Coursedog is in full compliance with GDPR, WCAG 2.0 and OWASP guidelines.

Connection Security

  • Coursedog uses HTTPS to encrypt traffic between the web server and the user’s browser. We do not serve any resources over insecure HTTP.
  • Coursedog uses HSTS (HTTP Strict Transport Security) to ensure that browsers will only allow opening a secure connection to our servers. This protects against protocol downgrade and cookie hijacking attacks.
  • Coursedog supports almost all University-supported authentication techniques and prefers Shibboleth/CAS single sign-on.

Data Security

  • Our database is encrypted with AES-256, an industry-standard encryption algorithm.
  • Coursedog uses bcrypt, a widely used password hashing function, to hash and salt all passwords before putting them in our database. Use of a one-way hash function ensures that in the event of a data breach, the original passwords cannot be recovered. No Coursedog employee will have access to your original plaintext passwords. Password salting protects against rainbow table attacks by appending a random string to each user's password, so a potential hacker could neither determine whether any two passwords are the same nor create a lookup table of the hash values for common passwords.
  • We encrypt all user information before we store credentials in our database.
  • Coursedog uses randomly generated session tokens to identify users, which are sent over HTTPS in every request so we can ensure that data is only accessible by users with the correct privileges. We implement session timeouts consistent with industry best practices.
  • Our database and database backups are managed by MongoDB, a reputable industry leader. Only our servers are IP whitelisted to access the database, and the connection between our server and database is encrypted. Coursedog takes advantage of MongoDB's expertise in creating a strong security profile.
  • Coursedog takes security extremely seriously and exceeds guidelines and standards for security. Coursedog maintains a set of internal security standards for its database, set by Coursedog's CTO. Our internal policies strictly limit which employees have access to anonymized production data, on an as-needed basis. Specifically, access to the production database requires approval and oversight from the CTO, Senior Backend Engineer or Senior Frontend Engineer.

Security By Design

  • Coursedog has built its software and database with security at the forefront. We know the importance and fragility of data. Coursedog's web solutions are constructed to be as resilient as possible to common attack vectors.
  • Where possible, defenses against attacks are incorporated directly into the design. For example, use of MongoDB maintains a separation of the data in the query from the query itself, making an SQL-injection-type attack fundamentally impossible. Our use of a REST API is beneficial because session state information is not stored on the server, mitigating state-based attacks.
  • Coursedog's web-based design is an important reason why our solutions can be fundamentally more secure than our competitors'. Coursedog never requires clients to install custom software to access our products. By running in the browser sandbox, our software by default runs with extremely limited privileges, unlike an installed executable. Modern browser sandboxes have been tried and tested for many years and are used by millions of people to protect their computers from malicious actors while on the web. In a web browser sandbox, Coursedog cannot access confidential local files or install viruses or keyloggers on the Customer's machines, even if the system were compromised. This design isolates the Coursedog system from the rest of our Customers' networks.

Security Management

Coursedog takes a proactive approach to detecting potential vulnerabilities so that we can mitigate them before they are exploited. We monitor disclosed vulnerabilities in technologies used by our backend servers and in browsers used by our Customers. We also maintain an open line of communication with all of our Customers to address any concerns.

If a vulnerability is found, we follow a three-step process to mitigate damage.
  • We evaluate the issue and determine how it could affect our system.
  • We attempt to replicate the issue and ascertain whether any data is at risk.
  • If the issue is easily resolvable, we resolve it. If the issue is only resolvable by the Customer, i.e. with a browser update, we immediately notify those responsible, summarizing the risks and our recommended resolution. If we cannot resolve the issue in a timely fashion, we will manually shut off access to the at-risk features to protect data until a suitable resolution can be found.
We look forward to working with the Customer to streamline its academic scheduling process.