Security & Hosting

Safety Measures

When upgrading the server hardware, all hard drives are magnetically destroyed and the internal hard drive platters are shredded.

External Attacks

External attacks, like DDoS attacks, are detected and mitigated efficiently when they occur ensuring a minimum of downtime.

Authentication

The application uses Windows Forms Authentication. All users must log in to the system using a unique username and password. Once their login attempt is successful an “AuthenticationToken” (AT) is created for their user session. This AT indicates precisely which permissions the user has in the system.

On any request for a page or control it is verified that the AT has permissions to see the requested content. If not, the user is immediately logged out from the system and given the message that access was denied.

This ensures that:

1. Users are only able to see eRFxs, contracts, supplier data and eAuctions from within their own organization
2. Suppliers are only able to see information that is related to the Event they are invited to and they never see private information entered by the event manager
3. Spectators and stakeholders can only see information on the event or contract to which they are invited

Encryption

All sensitive data is stored encrypted in the database. Each customer has their own unique encryption key which ensures one customer cannot access another customer’s data. The encryption is performed using industry standard encryption.

General Security

All database access is performed through the ORM framework or a secure query engine, eliminating the risk of SQL injection attacks.

Most user input is generally encoded so it can be displayed safely. This protects against cross-site scripting or JavaScript injection attacks. Where the user is able to enter rich text input, the resulting mark-up is sanitized.

All requests are validated for correct rights before data is returned or modified.

Penetration Testing

A yearly penetration test is performed by nSense, a highly skilled security company, and any findings are corrected immediately. nSense is certified by the PCI Security Standards Council as an Approved Scanning Vendor, Qualified Security Assessor and Payment Application Qualified Security Assessor. The latest summary is available to customers upon request.

Quality Assurance and Security Testing

Before any change is made in the Scanmarket strategic sourcing platform, the complete change is verified by highly qualified Quality Assurance Personnel ensuring highest possible stability and security in the application. The security testing includes, but is not limited to, testing against malicious requests and malicious input, including possible cross-site scripting attacks.

Test Environment

Scanmarket has a testing and a staging platform that is 100% disconnected from the live servers, so no customer data is available at the test setup. All new features are tested first on the test server and later on the staging server before they are released into production.