This Knowledge Base article provides information on Neverfail's policy regarding cyber security. UPDATED: 4/1/2022
Neverfail takes security very seriously. In light of many of the news worthily incidents (and the thousands more we don’t hear about) surrounding trojan horse hacks and ransomware, Neverfail continues to tighten its security posture with its software.
Neverfail Continuity Engine provides users with the highest level of protection that enables IT administrators to recover from continuity events very quickly. Neverfail's approach is two fold:
Recovery from Malware and Ransomware
Neverfail Continuity Engine establishes a process to ensure IT administrators can recover from malware and ransomware attacks due to its cluster architecture. Continuity Engine firewalls each node in the cluster. This means the Neverfail Channel connection is restricted to only Continuity Engine communications like replication, application and system monitoring. It also provides robust data rollback module on each node in the cluster to ensure corrupted data is protected and recoverable on each firewalled node. This is a core value proportion of Continuity Engine where it protects the most critical applications.
Third Party Software
Neverfail Continuity Engine uses 3rd party software resources such as Apache Tomcat
web services. Neverfail periodically upgrades Tomcat services in its production releases. This ensures we have the latest security patches available. Although our product releases do not coincide with Apache Tomcat, every effort is made to update Continuity Engine to reflect the latest security fixes.
In addition, Neverfail using OpenJDK in its core. Java is the primary automation tool Continuity Engine uses for orchestration of failover tasks. Achieving our acceptable/targeted/minimal baseline security standards includes periodic upgrades its distribution of OpenJDK. Each upgrade includes patches for security vulnerabilities.
Neverfail Continuity Engine also uses Apache Log4j which has been recently upgraded to remediate (CVE-2021-44228).
Due to the fact that 80% of Continuity Engine core functions are centered around OpenJDK and that Continuity Engine limits storage of credentials, penetration testing is limited to once per year or at a major version release. We do not disclose the results of those test for security reasons. As mentioned, security vulnerabilities are remediated via periodic upgrades from OpenJDK and Apache Tomcat and Log4j.
Two Factor Authentication
In the near future, Continuity Engine will integrate two factor authentication and eventually MFA into the Engine Management Service (EMS). This will add industry wide best practices for securing user level authentication to Continuity Engine.
Neverfail strive to secure our product while in development. We limit who as access to source code and build repositories. Strict security protocols are enforced. We also support stringent log management policies in our engineering department to properly audit access and provide accountability.
For more information on what is supported, please view the Continuity Engine Release Notes
. You will find the security information in the section “OpenJDK and Apache Tomcat versions”. If you have questions, please feel free to open a ticket with Neverfail Support at firstname.lastname@example.org.