Neverfail Security Policy Regarding Engine

Neverfail Security Policy Regarding Engine

Summary

This Knowledge Base article provides information on Neverfail's policy regarding cyber security. UPDATED: February 2026.

More Information

Neverfail takes security very seriously. In light of many of the news worthily incidents (and the thousands more we don’t hear about) surrounding trojan horse hacks and ransomware, Neverfail continues to tighten its security posture with its software.

Neverfail Engine provides users with the highest level of protection that enables IT administrators to recover from continuity events very quickly. 

Latest Security Updates and Fixes for OpenJDK and Apache Tomcat

Compliance - SBOM

  1. SBOM is now available for this release to provide transparency into the bundled components and their dependencies. 
    1. Downloadable SBOMs (CycloneDX) are available in EMS for current GA version of Engine components.  
    2. Added missing component supplier information (required by NTIA).
    3. Added verification pack containing the digital signatures and public key required to verify the integrity and authenticity of the Engine SBOMs.

Recovery from Malware and Ransomware 

Neverfail Engine establishes a process to ensure IT administrators can recover from malware and ransomware attacks due to its cluster architecture. Engine firewalls each node in the cluster. This means the Neverfail Channel connection is restricted to only Engine communications like replication, application and system monitoring. It also provides robust snapshots / data rollback module on each node in the cluster to ensure corrupted data is protected and recoverable on each firewalled node. This is a core value proportion of Engine where it protects the most critical applications.

Harden Engine

Engine provides the tools you need for almost immediate recovery from ransomware. Just follow the hardening recommendations detailed here: How to Use Engine For Ransomware Mitigation.

Snapshots / Data Rollback

Neverfail Engine’s Snapshots (also known as Data Rollback Module) helps avoid problems associated with corrupt data, by enabling data rollback to an earlier snapshot (shadow copy) / point-in-time, if data corruption occur. Snapshots feature configuration is explained in How to Setup Data Snapshots / Rollback for Neverfail Engine.

Third Party Software 

Neverfail Engine uses 3rd party software resources such as Apache Tomcat web services. Neverfail periodically upgrades Tomcat services in its production releases. This ensures we have the latest security patches available. Although our product releases do not coincide with Apache Tomcat, every effort is made to update Engine to reflect the latest security fixes.

In addition, Neverfail using OpenJDK in its core. Java is the primary automation tool Engine uses for orchestration of failover tasks. Achieving our acceptable/targeted/minimal baseline security standards includes periodic upgrades its distribution of OpenJDK. Each upgrade includes patches for security vulnerabilities.

Neverfail Engine also uses Apache Log4j which has been upgraded to remediate CVE_2021_44228.

Due to the fact that 80% of Engine core functions are centered around OpenJDK and that Engine limits storage of credentials, penetration testing is limited to once per year or at a major version release. We do not disclose the results of those test for security reasons.  As mentioned, security vulnerabilities are remediated via periodic upgrades from OpenJDK and Apache Tomcat and Log4j.

HSTS Enablement

HTTP Strict-Transport-Security (HSTS) is now enabled by default in Engine Management Service. Supported older versions of Engine may enable it as described in  How to enable HTTP Strict-Transport-Security (HSTS) in Engine Management Service.

Encryption

Encryption was updated to latest strongest standard commercially available today.

Two Factor Authentication

In the near future, Engine will integrate two factor authentication and eventually MFA into the Engine Management Service (EMS). This will add industry wide best practices for securing user level authentication to Engine.

Code Access

Neverfail strive to secure our product while in development. We limit who as access to source code and build repositories. Strict security protocols are enforced. We also support stringent log management policies in our engineering department to properly audit access and provide accountability.

Additional Information 

For more information on what is supported, please view the Engine Release Notes. You will find the security information in the section “OpenJDK and Apache Tomcat versions”. If you have questions, please feel free to open a ticket with Neverfail Support at support@neverfail.com.

Applies To

Neverfail Engine


    • Related Articles

    • Neverfail Engine 21 Release Notes

      Summary The following information applies to the v21 release of Neverfail Engine. Engine 21.0 This release supersedes Engine v20. What's New Just "Engine" Starting v21, the official product name is Engine. Neverfail Engine. Engine Upgrade Safety ...

    • Neverfail Engine 20 Release Notes

      Summary The following information applies to the v20 release of Neverfail Engine. Engine 20.0 This release supersedes Engine v19. What's New Windows Server 2025 Support OS version detection improvements. Supported deployment of Engine components: EMS ...

    • Neverfail Continuity Engine v10 Release Notes

      Summary The following information applies to the v10 release of Neverfail Continuity Engine. Neverfail Continuity Engine 10.1 This hotfix release supersedes Neverfail Continuity Engine v10.0. Fixes [EN-6024]: [LogCollector] - LogCollector crashes ...

    • Neverfail Continuity Engine 18 Release Notes

      Summary The following information applies to the v18 releases of Continuity Engine. Continuity Engine 18.1 This fix release supersedes Neverfail Continuity Engine v18.0. What's New More Secure v18.1 is updated to Apache Tomcat 9.0.106 which addresses ...

    • Neverfail Continuity Engine 19 Release Notes

      Summary The following information applies to the v19 release of Continuity Engine. Continuity Engine 19.0 This release supersedes Continuity Engine v18. What's New Windows Server 2025 Support Supported deployment of Continuity Engine components: EMS ...