Log4j and General Security Practices

Hi Matt and Jay -

With the security world on high alert due to deficiencies in log4j (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), can you please comment whether log4j is used anywhere within Indigo 7.5 or later, whether the app or reflector service?

Additionally, I am eyeing migrating from 7.5 to 2021.2. My biggest hesitation is the reflector service. While I understand that backhauls from the reflector service to the end-user are TLS encrypted, I am interested to understand additional details about security practices you have put in place to help ensure safety and security of your hosted servers and services. Any details you can share are appreciated, including security procedures, patching policies, change control, exploit / disaster management, etc.

Thanks!

Adam

[jay (support)]

We doesn't use Java in any capacity in the Indigo product itself or on our backend servers, so there's no issue there.

We use industry best practices for security on our hosted systems and apply all security patches available. We have tightly controlled our hosted servers in terms of services/ports and our hosted systems use a variety of packages to monitor and protect against intrusions.

Just FYI, we've never had any intrusions on our backend servers (knock wood) and we haven't had any reported intrusions of Indigo Servers.