Published by Steve Close on Jun 12, 2019 6:30:00 PM

VividCortex Achieves SOC 2 Type II Certification

We are pleased to announce that VividCortex has successfully completed SOC 2 Type II certification. This reaffirms and advances our ongoing commitment to protecting our customers, and by extension their customers. Where a Type I report attests that controls were suitably designed and implemented at a point in time, a Type II report also attests that those controls operated effectively over the review period. The report is the result of another intensive effort by our dedicated security team, which provided the evidence our auditors needed to examine our processes and controls. As with our first audit, the process was clean and uneventful, and the result was fully successful.

Published by Samantha Toet on Jun 1, 2018 4:26:17 PM

Monitor Critical Databases Confidently with the Sensitive Data Vault

Building extremely deep monitoring as a SaaS product has a drawback: we capture too much data for some customers’ compliance requirements. As a result, some companies have been unable to deploy us, or have had to redact data before sending it to our cloud platform. To address this, we built the Sensitive Data Vault, a highly secure, completely on-premises storage module for the most critically private data that must never leave the customer’s firewall.

Published by Steve Close on Dec 13, 2017 3:59:24 PM

Committed To Security: VividCortex and SOC 2 Type 1

Security has always been a priority at VividCortex, and we have architected and built our product for security from the beginning, regularly conducting exercises such as third-party penetration tests and code reviews. Today we are pleased to announce that VividCortex has successfully completed SOC 2 Type I certification. The report comes after an intensive (and completely successful) auditing process and is tangible, transparent proof of our commitment to customer protection.

SOC 2 compliance is neither an easy process nor a useless one. Most of us at VividCortex have worked in companies that were subject to various types of security requirements. What we like most about SOC 2 is that it's sensible and legitimate: the requirements are common-sense but rigorous things you must actually do to be secure. A SOC 2 Type I report attests that VividCortex's controls were suitably designed and implemented, as of a point in time, to meet the Trust Services Criteria for Security, Availability, Processing Integrity and Confidentiality; whether those controls operated effectively over a period is what a Type II report covers.

Published by Baron Schwartz on Jul 31, 2017 10:17:00 AM

How We Encrypt Data In MySQL With Go

A SaaS product needs security measures you might not ordinarily use in an on-premises solution. In particular, all sensitive data must be secured, and encryption plays a central role in that. At VividCortex, we encrypt data in flight and at rest, so that sensitive data is not exposed either on the wire or in storage.

Published by Alex Slotnick on Oct 17, 2016 2:41:18 PM

Smart RBAC and SSO Implementation Improves Security, Management, and Workflow

VividCortex's recent introduction of two important product features—Role-Based Access Control (RBAC) and Single Sign-On (SSO)—gives us the opportunity to initiate a conversation about topics that are relatable to anybody at a modern-day company or organization: security, workflow, and effective management. How can a powerful monitoring solution improve the way an organization operates while also making the way it handles data safer?

Published by Kelsey Uebelhor on Oct 13, 2016 9:45:57 AM

New User Security and Compliance Enhancements with RBAC and SSO

We’re thrilled to announce a brand new set of capabilities available in VividCortex that address an ongoing challenge for users, and engineering and application team managers alike – provisioning and managing users.

While users have come to expect powerful database monitoring insights and visibility from VividCortex, we’re now matching those high standards in how we meet the needs of enterprises in compliance, security, and user management.

Published by Alex Slotnick on Jul 28, 2016 4:02:59 PM

SQL Injection Detection and Alerting are Vital For Secure Data

The recent Mossack Fonseca “Panama Papers” hack is the latest security breach to drive home how much of an impact an SQL injection can have on modern-day organizations. Although that hack ultimately revealed massive professional fraud by companies and governments around the world, it also involved the exposure of 11.5 million confidential documents, 2.6 terabytes of data in all. It was a powerful reminder that the history of web-based business has been riddled with SQL injections, which remain common and potentially devastating to organizations.

Published by Alex Slotnick on Jun 9, 2016 12:11:13 PM

VividCortex's SQL Injection Detection

For data-driven applications, security is of absolute importance. Virtually all modern tech-driven organizations must treat the protection of sensitive information as an imperative. At VividCortex, we know that our customers value the premium we put on data security, along with the specific defenses we have in place that keep their data out of the wrong hands.

Published by Baron Schwartz on Jan 21, 2015 3:18:00 AM

Securing JSON APIs with Wrapper Objects

At VividCortex, security is a top priority. Leading companies such as Zappos, Dyn, and Etsy use our cloud-based database performance management service to monitor MySQL in production. We have designed for performance, isolation, and security from the start.

Even small decisions can make a big difference. One of those micro-decisions is making all of our APIs return a top-level object in JSON, never a top-level array. This is to avoid an old, obscure, unlikely, but still possible JSON security vulnerability.

If you have never heard of JSON security vulnerabilities, you should go read Anatomy of a subtle JSON vulnerability before continuing.

Now that you’ve read that, you know a lot more than most people about JSON and security! In short: a JSON response whose top level is an array is also a valid JavaScript program, so a malicious page could load an authenticated API endpoint with a script tag and, in browsers that let a page redefine the Array constructor or add setters to Object.prototype, read the values out of the response. A top-level object, by contrast, is not a valid script and never executes. Modern browsers have fixed the underlying vulnerability, but older browsers are still in use, so even though it’s slightly less convenient, we think it’s still important not to leave this potential hole open to exploit.

What does this look like in practice? It simply means that APIs that return lists of objects wrap the list in a top-level object. For example, suppose you have a Person data type in your API. If you GET a single Person, you might end up with the following JSON response:

{ "name": "John Smith" }

All’s well so far. But what if you want a list instead of a single one? The most intuitive way might be as follows:

[{"name": "John Smith"}, {"name": "Jane Smith"}]

But that’s exactly the situation we need to avoid. As a result, all of our APIs at VividCortex use a top-level object for lists such as this, with a single data property:

{"data": [{"name": "John Smith"}, {"name": "Jane Smith"}]}
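The following is an added example, not code from the original post or from VividCortex. It checks, in JavaScript, why the bare list above is executable as a script while the wrapped one is not, re-creates one historical capture technique to show that modern engines no longer leak through it, and shows an encode/decode pair that enforces the top-level-object convention on both sides. The function and constant names are ours, and the sample responses are constructed to match the shapes discussed above.

```javascript
// Added example, not VividCortex code. Names and samples below are ours.

// Constructed sample responses, matching the shapes discussed in the post.
const SINGLE_PERSON = '{ "name": "John Smith" }';
const BARE_LIST = '[{"name": "John Smith"}, {"name": "Jane Smith"}]';
const WRAPPED_LIST = '{"data": [{"name": "John Smith"}, {"name": "Jane Smith"}]}';

// Does the response body parse as a JavaScript program?
// That is the precondition for the old cross-site read: an attacker's page
// includes the victim's authenticated API URL in <script src="...">, and the
// browser parses the body as script. A bare array literal is a valid
// expression statement. A top-level object literal is parsed as a block
// statement, where `"name": ...` is a syntax error, so it never runs.
// new Function(...) parses the body without executing it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Re-creates one historical capture technique: a setter on Object.prototype
// for a key the response is known to contain. In the affected browsers,
// evaluating the array literal fired the setter for every object it built.
// Modern engines define literal properties directly (no setter lookup), so
// this returns [] even for the bare list; the parse-level check above is what
// still distinguishes the two shapes today.
function captureViaPrototypeSetter(body, key) {
  const captured = [];
  Object.defineProperty(Object.prototype, key, {
    set(value) { captured.push(value); },
    configurable: true,
  });
  try {
    if (parsesAsScript(body)) new Function(body)();
  } finally {
    delete Object.prototype[key];
  }
  return captured;
}

// Server side: every response is a top-level object. Arrays are wrapped
// under a single "data" property; objects pass through unchanged.
function encodeResponse(value) {
  const payload = Array.isArray(value) ? { data: value } : value;
  if (payload === null || typeof payload !== 'object') {
    throw new TypeError('API responses must be JSON objects');
  }
  return JSON.stringify(payload);
}

// Client side: refuse anything that is not a top-level object, so that a
// server regression back to bare arrays is caught at the consumer.
function decodeResponse(text) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('refusing non-object top-level JSON');
  }
  return parsed;
}

console.log(parsesAsScript(SINGLE_PERSON)); // false
console.log(parsesAsScript(BARE_LIST));     // true
console.log(parsesAsScript(WRAPPED_LIST));  // false
console.log(encodeResponse([{ name: 'John Smith' }, { name: 'Jane Smith' }]));
```

The parse check is the one that matters: the single object and the wrapped list both fail to parse as a program, and only the bare list succeeds, which is exactly the property an attacker's script tag would need. Wrapping on the server and rejecting bare arrays on the client means the convention is enforced rather than merely documented.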

Some people object to this; it seems inherently wrong to them. Our view is that security trumps elegance, and it’s not a big deal for consumers of the API to look for a nested list instead of a top-level list. Developing a large-scale service-oriented application involves making lots of decisions, many of which include tradeoffs. Here are a few resources you may find interesting:

What do you think of this convention and the underlying security concerns? Leave your suggestions and thoughts in the comments!

Published by Baron Schwartz on Dec 1, 2014 2:57:00 AM

Running VividCortex Via An HTTP Proxy

Many of VividCortex’s customers have strict policies about Internet access from and to their database servers. As a longtime consultant who worked on many servers that lacked a direct connection to the Internet, I anticipated this. Since the beginning, VividCortex has been designed to work in deployment scenarios without requiring direct Internet access, and requiring no inbound access at all.
