A commitment to security

Posted on May 25, 2019 by Jonathan Reinink

Without a question, the biggest concern when congregations first switch to Church Social is the safety and privacy of their membership records. It can be uncomfortable moving records from their own control, often a file on their own computer, up to “the cloud”, some random computer somewhere in the world.

Of course, doing this has huge benefits to the church, which is why more and more churches are making this move. But it does require churches to ask the question: “Are our membership records safe?” Church records, after all, typically include a lot of personally identifiable information (PII).

In reality, even churches who keep their data offline are often much more online than they realize. For example, many church administrators backup their files to Dropbox, Google Drive, Microsoft OneDrive, or Apple iCloud. Plus, emailing membership reports and data between church members and committees is common practice. As churches, we need to be aware of how this data is being used, and do our best to keep it safe.

Church Social takes our role in this process extremely serious. Which is why we’ve taken three key steps to ensure the ongoing safety of our customer’s data.

1. Ground-up application rewrite

The first step happened early last year when we completed a ground-up rewrite of Church Social. The previous iteration of the app was almost seven years old, and was built on dated technology. We wanted to start over, making security a priority at every layer of the application.

Church Social now uses a highly reputable, industry leading server-side web framework, called Laravel, which follows modern best security practices, especially when it comes to user authentication, authorization, session management, password hashing and encryption.

The benefits of using a popular framework like Laravel are enormous. It’s been installed millions of times, and is contributed to by thousands of developers around the world. This ultimately leads to a battle-hardened software platform that we can trust deeply to build our product on top of.

2. New hosting infrastructure

The next step was an improvement to our hosting infrastructure. There are two main attack vectors on any given website: the application, and the server it’s being hosted on. Both need to be rock solid in order for the entire system to be secure.

And, while our previous hosting provider was fantastic, their business model wasn’t right for us. They provided us with a barebones server, which we then had to maintain ourselves. That meant installing software, running security updates, managing backups, etc. It meant that we had to be both application security experts, and web hosting security experts at the same time. That was more responsibility than we felt comfortable with.

When the redesign was launched, our hosting was also moved to a new provider called Heroku. Besides being an industry leading hosting provider, known for hosting some of the Internet’s biggest brands, they also offered a whole extra level of service. Instead of simply providing us with a server that we were responsible for managing, Heroku manages the entire hosting infrastructure. They install software, they run updates, they deal with critical security vulnerabilities that arise, and handle backups.

Put simply, Heroku has allowed us to focus all our efforts on building Church Social, knowing that our web servers are safe with them.

If you’re interested in learning more about Heroku’s security practices, you can do so on their website, here.

3. Third-party security audit

The third step happened earlier this year, when we contracted the Digital Boundary Group, a web security firm located in London, Ontario to do a complete web application penetration test on Church Social. This is something we’ve wanted to do for quite some time but, frankly, is quite expensive. With thankfulness we were able to make this investment into the product in March.

We were pleased with the results of the audit, which found no critical vulnerabilities. Digital Boundary Group did make a number of recommendations, many of which we’ve already implemented. Put simply, Church Social has never been more secure.

Looking to the future, we intend to do more security audits, as technologies change, and as new features are added to the app. Web application security isn’t an item we can check off our list and be done with. Rather it’s become an integral part of our ongoing development process and business.

If you’d like to learn more specifics about our security practices, please visit our security page.