Security FAQ

Does Jive Software access data from my public cloud instance?

Jive Software aggregates data from our public cloud customer instances. The kinds of data we collect include usage statistics, user travel patterns, adoption statistics, and other anonymous information. Among other things, this information helps us to make decisions about future product development and improvement. In addition, your contract sets forth how we protect your user-generated content (i.e., we access this data solely to provide support and other services to you as you request).

How does the application prevent cross-site request forgeries (CSRF) using request-based tokens?

Every form in the application that can change data carries a CSRF token that is unpredictable, issued by the server, and scoped to the individual request. The server requires the token on any request that can change data and checks it against the value it issued; if the token is missing, has already been used, or does not match, the HTTP request fails.
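As an added illustration of the request-scoped token scheme described above (example code written for this FAQ, not Jive's implementation), the class below mints a single-use token per rendered form, binds it to the server-side session, and rejects state-changing requests whose token is missing, forged, borrowed from another session, or replayed. The `CsrfGuard` name, the `csrf_token` field name, and the session identifiers are assumptions made for the example.

```python
import hmac
import secrets

# HTTP methods that can change state and therefore must carry a token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfGuard:
    """Per-request (single-use) CSRF tokens bound to a server-side session.

    Hypothetical helper written for this FAQ; it is not Jive code.
    """

    def __init__(self):
        # session_id -> set of tokens issued but not yet consumed
        self._outstanding = {}

    def issue_token(self, session_id):
        """Mint a fresh unpredictable token for a form rendered in this session."""
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def hidden_field(self, session_id):
        """Markup for the hidden form field that carries the token back to us."""
        return '<input type="hidden" name="csrf_token" value="%s">' % self.issue_token(session_id)

    def check_request(self, session_id, method, form):
        """Return True if the request may proceed, False if it must be rejected.

        Safe methods pass without a token; state-changing methods must present
        a token that was issued to this session and has not been used before.
        """
        if method.upper() not in STATE_CHANGING:
            return True
        submitted = form.get("csrf_token")
        if not submitted:
            return False
        outstanding = self._outstanding.get(session_id, set())
        # Constant-time comparison against each token still valid for the session;
        # a token issued to a different session is simply not in this set.
        matched = None
        for token in outstanding:
            if hmac.compare_digest(token.encode("utf-8"), submitted.encode("utf-8")):
                matched = token
                break
        if matched is None:
            return False
        outstanding.discard(matched)  # single use: replaying the same token fails
        return True


def demo():
    """Walk through the accept/reject cases and return them as a dict."""
    guard = CsrfGuard()
    victim, attacker = "sess-victim", "sess-attacker"   # constructed session ids
    token = guard.issue_token(victim)
    return {
        "get_without_token": guard.check_request(victim, "GET", {}),
        "post_without_token": guard.check_request(victim, "POST", {}),
        "post_forged_token": guard.check_request(victim, "POST", {"csrf_token": "A" * 43}),
        "post_other_sessions_token": guard.check_request(
            victim, "POST", {"csrf_token": guard.issue_token(attacker)}),
        "post_valid_token": guard.check_request(victim, "POST", {"csrf_token": token}),
        "post_replayed_token": guard.check_request(victim, "POST", {"csrf_token": token}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-26s %s" % (case, "allowed" if allowed else "rejected"))
```

Because the token is never sent in a cookie, a cross-site form post made by the victim's browser carries the victim's session cookie but cannot supply a matching token, which is the property the check relies on.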

Are web services tested?

Yes. All web services are tested as part of an automated monthly security scan process.

Why do you zip or compress certain types of files when a user uploads them to Jive?

Internet Explorer (IE), particularly older versions, has a known weakness here. IE may attempt to display or execute a file even when the web server sends a Content-Disposition: attachment header telling the browser to download rather than render it. This behavior, known as "content sniffing" or "MIME sniffing," lets an attacker upload a file that looks benign (for example, an MS Word document) but actually contains malicious HTML. When an IE user opens the attachment, IE inspects the leading bytes of the file, decides it is HTML, and renders it in the browser, under the site's own origin, instead of opening it with MS Word. If the file is zipped, there is nothing for the browser to sniff. Newer browsers honor the X-Content-Type-Options: nosniff response header, which disables this behavior, but zipping also protects users of browsers that do not.

Jive zips the following file types when they are attached to content: text/plain and text/html. Rather than trusting the file extension or the MIME type supplied by the client, Jive uses a magic-number check (inspection of the file's leading bytes) to determine the real MIME type of an uploaded file. For example, if a document called mydocument.doc is uploaded, the magic-number check examines its content; if the file is actually HTML, Jive zips it as a security precaution.
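The following is an added example of the magic-number check and zip wrapping described above; it is written for this FAQ and is not Jive's code. It classifies an upload by its leading bytes the way a sniffing browser would (so that a .doc that is really HTML is caught), and wraps text/plain and text/html uploads in a zip archive. The magic-number table, the `HTML_MARKERS` list, and the two sample uploads are constructed for the example.

```python
import io
import zipfile

# Leading-byte signatures for common binary container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # .zip, .docx, .jar ...
PDF_MAGIC = b"%PDF-"

# Markers a sniffer looks for in the leading bytes before calling a file HTML.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<script", b"<iframe", b"<a href")

# Types a sniffing browser would render rather than download, so they get zipped.
ZIPPED_TYPES = {"text/plain", "text/html"}


def sniff_type(data):
    """Return a MIME type derived from the content alone; the file name is ignored."""
    head = data[:512]
    if head.startswith(OLE2_MAGIC):
        return "application/msword"
    if head.startswith(ZIP_MAGIC):
        return "application/zip"
    if head.startswith(PDF_MAGIC):
        return "application/pdf"
    # Skip a UTF-8 BOM and leading whitespace, as browser sniffers do.
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    probe = head.lstrip().lower()
    if any(marker in probe for marker in HTML_MARKERS):
        return "text/html"
    if b"\x00" not in head:          # no NUL bytes: treat as plain text
        return "text/plain"
    return "application/octet-stream"


def prepare_attachment(filename, data):
    """Decide how an upload is stored and served: (stored_name, stored_bytes, content_type).

    Uploads whose real type is text/plain or text/html are wrapped in a zip
    archive so that a sniffing browser has nothing to render.
    """
    real_type = sniff_type(data)
    if real_type not in ZIPPED_TYPES:
        return filename, data, real_type
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, data)
    return filename + ".zip", buf.getvalue(), "application/zip"


def unzip_attachment(zip_bytes, member):
    """Recover the original file from a zipped attachment (round-trip check)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member)


# Constructed samples, not real uploads: a ".doc" that is really HTML, and a
# minimal OLE2 header standing in for a genuine Word file.
FAKE_DOC = b"<html><body><script>alert(document.domain)</script></body></html>"
REAL_DOC = OLE2_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for name, data in (("mydocument.doc", FAKE_DOC), ("report.doc", REAL_DOC)):
        stored_name, _, ctype = prepare_attachment(name, data)
        print("%-16s sniffed=%-20s stored as %s (%s)" % (name, sniff_type(data), stored_name, ctype))
```

Serving the result with `Content-Type: application/zip` plus `X-Content-Type-Options: nosniff` covers both old browsers that sniff and new ones that respect the header.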

Does Jive use Sun's Java Virtual Machine (JVM)?

Yes. Jive runs on Sun's JVM 1.6 and uses the Java Secure Socket Extension (JSSE) for TLS. The JSSE can operate in FIPS 140 compliant mode when the JVM is configured with a FIPS 140 validated cryptographic provider.

Which cryptographic technologies are used in Jive?

At the application level Jive can use any algorithm the JVM provides, and at the HTTPD level any algorithm OpenSSL provides. In practice Jive uses Blowfish/ECB/PKCS5Padding and AES-256 for symmetric encryption and SHA-256 for one-way hashing, and supports and recommends Triple-DES cipher suites on the HTTPD server for TLS-encrypted channels. Two caveats apply when reviewing this list: ECB mode encrypts identical plaintext blocks to identical ciphertext and therefore leaks structure, and Triple-DES has a 64-bit block size; AES-based modes and cipher suites are preferable wherever the client supports them.
  • SHA-256 -- Jive user passwords are stored in the database as salted SHA-256 hashes. The salt defeats precomputed tables, but SHA-256 is fast to compute, so an iterated password hash such as PBKDF2 gives more protection against offline guessing.
  • AES-256 -- Bridging credentials, License Metering information, and iPhone UDIDs are all encrypted with AES-256.
  • Blowfish/ECB/PKCS5Padding -- Used for storing LDAP administrator credentials and OpenSearch credentials in the database.
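As an added example of the salted SHA-256 password storage listed above (written for this FAQ, not Jive's code), the functions below store a per-user random salt next to the digest, verify a login by recomputing the digest and comparing in constant time, and show the iterated PBKDF2-HMAC-SHA256 alternative side by side. The salt||password construction, the `scheme$salt$digest` storage format, and the iteration count are assumptions made for the example; the FAQ does not state how Jive combines salt and password.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000   # example value; tune to the hardware and latency budget


def hash_password_sha256(password, salt=None):
    """Salted SHA-256: sha256(salt || password), with the salt stored alongside.

    Assumed construction for this example; fast, so offline guessing is cheap.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)      # fresh random salt per user
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "sha256$%s$%s" % (salt.hex(), digest)


def hash_password_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Iterated alternative: PBKDF2-HMAC-SHA256, deliberately slow to brute-force."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "sha256" and len(parts) == 3:
        salt = bytes.fromhex(parts[1])
        candidate = hash_password_sha256(password, salt)
    elif scheme == "pbkdf2_sha256" and len(parts) == 4:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
        candidate = hash_password_pbkdf2(password, salt, iterations)
    else:
        return False                                 # unknown or malformed record
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def demo():
    """Exercise both schemes with a constructed password and return the outcomes."""
    pw = "correct horse battery staple"              # constructed sample password
    sha_record = hash_password_sha256(pw)
    pbkdf2_record = hash_password_pbkdf2(pw)
    return {
        "sha256_accepts_correct": verify_password(pw, sha_record),
        "sha256_rejects_wrong": verify_password(pw + "!", sha_record),
        "salts_differ_per_user": hash_password_sha256(pw) != sha_record,
        "pbkdf2_accepts_correct": verify_password(pw, pbkdf2_record),
        "pbkdf2_rejects_wrong": verify_password(pw.upper(), pbkdf2_record),
        "unknown_scheme_rejected": verify_password(pw, "md5$00$00"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-26s %s" % (case, result))
```

Migrating stored records from one scheme to the other can be done lazily: because the scheme name is stored with the record, a successful login under the old scheme can be rehashed with the new one on the spot.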

If your product uses cryptography, has this cryptography been certified under the Cryptographic Module Validation Program or is it in the process of CMVP certification? If yes, which Cryptographic Module Testing (CMT) Laboratory are you using and what is your Cryptographic Module Security Level?

Jive does not ship a cryptographic module of its own; it relies on Sun's JVM 1.6 and the Java Secure Socket Extension (JSSE) for cryptography. Whether a validated module is in use therefore depends on the cryptographic provider the JVM is configured with, not on Jive itself.

Is the product public-key enabled and is it interoperable with the DoD PKI?

Jive supports X.509-based PKI. However, extra configuration steps are required; we recommend a Jive Professional Services customization.

I am a public cloud hosted customer. Can you encrypt my data at rest?

Yes. We can encrypt your dedicated databases that reside in our hosting data centers. Contact your Jive Software representative to request this additional service and pricing schedules. Note that this service may require additional lead time depending on the size and traffic of your community.

Is SSL expensive to implement?

No. Current SSL/TLS deployments typically require no additional machines or hardware and consume only a small share of CPU resources.