The International Mission Board (IMB), Pioneers, and the Billy Graham Evangelistic Association (BGEA) conducted independent code reviews with forensic security firms. They reviewed the code quality and potential vulnerabilities of Disciple.Tools as a contact system to ensure the protection of names of believers in persecuted countries.
If you are reviewing Disciple.Tools technically for implementation with international teams or for projects working in security-concerned locations, we have prepared this white paper to cover the basic design and security patterns followed in crafting Disciple.Tools.
Disciple.Tools was built and tested by a team based in one of the most intrusive cyber police states in the world. Threat of persecution against Christians from government and non-government actors surrounded them constantly. This context necessitated a solution like Disciple.Tools.
It will be a matter of conscience how each Disciple Making Movement effort chooses to track its work and keep it accountable. We understand each context is different and trust the Spirit to guide each appropriately. As you seek out solutions, do not assume simple equations, such as internet = vulnerable.
Keeping names on a mobile phone, on paper, or written anywhere poses as much of a security risk as, and in many cases more risk than, keeping names in a secure online database.
We are confident in the engineering and best practices that surround Disciple.Tools. Read the provided resources to understand the due diligence we have done for this issue.
We are even more confident, however, that the real risks we take for the Great Commission are not irresponsible. Instead, we believe doing less or being too conservative with risk is a greater eternal risk.
“I was afraid, and I went and hid your talent in the ground. Here, you have what is yours.” (Matt. 25:14-30)
These are basic security elements required/recommended at the launch of Disciple.Tools.
Disciple.Tools requires secure server connections throughout the whole of the code base. The SSL server certificate this requires is often provided for free with good hosting services.
Restricting database access based on permission levels and specific assignments.
This allows you to control risk management. Host anywhere as opposed to a centralized service – you control where and how the data is stored and who has access.
Multiple organizations have conducted code audits to verify security standards.
Many eyes are on the code.
There are a number of recommendations on how to “harden” your Disciple.Tools installation depending on your security requirements. Some of these are as follows:
Adding a WordPress plugin can add two-factor authentication to the current username/password security of Disciple.Tools.
Place Disciple.Tools behind a VPN firewall.