Security
Disciple.Tools has been reviewed and approved
by independent forensic security firms
who specialize in international Christian missions work.
Security Audits
The International Mission Board (IMB), Pioneers, and the Billy Graham Evangelistic Association (BGEA) have all previously commissioned code reviews from qualified forensic security firms. Disciple.Tools has consistently performed well in these reviews, passing both dynamic and static tests. The codebase was meticulously scrutinized by each firm to assess the quality of the code and uncover any possible vulnerabilities.
Even the smallest potential issues were promptly addressed by the Disciple.Tools team.
Disciple.Tools is grateful for the valuable contributions made by these organizations to the broader community and remains steadfast in our commitment to protecting the identities and locations of believers and churches in persecuted nations.
An additional firm, Centripetal’s Professional Services, performed penetration testing on behalf of EastWest Ministries in early 2023. EastWest Ministries serves in many security conscious fields. Centripetal reported one low level action item related to comment reactions. The issue has been corrected and they happily endorsed EastWest’s use of Disciple.Tools. Centripetal’s Professional Services team has decades of experience in penetration testing and is highly certified, currently holding the GSE, GIAC Advisory Board, CISSP, GCTI, GXPN, CEH, along with additional certifications.
Can I put my contacts on the internet and keep them safe?
A Matter of Conscience
Disciple.Tools was built and tested by a team based in one of the most intrusive cyber police states in the world. Threat of persecution against Christians from government and non-government actors surrounded them constantly. This context necessitated a solution like Disciple.Tools.
It will be a matter of conscience as to how each Disciple Making Movement effort chooses to track and keep accountable their work. We understand each context is different and trust the Spirit to guide each appropriately. As you seek out solutions, do not assume simple equations, i.e. internet = vulnerable.
Keeping names on mobile phone, on paper, or written anywhere offers as much a security risk — or in many cases more risk — than keeping names in a secure online database.
We are confident in the engineering and best practices that surround Disciple.Tools. Read the provided resources to understand the due diligence we have done for this issue.
We are even more confident, however, the real risks we take for the Great Commission are not irresponsible. Instead we believe doing less or being too conservative with risk is a greater eternal risk.
“I was afraid, and I went and hid your talent in the ground. Here, you have what is yours.” (Matt. 25:14-30)
Hardening Disciple.Tools
Initial Security
These are basic security elements required/recommended at the launch of Disciple.Tools.
Free WP Security Plugins
SSL Required Hosting
Disciple.Tools requires secure server connections throughout the whole of the code base. This SSL server certificate is often provided for free with good hosting services.
Permissions Based
Restricting database access based on permission levels and specific assignments.
Decentralized/Self Hosting
This allows you to control risk management. Host anywhere as opposed to a centralized service – you control where and how the data is stored and who has access.
Audited
Multiple organizations have conducted code audits to verify security standards.
Open-source
Many eyes are on the code.
Extended Security Options
There are a number of recommendations on how to “harden” your Disciple.Tools installation depending on your security requirements. Some of these are as follows:
Two-Factor Authentication
Adding a WordPress plugin can add two-factor authentication to the current username/password security of Disciple.Tools.
VPN
Place Disciple.Tools behind a VPN firewall.
