To further strengthen the security of the Trabian infrastructure, we have upgraded the overall security of webforms by introducing the Webform Encrypt module in the Canvas CMS and, before November 2022, in Composer sites that are moving to the Trabian infrastructure. This module makes webform submissions more secure and further eliminates vulnerabilities by encrypting the data at rest in the database.
How will this impact our site?
With this update, clients will no longer be able to send webform submission data in the email confirmation. Sending data freely in an email opens up risk and is not a secure form of communication. With the new module, there will be a standard email confirmation that includes a link to the webform submission, which can be accessed when logged in to the CMS. Confirmation emails to form submitters will also be disabled.
Are there any other options?
We understand that this could have an impact on current processes and procedures, so we are looking into alternate ways of delivering webform data, such as S/MIME, which would securely email submission data directly to a recipient within the FI. Note that data will not be stored in the CMS for this solution. We anticipate this functionality will be available at the end of the year.
For FIs where upload ability was removed
During the introduction of Canvas, certain webform fields, such as image/video upload fields, were not disabled and are inadvertently being used in forms. Upload fields are an attack vector because malicious actors can upload images and files that may inject malware into our system. Because the CMS was not designed or intended for storing files from form submissions, there is no mechanism to scan files for malicious code. Because upload fields are an attack vector, we have had to disable these field types to maintain our security posture.
Questions or concerns?
Please reach out to your project manager to discuss any questions or concerns you might have about the information shared. It is our goal to continue to serve our clients in the best way possible, which includes creating a secure and stable environment and reducing risk and potential vulnerabilities wherever possible.