Security Assessment for Public Sector Customer: Gitter Security Review
Hello @MadLittleMods - thank you for your assistance with the following questions. @estrike was able to answer the majority, but the questions below require your input.
Here is a link to the online questionnaire: https://ucarfa.github.io/ucarvsaq/vsaq.html?qpath=questionnaires/webapp.json

You can either provide me with the answers here or respond to them directly in the issue, whatever is easier for you.

Please tag me once you are done so that I might wrap up the review and notify the public sector team. Thank you!
Request completion date: close of business on Friday, if possible.
- How is traffic between the load balancer and the application servers protected?
  - Traffic is encrypted and certificates between load balancer and application servers are validated.
  - Traffic is unencrypted, but all networks transited between load balancers and application servers are owned and exclusively used by us.
  - Traffic is unencrypted, and traffic has to transit through networks not owned and exclusively used by us.
  - Through other means.
- Session IDs can be constructed in many ways. Select the methods used in your application:
  - The web application framework we use has a built-in session ID mechanism.
  - Our session IDs are randomly generated strings or numbers.
  - We store a signed token as a cookie to indicate that the user is successfully logged in.
  - We use some other mechanism.
- Do you have special unit tests in place for testing the security of your code? For example, unit tests can be used to do the following:
  - Verify that XSRF tokens are required for all state-changing actions
  - Confirm that user input is correctly escaped and/or sanitized
  - Check that the application enforces access control (e.g., user A doesn't have access to user B's data)

  - Yes
  - No
- Who has access to the backend database?
- What do we do in the event of client data corruption?
- Do we take regular backups?
Edited by Eric Eastwood