Chapter 16

Security Policy

At Idoba, security is our absolute highest priority. Therefore we take myriad security measures to ensure that the data of our customers and pentesters is secure and safe. In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Akumen platform.

Web Application Firewall

Idoba uses the Amazon Web Services Web Application Firewall (AWS WAF) together with AWS Shield in front of the site. Together they provide:

  • Protection against distributed denial of service (DDoS) attacks
  • Blocking of suspicious activity
  • Filtering of SQL injection attempts and comment spam
  • The ability to quickly block individual IP addresses or entire countries

The WAF is a perimeter filter; it complements, rather than replaces, the application-level controls described later in this chapter.

Encrypting Data in Transit

All HTTP traffic to Akumen runs over a TLS-encrypted connection (HTTPS), and we only accept traffic on port 443. The current status of our TLS configuration can be found here.

On a user agent's (typically a web browser's) first visit over HTTPS, Akumen sends an HTTP Strict Transport Security (HSTS) header that instructs the user agent to make all future requests to the site over HTTPS, even when a link to Akumen is given as plain HTTP. Because the header can only be learned from an HTTPS response, the very first visit following an http:// link is not covered unless the domain is on the browsers' HSTS preload list. Cookies are also set with the Secure flag, so they are never sent over an unencrypted connection.
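As an added example (this is not code from the Akumen platform; it is a hypothetical ASP.NET Core Program.cs), the following shows how the behaviour described above is configured in the framework the platform is built on: an HSTS header with a one-year max-age, redirection of any plain-HTTP request to port 443, and a cookie policy that forces the Secure and HttpOnly flags on every cookie the application sets. The route name "/" and the cookie name "session-probe" are placeholders.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// HSTS: once a browser has seen this header on an HTTPS response, it rewrites
// http:// links to https:// for this host for the next max-age seconds.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);  // one year; also the minimum for preload submission
    options.IncludeSubDomains = true;
    options.Preload = true;                   // only has effect after the domain is submitted to the preload list
});

// Any request that still arrives over plain HTTP gets a permanent redirect to port 443.
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

// Cookie policy: every cookie set by the app gets Secure and HttpOnly and at least
// SameSite=Lax, regardless of what the individual call site asked for.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

var app = builder.Build();

// UseHsts only emits the header on HTTPS responses and skips localhost by default,
// so it is normally left out of Development and switched on everywhere else.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseCookiePolicy();

app.MapGet("/", (HttpContext ctx) =>
{
    // Secure/HttpOnly are not requested here; the cookie policy middleware adds them.
    ctx.Response.Cookies.Append("session-probe", "1");
    return "ok";
});

app.Run();
```

Worth checking in practice: with HTTPS redirection in place an http:// request gets a 308 before any application code runs, the HSTS header appears only on HTTPS responses, and the Set-Cookie header for "session-probe" carries Secure; HttpOnly; SameSite=Lax even though the Append call asked for none of them.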

Hosting and Database Storage

Akumen is hosted on Kubernetes, running inside Amazon Web Services (AWS) data centers.

Encrypting Data at Rest, Database

Akumen’s backend persists data in a PostgreSQL database. All data at rest, and the keys that protect it, are encrypted with the industry-standard AES-256 algorithm. Data is decrypted only when an authorised user has been granted access to it, and then only the subset of data they are entitled to. For further details on encryption at rest, please see the AWS encryption procedures.

Encrypting Data at Rest, Files

Static files, such as images and other documents, are persisted in AWS S3 storage. All files are encrypted before they are written to S3, so they are never stored in the clear.

Location of Data and Jurisdiction

Akumen entirely resides on servers located within Australia, and all data is stored securely within Australia. In the event that this changes (e.g. for geo-distribution, performance or durability purposes), all clients will be notified ahead of time.

AWS Security Practices

Amazon Web Services undergoes recurring third-party assessments to ensure compliance with industry standards and continually manages risk. By using AWS as our data center operations provider, our data center operations are accredited under:

  • ISO 27001
  • SOC 1 and SOC 2 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
  • PCI DSS Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

These accreditations cover the infrastructure that AWS operates. Under the AWS shared responsibility model, the security of the Akumen application itself remains Idoba’s responsibility, which is what the remaining sections of this chapter describe. More information about AWS security can be found here.

Password Policy and Storage

During account creation and password updates, Akumen requires a strong password of 8 characters or more that contains numbers as well as lower- and uppercase letters. We never store user passwords themselves, only salted one-way password hashes, computed as follows:

  • PBKDF2 key derivation with HMAC-SHA256 as the pseudorandom function
  • A work factor of 10,000 iterations, which slows offline brute-force and dictionary attacks
  • A random per-user salt, which defeats precomputed (rainbow) tables and ensures that two users with the same password do not end up with the same stored hash

If a user enters an incorrect password on multiple attempts, the account is temporarily locked to prevent online brute-force attacks. To further protect account access, two-factor authentication is available to all Akumen users and can be turned on in the user account security settings.
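The scheme described above, written out as an added example (this is illustrative code, not Akumen’s implementation): PBKDF2-HMAC-SHA256 with a random 128-bit per-user salt, 10,000 iterations and a 256-bit derived key. Those are also the defaults of ASP.NET Core Identity’s built-in PasswordHasher (format version 3), although the page does not say whether Akumen uses it. The class and method names, the salt and subkey sizes, and the "pbkdf2-sha256$…" storage format are assumptions made for this example. The iteration count is stored alongside the hash so that the cost can be raised later: the current OWASP Password Storage guidance recommends 600,000 iterations for PBKDF2-HMAC-SHA256, well above the 10,000 given here.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordHashing
{
    public const int DefaultIterations = 10_000; // work factor from the policy above
    private const int SaltBytes = 16;            // 128-bit random per-user salt
    private const int SubkeyBytes = 32;          // 256-bit derived key
    private const string Scheme = "pbkdf2-sha256";

    // Stored form (assumed for this example): pbkdf2-sha256$<iterations>$<base64 salt>$<base64 subkey>
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh CSPRNG salt for every hash
        byte[] subkey = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, SubkeyBytes);
        return string.Join("$", Scheme, iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(subkey));
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != Scheme) return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false; // malformed record: treat as a failed login, never throw into the login path
        }

        // Re-derive with the parameters recorded in the stored value, not the current defaults,
        // so records written at an older cost still verify.
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);

        // Constant-time comparison: a plain == stops at the first differing byte and leaks timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // True when the stored record was produced with fewer iterations than currently required,
    // so the caller can re-hash with the current cost immediately after a successful login.
    public static bool NeedsRehash(string stored, int currentIterations = DefaultIterations)
    {
        string[] parts = stored.Split('$');
        return parts.Length != 4
            || parts[0] != Scheme
            || !int.TryParse(parts[1], out int iterations)
            || iterations < currentIterations;
    }

    public static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample input
        string stored = PasswordHashing.Hash(password);
        Console.WriteLine(stored);

        Console.WriteLine("correct password verifies: " + Verify(password, stored));
        Console.WriteLine("wrong case rejected: " + !Verify("Correct horse battery staple", stored));

        // Per-user salt: hashing the same password again must not reproduce the stored value.
        Console.WriteLine("same password, different hash: " + (stored != Hash(password)));

        // A record written at a lower cost is flagged for an upgrade on next login.
        Console.WriteLine("low-cost record needs rehash: " + NeedsRehash(Hash(password, 1_000)));
    }
}
```

The login flow that goes with this is: look up the stored record, call Verify, and on success call NeedsRehash and, if it returns true, overwrite the record with Hash(password) at the current cost. Doing the upgrade inside the login path is the only moment the plaintext is available, which is why the iteration count has to be recorded with each hash.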

Whenever an email change, password change or similar sensitive account change occurs, the user is notified so that they can respond quickly if their account is under attack.

XSS and CSRF Protection

To prevent cross-site scripting (XSS), Razor in ASP.NET Core HTML-encodes all output by default before it reaches the browser. We avoid the raw output methods (for example Html.Raw) that would send unencoded data to the browser.

ASP.NET Core’s antiforgery support generates and validates CSRF tokens, and this is enabled on all relevant forms.
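The two controls above, shown as an added example (hypothetical code, not taken from Akumen): the difference between Razor’s default encoded output and a raw output method, reproduced with the same HtmlEncoder Razor uses, and a controller on which every state-changing request must carry a valid antiforgery token. CommentsController, OutputEncodingDemo and their methods are names invented for this example; the webhook action is included only to show the explicit opt-out.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Html;
using Microsoft.AspNetCore.Mvc;

// Every POST/PUT/PATCH/DELETE action on this controller rejects requests that do not
// carry a valid antiforgery token; safe methods such as GET are not checked.
[AutoValidateAntiforgeryToken]
public class CommentsController : Controller
{
    private static readonly List<string> Comments = new();

    // A Razor form written as <form asp-action="Create" method="post"> emits the hidden
    // __RequestVerificationToken field that the attribute above validates on POST.
    [HttpGet]
    public IActionResult Index() => View(Comments);

    [HttpPost]
    public IActionResult Create(string comment)
    {
        Comments.Add(comment); // stored as submitted; neutralisation happens at output time
        return RedirectToAction(nameof(Index));
    }

    // An endpoint that must accept cross-site POSTs (a webhook, say) opts out explicitly.
    // It then has to authenticate its caller some other way, e.g. a signed payload.
    [HttpPost, IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}

// What Razor does for @comment versus @Html.Raw(comment), without a view engine.
public static class OutputEncodingDemo
{
    // Equivalent of writing @comment in a view: every string is HTML-encoded on output,
    // so '<', '>', '&' and quotes arrive as entities and render as text.
    public static string Encoded(string untrusted) => HtmlEncoder.Default.Encode(untrusted);

    // Equivalent of @Html.Raw(comment): an IHtmlContent is written through unchanged,
    // so attacker-controlled input becomes live markup. This is the pattern to avoid.
    public static IHtmlContent Raw(string untrusted) => new HtmlString(untrusted);

    public static void Demo()
    {
        // Constructed sample input: a typical stored-XSS payload.
        const string payload = "<img src=x onerror=alert(document.cookie)>";
        Console.WriteLine("encoded: " + Encoded(payload)); // rendered as literal text
        Console.WriteLine("raw:     " + Raw(payload));     // rendered as an <img> element
    }
}
```

Two checks a reviewer can run against a code base built this way: grep the views for Html.Raw and confirm every hit is fed by trusted, non-user data, and confirm the controllers (or the global MVC filter list) carry AutoValidateAntiforgeryToken rather than relying on each POST action to remember [ValidateAntiForgeryToken] on its own.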

In addition to these measures, we regularly run automated site scans for injection and XSS vulnerabilities using external tools such as the OWASP security scanner.

Organization

We require all employees to use strong, unique passwords for Akumen accounts, and to set up two-factor authentication for each device and service where it is available. All Idoba employees are required to use recognised password managers such as LastPass or 1Password to generate and store strong passwords, and to encrypt local hard drives and enable screen locking on their devices. Access to application admin functionality is restricted to a subset of Akumen staff and further restricted by IP address and other security measures.

Monitoring and Notifications

Idoba uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies. Our preferred services for logging and 24-hour notification are the ELK stack, updown.io and FreshStatus.

Code Review and Static Code Analysis

Idoba requires strict code review of changes to sensitive areas of our codebase. We also use GitLab CI/CD to run static security analysis on the source code, which automatically flags known vulnerability patterns. Quay.io performs automated Docker container scanning to ensure that base images are up to date and do not contain known vulnerabilities.

Vulnerability Disclosure

support@idoba.com

Since launching Akumen, we’ve invited anyone on the internet to notify us of issues they might find in our application to further strengthen and secure our platform. All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 hours.

Emergency

In the event of a security breach, we have procedures in place for a decisive response, including disabling access to the web application, mass password resets and certificate rotation. If our platform is maliciously attacked, we will communicate this to all of our users as quickly and openly as possible.