OWASP Top 10
The Open Web Application Security Project (OWASP) maintains a list of what they regard as the Top 10 Web Application Security Risks.
These are listed below, together with an explanation of how Hiboo deals with each of them.
1. Injection
SQL - Prevented by design: all access is limited to authenticated users and can only be performed through the Hiboo API. Raw SQL is not supported. All requests to the database are made through the Hiboo API using Sequelize, the standard open-source Node.js ORM.
OS - There is no shell execution performed from within the application.
2. Broken Authentication and Session Management
We follow open-source best practices. Today we use JWT authentication.
3. Sensitive Data Exposure
Our databases are encrypted at rest with AES-256, block-level storage encryption. All connections to the application or API use HTTPS.
4. XML External Entities (XXE)
We use up-to-date XML processors and SOAP 1.2 or higher. We limit the use of XML in favor of JSON.
5. Broken Access Control
All access is denied by default; access control mechanisms are implemented once and re-used.
JWT tokens are invalidated on logout.
6. Security Misconfiguration
We use the Heroku platform to simplify deployment and minimize misconfiguration. Our deployment process is automated, and only the necessary employees have access to the production environment.
7. Cross-Site Scripting (XSS)
We use a framework that escapes output against XSS by design (React JS) and we limit user input.
8. Insecure Deserialization
We enforce strict type constraints during deserialization. We log all deserialization exceptions and failures and alert when needed.
9. Using Components with Known Vulnerabilities
We periodically remove all unused components and libraries. We update our dependencies periodically, and they are installed only from NPM after checking the author.
10. Insufficient Logging & Monitoring
We use the Heroku platform for low-level logging and monitoring. At the application level we use Logentries and Datadog to monitor our platform. All logs are linked to a requestId for auditing. Alerting is set up for critical events.
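As an added illustration of items 8 and 10 above (example code, not Hiboo's own), the following Node.js snippet deserializes a JSON request body under strict type constraints, rejects unknown fields such as `__proto__`, and records every failure together with the requestId so it can be audited and alerted on. The `UserUpdateSchema`, `deserialize` and `auditLog` names are assumptions made for this example.

```javascript
// Added example (not hiboo's code): strict JSON deserialization with
// type constraints, plus logging of failures tagged with a requestId.
'use strict';

// Assumed schema: maps each allowed field to the JS type it must have.
// Any key not listed here (including "__proto__" or "constructor") is rejected.
const UserUpdateSchema = {
  displayName: 'string',
  age: 'number',
  newsletter: 'boolean',
};

class DeserializationError extends Error {}

// Constructed stand-in for a log sink such as Logentries/Datadog.
const auditLog = [];

function logFailure(requestId, reason) {
  auditLog.push({ level: 'warn', event: 'deserialization_failed', requestId, reason });
}

function deserialize(raw, schema, requestId) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    logFailure(requestId, `invalid JSON: ${err.message}`);
    throw new DeserializationError('invalid JSON');
  }
  // Only plain objects are accepted; arrays, null and primitives are rejected.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    logFailure(requestId, 'payload is not a plain object');
    throw new DeserializationError('payload is not a plain object');
  }
  // Copy into a prototype-less object so no inherited property can leak in.
  const out = Object.create(null);
  for (const key of Object.keys(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      logFailure(requestId, `unexpected field "${key}"`);
      throw new DeserializationError(`unexpected field "${key}"`);
    }
    if (typeof parsed[key] !== schema[key]) {
      logFailure(requestId, `field "${key}" must be of type ${schema[key]}`);
      throw new DeserializationError(`field "${key}" must be of type ${schema[key]}`);
    }
    out[key] = parsed[key];
  }
  return out;
}
```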