    System security overview

    Industry best practices are used to secure our systems for the whole of the SDLC

    Overview

    stSoftware systems are designed to meet or exceed all aspects of the Australian Government Protective Security Policy Framework (PSPF). At stSoftware, we take security very seriously. Our servers are locked down so that they can be accessed only via secure shell and only from specific IP addresses, and they are constantly monitored. Developers and business users have no direct access to the underlying system. All changes by site developers are kept within a sandbox, which allows only validated changes and prevents direct access to the underlying machines.

    Network design

    Best practice network design for a fully redundant, fault tolerant stSoftware server cluster has:-

    Server Lockdown

    All Linux servers are locked down to the highest security standards possible. All services are off by default and all ports are shut. Only the required services are started.

    Password Management

    The system administrator can configure the system password options to find the correct balance between convenience and security. The password and login options can also be configured at the user level.

    Data Access Layer 

    All protocols access the underlying data through the DAL (data access layer). There is NO direct access to the underlying data store, no matter which protocol is used. Each protocol accepts the request to read or write data, performs the protocol's own validations, and then passes the request on to the DAL for execution. The DAL in turn validates the request, checks the user's access and performs any further validations before returning the result.

    Standard SQL injection and cross-site scripting attacks are performed on each component as part of normal nightly unit testing.
