ReloTracker Application Security Purpose: This document explains the security of the ReloTracker system, independent of where it is hosted. Author: David Sanders Revised: 10 October, 2013 Status: Public Overview Security is more and more a concern for any organization, not only from an internal point of view but also from a commercial perspective. No system can be made 100% secure, and many security flaws are caused by poor practices by users. Security is not only a goal, but also a continual process. ReloTracker is developed according to security best practices and has been tested internally and externally. A list of common questions and appropriate responses are provided for our licensees. Security Basics ReloTracker is an “online system” or “web-based application”. This means that it is hosted on a web server and users access it using a web browser. Because of this, there are many possible security issues: The users’ computer or mobile device. The network from which the user accesses the application, whether a company network, home network, airport, or other public place. The type of network also matters: whether it is by cable or wireless (Wi-Fi). The server on which the ReloTracker system is hosted. If we are hosting your application, please see the document, ReloTracker Hosting and Backup. The security of the application itself, which is the subject of this document. This document mainly addresses the security of the ReloTracker system, although you will find in Appendix A some recommendations on how you can address other security issues. It is your responsibility to address these other security issues. Application Security Best practices in application security fall into several categories: 1. Develop according to established security guidelines. 2. Enforce strict security controls. ReloTracker Application Security © 2013 ReloTracker Page 1 3. Test internally for security issues. 4. Use external testing to verify security controls. Establish Security Guidelines Security is based on two foundations: preventing possible means of attack and following best practices. The Open Web Application Security Project (OWASP: https://owasp.org/) is a worldwide not-for-profit organization focused on improving the security of software. It publishes a Top 10 list of application security issues. Please see Appendix B: OWASP 2013 Top 10 Vulnerabilities. ReloTracker is built using Microsoft’s ASP.NET Framework, used by millions of companies to create applications. ASP.NET has built-in features to prevent different types of attacks, like Cross-site Scripting and Session Hijacking. In addition to the security features provided by ASP.NET, ReloTracker has several security measures built into its design, including. All access is Role-based. There is no default role, so the role of every user needs to be determined before the system shows any information. The cookie that ReloTracker sets in the user’s browser is encrypted, so it is not possible to understand and manipulate a cookie. Database queries are made using parameters in the business layer, rather than simply replacing variables, and user input is validated, to prevent SQL injection attacks. Tracing and debugging are turned off by default. ReloTracker requires that users have at least 6 characters in a password. Passwords are encrypted in the database. Solution and Project files are not stored on the web server. Enforce Strict Security Controls The first measure of our security controls means that we train our developers and support personnel on the guidelines that we have put in place. They are expected to make changes to the system within those guidelines. The second measure of controls is that all changes to the system are reviewed before release. This means that when a developer makes changes and submits them, that that the Director of Operations reviews them before they are released and implemented. Internal Testing Despite these controls, there remains a possibility that weaknesses enter into the system. For this reason, we conduct internal testing on a regular basis. Tools such as the OWASP’s Zed Attack Proxy are regularly used to test for a wide range of vulnerabilities against attacks and threat agents. See Appendix C: Penetration Testing Process. ReloTracker Application Security © 2013 ReloTracker Page 2 External Testing Occasionally we also employ an outside company to perform penetration testing of the application. This is both to ensure that vulnerabilities are identified, and to confirm that our internal tests are identifying any issues. Espion (http://www.espiongroup.com/), an IT security and forensics company in Europe, was contracted to perform this testing in September, 2013. Their Executive Summary states: “Based on the results of this review no high priority finding has been identified”. Proactively using ReloTracker Security Security is often only mentioned in response to specific customer requests. Our customers do not feel comfortable using it as a sales argument. But it can be a powerful selling tool. Here are some statements that you might use, adjusting them according to your needs. We track and monitor our operations using ReloTracker, the leading relocation management software. It is used by tens of relocation companies in every part of the world. ReloTracker is developed using proven Microsoft technologies, like ASP.NET and SQL Server. It has been developed from the beginning according to best practices in the industry and security concerns. Some examples of the security controls include: Multi-tiered application development. Encryption of passwords. Role-based login, to restrict users’ rights. Use of a security certificate for secure communications. Backups are made regularly and stored encrypted in a secure, offsite location. Until now, ReloTracker has never experienced a security problem. It is regularly tested both internally and externally against common web application vulnerabilities. The last two bullets only apply if your hosting meets these requirements. We certainly do not require that you mention ReloTracker as the name of your system; you can simply replace references to ReloTracker with “our system”. Privacy Privacy issues are often confused with security issues. Until there is a need for a separate Privacy Policy document beyond those in your ReloTracker License, we state our privacy policy here: ReloTracker Application Security © 2013 ReloTracker Page 3 1. You, the ReloTracker Licensee, are the Data Owner. The information in the Data Owner’s ReloTracker system and related files and databases are completely the Data Owner’s property. We have no right to use that information in any way except to support your use of the application. We fall under strict European Union regulations regarding the use of personal information. We will notify the Data Owner by email or other means within 24 hours if the Data Owner’s information has been or will be seized by a third party or government entity, or if we suspect that it has otherwise been compromised. 2. Privacy policy toward users is completely the Data Owner’s responsibility. We can support you in the display of “opt-in” or privacy agreement pages. It is up to the Data Owner to establish and implement privacy policies in accordance with applicable laws. ReloTracker Application Security © 2013 ReloTracker Page 4 Appendix A: Best Practices That You Control There are many security aspects that we do not control. In many cases these are left under our customers’ control for business reasons. When a customer asks how you maintain the confidentiality and integrity of customer data, they are also asking what policies and procedures you have in place. 1. Hosting security It is important that the system is hosted at a facility that has good security practices in place. For the systems that we host, please see the document, “ReloTracker Hosting and Backup”. 2. Security certificate A security certificate allows your system to run under Secure Sockets Layer (SSL, https://), which means that all information communicated between users’ machines and the server are encrypted. Wi-Fi connections to the internet using public hotspots are not secure, which mean that information which is not encrypted could be intercepted. We have been recommending strongly that ReloTracker only be hosted using a security certificate. 3. Password complexity In ReloTracker passwords must be at least six characters long, but the length of the password is not the most important matter. KBZ*42 is a good password; princess1973 is not. A good password should be neither predictable nor common. a. People that know you should not be able to predict your password. Ann2013 is a terrible password, as is anything involving the names of your partner or children, and birth years. b. Hackers have lists of the top million passwords, gained from systems that they have hacked. Almost anything you can construct, like peterj56, will likely be included in that million that they might try. c. Random letters, numbers, and punctuation are much better passwords. Think of a sentence, like, “5 flying fishes eat 7 insects. Yum!” A password based on that could be 5ffe7i.Y! – a great password! d. ALL users of the system should be given complex passwords. 4. Shared passwords We have seen systems in which several Internal Users have the same password. What happens when you need to fire someone, and they become upset? It should be absolutely against your policy to use the same password, or to allow users to tell others their password. We cannot be responsible for security issues caused by this. 5. Administrator rights Users that are part of the Administrator Role can view and change passwords and other secret company information. You should only allow a very small number of people to have Administrator rights. It is possible to allow a non-Administrator to view certain Administration pages, like Currencies. Contact Support for more information. 6. Menus/Rights It is under your control and responsibility to ensure that internal and external users have appropriate rights to view and change information. This is discussed in the ReloTracker Administrator’s Guide. Please contact Support with any questions. ReloTracker Application Security © 2013 ReloTracker Page 5 7. Limit login attempts It is possible, although not the default setting, to limit the number of login attempts by users. This can be used to prevent “brute force” attempts, where hackers try many passwords. This setting is found on the Main>Administration>Settings page, near the top of the page. The Default setting is 0, which means unlimited login attempts. You can set it to five, ten, or whatever number you think is reasonable. ReloTracker Application Security © 2013 ReloTracker Page 6 Appendix B: OWASP 2013 Top 10 Vulnerabilities Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Application functions related to authentication and session management are A2-Broken often not implemented correctly, allowing attackers to compromise Authentication and passwords, keys, or session tokens, or to exploit other implementation flaws Session Management to assume other users’ identities. A3-Cross-Site Scripting XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to (XSS) execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. A direct object reference occurs when a developer exposes a reference to an A4-Insecure Direct internal implementation object, such as a file, directory, or database key. Object References Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Good security requires having a secure configuration defined and deployed A5-Security for the application, frameworks, application server, web server, database Misconfiguration server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. Many web applications do not properly protect sensitive data, such as credit A6-Sensitive Data cards, tax IDs, and authentication credentials. Attackers may steal or modify Exposure such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. Most web applications verify function level access rights before making that A7-Missing Function functionality visible in the UI. However, applications need to perform the Level Access Control same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. A8-Cross-Site Request A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically Forgery (CSRF) included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. A9-Using Components Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, with Known such an attack can facilitate serious data loss or server takeover. Applications Vulnerabilities using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. Web applications frequently redirect and forward users to other pages and A10-Unvalidated websites, and use untrusted data to determine the destination pages. Without Redirects and proper validation, attackers can redirect victims to phishing or malware sites, Forwards or use forwards to access unauthorized pages. Source: https://owasp.org/index.php/Top_10_2013-Top_10 A1-Injection ReloTracker Application Security © 2013 ReloTracker Page 7 Appendix C: Penetration Testing Process ReloTracker Application Security © 2013 ReloTracker Page 8 Appendix D: Frequently Asked Questions Here are examples of questions that have been asked by employers and RMCs in RFPs/RFQs, and the appropriate responses. Technologies and Development What code development tools and technology do you use? The application is mainly written in C#, with some JavaScript. We use Microsoft Visual Studio as the development environment. Which application server technologies are used? Microsoft ASP.NET 3.5 or later. Which database server technologies are used? Microsoft SQL Server 2008 or later. What is the application architecture? It is a three-tier architecture. User input is not sent straight to the database, but is replaced by parameters in the business layer. Is a Software Development Life Cycle (SDLC) process in place? It is documented and formally adopted. ReloTracker is developed according to Agile Development principles. Do error conditions that occur during normal operation limit display of detailed system information? Yes, tracing, debugging, and verbose error messages are turned off by default. Authentication How is application authentication performed? There are defined roles for internal and external users. Each role is associated with the ability to see certain information and perform certain actions. There is no default role, so when a user logs in, the system must be able to positively identify their rights. Are application account passwords stored encrypted? Yes, using AES Encryption with SALT Does the application use cookies? Yes, an application like this must use cookies. Our cookie is encrypted so that it can only read by the application. Does the application mark cookies as secure? ReloTracker Application Security © 2013 ReloTracker Page 9 Yes. Do the application URLs contain login IDs and/or password hashes? No, this information is never included in the URLs. Are users are required to re-authenticate before performing sensitive transactions? The system does not include highly sensitive transactions, like the processing of credit card payments. Is the application compatible with Windows Integrated Security or other Single-Sign-on (SSO)? No, because these methods require that all users be part of a single organization or network. Users of ReloTracker (Transferees, HR, field consultants) are members of different organizations, and so cannot be managed under this system. Is it possible to force password changes? Not currently, but scheduled for implementation in 2013. Information Security Has the application code undergone internal and third-party security review? Yes, internal security reviews are conducted monthly. The application has had an independent thirdparty security review within the last six months. What do the security reviews cover? The top-ten OWASP issues, including user input validation, error and exception handling, SQL and SSI injection, JavaScript injection, XSS (Cross-site scripting), predictable resource location and path traversal. Does the application run with administrator or root privileges? No, it runs with web user privileges. Do any fields have any additional protection (for example, repeated data entry, cross checked calculations, etc.)? In accordance with database design standards, many fields contain redundant data to prevent important information, like invoice details, from being overwritten. What is the process for changes to the application software? Major changes – those that involve development rather than simple customizations – must be approved by the Director of Operations. They are assigned to a software engineer, with notes on implementation. The software engineer makes the changes and passes them back to the Director of Operations for acceptance testing, including security review. Can you provide access to logs to detect all actions performed by administrators or users? ReloTracker Application Security © 2013 ReloTracker Page 10 High-level activities like adding or deleting a transferee and status updates are logged by user. Low-level changes, like changing a field are not always logged. If there were an incident, we would cooperate by providing logs to help uncover the extent of the activity. ReloTracker Application Security © 2013 ReloTracker Page 11