Development security

  1. Technologies & updates
    1. Indicate technologies involved
    2. Indicate technical data flows involved (ingress, egress)
    3. Are sources available, can we access source code repositories?
    4. Describe your software update policy/frequency
    5. Do you commit to correct security vulnerabilities detected on your code in less than a week after detection, and at no additional cost?
    6. Do you commit to update third party components in less than a week after publication of security updates, and at no additional cost?
  2. Security in development
    1. (If visitors can create their own accounts) Describe how user accounts are managed in your code and the components you use
    2. Describe how admin accounts are managed in your code and on components you use
    3. How are client accounts created?
    4. Does your service allow central authentication? (SSO, SAML, ADFS…)
    5. Does your service allow strong, multi-factor authentication?
    6. Are there generic admin accounts?
    7. Describe web services exposed on the internet
    8. Describe web services exposed on your intranet

Indicate technologies involved

LAMP server: Linux, Apache, MySQL and PHP.

Indicate technical data flows involved (ingress, egress)

HTTPS for all web portal traffic.

Are sources available, can we access source code repositories?

No

Describe your software update policy/frequency

As necessary.

Do you commit to correct security vulnerabilities detected on your code in less than a week after detection, and at no additional cost?

Yes, always.

Do you commit to update third party components in less than a week after publication of security updates, and at no additional cost?

Yes, always.

(If visitors can create their own accounts) Describe how user accounts are managed in your code and the components you use

Visitors cannot create their own accounts.

Describe how admin accounts are managed in your code and on components you use

Admin users are granted admin permissions. Passwords must be a minimum of 6 characters. There is no account lockout. Admins can use the forgotten-password page, or we can reset their password manually. An account can be deactivated or removed when required.

How are client accounts created?

Through an admin web portal.

Does your service allow central authentication? (SSO, SAML, ADFS…)

Upon request.

Does your service allow strong, multi-factor authentication?

We support:

  • Single-factor authentication
  • Two-factor authentication (Google Authenticator)
  • SSO (Azure and Okta)

Are there generic admin accounts?

No

Describe web services exposed on the internet

Only the main web portal is exposed on the internet. Access is via:

  • https://youragencyname.staffed.it (staffwise)
  • https://youragencyname.getwise.io (surveywise)

Describe web services exposed on your intranet

Not applicable.