Security Governance
- Governance / Audits
- Do you have a security policy, is this policy enforced?
- Do you perform yearly compliance audits?
- Do you perform routine pentests?
- Did you already suffer security breaches / data loss?
- What's your internal notification / escalation procedure in case of breach? How would we be informed and how long would it take?
- Would a third party be allowed to perform a functional or technical security audit of your service?
- Reversibility
Do you have a security policy, is this policy enforced?
We follow all the rules of secure development, including:
- Using HTTPS for domain entries
- Using only current encryption and hashing algorithms
- Not allowing directory listing
- Not storing sensitive data inside cookies
- Enforcing a strong password policy
- Not storing sensitive information in a form's hidden fields
- Verifying file upload functionality
- Setting secure response headers
- Making sure third-party libraries are secured
- Hiding web server information
- Basically, as much as we can do.
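As an added illustration (not Staffwise's own code), the following Python check tests a raw HTTP response against three items from the list above: secure response headers, hidden web-server information, and protected cookies. The two sample responses are constructed for the example.

```python
"""Audit an HTTP response for the header and cookie practices listed above.
Added example with constructed sample responses; not the vendor's code."""
from email.parser import Parser

# Headers a hardened response should carry, with the risk each one addresses
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: TLS not enforced on return visits",
    "content-security-policy": "CSP missing: no script-source restriction against XSS",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
# Banner headers that commonly leak product and version information
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
COOKIE_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, _, header_text = head.partition("\r\n")
    msg = Parser().parsestr(header_text)
    # items() keeps repeated Set-Cookie headers separate; names are lowercased
    return status, [(k.lower(), v) for k, v in msg.items()]

def audit_response(raw: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_response(raw)
    names = {k for k, _ in headers}
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in names]
    for name, value in headers:
        # Any digit in a banner header is treated as a version disclosure
        if name in DISCLOSURE_HEADERS and any(c.isdigit() for c in value):
            findings.append(f"{name} discloses software version: {value!r}")
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            for attr, label in COOKIE_FLAGS:
                if attr not in attrs:
                    findings.append(f"cookie {cookie_name!r} lacks {label}")
    return findings

# Constructed sample responses: one weak, one hardened
WEAK = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
        "Set-Cookie: session=abc123; Path=/\r\nContent-Type: text/html\r\n\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: web\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Content-Security-Policy: default-src 'self'\r\n"
            "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
            "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or "OK")
```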
Do you perform yearly compliance audits?
We review all our policies at least once a year.
Do you perform routine pentests?
For pentests on the system we run detectify.com as frequently as daily to check for vulnerabilities. Detectify strives to be at the bleeding edge of web application security. They perform automatic penetration tests against web applications, based on the OWASP Top 10 specifications, seemingly magic fingerprinting of content management systems, and the very latest trends in vulnerability research. More information can be found on their website: https://detectify.com
Staffwise has the lowest possible threat score of 0, and a perfect 10/10 for the OWASP Top 10:
This score reflects Staffwise passing on each item below:
- A1. Injection
- Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- A2. Broken Authentication
- Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
- A3. Sensitive Data Exposure
- Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
- A4. XML External Entities (XXE)
- Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
- A5. Broken Access Control
- Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
- A6. Security Misconfiguration
- Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
- A7. Cross-Site Scripting (XSS)
- XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- A8. Insecure Deserialization
- Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
- A9. Using Components with Known Vulnerabilities
- Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
- A10. Insufficient Logging and Monitoring
- Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
If you are not familiar with the OWASP Top 10, see the OWASP Top 10 project page for more information.
Did you already suffer security breaches / data loss?
No
What's your internal notification / escalation procedure in case of breach? How would we be informed and how long would it take?
We are using Rackspace Managed Security and Snort.org. See more information here https://www.rackspace.com/en-gb/managed-security-services and here https://www.snort.org/
We would be alerted by either system; once we have assessed the situation we would notify any affected customers, and make the notification required under GDPR, within 72 hours.
Would a third party be allowed to perform a functional or technical security audit of your service?
Yes
Does the contract describe a reversibility plan/ handover plan/ step in rights?
You would have constant 24-hour access to the web portal to view and retrieve your data in real time as it is submitted via the tablet or mobile devices. You can download it as CSV or XLSX at any time.