OWASP

The Open Web Application Security Project (OWASP) maintains a list of what they regard as the Top 10 Web Application Security Risks.

These are listed below, together with an explanation of how Hiboo deals with each of them.

1. Broken Access Control

Description: Improper enforcement of user permissions can lead to unauthorized information disclosure, modification, or destruction of data.

Mitigation Strategies:

  • All access is denied by default; access control checks are implemented once and reused across the application rather than re-implemented per endpoint.

  • JWTs are invalidated on logout. A signed JWT remains cryptographically valid until it expires, so invalidating it on logout requires server-side state, such as a record of revoked tokens that is checked on each request.

  • Role-based access control (RBAC) is implemented.
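
The following is an added example, not Hiboo's code, of the three bullets above working together: one deny-by-default authorization check that every route reuses, a role-to-permission matrix, and a record of tokens revoked at logout (keyed on the JWT "jti" claim). The role and resource names and the in-memory stores are assumptions made for illustration.

```javascript
// Added example, not Hiboo's code: a single deny-by-default RBAC check that every route
// reuses, plus revocation of JWTs at logout. Role and resource names, and the in-memory
// stores, are assumptions made for illustration.

// Permission matrix. Any (role, resource, action) combination not listed here is denied.
const PERMISSIONS = {
  viewer: { project: ['read'] },
  editor: { project: ['read', 'update'] },
  admin: { project: ['read', 'update', 'delete'], user: ['read', 'update'] },
};

// Revoked token ids (the JWT "jti" claim) mapped to the token's own expiry, so an entry
// can be dropped once the token would have expired anyway.
const revokedTokens = new Map();

// Called on logout with the claims of the token being discarded.
function revokeToken(claims) {
  revokedTokens.set(claims.jti, claims.exp);
}

// Housekeeping: forget revocations for tokens that have expired on their own.
function pruneRevoked(nowSec) {
  for (const [jti, exp] of revokedTokens) {
    if (exp <= nowSec) revokedTokens.delete(jti);
  }
}

// The one authorization decision point. Returns { allowed, reason }; anything that is
// not explicitly granted, or that cannot be evaluated, is denied.
function authorize(claims, resource, action, nowSec = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims !== 'object') return { allowed: false, reason: 'no token' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { allowed: false, reason: 'token expired' };
  if (revokedTokens.has(claims.jti)) return { allowed: false, reason: 'token revoked at logout' };
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const granted = roles.some((role) => {
    // hasOwnProperty guards against roles like "__proto__" resolving to inherited properties.
    if (!Object.prototype.hasOwnProperty.call(PERMISSIONS, role)) return false;
    const actions = PERMISSIONS[role][resource];
    return Array.isArray(actions) && actions.includes(action);
  });
  return granted
    ? { allowed: true, reason: 'granted' }
    : { allowed: false, reason: `no ${action} permission on ${resource}` };
}
```

The check is written so that unknown roles, unknown resources and odd property names such as "constructor" fall through to a denial rather than to an inherited JavaScript property; the revocation map only needs to hold an entry for as long as the token would otherwise have been valid.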

2. Cryptographic Failures (Sensitive Data Exposure)

Description: Inadequate protection of sensitive data due to weak cryptographic algorithms or improper implementation.

Mitigation Strategies:

  • We use strong, industry-standard encryption algorithms (e.g., AES-256).

  • All data in transit and at rest is encrypted.

  • Our databases are encrypted at rest with AES-256 block-level storage encryption. Storage-level encryption is transparent to anything that can query the database: it protects against loss or theft of the underlying storage media, not against misuse of valid database credentials.

3. Injection

Description: Injection flaws, such as SQL, NoSQL, or command injection, occur when untrusted data is sent to an interpreter as part of a query or command.

Mitigation Strategies:

  • SQL: prevented by design. All database access is limited to authenticated users and goes through the Hiboo API; raw SQL is not supported. Every database request is made through Sequelize, a widely used open-source Node.js ORM, which sends user-supplied values to the database as bind parameters instead of splicing them into the SQL text. An ORM only protects the query paths that use it this way: building a query by string concatenation, or interpolating user input into a raw query or a literal clause, reintroduces the risk.

  • OS command injection: no shell execution is performed from within the application.

  • Cross-Site Scripting (XSS): we use a framework that escapes rendered values by default (React) and we limit user input. React's default escaping does not cover values injected with dangerouslySetInnerHTML or user-controlled URLs placed in href attributes, which need separate handling.
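
As an added example, not Hiboo's code, the block below shows the two halves of SQL injection prevention that an ORM such as Sequelize relies on: values travel as bind parameters and never appear in the statement text, while identifiers (a sort column, a sort direction) cannot be bound and are therefore checked against an allowlist. The string-concatenating builder is included only for contrast. Table and column names are assumptions made for illustration.

```javascript
// Added example, not Hiboo's code: parameterized query building with an identifier
// allowlist. Table and column names are assumptions made for illustration.

const SORTABLE_COLUMNS = new Set(['id', 'name', 'created_at']);
const SORT_DIRECTIONS = new Set(['ASC', 'DESC']);

// Vulnerable form, kept only for contrast: the user-supplied value becomes part of the
// SQL text, so a quote in the input changes the structure of the statement.
function buildProjectQueryUnsafe(name) {
  return `SELECT id, name FROM projects WHERE name = '${name}'`;
}

// Safe form. Returns the statement with positional placeholders and the values separately,
// which is how a driver or ORM ships them to the database (in Sequelize:
// sequelize.query(text, { bind: values })). Throws on input that is not acceptable.
function buildProjectQuery({ name, sortBy = 'id', direction = 'ASC' }) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) {
    throw new Error('name must be a string of 1 to 100 characters');
  }
  // Identifiers cannot be parameterized, so only known column names are accepted.
  if (!SORTABLE_COLUMNS.has(sortBy)) throw new Error(`sort column not allowed: ${sortBy}`);
  const dir = String(direction).toUpperCase();
  if (!SORT_DIRECTIONS.has(dir)) throw new Error(`sort direction not allowed: ${direction}`);
  return {
    text: `SELECT id, name FROM projects WHERE name = $1 ORDER BY ${sortBy} ${dir}`,
    values: [name],
  };
}

// Helper for the checks below: true if calling fn throws.
function throws(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return true;
  }
}
```

The point worth remembering is the ORDER BY clause: an ORM parameterizes values, but anything that ends up as an identifier or a keyword in the query has to be constrained by the application, typically with an allowlist like the one above.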

4. Insecure Design

Description: Insecure design issues arise from a lack of security considerations during the design phase.

Mitigation Strategies:

  • We work with agile methodologies, which lets us respond quickly to newly identified risks.

  • An external company performs a security review every year.

  • We run a continuous security training and awareness program with Elba.

5. Security Misconfiguration

Description: Security misconfigurations occur when systems are not securely configured, leaving them vulnerable to attacks.

Mitigation Strategies:

  • We use the AWS platform and Infrastructure as Code to simplify configuration and minimize the risk of misconfiguration. Our deployment process is automated, and only the employees who need it have access to the production environment.

  • We use up-to-date XML processors and SOAP 1.2 or higher, and we limit the use of XML in favor of JSON.

6. Vulnerable and Outdated Components (Using Components with Known Vulnerabilities)

Description: Using components with known vulnerabilities can compromise the security of the application.

Mitigation Strategies:

  • We periodically remove unused components and libraries. We update our dependencies periodically, and they are installed only from npm after checking the author.

  • We use Datadog library monitoring to flag dependencies with known vulnerabilities.

7. Identification and Authentication failure (Broken Authentication)

Description: Weak authentication mechanisms can lead to unauthorized access to systems.

Mitigation Strategies:

  • We follow open-source best practices. Today we use JWT authentication.

  • We enforce the following password policy:

    • At least one digit

    • At least one lowercase letter

    • At least one uppercase letter

    • At least one special character

    • At least 12 characters long

  • We run a continuous security training and awareness program with Bastion.tech.

8. Software and Data Integrity Failures (Insecure Deserialization)

Description: Integrity failures occur when code and data are not adequately protected from unauthorized alterations.

Mitigation Strategies:

  • We enforce strict type constraints during deserialization. All deserialization exceptions and failures are logged, and alerts are raised when needed.

  • Our CI/CD pipelines run build, lint, unit tests, integration tests and end-to-end (E2E) tests.

  • All merge requests are reviewed by a peer.

  • We enforce strict access control on code repositories and data stores (MFA and periodic access reviews).
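
The first bullet above, deserialization under strict type constraints with every failure logged, is shown in the added example below; it is not Hiboo's code. A JSON payload is parsed with a reviver that rejects prototype-polluting keys anywhere in the document, then checked field by field against a schema that rejects unknown fields, wrong types and over-long values, and each rejection is recorded in a list standing in for the application's logger. The schema and field names are assumptions made for illustration.

```javascript
// Added example, not Hiboo's code: strict, type-constrained deserialization of an API
// payload with every failure logged. Schema and field names are assumptions.

const deserializationFailures = []; // stand-in for the application's structured logger

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Schema: field name -> { type, required, max }. 'max' bounds string or array length.
const PROJECT_SCHEMA = {
  name: { type: 'string', required: true, max: 100 },
  isPublic: { type: 'boolean', required: false },
  memberIds: { type: 'string[]', required: false, max: 50 },
};

// JSON.parse calls the reviver for every key at every depth, so nested __proto__ keys
// are caught as well as top-level ones.
function rejectForbiddenKeys(key, value) {
  if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`forbidden key: ${key}`);
  return value;
}

function typeMatches(value, type) {
  if (type === 'string[]') return Array.isArray(value) && value.every((v) => typeof v === 'string');
  return typeof value === type;
}

// Returns an object holding only the schema's fields, or null after logging the failure.
function deserialize(json, schema, source = 'api') {
  const fail = (reason) => {
    deserializationFailures.push({ ts: Date.now(), source, reason });
    return null;
  };
  let parsed;
  try {
    parsed = JSON.parse(json, rejectForbiddenKeys);
  } catch (e) {
    return fail(e.message);
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return fail('payload must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) return fail(`unknown field: ${key}`);
  }
  const out = Object.create(null); // no prototype, so nothing can be inherited from it
  for (const [field, rule] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(parsed, field)) {
      if (rule.required) return fail(`missing required field: ${field}`);
      continue;
    }
    const value = parsed[field];
    if (!typeMatches(value, rule.type)) return fail(`wrong type for ${field}: expected ${rule.type}`);
    if (rule.max !== undefined && value.length > rule.max) return fail(`${field} exceeds max length ${rule.max}`);
    out[field] = value;
  }
  return out;
}
```

Because the result is rebuilt from the schema rather than returned as parsed, any field the schema does not know about never reaches application code, and the log entries give the monitoring pipeline a signal if one client starts producing many rejections.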

9. Security Logging and Monitoring Failures (Insufficient Logging & Monitoring)

Description: Insufficient logging and monitoring can prevent the detection of breaches and suspicious activity.

Mitigation Strategies:

  • We use the AWS platform for low-level logging and monitoring.

  • All logs are centralized in Datadog to monitor our platform.

  • Alerting is set up in Datadog for critical events.

10. Server-Side Request Forgery (SSRF)

Description: SSRF vulnerabilities allow attackers to induce the server to make requests to destinations of their choosing, including internal services and cloud metadata endpoints that are not reachable from the outside.

Mitigation Strategies:

  • Our application is served by Amazon CloudFront through Cloudflare.

  • We keep user inputs to the minimum needed, and inputs are validated and sanitized. For SSRF, the decisive input is any user-supplied URL or hostname that the server will connect to; it should be checked against an allowlist of schemes and destinations before the request is made.

  • We implement a CORS policy restricted to acceptable domains. CORS governs which origins a browser may read responses from; it does not constrain requests the server itself initiates, so it complements rather than replaces validation of outbound requests.
