OWASP top 10
How NovuDialog handles the most critical security risks
Security does not stop at the application level. For that reason we apply best practices such as the OWASP Top 10 - 2021 to the configuration of both the application and the infrastructure.
The OWASP Top 10 - 2021 is a list giving an overview of the most critical web application security concerns:
- Broken Access Control: The risk that an attacker can access unauthorized data is very small in NovuDialog. By default, user data is not stored in the NovuDialog application. By means of code reviews, unit testing, penetration testing and the use of standard components we prevent broken access control from happening.
- Cryptographic Failures: For the whole NovuDialog application we enforce the use of HTTPS, so data in transit is always encrypted. Out of the box, the NovuDialog application does not store user data for later use. If it is nevertheless desired to store data, we use Azure SQL Database encryption and Azure Storage service encryption to ensure that sensitive data remains protected. In NovuDialog it is also possible to keep user data on the server, in an encrypted model, and to never make the data visible on the client.
- Injection: Injection is a vulnerability where input is improperly handled, allowing malicious users to enter data that gives them access to information or systems for which they are not authorized. In NovuDialog we prevent this by not allowing certain characters, by validating fields and by always treating input as literal text (never as code or commands) so that it can never be misused.
- Insecure Design: Development never stops, and that also applies to new vulnerabilities that arise, which is why we at Novusoft stay up to date with the latest developments to keep our framework secure.
- Security Misconfiguration: Most security configuration mistakes are made because the default settings are not the most secure. The NovuDialog application prevents this by using the most secure settings as its defaults. For optimal security we also regularly conduct penetration tests, perform automated deployments and actively follow Azure’s security recommendations. All communications over internal and external links are rigorously validated and checked before being acted upon.
- Vulnerable and Outdated Components: Each component is evaluated for possible security issues before use. With each new release of the NovuDialog application, the components are updated to the latest versions.
- Identification and Authentication Failures: If functions related to session management and authentication are implemented incorrectly in an application, hostile users can take over other users’ identities. By means of code reviews, unit testing and the use of standard components (e.g. Identity Server) we prevent broken authentication from happening.
- Software and Data Integrity Failures: NovuDialog uses a variety of libraries such as jQuery and Bootstrap. These libraries can also contain vulnerabilities, so we ensure that they are always kept up to date in the NovuDialog application.
- Security Logging and Monitoring Failures: The NovuDialog application uses Application Insights monitoring to detect anomalies. Any anomaly triggers alerts that notify Novusoft in real time.
- Server-Side Request Forgery (SSRF): SSRF is a vulnerability where a malicious user enters crafted information (such as a URL) in an input field, causing the server to make requests to internal systems or to send information to an attacker-chosen endpoint. The NovuDialog application ensures that the input in fields is always checked before being processed.