OWASP top 10
How NovuDialog handles the most critical security risks
Security does not stop at the application level. For that reason we apply best practices such as the OWASP Top 10 to the configuration of both the application and the infrastructure.
The OWASP Top 10 is a list of the most critical web application security risks, and this is how NovuDialog addresses each of them:
- Injection: SQL injection can occur when untrusted user data is sent as part of a command or query. This could, for example, lead to an attacker gaining access to data without proper authorization. SQL injection is not possible in the NovuDialog application because we never include user input in SQL text statements. Where we do use SQL text statements, user-supplied values are always passed as parameters, which accept only literal values and are never interpreted as SQL.
- Broken authentication: If functions related to session management and authentication are implemented incorrectly in an application, hostile users may be able to take over other users’ identities. By means of code reviews, unit testing, penetration testing and the use of standard components (e.g. IdentityServer) we prevent broken authentication from happening.
- Sensitive Data Exposure: For the whole NovuDialog application we enforce the use of HTTPS, so transmitted data is always secure. Out of the box, the NovuDialog application does not store user data for later use. If it is nevertheless desired to store data, we use Azure SQL Database encryption and Azure Storage service encryption to ensure that sensitive data remains protected. In NovuDialog it is also possible to keep user data on the server, in an encrypted model, and to never make the data visible on the client.
- XML External Entities (XXE): The NovuDialog framework does not use XML for communication to and from the client. All calls are in JSON format and are therefore not vulnerable to XML External Entities attacks. In connections with external services we sometimes do use XML. In .NET Core, the use of XmlDocument is safe by default. Therefore, the risk of XML External Entities attacks is very limited in NovuDialog.
- Broken Access Control: The risk that an attacker can access unauthorized data is very small in NovuDialog. By means of code reviews, unit testing, penetration testing and the use of standard components (for example IdentityServer) we prevent broken access control from happening.
- Security Misconfiguration: Most security configuration mistakes are made because the default settings are not the most secure ones. The NovuDialog application prevents this by using the most secure settings as its defaults. For optimal security we also regularly conduct penetration tests, perform automatic deployments and actively follow Azure’s security recommendations.
- Cross-Site Scripting (XSS): Cross-site scripting (XSS) is an application security flaw in which user input is not handled correctly, allowing a malicious user to execute scripts in another user’s browser. In NovuDialog XSS is partly prevented by only allowing the characters in an input field that you would expect for that type of input field. Additionally, when users replace placeholders with text, the data in NovuDialog is always escaped properly. This way, text is always treated as literal text and cannot be executed as a script.
- Insecure Deserialization: Flaws in deserialization often lead to remote code execution. To avoid insecure deserialization, we do not accept serialized objects from untrusted sources and we deserialize only into objects with strict data types. Should anything go wrong during deserialization, it is logged.
- Using components with known vulnerabilities: Each component is evaluated for possible security issues before use. With each new release of the NovuDialog application, the components are updated to their latest versions.
- Insufficient Logging & Monitoring: The NovuDialog application uses Application Insights monitoring to detect anomalies. Any anomaly triggers an alert that notifies Novusoft in real time.
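The XXE item above relies on XmlDocument being safe by default in .NET Core. A default is easy to undo by assigning a resolver somewhere in the code base, so a defensive check sets the relevant settings explicitly and verifies that a document declaring an external entity is rejected. This is an added illustration, not NovuDialog code; the XML samples are constructed and the file path in the entity declaration is a placeholder.

```csharp
using System;
using System.IO;
using System.Xml;

static class XxeHardeningCheck
{
    // Constructed sample: a DTD that declares an external entity. It exists only
    // to confirm that the hardened parser refuses it before anything is resolved.
    const string DocWithExternalEntity =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n" +
        "<note>&ext;</note>";

    // Constructed sample: ordinary XML as an external service might return it.
    const string PlainDoc = "<?xml version=\"1.0\"?><note>hello</note>";

    // Settings that make XXE impossible regardless of framework defaults:
    // no DOCTYPE is accepted at all, and no external resource is ever fetched.
    static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Returns true when the document loads, false when the parser rejects it.
    static bool TryLoad(string xml, out string error)
    {
        try
        {
            var doc = new XmlDocument { XmlResolver = null }; // explicit, not implied
            using var reader = XmlReader.Create(new StringReader(xml), HardenedSettings());
            doc.Load(reader);
            error = null;
            return true;
        }
        catch (XmlException ex)
        {
            error = ex.Message; // worth logging: a DOCTYPE from a partner is unexpected
            return false;
        }
    }

    static void Main()
    {
        Console.WriteLine($"plain document loads: {TryLoad(PlainDoc, out _)}");
        bool loaded = TryLoad(DocWithExternalEntity, out string why);
        Console.WriteLine($"external-entity document loads: {loaded} ({why})");
    }
}
```

The second call is expected to fail with an XmlException because DtdProcessing.Prohibit rejects the DOCTYPE itself; if it ever succeeds, a resolver or DTD setting has been changed somewhere and the integration should be reviewed.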