Security

Application Layer Security

  • All communications use HTTPS between the browser and client devices. HTTP connections are not supported and will return a permanent redirect to the HTTPS equivalent.
  • DJ Manager accounts are protected by a secure login.
  • Users can only be added to the platform by existing users with Administrator level access.
  • Users can only be removed from the platform by existing users with Administrator level access.
  • Requests to DJ Manager applications and APIs require users to be authenticated.
  • Requests are subject to the following validation checks
    1. The token is valid and has not expired.
    2. The user has access to the tenant they are requesting data for/trying to update.
    3. The user has the appropriate privilege for the operation they are performing.
    4. The request is not a Cross Site Request.
  • Security and Coding Practices

  • We adhere to OWASP Secure Coding Practices:
  • Incoming Data

  • Incoming data is validated on a trusted system (the server) before the data is processed, including expected value, data range, data types
  • Incoming requests are validated to ensure they are coming from a trusted source.
  • Dangerous incoming requests that include hazardous characters are rejected where appropriate.
  • Outgoing Data

  • Outgoing data is sanitized to ensure no confidential data is returned.
  • Data is contextually encoded as it is returned.
  • Authentication and User Management

  • Authentication is required for all pages, except those specifically required to have public access.
  • Authentication is always enforced by the server.
  • Authentication systems always fail securely.
  • Passwords are encrypted at rest.
  • Authentication is only validated when all input has been completed.
  • Authentication failure does not reveal which part of the data was incorrect.
  • Passwords are not transmitted to the user via email (except initial credentials)
  • Passwords are obstructed on the user's screen e.g web forms have input type of 'password'
  • Passwords can only be reset by users of same user level or above, and a reset password is sent to the user with a secure and unique token.
  • Session Management

  • Session Management uses the server's framework session controls
  • Sessions are only created on the server
  • Session domain and path for cookies are restricted appropriately
  • Sessions are terminated both client and server side when the user logs out
  • Logout is available from all pages that are protected by authorization.
  • Session identifiers are not returned in urls, error messages/logs, only in cookies.
  • Access Control

  • Authorization is standardised against the DJ Manager environment.
  • Access controls all fail securely.
  • Application access is denied if the application cannot access the security information to validate a user
  • Authorization is enforced for every request
  • Users, application data, functions are restricted to authroized users.
  • Cryptographic Practices

  • All cryptographic processed are performed on the server.
  • The latest framework cryptographic procedures are used.
  • Error Handling/Logging

  • Sensitive information is not disclosed on error messages.
  • All application errors return a generic error message to the user.
  • Logging is implemented server side.
  • Sensitive information is not stored in logs, such as session identifiers or passwords.
  • Logs are only accessible to authorized individuals within the DJ Manager team.
  • All system exceptions are logged.
  • Data Protection

  • Sensitive data is encrypted in transit and at rest.
  • Server side code is not available to download by the user.
  • Sensitive data is not included in HTTP GET requests e.g. Passwords
  • Server access is only permitted by authorized DJ Manager Employees.
  • Communication Security

  • DJ Manager where possible enforces that clients use TLS for protection of data in transit.
  • Failed TLS connections do not fallback to insecure connections.
  • All authentication mechanisms require TLS.
  • Sensitive data is always transmitted using TLS.
  • System Configuration

  • Servers, frameworks and system components always use the latest approved/stable version.
  • Servers, frameworks and system components have all critical and high priority patches installed ASAP once verification has taken place, other patches are installed alongside platform updates.
  • Development, Testing, Staging and Production environments are isolated.
  • All changes to code are recorded internally and a sanitised user friendly version is made publicly available with each version release.
  • System Monitoring

  • DJ Manage uses New Relic and Sentry to monitor the infrastructure and application performance, any alerts are sent to our development and infrastructure team.
  • System Backup and Restoration

  • Databases are backed up on a daily basis and stored in a protected and isolated storage environment.
  • Databases backups and restorations are reguarly tested to ensure that in the event of a system failure, the solution can be recovered.
  • A backup of the production database is always taken prior to platform updates.