-
Notifications
You must be signed in to change notification settings - Fork 1
Security
Maintaining security standards for Hale Platform, a web application, involves a comprehensive approach to safeguard against vulnerabilities and ensure data protection, with a focus on proportionality. This means implementing security measures that are appropriate to the level of risk and the sensitivity of the data being protected, ensuring a balanced approach that avoids both over-securing and under-securing the platform. 🔒✅
Our key practices:
Conduct regular security audits to identify and address potential vulnerabilities. This includes code reviews, penetration testing, and vulnerability assessments to ensure the application is resilient against attacks (Cymulate report).
Adopt secure coding practices to minimise risks from the development phase. Implement input validation, output encoding, and avoid using insecure functions. Ensure that all developers are trained in secure coding techniques. Log and securely manage access control when deploying to the platform.
Implement robust authentication mechanisms. Ensure proper authorisation checks are in place to prevent unauthorised access to sensitive data and functionalities.
Encrypt sensitive data both in transit and at rest. Use industry-standard encryption protocols such as TLS for data transmission (1.3 or higher) and AES for storing data securely if required.
Keep the platform and its dependencies up to date with the latest security patches. Regularly update third-party libraries and frameworks (WordPress) to mitigate risks from known vulnerabilities.
Establish comprehensive monitoring and logging mechanisms to detect and respond to suspicious activities. Analyse logs regularly to identify and mitigate potential security threats. We use an industry leading WAF in front of our platform and have monitoring of the ingress/egress running though.
Develop and maintain an incident response plan to address security breaches promptly. This should include steps for containment, eradication, recovery, and post-incident analysis.
Educate users about security best practices, such as recognising phishing attempts and using strong, unique passwords. User training can significantly reduce the risk of security incidents caused by human error.
Implement strict access control policies to ensure that users only have access to the data and functionalities necessary for their roles. Regularly review and update access controls to align with current roles and responsibilities. These include limiting who can publish code and have access to deploy to our platform.
Ensure compliance with relevant Government regulations and standards, such as GDPR, NCSC, to avoid legal repercussions and enhance the platform's security posture.
By adhering to these security standards, Hale Platform can significantly enhance its resilience against cyber threats, protect user data, and maintain trust with its user base.