Over the last 2 months we have been working on bringing our product up to the standard required by the NZISM.
We have found it’s easy to say that you build software with security in mind. It’s another thing entirely to dig into every service and lock them down. From starting our own internal assessments to bringing in an external vendor to carry out a full Security and Risk Assessment, this process has consumed our team since early November.
Working off a checklist provided by our vendor, we proceeded to lock down text fields, encrypt local files, enforce timeouts across the site (fun with Angular), and apply password policies to every field where a customer can change their password.
Along the way we found a stack of surprises such as:
- Windows Communication Foundation (WCF) has to be specifically configured to support TLS 1.2. If not, it runs TLS 1.0, which is easily crackable.
- SQL Server 2014 doesn’t work with TLS 1.2 enabled. This is fixed by applying the latest patch, but I would assume that older versions of SQL don’t support TLS 1.2 either.
- Securing our own system isn’t enough; we also have to require our customers to run .NET 4.5, which supports TLS 1.2. This would also apply to older browsers that don’t support the standard.
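The WCF and .NET 4.5 points above come down to one setting plus a way to confirm it took effect. The following is an added example, not code from the original post or from the product it describes: it pins an outbound .NET 4.5 client to TLS 1.2 (WCF’s HTTPS bindings honour ServicePointManager.SecurityProtocol) and then opens a TLS 1.2-only connection to a host you operate to report which protocol the server actually negotiated. The host and port are assumptions passed on the command line; the class and method names are ours.

```csharp
// Added example (not from the original post): force TLS 1.2 for a .NET 4.5 /
// WCF client process and verify what the server negotiates.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

class TlsCheck
{
    static int Main(string[] args)
    {
        // Assumed inputs: a host and port you operate, e.g. your own WCF endpoint.
        string host = args.Length > 0 ? args[0] : "localhost";
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        // On .NET 4.5 ServicePointManager defaults to SSL 3.0 / TLS 1.0, and
        // WCF's HTTPS transports use that setting. Restrict the process to TLS 1.2.
        // (On .NET 4.7+, prefer SystemDefault and disable old protocols in Schannel.)
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        try
        {
            SslProtocols negotiated = NegotiatedProtocol(host, port);
            Console.WriteLine("{0}:{1} negotiated {2}", host, port, negotiated);
            return negotiated == SslProtocols.Tls12 ? 0 : 1;
        }
        catch (AuthenticationException ex)
        {
            // The server refused a TLS 1.2-only handshake: it still needs patching.
            Console.WriteLine("{0}:{1} cannot negotiate TLS 1.2: {2}", host, port, ex.Message);
            return 2;
        }
    }

    // Offers the server only TLS 1.2 and returns the protocol it agreed to.
    // Certificate validation and revocation checking are left on deliberately,
    // so a misconfigured server certificate also surfaces here.
    static SslProtocols NegotiatedProtocol(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
        {
            ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, checkCertificateRevocation: true);
            return ssl.SslProtocol;
        }
    }
}
```

Run it against each endpoint after applying the SQL Server patch or the WCF change; an exit code of 0 means TLS 1.2 was negotiated, 2 means the handshake was rejected, which is the symptom an older client or server shows.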
Why don’t cloud applications talk more about security?
After going through this process, we noticed that other companies in our sector don’t make a big deal about security. It’s one thing to say you use HTTPS and payload encryption, but it’s something entirely different to dig out the hundreds of little things that add up to big problems. And if you had spent two months of runway to meet a government manual on security, why wouldn’t you shout that as loud as you can?