EgoWeb 2.0 Security Features
EgoWeb 2.0 has various safety features to ensure secure data storage and transmission and prevent unauthorized access. EgoWeb 2.0 has been tested for OWASP 10 Most Critical Web Application Security Risks using OWASP ZAP. Security vulnerabilities have been addressed including implementation of encryption and secure login procedures. EgoWeb 2.0 encryption uses Yii’s CPasswordHelper. Database and application can be set up on different servers to enhance security. Each EgoWeb 2.0 server can be set up with a unique encryption key, making the database secure and difficult to decrypt without access to the application server. EgoWeb 2.0 should meet many researchers' and organizations’ standards for software security but users have to make the determination of the security acceptability. EgoWeb 2.0 code is provided on an “as is” basis and the user assumes responsibility for its use. This code has not been peer-reviewed or otherwise evaluated beyond the development team, and is made available here without guarantee. EgoWeb 2.0 developers are not responsible for errors and is not committed to maintenance, updates or support. EgoWeb 2.0 security features include:
- All (potentially sensitive) survey response data is encrypted in the database. This includes encryption of all response data and personally identifying information (such as names of alters), as well as user names.
- Brute force login attempts are prevented by forcing a captcha image verification input after a certain number of bad logins.
- Malicious cross site scripting attacks are prevented by passing a randomly generated token with each request that's validated to ensure it comes from the EgoWeb 2.0 site.
- Upload file sizes are limited to prevent crashing the site and gaining malicious access.
- Access to (potentially sensitive) survey response data in the web UI requires appropriate role-level access.
- API level access requires API key.
Most security feature are configured in app/protected/config/main.php:
- The data encryption key and algorithm are configured in the “securityManager” and “params” sections.
- “maxLoginAttempts” is configured in the “securityManager” section.
- “enableCsrfValidation” and “noCsrfValidationRoutes” are configured in the “request” section.
- “maxUploadFileSize” is configured in the “params” section.
- “apiKey” is configured in the “params” section.
Furthermore, SQL injection is prevented via the data layer through ORM and prepared statements.
Discussion
Control Deficiency
Non PHI EgoWeb server cannot have JQuery and OpenSSL software updated because it utilizes the deprecated code within these libraries.
Can these be updated and the system still operate?
Thanks