
Security questionnaire from large customer #48

Open
dberesford opened this issue Mar 25, 2016 · 3 comments

dberesford commented Mar 25, 2016

The following is a snippet from a customer's security document; this is something all new apps for this company have to fill in. Please indicate what Concorda supports out of the box, and consider anything it doesn't to be a requirement :-)

Authentication

  • What authentication measures are used for accessing the application? (Username/password, One time token, IP Whitelisting, host based certificate etc.)
ANSWER: user/password
  • Does the application provide Single Sign On (SSO) authenticated for the users?
ANSWER: Not at the moment
  • Which of the following technologies is used for SSO authentication mechanism: ADS / ITDS / Domino ?
    If the application does not use SSO, please complete the following questions:
  • Does the application implement the password policy?
Password must be at least 8 characters long and meet at least two of the following conditions: 
Mix of letters and numbers 
Mix of upper and lower case letters 
Special characters (e.g., # & * ! $)
ANSWER: YES, configurable
  • Describe account provision process. (self-registration or system generation or manual admin creation)
ANSWER: self-registration or manual admin creation
  • Is the user required to change their password after the first logon?
ANSWER: Yes, configurable
  • Is the password displayed in clear text?
ANSWER: NO
  • Are credentials stored in clear text?
ANSWER: NO
  • Is the Auto-Complete feature turned off on login page?
ANSWER: NO
  • Are user credentials transmitted over an encrypted channel?
ANSWER: NO
  • Is an account lockout feature implemented? How many failed attempts will trigger account lockout?
ANSWER: NO
  • What is the process to unlock an account?
  • Do the application configuration files store the username or password?
ANSWER: DB credentials are stored in config file or environment variable
  • Does the application have a 'Logout' feature on every page?
ANSWER: Logout is part of the menu, which is displayed in the header.
  • Describe how passwords are communicated to users? Is the password sent together with the username?
ANSWER: No password is communicated to the user. The application does not store clear-text passwords. Users can reset their passwords.
  • How does a user recover a forgotten password? Please describe the process.
ANSWER: The user clicks "Forgot password" on the login page. On the reset password page the user must enter their email. An email with a reset password is sent to that email address. The user then uses the reset URL to change their password.

The user's password can also be changed from the Concorda dashboard, but the new password is not sent to the user.
  • Does the application show a generic error message when an incorrect username and/or password are entered without revealing which one is incorrect?
ANSWER: the message is: "Incorrect login information"
  • What is the cache header for a login request and response? Does the browser cache a user’s login?
ANSWER: Session cookies are used.
@mirceaalexandru (Collaborator)

@dberesford In order to make it simpler to respond I added my responses directly in your questionnaire.

I will take all of these as priority tasks and change my answers as I implement them.

@mirceaalexandru (Collaborator)

@dberesford

This:

Is the user required to change their password after the first logon?

should also be implemented at the client application level. Concorda can signal this situation as part of the login response, but the implementation should be done in the client app.

@mirceaalexandru (Collaborator)

  • Is the user required to change their password after the first logon?
Yes, in the next version.
  • Password policy
Now it is implemented with hardcoded rules: min 8 chars, at least one lowercase/uppercase. Configurable in the near future.
  • The user should activate the account by using a URL received in the email, thus validating the email address.
  • Does the application show a generic error message when an incorrect username and/or password are entered without revealing which one is incorrect?
Now the message is: "Incorrect login information"
