This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again.


Subject İnformation
Author starwolf Replies 0
Share Views 16163
Security policy
#1
Security Policy
Security related information regarding Star Wolves product development and self-managed services.

Domain names
The domain names make use of DNSSEC.

Email postmaster
The email postmaster that sends emails to users for verification and recovery options only sends SSL-encrypted emails.

Server security
Server installations are deployed on Linux and have undergone routine security measurements. From intrusion prevention software, to whitelisting only specific static IP addresses with firewalls and by making proper use of Linux users, permissions systems and administrators use password vaults with randomly generated passwords and two factor authentication.
Services run on secure servers inside data-centers with optimal geographic positions. These data-centers are secured and only physically and remotely accessible by trusted people.

Service security
Web services are offered as HTTPS-only.
User and admins ervices that provide login portals have sets of minimum password requirements. Login functionality of our services comes either as rate limited or with captchas to protect against bots. Or both!
Backups are performed every month and are only accessible by persons of high authorization.

1. MyBB (starwolves.io forum)
MyBB is a free open source BulletinBoard project that has existed and matured for many years. It has undergone a lot of security analyses and updates. For this instance the security advises have been heard and many security related settings have been tweaked. The MySQL database has been secured.

2. Gitlab (gitlab.starwolves.io)
Gitlab community edition is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. The security advises have been heard and security tweaks have been made to it as well. Gitlab is mature and backed by big business.

3. Matrix (comms.starwolves.io)
Dendrite is a new Matrix homeserver written in Go. It is free open source and currently still in an early development state. Matrix is a very secure messaging system and messages are only stored in encrypted forms inside the databases.

4. Store (store.starwolves.io)
The store is a custom Node.js solution that accepts credit card payments with Stripe. We do not store any sensitive payment or personal information on our servers, instead these are stored on the servers of Stripe. The store has rate limiters installed and user passwords are hashed using Argon2. Input on all POST and GET methods are validated server-side. SQL queries that involve input are escaped. Sensitive endpoints are whitelisted by IP address. The store is exclusively served over a secure https connection. Server-side API keys have been stripped of as much permissions as possible.

Security of high authorization persons
Persons with high levels of access are expected to practice digital hygiene. This is reserved for server maintainers, administrators, DevOps and the like.
Required digital hygiene points:
  1. Manage your device(s) accounts with access to high authorization accounts(1) responsibly, professionally and maturely and only entrust it to people that you explicitly entrust with all this data (people whose full identity you know) and people that have to your estimations a low chance of maliciously making use of your device(s).
  2. Usage of two-factor authentication for all relevant accounts(1). Two factor authentication secrets must be stored inside a password protected ENCRYPTED application (like Android app Aegis) or other secure password vaults with TOTP features.
  3. Usage of a password vault with randomly generated strings as passwords for the relevant authorized accounts(1).
  4. Usage of device and disk encryption supplied as features with operating systems for devices that have access to relevant authorized accounts(1). For Windows users, this includes BitLocker + character PIN on boot.

For persons with such access: A full identity exchange including verification of legal personal identification documents through trusted services (ie electronicid.eu) are required. 


Footnotes:
  1. Accounts that have high levels of authorization to one or more of our servers, services or products. ↩2 ↩3 ↩4
Reply




Users browsing this thread:
2 Guest(s)