Security audit of account and payment services
Assured AB were contracted to perform a security assessment of our account and payment services between 2022-11-07 and 2022-11-29.
Quoting the report:
No critical, high or medium rated issues were identified during the penetration test and the overall security of the API is deemed good.
Read the full audit report on Assured’s website.
Issues of note
Most issues were patched while the report was being finished and were noted as such in the final version. A few issues require a larger redesign however but we consider them low risk enough that we decided to publish the report.
3.1 (Low) Unencrypted network traffic to Redis
As the description of the issue points out, the traffic is encrypted on the network layer but the auditors were right to point out that encryption on the application layer would be a good addition. We will follow their recommendation to add server TLS for connections to Redis.
3.3 (Note) Secrets in docker-compose.yml and environment variables
These services run on dedicated hardware with full disk encryption so we feel that these credentials are adequately protected. We are aware that this could be improved and have been working towards a better long-term solution based on storing credentials with a more suitable secrets management tool.
4.3 (Low) IP blocking can be circumvented
This is also something we are aware and know that there is room for improvement. We’re constantly monitoring all our API endpoints for signs of abuse and adjusting our rate-limit policies as needed. Certain public-facing endpoint tend to attract more abuse and therefore require stricter policies while more internal ones can be more relaxed for ease of use.
4.4 (Low) Sensitive information in URL
Most endpoints that reference accounts in this way are internal and have very strict logging policies to make sure nothing sensitive is persisted. We are moving away from this approach however and will follow the auditors’ recommendation to only send account numbers in POST requests.
4.5 (Low) Admin password change does not enforce policy
The policies we have are enforced but they are not strict enough to prevent Sommar2022!. This admin UI is limited to a small group of staff users who all use very strict password policies so it’s very unlikely that any weak passwords have been used. It’s also worth pointing out that this web interface is also protected by client certificate validation and bastion IP white lists. There is no reason not to actually enforce the stricter policies we already follow though so we have increased the minimum password length to 48 characters.
We wish to thank Assured AB for their thorough work and excellent collaboration throughout the audit.