DynamicWeb 10 Security
DynamicWeb 10 is a web application serving web pages on a web server. Overall there are two areas of security to consider when hosting a DynamicWeb solution:
- Infrastructure tier security (firewall, Windows, IIS, SQL Server, ASP.NET and related technologies)
- Application tier security (the DynamicWeb application)
This document primarily covers the application tier security. For infrastructure tier security, please refer to the hosting provider.
Below is a comprehensive view of the security measures and best practices implemented in DynamicWeb 10, incorporating information from official security reports, Microsoft security practices, and third-party security partnerships.
Infrastructure tier security
DynamicWeb relies on best-in-class infrastructure security for its web hosting, including:
- Firewalls
- Secure server configurations
- Stringent access control mechanisms
These measures help protect against unauthorized access to the system while maintaining compliance with GDPR and other data privacy laws. For additional protection, ECIT acts as our external security consultant, continuously monitoring our infrastructure, performing vulnerability scans, and helping implement the latest cyber protection tools to ensure the highest levels of security.
Application tier security
At the application level, DynamicWeb 10 has several integrated defenses designed to secure both the frontend and backend:
User Access Control (UAC)
DynamicWeb 10 implements multiple layers of User Access Control (UAC), which defines the scope of permissions:
- Anonymous users can browse the public areas of the site.
- Authenticated users have access to specific areas based on assigned roles.
- Administrators have full access to both frontend and backend interfaces, ensuring secure content management.
Security against common attacks
DynamicWeb is equipped to handle several common web application vulnerabilities by employing mitigation strategies for:
- Cross-Site Scripting (XSS)
- SQL Injection
- HTTP Header Injections
- Cookie Attacks
These safeguards are regularly tested using automated tools, which automate the detection of vulnerabilities such as SQL injection.
Secure coding practices
DynamicWeb aligns with Microsoft's secure coding guidelines, ensuring that developers use best practices in preventing vulnerabilities during the software development lifecycle. In Visual Studio, developers are required to:
- Run static code analysis using built-in tools such as Snyk and Microsoft's Code Analysis to detect and resolve vulnerabilities early in the development process.
- Follow coding rules related to key security areas, including encryption, secure authentication, and data validation.
Moreover, compliance with OWASP Top 10 guidelines ensures that our application remains protected against the most prevalent security risks.
Security bug fix policy
To ensure continuous protection, DynamicWeb follows a well-defined security bug fix policy that categorizes vulnerabilities based on severity:
- Critical vulnerabilities are fixed within 2 business days.
- High and Medium severity issues are resolved within 5 to 20 business days, depending on the complexity.
Security reports, including any vulnerabilities discovered, are handled through an internal escalation process, and all reported issues are logged within Azure DevOps to track and resolve them efficiently.
Security report handling
DynamicWeb encourages responsible disclosure of security vulnerabilities and has a formalized process for security report handling:
- Submission: All security reports can be submitted through our Partner Support system or by directly contacting our team.
- Verification: Each report is assessed and verified for its validity.
- Response: Critical vulnerabilities are addressed as a matter of urgency, with fixes deployed as part of regular maintenance releases.
Third-party security audits
In addition to internal security measures, DynamicWeb partners with ECIT for external security audits, vulnerability scanning of internal systems, and employee training. ECIT's services ensure that our systems are continuously monitored for vulnerabilities, and their expertise in managing IT security helps bolster our internal processes.
NIS2 & Login security
The EU NIS2 Directive that will soon take effect requires organizations to keep their software up to date as part of their cybersecurity obligations. In alignment with the NIS2 Directive's emphasis on enhancing cybersecurity across affected sectors, we encourage our customers to reinforce the login security of DynamicWeb to ensure robust protection of user accounts and sensitive data.
NIS2 underscores the importance of implementing strong authentication mechanisms to safeguard access to network and information systems.
DynamicWeb supports a variety of secure login methods and other login-related security measures, such as:
- TOTP (Time-based One-time Passwords)
- Password Authentication with Magic Links
- MFA with email-based verification codes
- Secure password policies
- Encryption of login credentials
These measures significantly reduce the risk of unauthorized access, ensuring that your organization's operations are secure and compliant with the stringent requirements set forth by NIS2. We encourage you to adopt these security enhancements to fortify your defense against potential cyber threats.
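To make the TOTP bullet above concrete, here is an added illustration of how a server verifies a time-based one-time password (RFC 6238 on top of RFC 4226 HOTP). This is example code written for this page, not DynamicWeb's implementation; the shared secret, the 30-second time step, the one-step drift window and the in-memory replay register are assumptions chosen for the demonstration. The replay register is the part a practitioner should not forget: a valid code must be accepted at most once, otherwise a captured code remains usable for the rest of its time step.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, int(at_time) // step, digits)


def match_totp(secret: bytes, code: str, at_time: int, step: int = 30,
               digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter that produced `code` if it lies within +/- `window` steps
    of the current counter, otherwise None. Comparison is constant-time so the
    check does not leak how many leading digits matched."""
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate_counter = current + delta
        if hmac.compare_digest(hotp(secret, candidate_counter, digits), code):
            return candidate_counter
    return None


class TotpVerifier:
    """Verifies TOTP codes and refuses replays by remembering, per user, the
    highest counter already accepted (an assumed in-memory store; a real
    deployment would persist this alongside the user record)."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str,
               at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        counter = match_totp(secret, code, now, self.step, self.digits, self.window)
        if counter is None:
            return False
        # Reject any counter at or below the last accepted one: a code is single-use.
        if counter <= self._last_counter.get(user, -1):
            return False
        self._last_counter[user] = counter
        return True


if __name__ == "__main__":
    # Constructed demo secret; it is the RFC 4226/6238 test-vector seed, not a real key.
    demo_secret = b"12345678901234567890"
    verifier = TotpVerifier()
    code = totp(demo_secret, 59)
    print("first use accepted:", verifier.verify("alice", demo_secret, code, at_time=59))
    print("replay rejected:   ", not verifier.verify("alice", demo_secret, code, at_time=61))
```

The drift window tolerates a client clock that is one step ahead or behind; widening it beyond one or two steps only enlarges the interval during which a captured code stays valid, so it should be a deliberate choice rather than a convenience setting.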