
Coursedog Security Overview

Coursedog is a cloud-native application running on Amazon Web Services (AWS) and therefore does not store any sensitive data (e.g. PII, Student Data, credit cards, etc.). We have a modern application architecture and utilize a series of security best practices which are outlined below.

For more in-depth information, please visit our publicly available HECVAT. An external audit of our application from SecurityScorecard is available as an attachment at the bottom of the page.

Monitoring

  • Coursedog audits its infrastructure regularly, ensuring deployments are up to date and are indeed required to run.

  • Coursedog uses industry-leading tools to monitor our infrastructure and is notified of anomalies and attacks. Coursedog has over 15 metrics in place to detect DDoS, attempts to fish for data, penetration testers, slowdowns in response times, etc.

  • The Coursedog backend engineering team also follows AWS best practices for server-level penetration testing.

Infrastructure

  • Coursedog is fully hosted in the AWS cloud and leverages their best practices. See the AWS controls and SOC documentation page for more information.

  • Coursedog uses an automated configuration management tool and automated deployments to minimize errors.

  • Coursedog uses immutable infrastructure to avoid having to manage and update our services in place. Instead, services are replaced with upgraded ones.

  • The Coursedog DB clusters are backed up every 8 hours, and Coursedog performs test recoveries monthly.

  • Each customer has its own database to prevent data leakage.

  • Coursedog encrypts all communication between clients, servers, and internal infrastructure. All sensitive data like passwords and session tokens are encrypted, and Coursedog never stores the plaintext representation of them.

  • Coursedog logs API calls, DB queries, and calls to internal services. Coursedog centralizes the logs and monitors them. Each month Coursedog stores over 3GB of logs, which are analyzed to gain extra insights into the well-being of the app.

  • Coursedog monitors the performance of the servers, DB, etc., and receives alerts when something is going wrong. In addition, Coursedog scales resources up and down as needed.

  • Coursedog uses rate limiting to prevent API abuse.

Code

  • Coursedog follows OWASP best practices.

  • All endpoints have a well-defined, strict schema that validates and sanitizes the users' input.

  • Every dependency is evaluated. Coursedog uses as few dependencies as possible and applies security patches whenever they are released, to minimize the attack surface.

  • Coursedog runs security linters on the code and uses test automation tools. The code spends 28000 minutes in CI monthly.

  • Coursedog uses security headers for all HTTP requests.

  • Every addition to the code base is peer-reviewed and assessed with a security checklist which includes:

    • Ensuring all user input is validated and sanitized

    • HTTP endpoints are behind an authentication layer

    • Role-based access control is in place

    • No vulnerable dependency has been introduced

    • No fishing for data is possible

Connection Security

  • Coursedog uses HTTPS to encrypt traffic between the web server and the user’s browser. We do not serve any resources over insecure HTTP.
  • Coursedog uses HSTS (HTTP Strict Transport Security) to ensure that browsers will only allow opening a secure connection to our servers. This protects against protocol downgrade and cookie hijacking attacks.
  • Coursedog supports almost all university-supported authentication methods and prefers Shibboleth/CAS single sign-on.

Data Security

  • Our database is encrypted with AES-256, an industry standard encryption algorithm.
  • Coursedog encrypts all user information before we store credentials in our database.
  • Coursedog uses randomly generated session tokens to identify users, which are sent over HTTPS in every request so we can ensure that data is only accessible by users with the correct privileges. We implement session timeouts consistent with industry best practices.
  • The Coursedog database and backups are managed by MongoDB, a reputable industry leader. Only our servers are IP whitelisted to access the database, and the connection between our server and database is encrypted. Coursedog takes advantage of MongoDB's expertise in creating a strong security profile.
