Coursedog is a cloud-native application running on Amazon Web Services (AWS) and does not store sensitive data such as PII, student data, or credit card numbers. It has a modern application architecture and applies the security practices outlined below.
Coursedog audits its infrastructure regularly to confirm that deployments are up to date and that every running component is still needed.
Coursedog uses industry-standard tools to monitor its infrastructure and is alerted to anomalies and attacks. More than 15 metrics are in place to detect DDoS traffic, data-harvesting attempts, scanning and probing by would-be attackers, slowdowns in response time, and similar conditions.
The Coursedog backend engineering team also follows AWS best practices for server-level penetration testing.
Coursedog uses automated configuration management and automated deployments to minimize human error.
Coursedog uses immutable infrastructure: rather than patching and reconfiguring running services in place, it replaces them with freshly built, upgraded instances.
Coursedog database clusters are backed up every 8 hours, and test restores from those backups are performed monthly.
Each customer has its own database, so one customer's data cannot leak into another's.
Coursedog encrypts all communication between clients, servers, and internal infrastructure. Secrets such as passwords and session tokens are stored only in encrypted or hashed form; Coursedog never stores their plaintext.
Coursedog logs API calls, database queries, and calls to internal services. The logs are centralized and monitored; more than 3 GB of logs are retained each month and analyzed for insight into the health of the application.
Coursedog monitors server and database performance and receives alerts when something goes wrong. On top of that, resources are scaled up and down as load changes.
Coursedog uses a rate limiter to prevent API abuse.
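The following is an added illustration of what an API rate limiter does, not Coursedog's own code. It assumes Node.js; the class and function names (`SlidingWindowLimiter`, `rateLimitResponse`, `simulateBurst`) and the "5 requests per second" numbers are hypothetical, and the burst traffic is constructed for the example. The clock is injected so the scenario runs deterministically without sleeping.

```javascript
'use strict';

// Added example (not Coursedog's code): a per-caller sliding-window rate
// limiter of the kind placed in front of an API. The clock is injected so the
// behaviour can be exercised deterministically without sleeping.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;         // requests allowed per window
    this.windowMs = windowMs;   // window length in milliseconds
    this.now = now;
    this.hits = new Map();      // caller key -> ascending request timestamps
  }

  // Decide one request. `key` identifies the caller: API key or user id for
  // authenticated routes, client IP for unauthenticated ones.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const stamps = this.hits.get(key) || [];
    while (stamps.length && stamps[0] <= cutoff) stamps.shift(); // expire old hits
    if (stamps.length >= this.limit) {
      this.hits.set(key, stamps);
      // The oldest hit still inside the window decides when capacity frees up.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + this.windowMs - t };
    }
    stamps.push(t);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterMs: 0 };
  }

  // Drop callers with no hits inside the current window so the map stays bounded.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, stamps] of this.hits) {
      if (!stamps.length || stamps[stamps.length - 1] <= cutoff) this.hits.delete(key);
    }
  }
}

// Map a decision onto the HTTP response: 429 plus Retry-After when rejected,
// and advisory RateLimit-* headers (IETF draft names) either way.
function rateLimitResponse(decision, limit) {
  const headers = {
    'RateLimit-Limit': String(limit),
    'RateLimit-Remaining': String(decision.remaining),
  };
  if (decision.allowed) return { status: null, headers }; // null: let the request proceed
  headers['Retry-After'] = String(Math.ceil(decision.retryAfterMs / 1000));
  return { status: 429, headers };
}

// Constructed scenario: one caller sends 10 requests 100 ms apart against a
// hypothetical limit of 5 per second, then tries again once the window has
// rolled over. A second caller has its own independent bucket.
function simulateBurst() {
  let fakeNow = 1_000_000;
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 1000, now: () => fakeNow });
  const decisions = [];
  for (let i = 0; i < 10; i++) {
    decisions.push(limiter.check('api-key-A'));
    fakeNow += 100;
  }
  const afterWindow = limiter.check('api-key-A'); // t = +1000 ms: the first hit has expired
  const otherCaller = limiter.check('api-key-B');
  return {
    allowed: decisions.map((d) => d.allowed),      // five accepted, then five rejected
    firstRejection: rateLimitResponse(decisions[5], 5),
    afterWindow: afterWindow.allowed,
    otherCaller: otherCaller.allowed,
  };
}
```

The limiter above keeps state in process memory, which only works behind a single instance; a horizontally scaled API keeps the per-caller timestamps (or a token-bucket counter) in a shared store so that every instance enforces the same budget. Keying on an authenticated identity rather than the client IP avoids penalizing a whole campus behind one NAT address.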
Coursedog follows OWASP best practices.
All endpoints have a well-defined, strict schema that validates and sanitizes user input.
Every dependency is evaluated. Coursedog uses as few dependencies as possible and applies security patches as soon as they are released, to keep the attack surface small.
Coursedog runs security linters on the code and uses test automation tools; the code base spends 28,000 minutes in CI each month.
Coursedog sets security headers on all HTTP responses.
Every addition to the code base is peer-reviewed and assessed against a security checklist, which includes:
- all user input is validated and sanitized
- HTTP endpoints sit behind the authentication layer
- role-based access control is in place
- no vulnerable dependency has been introduced
- no endpoint allows data harvesting or enumeration beyond what the caller is authorized to see
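As an added example of the "strict schema that validates and sanitizes user input" property stated above, and of the checklist item on input validation, here is a small schema validator of the kind an endpoint would apply to a request body before it reaches business logic or the database. This is illustrative code, not Coursedog's implementation or its actual schemas: the `validate` function, the `createCourseSchema` shape, and the sample request bodies are all constructed for the example and assume Node.js. The point it makes beyond the prose is what "strict" buys you: unknown fields are rejected rather than silently passed through (which blocks mass assignment and `__proto__` injection), types are not coerced (`"3"` is not `3`), and the validated object is rebuilt from the schema rather than handed back as received.

```javascript
'use strict';

// Added example (not Coursedog's code): a strict, allow-list validator.
// Returns { ok, value, errors }. On success `value` is a new object built only
// from schema-declared keys, with strings sanitized; on failure every problem
// found is reported so the client gets one complete answer.
function validate(schema, input, path = '$') {
  const errors = [];
  const fail = (msg) => ({ ok: false, value: undefined, errors: [`${path}: ${msg}`] });
  switch (schema.type) {
    case 'object': {
      if (input === null || typeof input !== 'object' || Array.isArray(input)) return fail('expected object');
      const allowed = schema.properties || {};
      // Any key not declared in the schema is an error, not something to drop quietly.
      for (const key of Object.keys(input)) {
        if (!Object.prototype.hasOwnProperty.call(allowed, key)) errors.push(`${path}.${key}: unexpected field`);
      }
      const out = {};
      for (const key of Object.keys(allowed)) {
        if (!Object.prototype.hasOwnProperty.call(input, key)) {
          if ((schema.required || []).includes(key)) errors.push(`${path}.${key}: required`);
          continue;
        }
        const r = validate(allowed[key], input[key], `${path}.${key}`);
        if (r.ok) out[key] = r.value; else errors.push(...r.errors);
      }
      return errors.length ? { ok: false, value: undefined, errors } : { ok: true, value: out, errors };
    }
    case 'string': {
      if (typeof input !== 'string') return fail('expected string');
      // Sanitize: strip ASCII control characters and surrounding whitespace.
      const s = input.replace(/[\u0000-\u001f\u007f]/g, '').trim();
      if (schema.maxLength !== undefined && s.length > schema.maxLength) return fail(`longer than ${schema.maxLength}`);
      if (schema.pattern && !schema.pattern.test(s)) return fail('does not match pattern');
      if (schema.enum && !schema.enum.includes(s)) return fail('not an allowed value');
      return { ok: true, value: s, errors };
    }
    case 'integer': {
      // No coercion: the string "3" and the float 3.5 are both rejected.
      if (typeof input !== 'number' || !Number.isInteger(input)) return fail('expected integer');
      if (schema.minimum !== undefined && input < schema.minimum) return fail(`below ${schema.minimum}`);
      if (schema.maximum !== undefined && input > schema.maximum) return fail(`above ${schema.maximum}`);
      return { ok: true, value: input, errors };
    }
    case 'boolean':
      return typeof input === 'boolean' ? { ok: true, value: input, errors } : fail('expected boolean');
    case 'array': {
      if (!Array.isArray(input)) return fail('expected array');
      if (schema.maxItems !== undefined && input.length > schema.maxItems) return fail(`more than ${schema.maxItems} items`);
      const out = [];
      input.forEach((item, i) => {
        const r = validate(schema.items, item, `${path}[${i}]`);
        if (r.ok) out.push(r.value); else errors.push(...r.errors);
      });
      return errors.length ? { ok: false, value: undefined, errors } : { ok: true, value: out, errors };
    }
    default:
      return fail(`unsupported schema type ${schema.type}`);
  }
}

// Hypothetical schema for a "create course" request body (not Coursedog's real one).
const createCourseSchema = {
  type: 'object',
  required: ['code', 'title', 'credits'],
  properties: {
    code: { type: 'string', pattern: /^[A-Z]{2,4}-\d{3}$/, maxLength: 8 },
    title: { type: 'string', maxLength: 120 },
    credits: { type: 'integer', minimum: 0, maximum: 12 },
    tags: { type: 'array', maxItems: 10, items: { type: 'string', maxLength: 30 } },
  },
};

// Constructed request bodies exercising the cases that matter in review.
function demoValidation() {
  const good = validate(createCourseSchema, { code: 'CS-101', title: '  Intro\u0000 to CS  ', credits: 3, tags: ['core'] });
  // Mass-assignment / prototype-pollution attempt: extra keys are errors, not ignored.
  const extra = validate(createCourseSchema,
    JSON.parse('{"code":"CS-101","title":"x","credits":3,"approved":true,"__proto__":{"admin":true}}'));
  const coerced = validate(createCourseSchema, { code: 'CS-101', title: 'x', credits: '3' });
  const badCode = validate(createCourseSchema, { code: 'cs101', credits: 3 });
  return { good, extra, coerced, badCode };
}
```

Only the object returned in `value` should be passed on to the handler and the database; the raw request body is never used again after validation, which is what makes the allow-list effective.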
- Coursedog uses HTTPS to encrypt traffic between the web server and the user’s browser. We do not serve any resources over insecure HTTP.
- Coursedog uses HSTS (HTTP Strict Transport Security) to ensure that browsers will only allow opening a secure connection to our servers. This protects against protocol downgrade and cookie hijacking attacks.
- Coursedog supports almost all authentication methods used by universities and prefers Shibboleth/CAS single sign-on.
- Our database is encrypted with AES-256, an industry-standard encryption algorithm.
- Coursedog encrypts user information, including credentials, before storing it in the database.
- Coursedog identifies users with randomly generated session tokens, which are sent over HTTPS with every request so that data is accessible only to users with the correct privileges. Session timeouts are enforced in line with industry best practice.
- The Coursedog database and its backups are managed by MongoDB, an established industry vendor. Only Coursedog's own servers are IP-allowlisted to reach the database, and the server-to-database connection is encrypted. Coursedog relies on MongoDB's expertise to maintain a strong security profile.
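The HTTPS-only and HSTS bullets above, together with the earlier statement that security headers are set on all HTTP responses, describe a configuration that is easy to get subtly wrong (a short `max-age`, a missing `includeSubDomains`, a session cookie without `Secure`). The following added example, which is not Coursedog's code and makes no claim about what Coursedog's servers actually send, shows a baseline header set and a checker that audits a response's headers against it. It assumes Node.js; `securityHeaders`, `parseHsts` and `auditHeaders` are hypothetical names, and the two sample responses are constructed for the example.

```javascript
'use strict';

// Added example (not Coursedog's code). Header names are lower-case as Node's
// http module exposes them; res.setHeader() is case-insensitive anyway.
const ONE_YEAR = 31536000; // seconds

// Baseline headers an HTTPS-only web application should send on every response.
function securityHeaders() {
  return {
    'strict-transport-security': `max-age=${ONE_YEAR}; includeSubDomains`,
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    'referrer-policy': 'strict-origin-when-cross-origin',
    'cache-control': 'no-store',
  };
}

// Parse a Strict-Transport-Security value into its directives.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [name, raw] = part.trim().split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age' && raw !== undefined && /^\d+$/.test(raw)) out.maxAge = Number(raw);
    else if (key === 'includesubdomains') out.includeSubDomains = true;
    else if (key === 'preload') out.preload = true;
  }
  return out;
}

// Audit a response's headers. Returns a list of findings; empty means it passes.
function auditHeaders(rawHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) h[name.toLowerCase()] = value;
  const findings = [];

  const hstsRaw = h['strict-transport-security'];
  if (hstsRaw === undefined) {
    findings.push('HSTS missing: a browser may still open a plain HTTP connection to this host');
  } else {
    const hsts = parseHsts(String(hstsRaw));
    if (hsts.maxAge === null) findings.push('HSTS max-age missing or malformed');
    else if (hsts.maxAge < ONE_YEAR) findings.push(`HSTS max-age=${hsts.maxAge} is below one year (${ONE_YEAR})`);
    if (!hsts.includeSubDomains) {
      findings.push('HSTS lacks includeSubDomains: cookies scoped to the parent domain can be sent over HTTP to a subdomain');
    }
  }
  if (String(h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing: browsers may MIME-sniff responses');
  }
  const csp = String(h['content-security-policy'] || '');
  if (!/frame-ancestors/i.test(csp) && h['x-frame-options'] === undefined) {
    findings.push('no frame-ancestors directive or X-Frame-Options: page can be framed (clickjacking)');
  }
  // Session cookies must never travel over HTTP or be readable from script.
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    const missing = ['secure', 'httponly'].filter((flag) => !attrs.includes(flag));
    if (missing.length) findings.push(`cookie "${name}" lacks ${missing.join(' and ')}`);
  }
  return findings;
}

// Constructed sample responses: a weak configuration and the corrected one.
const weakResponse = {
  'Strict-Transport-Security': 'max-age=300',
  'Set-Cookie': 'session=abc123; Path=/',
};
const hardenedResponse = Object.assign({}, securityHeaders(), {
  'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
});
```

Run `auditHeaders` against the headers returned by a real request to the deployment (for instance `res.headers` from `https.get`) as part of a deployment smoke test; the weak sample above produces five findings and the hardened one none. HSTS only helps after a browser has seen the header once over HTTPS, which is why the HTTP listener should do nothing but redirect to HTTPS and why a long `max-age` matters.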
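The credential and session bullets above (and the earlier statement that passwords and session tokens are never stored in plaintext) describe three mechanisms: credentials that cannot be recovered from the database, unguessable session tokens, and session timeouts. The added example below, which is not Coursedog's code and does not describe its actual implementation, shows one standard way to do each with only Node's built-in `crypto` module: passwords stored as salted scrypt hashes (a one-way form, so a database copy yields nothing to replay), session tokens generated from a CSPRNG and stored only as a SHA-256 fingerprint, and both an idle and an absolute timeout. `hashPassword`, `verifyPassword`, `SessionStore` and the timeout values are hypothetical names and choices; the clock is injected so the timeout scenario runs deterministically.

```javascript
'use strict';

const crypto = require('crypto');

// Added example (not Coursedog's code). Work-factor parameters are an
// assumption to be tuned per deployment; the record is self-describing so
// they can be raised later without invalidating existing hashes.
const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 }; // 16 MiB per hash

// Store only a salted, one-way hash of the password.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32, SCRYPT_PARAMS);
  return ['scrypt', SCRYPT_PARAMS.N, SCRYPT_PARAMS.r, SCRYPT_PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Recompute the hash with the parameters stored in the record and compare in
// constant time so timing does not reveal how many bytes matched.
function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [, N, r, p, saltB64, keyB64] = parts;
  const salt = Buffer.from(saltB64, 'base64');
  const expected = Buffer.from(keyB64, 'base64');
  if (expected.length !== 32) return false;
  const actual = crypto.scryptSync(password, salt, 32, { N: Number(N), r: Number(r), p: Number(p) });
  return crypto.timingSafeEqual(actual, expected);
}

// Assumed timeout policy (hypothetical values): a session ends after 30 min
// without a request, and unconditionally 12 h after it was created.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;
const ABSOLUTE_TIMEOUT_MS = 12 * 60 * 60 * 1000;

// Only the SHA-256 of a token is persisted, so a leaked session table cannot
// be replayed against the API.
function fingerprint(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = new Map(); // fingerprint -> { userId, createdAt, lastSeenAt }
  }

  // Returns the plaintext token to send to the client (once); it is not kept.
  create(userId) {
    const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
    const t = this.now();
    this.sessions.set(fingerprint(token), { userId, createdAt: t, lastSeenAt: t });
    return token;
  }

  // Returns the userId for a valid token, or null; refreshes the idle timer.
  resolve(token) {
    const key = fingerprint(token);
    const s = this.sessions.get(key);
    if (!s) return null;
    const t = this.now();
    if (t - s.lastSeenAt > IDLE_TIMEOUT_MS || t - s.createdAt > ABSOLUTE_TIMEOUT_MS) {
      this.sessions.delete(key);
      return null;
    }
    s.lastSeenAt = t;
    return s.userId;
  }

  revoke(token) {
    this.sessions.delete(fingerprint(token));
  }
}

// Constructed scenario exercising both timeouts with a fake clock.
function demoSessionTimeouts() {
  let fakeNow = 0;
  const store = new SessionStore(() => fakeNow);
  const token = store.create('user-42');
  fakeNow += 10 * 60 * 1000;                       // 10 min later: still valid
  const activeOk = store.resolve(token) === 'user-42';
  fakeNow += 31 * 60 * 1000;                       // 31 min idle: expired
  const idleExpired = store.resolve(token) === null;
  const token2 = store.create('user-42');
  for (let i = 0; i < 52; i++) {                   // 13 h of steady use, never idle
    fakeNow += 15 * 60 * 1000;
    store.resolve(token2);
  }
  const absoluteExpired = store.resolve(token2) === null;
  return { activeOk, idleExpired, absoluteExpired };
}
```

Sending the token as a cookie marked `Secure; HttpOnly; SameSite=Lax` keeps it off plain HTTP and out of reach of page scripts; the server-side fingerprinting is what makes "never stored in plaintext" true for tokens as well as for passwords.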
- Coursedog Application Architecture
- Data Backup Policy
- Coursedog Higher Education Cloud Vendor Assessment Tool (HECVAT)
- Load, Stress & Performance Testing Results
- Coursedog Application Accessibility