Overview
Coursedog is a cloud-native application running on Amazon Web Services (AWS) and therefore does not store any sensitive data (e.g. PII, Student Data, credit cards, etc.).
We have a modern application architecture and utilize a series of security best practices which are outlined below.
Security Assessments
For more in-depth information, please visit our publicly available HECVAT.
An external audit of our application from SecurityScorecard is attached at the bottom of this page. SecurityScorecard allows you to sign up and monitor applications for security updates.
Monitoring
We audit our infrastructure regularly, ensuring that deployments are up to date and that each one is actually required to run.
Coursedog uses industry-best tools to monitor our infrastructure and is notified of anomalies and attacks. Coursedog has over 15 metrics in place to detect DDoS attacks, attempts to fish for data, penetration testers, slowdowns in response times, etc.
The Coursedog backend engineering team also follows AWS best practices for server-level penetration testing.
Infrastructure
Coursedog is fully hosted in the AWS cloud and leverages their best practices. See the AWS controls and SOC documentation page for more information.
Coursedog uses a separate Virtual Private Cloud (VPC) for each environment with private and public subnets. The app servers are placed in private subnets and load balancers on public subnets.
Coursedog has placed a web application firewall (WAF) in front of all applications, which protects our APIs against bots and exploits that consume resources, skew metrics, or cause downtime.
Coursedog uses an automated configuration management tool and automated deployments to minimize errors.
Coursedog uses immutable infrastructure to avoid having to manage and update our services on our own; instead of updating them in place, we upgrade them.
Coursedog database (DB) clusters are backed up every 8 hours, and Coursedog performs test recoveries monthly.
Each customer has its own database within a single MongoDB instance to prevent data leakage.
Coursedog encrypts all communication between clients, servers, and internal infrastructure. All sensitive data, such as passwords and session tokens, is encrypted, and Coursedog never stores the plaintext representation of it.
Coursedog logs API calls, DB queries, and calls to internal services. Coursedog centralizes the logs and monitors them. Each month Coursedog stores over 3GB of logs, which are analyzed to gain extra insights into the well-being of the app.
Coursedog monitors the performance of the server, DB, etc., and receives alerts when something goes wrong. On top of that, Coursedog scales its resources up and down.
Coursedog uses a rate limiter to prevent API abuse.
You can learn more about our infrastructure here.
Code
Coursedog follows OWASP best practices.
All endpoints have a well-defined, strict schema that validates and sanitizes users' input.
Every dependency is evaluated. Coursedog uses as few dependencies as possible, applying security patches whenever these are released to minimize the surface area of a possible attack.
Coursedog runs security linters on the code and uses test automation tools. The code spends 28000 minutes in CI monthly.
Coursedog uses security headers for all HTTP requests.
Every addition to the code base is peer-reviewed and assessed with a security checklist which includes:
Ensuring all of the user input is validated and sanitized.
HTTP endpoints are behind an auth layer.
Role access control is in place.
No vulnerable dependency has been introduced.
No fishing for data is possible.
Connection Security
Coursedog uses HTTPS to encrypt traffic between the web server and the user’s browser. We do not serve any resources over insecure HTTP.
Coursedog uses HSTS (HTTP Strict Transport Security) to ensure that browsers will only allow opening a secure connection to our servers. This protects against protocol downgrade and cookie hijacking attacks.
Coursedog supports almost all university-supported authentication techniques and prefers Shibboleth/CAS single sign-on.
Data Security
Our database is encrypted with AES-256, an industry-standard encryption algorithm.
Coursedog encrypts all user information before we store credentials in our database.
Coursedog uses randomly generated session tokens to identify users, which are sent over HTTPS in every request so we can ensure that data is only accessible by users with the correct privileges. We implement session timeouts consistent with industry best practices.
The Coursedog database and backups are managed by MongoDB, a reputable industry leader. Only our servers are IP whitelisted to access the database, and the connection between our server and database is encrypted. Coursedog takes advantage of MongoDB's expertise in creating a strong security profile.