Medium

The (web-)application is subject to automated vulnerability scanning at least once per quarter. Scanning occurs authenticated as much as possible.

Network connected IT systems are subjected to automatic vulnerability scanning at least once per month. Scanning occurs authenticated where possible.

The organization has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities.

IT services run in their own virtual environments, vulnerabilities in one service cannot give access to other services. This includes no multiple websites on the same webserver unless they share the same Security Capability Level and purpose, the same applies to databases between different services.

Services run under their own account with minimal necessary privileges . Only necessary services run on production servers, and are only accessible to necessary interfaces using Host-based Firewalls. All services are maintained and kept up-to-date. For each running service on servers, hardening guides are followed and deviations from hardening guides due to business requirements are documented.Local Firewall rules limit service traffic to ports filtered as restrictive as possible.

IT systems have standard configurations that follow recommended hardening guidelines. Before new systems are taken into production, the systems are tested for adhering to the hardening guidelines. The standard images are tested for security vulnerabilities during regular vulnerability management process and are updated accordingly. Systems are periodically checked against the hardening baseline, preferably automatically.

Document a security configuration baseline for the system based on current best practices from vendors and desired functionality. The baseline must be updated at least annually. Use this baseline for all new and recovered systems.

The system scans attachments, uploads and links for malware and filters content identified as harmful by these scans.

Description Mobile Applications use certificate pinning to prevent MitM attacks on apps and Open WiFi. Mobile applications have protections for the binaries that users can download. Mobile apps preferably store information encrypted and containerised. Sensitive information must be stored server-side unless specifically needed for functioning of the application.

Appropriate secrets management is applied to confidential information needed to develop and deliver the service. No hardcoded credentials and configurations are present in source code, only in separate configuration files with appropriate security protections. No sensitive information can be found in versioning information and older releases in version management systems. Configuration is stored in environment variables or in versioned scripts that generate the configuration based on user input.