Jun 28, 01 / Jun 17, 17 18:30 UTC
Basic Levels of Security ¶
My initial observations are that there is plenty of room for improvement regarding basic security.
I'll try to refrain from turning my first post into a rant of ALL observations, but I will start with a few things very basic.
> User Authentication: The initial registration process does not allow the user to set a password of their choice. This is okay, but the initial password (which is emailed so should not be considered secure) needs to be changed at first login. In fact registration should time-out and not considered valid until this initial password has been changed, limiting access to only the completion of the registration process. NOTE: Voting is allowed prior to the completion and verification of the registration process. This can make the voting process invalid as it is not required to validate registration from a unique email address prior to voting.
Two factor authentication also needs to be at least an option. Many people tend to re-use passwords or have very week passwords. Also the fact is that some Asgardians subscribe to many forms of public media sites whilst using the same username and password; if any of those sites become compromised the use of a static password becomes a problem. Multiple forms of two factor authentication exist therefore there should be multiple options (YubiKey, Duo, Authy, Onlykey, etc. )
> Password Storage: Simply put; the following should be a guideline -https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
> Data at rest/transit/use: Data needs to be encrypted in a way which prevents all or parts of data in a database from being exposed if compromised. One solution that may be considered is ZeroDB / NuCypher.
Asgardia, if not already, will be a target by not only drive by attackers but also Nation State actors. Due diligence will need to be adapted as soon as possible to ensure current and digital security. Espionage, sabotage and drive-by attacks will be some of the purposes for Asgardia to come under digital attack. We must be ready.
Other parts of this same discussion:
> Security Auditing and Penetration Testing need to be scheduled on a regular basis and need to be built into pre-release process of all public and private networks and applications.