The Dapresy Pro application requires users to be logged in to access any data. All interactions with the system are logged and stored separately, allowing Dapresy to see which user visited which page.
The security model is based on sessions: a correctly authorized session is required before an end-user can make HTTP POST/GET requests. Every user session is identified by a unique ID and an authentication cookie. No sensitive information is ever stored in the URL, and URL parameters are never used to set access rights. Dapresy Pro is protected against SQL injection attacks, largely due to the use of stored procedures and parameterized queries.
All client administrators must agree to the Acceptable Usage Policy before starting to use the system.
- The Portal Administration licensee is completely responsible for any External Code that might cause errors in their projects. Dapresy does not accept liability for errors caused by user defined external code.
- The Portal Administration licensee is responsible for any licenses needed for the use of “third party” components they might add to the system through External Code.
- Any questions about Custom Code that the Portal Administrator asks Dapresy Support will be forwarded to our Designer and charged by the hour.
Dapresy takes considerable pride in working with clients and independent third parties to make sure that Dapresy Pro has trustworthy application security. The application is not vulnerable to SQL injection or a variety of other common attacks. Our independent third-party tests consist of manual testing as well as automated testing that uses tools like Nessus and Saint. The foundation for the testing is always the OWASP checklist, and it does include penetration testing. Dapresy Pro has protection against password guessing attacks (brute force), which are stopped by blocking the user for 10 minutes after 4 incorrect password guesses. We have also taken into consideration other types of information leakage, such as the web browser autocomplete feature, which is disabled everywhere in Dapresy Pro.
Encryption and Session Protection
As part of keeping client data safe, Dapresy Pro is only available via HTTPS with strong encryption (TLS 1.2), while the weaker protocols and ciphers of TLS 1.0, TLS 1.1, SSLv2 and SSLv3 have been disabled. The SSL certificates have been issued by RapidSSL. Qualys SSL Labs (ssllab.com) grades Dapresy Pro with an A. Session cookies are flagged HttpOnly and Secure. Furthermore, the Strict-Transport-Security HTTP header is used to force HTTPS even if a resource is also available over HTTP.
Dapresy Pro stores user passwords as salted hashes. This makes it impossible for anyone, including Dapresy, to retrieve the passwords as readable text. A password complexity policy exists in Dapresy Pro that requires a minimum of 8 characters, of which at least one is a number, one is uppercase and one is lowercase (password rules are configurable at customer level). Client administrators can change end-user passwords, while users can reset their own password by having Dapresy Pro send a reset link to the registered email account.
Dapresy logs all requests made in a Dapresy Pro installation for support and development purposes. Any errors encountered by the user in the system are logged, allowing our developers to access detailed error reports.
Development, Release Process and Patch Process
Dapresy uses a software development model based on the waterfall model. Dapresy Pro is continuously being developed with daily development builds available for quality control personnel. The QA process is thus tightly integrated in the development process, with quick feedback. As a Software-as-a-Service, Dapresy can easily push new versions to the production environment. However, we have decided to have two to four major releases per year with minor patches being made continuously. During new releases and patch releases the system undergoes rigorous testing. Clients are notified in advance when such new versions cause system downtime.
For software-based flaws, the remediation process begins by filing a support ticket with Dapresy Global Support. The ticket will then be reviewed, and appropriate feedback will be provided to the ticket creator. For server- or security-based concerns or flaws, you can contact your Account Manager. They will then work together with the Dapresy IT department to answer your questions or set up a time frame within which server or security issues will be remedied.
Dapresy AB has policies and procedures in place to:
- Maintain integrity and security of the Company’s “Confidential Information.” Confidential Information includes, but is not limited to, (a) patents and patent applications, (b) proprietary information in any form or media – data, ideas, techniques, sketches, drawings, works of authorship, models, inventions, know-how, algorithms, software programs, software source documents, and formulae related to the current, future, and proposed products and services, including, without limitation, financial statements, financial information, business plans, business strategies, organisational information, operational information, customer lists, supplier lists, processes, policies, procedures, systems, applications, internal affairs, legal affairs, any and all information entrusted to the Company by third parties, (c) any and all information defined as “Trade Secrets” under the Uniform Trade Secrets Act and (d) any and all materials labeled as “Confidential Information.”
- Maintain integrity and security of the Company’s information technology and telecommunication systems and resources (Systems). These policies are mandatory for all Dapresy AB staff and they apply to all Confidential Information, whether in paper, stored voice, electronic or any other form or media, and to anyone who has access to the Systems. Access to Confidential Information and Systems is predicated upon one's agreement to comply with this policy.
Dapresy AB employees are not allowed to access Company Systems and/or Confidential Information until the non-disclosure agreement has been signed.