Skip to content

Security: brandemix/18F-identity-idp

Security

docs/SECURITY.md

Security

Security architecture

We are utilizing the industry's best security practices with guidance from NIST and the latest Digital Authentication Guidelines.

Our application is continuously monitored for CVE, OSVDB, XSS, SQL injection and many other types of vulnerabilities using Snyk.

Encryption at rest

All PII is encrypted at rest with a symmetric key derived from the user's passphrase, using a NIST-approved pbkdf2 algorithm that relies on an AWS Key Management Service (KMS) which are NIST PUB 140-2 validated HSMs.

Encryption in transit

Every assertion of PII (Personally Identifiable Information) is encrypted during transit using TLS (transmitted over HTTPS) and additionally using industry standard XML encryption at the application layer to further protect against pilfered payloads.

Our XML encryption approach uses the xmlenc gem with AES-256-CBC for the PII and RSA-OAEP-MGF1P for the key. The encrypted PII is signed with the Service Provider's public key.

Network security

We use Rack::Attack to throttle abusive requests and brute-force authentication attempts.

Operations

The application and server-level health and availability is monitored using New Relic and incident response is handled using Opsgenie.

We implemented our own independent monitoring and transaction testing for accurate monitoring of system and key transaction health without relying on third parties.

There aren’t any published security advisories