Technical Security Practices

The Tapt platform is built to follow standard security practices, as outlined below, and covers all items in the OWASP Top Ten Web Application Security Risks:

  • User Authentication

    • Only password hashes are stored in the database. Hashes are generated using the Argon2id algorithm.

    • Authentication is via JWT session tokens with a 10-minute TTL, utilising a refresh token mechanism. This is built on the open source Guardian library for Elixir.

  • Encryption in motion

    • All communication to and from Tapt servers enforces HTTPS using TLS 1.2. Non-HTTPS traffic is not allowed.

  • Encryption at rest

    • Data stored within Tapt PostgreSQL servers is encrypted at rest using AWS’s built-in encryption with AWS managed keys.

  • Storage Location

    • For the moment, all production data is stored and hosted in AWS in the Sydney region.

  • Vulnerability Scanning

    • The Tapt backend is deployed as Docker images utilising AWS’s ECR and ECS. This includes utilising their automatic Image Scanning service to notify us of any publicly known vulnerabilities in the libraries, frameworks and utilities used by the platform.

    • In addition, external scanning tools, such as those listed on Vulnerability Scanning Tools | OWASP, are utilised to check that the infrastructure is not misconfigured.

  • Penetration Testing

    • From time to time, third-party penetration testing will be performed as required to meet third-party integration requirements. One is currently planned for the end of September 2021 as part of an integration with Officeworks, to be carried out by the Officeworks IT team.

  • Monitoring

    • Monitoring of the platform leverages both AWS’s CloudWatch and http://sentry.io to proactively alert on any external attacks so that swift action can be taken if necessary.

  • AWS Infrastructure

    • Access to the Tapt Platform is via an Application Load Balancer within AWS, with no container images, databases or S3 buckets being directly accessible from the public internet. Access is controlled via AWS Security Groups.

    • All direct public links to users’ images or files hosted on S3 utilise temporary AWS signed links generated by our server.

    • The API server is CORS enabled for the Tapt domains only.

  • Database and Code Access

    • Access to the underlying database and code repositories is restricted to authorised developers within Tapt’s technical team, which is updated as required with staff changes.

  • Code Review

    • As the platform has been developed, all code is subject to peer code review, with an eye for both reliability and security. This includes items such as, but not restricted to:

      • Data injection attacks, such as SQL Injection

      • All required API end points are adequately protected by verifying session tokens

  • PII

    • User and Organisation names and details stored within the Tapt system (in AWS’s PostgreSQL) are governed by Tapt’s Privacy Policy.

    • It should be noted, however, that a core value of the Tapt system is providing publicly viewable profiles of a person and their organisation. These links, whilst served via hashed URLs, are publicly available by nature and can easily be shared without restriction. Thus any PII entered into the system for this purpose must be considered publicly available information. Tapt does not support nor recommend storing any sensitive data on its platform.

  • Vulnerability Reporting

    • To report a vulnerability or security concern, please contact us via the contact form at Contact Us.
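The User Authentication scheme above (Argon2id password hashing, Guardian JWTs with a 10-minute TTL and a refresh token exchange), shown as an added illustration that is not Tapt's own code. It uses the argon2_elixir and guardian packages; the module names, the :tapt_demo application name and the GUARDIAN_SECRET_KEY variable are assumptions.

```elixir
# config/config.exs (assumed app name :tapt_demo). The top-level ttl applies to
# "access" tokens; token_ttl overrides it per token type.
#
#   config :tapt_demo, TaptDemo.Guardian,
#     issuer: "tapt_demo",
#     secret_key: System.fetch_env!("GUARDIAN_SECRET_KEY"),
#     ttl: {10, :minute},
#     token_ttl: %{"refresh" => {7, :day}}

defmodule TaptDemo.Accounts do
  # Only the hash is persisted; argon2_elixir's hash_pwd_salt/1 uses Argon2id
  # by default and embeds a random salt and the parameters in the hash string.
  def hash_password(plain), do: Argon2.hash_pwd_salt(plain)

  # no_user_verify/0 runs a dummy hash so an unknown account is rejected in the
  # same time as a wrong password (no user-enumeration timing oracle).
  def verify(nil, _plain), do: Argon2.no_user_verify()
  def verify(%{password_hash: hash}, plain), do: Argon2.verify_pass(plain, hash)
end

defmodule TaptDemo.Guardian do
  use Guardian, otp_app: :tapt_demo

  # Only the user id goes into the "sub" claim, never names or emails.
  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_, _), do: {:error, :no_id}

  # A real application loads the user record here; the id alone keeps this
  # example self-contained.
  def resource_from_claims(%{"sub" => id}), do: {:ok, %{id: id}}
  def resource_from_claims(_), do: {:error, :no_subject}

  # Issue a 10-minute access token and a longer-lived refresh token.
  def issue_pair(user) do
    with {:ok, access, _} <- encode_and_sign(user, %{}, token_type: "access"),
         {:ok, refresh, _} <- encode_and_sign(user, %{}, token_type: "refresh") do
      {:ok, %{access: access, refresh: refresh}}
    end
  end

  # Trade a valid refresh token for a fresh access token; an expired or
  # tampered refresh token fails signature/exp verification and is rejected.
  def refresh(refresh_token) do
    case exchange(refresh_token, "refresh", "access") do
      {:ok, {_old, _old_claims}, {new_access, _claims}} -> {:ok, new_access}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

Pair this with a Guardian pipeline plug on every protected endpoint so that access tokens are verified on each request, and clear the refresh token from the client when the access token can no longer be exchanged.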