OWASP, SAMM and Hasura

Hasura
Mar 26, 2021


The goal of the Open Web Application Security Project, or OWASP, is to help ensure that the exploding web-first market can develop with a security-first mindset. For nearly 20 years, OWASP has evolved into an extensive set of best practices, community resources, open tooling, and more — all in pursuit of this goal.

Today, OWASP is most famous for the “Top Ten” framework on structuring secure applications. As the industry expands into a microservice-driven approach, it’s important for organisations to validate all of their dependencies against the OWASP framework.

When these microservices are abstracted into hosted products (“SaaS”), a one-time compliant status with OWASP is not enough. Modern companies need to be assured that the business in question will maintain a security-first mindset, which is where SAMM, the Software Assurance Maturity Model, comes into play.

Hasura provides the data and API platform that lets developers make better apps, faster. We provide industry-standard security for everything we make. Once you start using Hasura Cloud with VPC, or self-hosted Hasura Enterprise, we provide in-depth training and tutorials to ensure that you are able to maintain the same rigorous security standards we maintain ourselves. Being an open-source software company that depends on other open-source components and standards, we benefit from a high degree of community scrutiny, which ensures that any new issue passes through multiple layers of checks where it can be caught and appropriately handled. There’s no black box of magic running any of our services.

This document will outline Hasura’s security-first approach to running our own services, the security tooling we provide that allows our customers to pursue OWASP compliance, and our commitment to achieving high marks according to the SAMM maturity model.

  1. Sensitive Data Exposure
    Hasura has industry-leading access control capability. We can lock down access for both roles and records. With our granular access checks and access controls for remote schemas, you can maintain observability of access controls in a single platform.
    Additionally, the paid Hasura offerings enforce HTTPS by default (in our open-source offering, HTTPS enforcement is part of the development team’s deployment strategy). Available for early access is our audit log utility, which provides in-depth information about all actions occurring within the platform and across data access, whether reads or writes.
  2. Insufficient Logging & Monitoring
    All of our paid services come with extensive logging options, and the tooling itself makes custom logging solutions straightforward through database triggers and logging events. Hasura’s paid offering provides deep insight into what was queried and what the performance metrics were, as well as offering fine-grained control for rate limiting and more.
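As an added example (not code from the original post or from Hasura), here is a PostgreSQL audit trigger of the kind the “database triggers” remark above refers to. It relies on the hasura.user setting that Hasura sets on the database session for each request (a JSON object of the x-hasura-* session variables); the audit_log and patients table names and the audit_row_change function are assumptions.

```sql
-- Added example, not part of the Hasura post: record who changed which row,
-- attributing the change to the Hasura role and user that made the request.
-- Assumed names: audit_log, audit_row_change, patients. Requires PostgreSQL 11+.

CREATE TABLE IF NOT EXISTS audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    table_name  text        NOT NULL,
    operation   text        NOT NULL,   -- INSERT / UPDATE / DELETE
    hasura_role text,                   -- from x-hasura-role
    hasura_user text,                   -- from x-hasura-user-id
    old_row     jsonb,
    new_row     jsonb
);

CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger AS $$
DECLARE
    session_vars jsonb;
BEGIN
    -- Hasura sets "hasura.user" per request. current_setting(..., true) yields
    -- NULL instead of an error when the setting is absent, so changes made
    -- outside Hasura (psql, cron jobs) are still logged, just without a user.
    session_vars := NULLIF(current_setting('hasura.user', true), '')::jsonb;

    INSERT INTO audit_log (table_name, operation, hasura_role, hasura_user, old_row, new_row)
    VALUES (
        TG_TABLE_NAME,
        TG_OP,
        session_vars ->> 'x-hasura-role',
        session_vars ->> 'x-hasura-user-id',
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END;
$$ LANGUAGE plpgsql;

-- Attach the trigger to a table holding sensitive data (assumed: patients).
CREATE TRIGGER patients_audit
AFTER INSERT OR UPDATE OR DELETE ON patients
FOR EACH ROW EXECUTE FUNCTION audit_row_change();
```

Because the trigger runs inside the same transaction as the mutation, a rolled-back change leaves no audit row; rows with a NULL hasura_user mark changes that bypassed Hasura and are worth alerting on.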

SAMM

SAMM, like any good maturity model, is a barometer for a company’s security aptitude and wherewithal. Broken down into five categories, SAMM provides a helpful framework for comparing a company’s “security readiness”, so that meeting current OWASP standards is a product of intention rather than coincidence. While our security process was not intentionally designed around the SAMM model, it aligns with it because both are derived from industry best practices, so SAMM serves as a good evaluation of Hasura’s commitment to security.

Governance

As a certified SOC2 Type 1 and HIPAA compliant service provider (Hasura Cloud), we have undergone extensive security planning. Additionally, as part of our ongoing compliance, we are required to train our employees to comply with the standards of SOC2 & HIPAA in order to maintain these certifications.

Design

We have a threat assessment team with regular audits on our critical path to ensure that no vulnerabilities are introduced. We also run regular reviews of our architecture with the express purpose of looking for, finding, and eliminating new risks and threats.

Implementation

We have a completely managed build system and deploy targets for all our services. Our software goes through an extensive public beta program, allowing for additional threat assessment. We also follow blue-green deploys to ensure that we can roll back to a previous release with no downtime.

Verification

We continue to hire and retain major industry contributors to review the security of our application. The aforementioned beta program ensures that there are many eyes and many deployments testing a release before it ever goes into production.

Operations

We have versioned environments and a multi-tier incident response team with rotating schedules, clearly defined as required for compliance with our other certifications.

Hasura sits between your data and your application. It’s a responsibility we take seriously and any compromise in this regard would be an existential threat to our business. We have built a tremendous amount of trust with our community over the last 100 million-plus downloads of our product. It’s something we prize above all else and will continue to be essential to the Hasura DNA.

Originally published at https://hasura.io on March 26, 2021.
