Ensuring Secure Staffing Processes with StaffingGo's Advanced SaaS Application Security Measures
Vulnerability Testing (Security Testing)
STAFFINGGO applications are passed through various application vulnerability assessments and risk identification tests, covering:
- • Cross Site Scripting
- • SQL Injection
- • Secure Transport Layer Protection
- • Blind XPATH Injection
- • Cross Site Request Forgery (CSRF)
- • Cache Poisoning
Transport Layer Security (HTTPS):
This is the lowest level of security provided by the application: at the MS IIS level, digital certificates (HTTPS) protect node-to-node encryption. Customers choose either to continue with HTTP or to enable HTTPS, depending on their requirements. HTTPS is not a necessity in most cases, because the data packets are encrypted by the application itself, which protects the data from application to application rather than only at the node-to-node (network-to-network) level provided by HTTPS.
Encrypted Data Transmission:
Data transmitted over the network is encrypted using RSA asymmetric encryption with 2048-bit key pairs.
Login and Password Security:
Password Policy: All passwords stored in the database are encrypted, and the application supports all kinds of password rules to adhere to the client's password policy.
- • Configurable password policy in terms of character length, expiration and maximum incorrect attempts.
- • Logging of the user's system/IP information at login
- • Forgot-password mail
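The three configurable controls listed above (minimum length, expiry, maximum incorrect attempts) plus the recording of the login system/IP can be seen together in the following added example. It is illustrative code written for this page, not StaffingGo's own implementation: the policy defaults, the PBKDF2 salted hash (assumed here in place of whatever storage scheme the product uses), the `UserRecord` fields and the sample IP addresses are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Tenant-configurable rules; the defaults are hypothetical."""
    min_length: int = 12
    expiry_days: int = 90
    max_failed_attempts: int = 5


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    changed_at: int                 # epoch seconds of the last password change
    failed_attempts: int = 0
    locked: bool = False
    login_history: list = field(default_factory=list)   # (when, client_ip, outcome)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a copy of the database does not yield the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password_rules(policy: PasswordPolicy, username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def create_user(policy: PasswordPolicy, username: str, password: str, now: int):
    """Create a record with a fresh random salt, or None if the password breaks the policy."""
    if check_password_rules(policy, username, password):
        return None
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt), changed_at=now)


def decide_login(policy: PasswordPolicy, user: UserRecord, password: str, now: int) -> str:
    """Outcome of a login attempt: 'ok', 'bad_password', 'locked' or 'expired'."""
    if user.locked:
        return "locked"
    candidate = hash_password(password, user.salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(candidate, user.pw_hash):
        user.failed_attempts += 1
        if user.failed_attempts >= policy.max_failed_attempts:
            user.locked = True          # stays locked until an administrator resets it
            return "locked"
        return "bad_password"
    user.failed_attempts = 0
    if now - user.changed_at >= policy.expiry_days * 86400:
        return "expired"                # correct password, but it must be changed first
    return "ok"


def verify_login(policy: PasswordPolicy, user: UserRecord, password: str,
                 now: int, client_ip: str) -> str:
    """Decide the attempt and record when / from where / with what outcome it happened."""
    outcome = decide_login(policy, user, password, now)
    user.login_history.append((now, client_ip, outcome))
    return outcome
```

Every attempt, successful or not, lands in `login_history` with the client address, which is the record the "login user system/IP information" bullet refers to; the lockout counter is only reset by a successful attempt, so a burst of guesses cannot be interleaved with nothing to keep the account open.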
Single sign-on (SSO) allows a third party to authenticate a user for the STAFFINGGO system. The STAFFINGGO app supports a token-based authentication system in which the third party generates a secure token that allows the user (if validated) to log in automatically.
Steps for SSO:
- 1. The user authenticates on the third-party website using the third party's username and password.
- 2. The third-party website generates a secure token, carrying a unique ID for each user, only if the login is successful.
- 3. The third-party website presents a link to log into the STAFFINGGO app with the secure token, or redirects the user to the STAFFINGGO app. The secure token must be in the URL or posted to the STAFFINGGO app.
- 4. The STAFFINGGO app verifies that the secure token is correct and automatically logs in the user.
Audit Logging:
STAFFINGGO maintains audit logging that records attempted or completed actions. Those records include when, where and by whom the action was taken (the 'whom' is provided by authentication). Logging user actions helps improve security in a variety of ways.
Role Based Access Control
User Level Security: Each role user or application administrator must log on to the application via the secure URL https://app.StaffingGo.in with their own valid user ID and password.
Access Levels and Security
STAFFINGGO provides robust, stringent, multi-layered security methods to ensure the highest level of security for the user who accesses the data. The different types of security standards provided by the application are described below, starting from the system level down to the user level.
All requests are authenticated against a token issued by a custom-built JWT server. With token-based authentication no session is persisted server-side (stateless): credentials are exchanged for a token, which is then attached to every subsequent request. The token provided by the STAFFINGGO server is stored and added to subsequent requests using the browser's storage capabilities. In addition, the token receipt procedure is encrypted using the FIPS-compliant RSA algorithm.
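The following added example ties together the four SSO steps listed earlier and the stateless JWT check described in this paragraph. It is written for this page and is not StaffingGo's own JWT server: to stay self-contained it signs tokens with HMAC-SHA256 (HS256) over a shared secret rather than the RSA procedure the product describes, and the issuer name, audience string `staffinggo-app`, lifetimes and secrets are all constructed. The receiving side refuses tokens whose header does not name the expected algorithm, checks signature, expiry and audience, and remembers each SSO token's `jti` so a token that was carried in a URL (step 3) can be used only once.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_token(secret: bytes, token: str, expected_aud: str, now: int) -> dict:
    """Return the claims of a valid token; raise TokenError (or ValueError on undecodable input)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; also rejects alg=none
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))    # only trusted after the signature check
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    if claims.get("aud") != expected_aud:
        raise TokenError("wrong audience")
    if "sub" not in claims:
        raise TokenError("no subject")
    return claims


APP_AUDIENCE = "staffinggo-app"   # constructed audience identifier for the receiving app


def third_party_issue_sso_token(shared_secret: bytes, user_id: str, now: int, ttl: int = 60) -> str:
    """Step 2: after its own login succeeds, the third party mints a short-lived, single-use token."""
    return issue_token(shared_secret, {
        "iss": "third-party-portal", "sub": user_id, "aud": APP_AUDIENCE,
        "iat": now, "exp": now + ttl, "jti": os.urandom(16).hex(),
    })


class SsoGateway:
    """Step 4 (app side) plus the per-request bearer check; holds no session state, only used token ids."""

    def __init__(self, shared_secret: bytes, app_secret: bytes):
        self.shared_secret = shared_secret   # shared with the third party for SSO tokens
        self.app_secret = app_secret         # app's own key for session tokens
        self.used_jti = set()                # replay guard for SSO tokens seen in URLs or POST bodies

    def login_with_sso_token(self, token: str, now: int):
        """Exchange a valid SSO token for an app session token; None if it is rejected."""
        try:
            claims = verify_token(self.shared_secret, token, APP_AUDIENCE, now)
        except (TokenError, ValueError) as err:
            print(f"sso rejected: {err}")
            return None
        jti = claims.get("jti")
        if not jti or jti in self.used_jti:
            print("sso rejected: token already used")
            return None
        self.used_jti.add(jti)
        return issue_token(self.app_secret, {"sub": claims["sub"], "aud": APP_AUDIENCE, "exp": now + 3600})

    def authenticate_request(self, authorization_header: str, now: int):
        """Stateless check of the Authorization header on every request; returns the user id or None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        try:
            return verify_token(self.app_secret, token, APP_AUDIENCE, now)["sub"]
        except (TokenError, ValueError):
            return None


if __name__ == "__main__":
    gateway = SsoGateway(b"constructed-shared-secret", b"constructed-app-secret")
    now = int(time.time())
    session = gateway.login_with_sso_token(
        third_party_issue_sso_token(b"constructed-shared-secret", "alice", now), now)
    print("session user:", gateway.authenticate_request("Bearer " + session, now + 5))
```

Because the only server-side state is the set of consumed `jti` values, the app can verify any request with nothing but the key and the token, which is the stateless property the paragraph describes; a deployment would expire entries from `used_jti` once the corresponding token's `exp` has passed.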
Communication between Servers
All data transfer between the servers is done over TLS, which protects against wiretapping or a Trojan attack. In addition, the data is encrypted at rest on supported MySQL Server installations. The servers exchange data using specific TCP and UDP packets.
Business continuity planning (BCP) will be in line with the client's BCP and disaster management plan; a daily backup will be taken to ensure the database is secured as per the client's database backup policy.
Policies & Personnel
A standard NDA template is executed with STAFFINGGO customers to assure the confidentiality of customer information. The overall NDA signed by STAFFINGGO and its customers also covers the confidentiality to be maintained by its employees. STAFFINGGO maintains education and awareness training for information security that touches on the issues addressed in the security policy, such as network, email, Internet, mobile computing, remote access, antivirus, physical security, access controls and secure coding practices.
The STAFFINGGO network is protected with routers, firewalls, department-wise network separation and the necessary security elements such as antivirus.
Remote access is limited to STAFFINGGO end users, where STAFFINGGO takes control of the user's system to troubleshoot issues/concerns only with the prior consent of the user; this is applicable and in line with the Master NDA signed by STAFFINGGO.