OWASP Top 10

OWASP (The Open Web Application Security Project) is an organization that provides guidance on security principles for all sorts of applications. During the development of Ubivox we regularly consulted their recommendations to ensure that our system is as secure as possible.

Read more about OWASP and their current top 10

Here we review the current top 10 application security risks and what we have done to secure Ubivox.

A1: Injection

We use a secure interface in the form of a database ORM which, without exception, escapes all user input before it reaches the database.

A2: Cross-Site Scripting (XSS)

All HTML sent to users is run through a filter that replaces significant characters with their harmless equivalents. If we need to send raw HTML or JavaScript directly to a browser, it must be explicitly marked as safe before the system will allow it through.

A3: Broken Authentication and Session Management

All user passwords are stored in unreadable form as one-way hashes. Our session IDs are found only in HttpOnly cookies and are protected against tampering; a session ID is therefore never written or read directly in HTML or JavaScript. In addition, all session traffic is encrypted, since it takes place over an SSL connection.

A4: Insecure Direct Object References

To guard against the mistake of one customer being able to access another customer's objects, all calls go through a special client proxy that verifies the current customer can only reach their own data. It is therefore not possible to disclose other customers' data.
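The following is an added illustration of the tenant-scoping proxy pattern described above; it is not Ubivox's own code. It assumes a flat object store keyed by id, a customer id taken from the authenticated session (never from the request), and a constructed in-memory sample dataset.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request reaches for an object outside the customer's tenancy."""


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    payload: str


# Constructed sample data: a flat store keyed by object id, as the database would hold it.
STORE = {
    1: Record(1, owner_id=100, payload="list A"),
    2: Record(2, owner_id=200, payload="list B"),
    3: Record(3, owner_id=100, payload="list C"),
}


class CustomerProxy:
    """Every read and write goes through here. The owner filter comes from the
    server-side session, so a client cannot widen it by editing a parameter."""

    def __init__(self, customer_id, store=STORE):
        self.customer_id = customer_id
        self._store = store

    def get(self, object_id):
        rec = self._store.get(object_id)
        # Deny identically for "missing" and "owned by someone else" so the
        # response does not reveal whether the id exists at all.
        if rec is None or rec.owner_id != self.customer_id:
            raise AccessDenied(f"object {object_id} not accessible")
        return rec

    def list_ids(self):
        return sorted(r.id for r in self._store.values() if r.owner_id == self.customer_id)

    def update(self, object_id, payload):
        self.get(object_id)  # ownership check before any write
        self._store[object_id] = Record(object_id, self.customer_id, payload)
        return self._store[object_id]


def handle_request(session_customer_id, object_id):
    """Simulated view: tenant from the session, object id from the URL; returns None on denial."""
    try:
        return CustomerProxy(session_customer_id).get(object_id).payload
    except AccessDenied:
        return None
```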

A5: Cross-Site Request Forgery (CSRF)

All POST forms in Ubivox are CSRF-validated on the basis of a cookie set on the particular machine that requested the form. This makes it impossible for other pages to trick you into POSTing forms to the system.

A6: Security Misconfiguration

All servers that are part of the Ubivox environment receive security updates for their server software weekly. All system services that are not used are disabled. The Ubivox system will never present you or your users with an error page containing sensitive system details; instead it shows a neutral error page informing you that the request was not successful (error 500).

A7: Insecure Cryptographic Storage

The Ubivox database backup is encrypted with a strong algorithm whenever it is stored outside the secure hosting facilities.

A8: Failure to Restrict URL Access

All pages in Ubivox are reviewed for access restrictions, and unauthenticated requests only have access to unauthenticated pages.

A9: Insufficient Transport Layer Protection

All communication between our customers and the system takes place over SSL. The same applies to recipients. We use HSTS to inform browsers that they should never make unencrypted requests to the Ubivox system. The certificate is issued annually by RapidSSL and renewed at least 30 days before expiration.

A10: Unvalidated Redirects and Forwards

We do not use parameterised URLs in redirects from any site. All redirects are sent directly from the system itself.
