Web Security Features

Published by Mission, 2021-10-14 07:15:44

Passenger Transport Software Limited
86-90 Paul Street, London EC2A 4NE
Tel: +44 (0) 0333 9202149
Web: www.passengertransportsoftware.com
EMail: [email protected]

Passenger Transport Software
Web Security Features

Passenger Transport Software (PTS) is a fully hosted secure private cloud solution. We are penetration tested annually by every client, and these tests are carried out by CREST certified companies that we have no association with. They test for access to the systems and for the reliability of the system if accessed by a malicious user. In this document we have listed some of the features we are tested on and that we secure against.


Passenger Transport Software, 86-90 Paul Street, London EC2A 4NE
Web: www.missionmps.com   EMail: [email protected]   Tel: +44 (0) 333 920 2149

Each entry below gives the Security Feature followed by a description of how MPS handles it.

Security Feature: Any Broken Authorisations
How MPS handles this: Access control checks are performed whenever a resource is requested, to ensure the user is authorised to access the resource. For example:
    User Type "User" CANNOT create new Admin Users (OR ANY OTHER USERS)
    User Type "Guest" CANNOT create new Users or Admin users (OR ANY OTHER USERS)

Security Feature: Excel Formula Injection
How MPS handles this: We enforce appropriate user input sanitisation, ensuring that no text field can begin with any of the following characters: =, +, -, @, /
We have an administrator override to ban all Excel & CSV exporting. It is then not possible to create any EXCEL or CSV files from Mission (tblParameters "No EXCEL" must be set to TRUE).
We also have a constantly scanning SQL procedure that tests every single text or ntext field to find where the first character is a special character, and edits/changes/removes it.
We also scan all data imported into the system and cleanse it prior to adding to live tables.

Security Feature: Insecure Direct Object Reference
How MPS handles this: Access control checks are performed whenever a resource is requested, to ensure the user is authorised to access the resource. In URLs we encrypt all ID numbers and regularly rotate these codes to prevent anyone "working out" ID numbers.

Security Feature: Cross-site Scripting (Stored)
How MPS handles this: We sanitise all input and output by escaping common HTML tags, HTML entity encoding, script tags and special characters that an attacker may use. We prevent editing of JavaScript code in forms.

Security Feature: Confidential data sent on URL
How MPS handles this: We transmit session tokens, such as HTTP cookies or hidden fields in forms, using the POST method. We never store usernames, passwords and other info in HTML headers.

Security Feature: SSL/TLS Vulnerabilities
How MPS handles this: We configure SSL/TLS settings to secure configurations and always upgrade to the latest version of SSL vendor software as soon as we can.

Security Feature: Cookie SECURE Flag Not Set
How MPS handles this: We use the SECURE attribute in all cookies used to track a user's session. This ensures that it is not possible for the cookie to be transmitted over the insecure HTTP protocol. We always ensure that we set cookie flags properly.

Security Feature: Web Server Banner Information Disclosure
How MPS handles this: We always either remove or obfuscate the HTTP header information. We do not show system information in HTML banner headings.
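The Excel/CSV formula injection entry above describes two controls: refusing text fields that begin with =, +, -, @ or /, and a scanning procedure that strips such a leading character from data already stored or imported. The following Python is an added example written for this page to show both controls in working code; it is not MPS's own code (MPS is an ASP.NET system). The function and record names are invented, the sample values are constructed, and the tab and carriage-return triggers plus the single-quote export prefix go beyond the document's own list, following general CSV-injection guidance.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# The first five are the ones the document lists; tab and carriage return are
# additions from general CSV-injection guidance, not from the document.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "/", "\t", "\r")


def starts_with_formula_trigger(value: str) -> bool:
    """True when the field's first character would be read as a formula start."""
    return value[:1] in FORMULA_TRIGGERS


def validate_text_field(value: str) -> str:
    """Reject-on-input policy, as the document describes for text fields.

    Raises ValueError so the calling form can refuse the submission; returns
    the value unchanged when it is acceptable.
    """
    if starts_with_formula_trigger(value):
        raise ValueError(f"text field may not begin with {value[0]!r}")
    return value


def cleanse_stored_value(value: str) -> str:
    """Scan-and-cleanse policy for data already in the system (the document's
    SQL procedure and import scan): strip any leading trigger characters.
    This also alters values such as "-5", which the document's rule bans in
    text fields anyway."""
    return value.lstrip("".join(FORMULA_TRIGGERS))


def scan_and_cleanse(records: dict) -> tuple:
    """Return (cleansed copy of records, list of keys whose value changed)."""
    cleansed, flagged = {}, []
    for key, value in records.items():
        new_value = cleanse_stored_value(value)
        if new_value != value:
            flagged.append(key)
        cleansed[key] = new_value
    return cleansed, flagged


def neutralise_for_export(value: str) -> str:
    """Export-time defence (a generalisation beyond the document's input ban):
    prefix a leading trigger with a single quote so the spreadsheet keeps the
    cell as literal text instead of evaluating it."""
    return "'" + value if starts_with_formula_trigger(value) else value


def export_rows(rows, cleanse=neutralise_for_export) -> str:
    """Write rows as CSV text, passing every cell through the cleanse function.
    The csv module quotes cells containing delimiters or quotes, so a cell
    such as 'a,b' cannot split the record."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([cleanse(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data, not taken from the document.
    sample = {"note1": "@SUM(A1:A9)", "note2": "Invoice paid", "note3": "+++urgent"}
    print(scan_and_cleanse(sample))
    print(export_rows([["Name", "Note"], ["Bob", "=2+2"], ["Ann", "a,b"]]))
```

The reject-on-input check belongs in every form handler; the scan-and-cleanse pass is what a scheduled job over existing tables would run, and the export prefix is a last line of defence for reports generated from data that predates the input rule.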


Security Feature: Weak Password Policy
How MPS handles this: We force users to create passwords that adhere to a strong password policy. Passwords must meet the following requirements:
    Minimum of 10 and maximum of 128 characters in length.
    At least one upper case character (e.g., [A-Z])
    At least one lower case character (e.g., [a-z])
    At least one number (e.g., [0-9])
    At least one symbol (e.g., [*!@#\$%*()_+^&}{:;?.])
    Not more than 2 identical characters in a row (e.g., 111, AAA, aaa not allowed).
    Users cannot reuse a previous password.

Security Feature: Passwords Never Stored in Cleartext
How MPS handles this: MPS encrypts passwords and stores the resulting ciphertext. There are no user password editing options.

Security Feature: No Unrestricted File Upload
How MPS handles this: MPS implements file content and extension filtering before saving the file on the server. We control file upload in every single part of the system. We stop editing of any buttons/code/JavaScript, and forms cannot be manipulated to upload ANY "not allowed" file types.

Security Feature: Avoid Outdated Software
How MPS handles this: We download, test and install the latest stable version available of any 3rd party software we use. We install (and constantly update) ASP.NET, jQuery, JavaScript libraries and Bootstrap in every single system and on every single server. We have a regular schedule to do these checks.

Security Feature: Directory Listing
How MPS handles this: We disable automated directory index listings to ban any directory listing. We test every single form regularly to see if it is possible to do this on ALL of our systems.

Security Feature: Username Enumeration
How MPS handles this: We ensure error messages are generic so that any attacker cannot gain any information from pop-up messages.

Security Feature: Frameable Website (Clickjacking)
How MPS handles this: We configure X-Frame-Options to the value of DENY or SAMEORIGIN. We prevent layers being added to forms to counter any clickjacking attempts.

Security Feature: Security Headers
How MPS handles this: We include all HTTP security headers in HTTP/HTTPS responses. Every single form/report etc. has proper security headers.
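The password policy entry above lists seven rules. The Python below is an added example written for this page, not MPS's own code, that checks a candidate password against all seven and reports each rule it breaks. The symbol set is the document's character class read as a regex class (the backslash taken as escaping "$"); whether any other punctuation counts is an assumption. The salted PBKDF2 hash is used only to keep a history of previous passwords for the reuse rule, and is not a claim about how MPS stores passwords; the function names and test values are constructed.

```python
import hashlib
import hmac
import re
import string

MIN_LENGTH, MAX_LENGTH = 10, 128
UPPER = set(string.ascii_uppercase)   # [A-Z]
LOWER = set(string.ascii_lowercase)   # [a-z]
DIGITS = set(string.digits)           # [0-9]
# The document's symbol class [*!@#\$%*()_+^&}{:;?.]; assumed to be exactly
# these characters, with "\" treated as a regex escape rather than a member.
SYMBOLS = set("*!@#$%()_+^&}{:;?.")
# Three identical characters in a row (e.g. 111, AAA, aaa).
TRIPLE_REPEAT = re.compile(r"(.)\1\1")


def hash_password(password: str, salt: bytes) -> bytes:
    """Illustrative salted PBKDF2-HMAC-SHA256 hash, used here only so the reuse
    rule can compare against a stored history (constructed for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def validate_password(candidate: str, previous_hashes, salt: bytes) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Violation codes, in the order the rules appear in the document:
      length, upper, lower, digit, symbol, repeat, reused
    """
    violations = []
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        violations.append("length")
    chars = set(candidate)
    if not chars & UPPER:
        violations.append("upper")
    if not chars & LOWER:
        violations.append("lower")
    if not chars & DIGITS:
        violations.append("digit")
    if not chars & SYMBOLS:
        violations.append("symbol")
    if TRIPLE_REPEAT.search(candidate):
        violations.append("repeat")
    # Reuse check: compare the candidate's hash with every stored hash using a
    # constant-time comparison so timing does not leak which entry matched.
    new_hash = hash_password(candidate, salt)
    if any(hmac.compare_digest(new_hash, old) for old in previous_hashes):
        violations.append("reused")
    return violations


if __name__ == "__main__":
    # Constructed demonstration values; a real system uses a random per-user salt.
    salt = b"constructed-salt"
    history = [hash_password("Str0ng!Pass", salt)]
    for pw in ("Str0ng!Pass", "Str0ng!Pass2", "aaaBBB111!!!", "short1!A"):
        print(pw, validate_password(pw, history, salt))
```

Returning every broken rule rather than stopping at the first lets the form show the user the complete list in one round trip, which is the behaviour a tester will expect when they probe the policy.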


Security Feature: Server Side Input Validation
How MPS handles this: Any and all user input is validated and sanitised at the server side. We ban special characters, and users cannot use Find and Replace to replace existing data with special characters.

Security Feature: Verbose Error Messages
How MPS handles this: We ensure internal server errors are handled gracefully and only local users are able to see detailed error pages. We have an intelligent error handling system in every single form and report, and log errors in SQL tables as well.

Security Feature: SQL Injection
How MPS handles this: SQL injection vulnerabilities can allow an attacker to read, delete or modify data in the database. To counter this we have multiple features in place to completely stop SQL injection attempts. Our databases are in a DMZ on a second server behind a highly configured firewall. We also filter and sanitise all user input and ensure errors are correctly handled.

Security Feature: Cross Domain Scripts
How MPS handles this: Wherever we use 3rd party components we ensure there are no lookups or content stored on other servers. We have:
    Geotrust SSL logo banner – fully tested and secured
    Ajax Google APIs – fully tested and secured
    jQuery code – fully tested and secured
    Maxcdn Bootstrap – fully tested and secured

Security Feature: Session Timeout
How MPS handles this: User configurable. This can be set to 15 minutes or less - users control this.

Security Feature: TLS Fallback
How MPS handles this: TLS_FALLBACK_SCSV. We are monitoring when we can implement tls_fallback, as it is not currently supported by IIS.

Security Feature: Content Security Policy Headers
How MPS handles this: The Mission system uses the Content-Security-Policy header where possible.

Security Feature: Latest Javascript Libraries
How MPS handles this: These are always kept up to date with the most recent "possible" version we can use.

Security Feature: Validating Client Requests
How MPS handles this: Mission ensures that applications validate all client requests, and that an authenticated session and authorised user privilege is required prior to permitting access to any restricted functionality or data.
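Several entries in this document concern response headers: the SECURE cookie flag, removal of server banners, X-Frame-Options set to DENY or SAMEORIGIN, "all HTTP security headers", and the Content-Security-Policy header. The Python below is an added example written for this page, not MPS's own code, that audits a captured set of response headers against those claims and returns a list of findings, which is the check a tester or a post-deployment smoke test would run. The header samples are constructed; the Strict-Transport-Security check, the HttpOnly flag check and the X-AspNet-Version banner go beyond what the document names.

```python
# Acceptable X-Frame-Options values, as stated in the document.
SAFE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
# Headers that disclose server/framework details. X-AspNet-Version is an
# addition beyond the document's text; all three are real header names.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# Headers that must be present. Content-Security-Policy is named in the
# document; Strict-Transport-Security is an addition for this example.
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security")
# Cookie attributes checked: Secure is named in the document, HttpOnly is an addition.
REQUIRED_COOKIE_FLAGS = ("secure", "httponly")


def parse_set_cookie(value: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response_headers(headers) -> list:
    """Audit a list of (name, value) response headers and return finding codes.

    Findings are emitted in a fixed order: frame options, required headers,
    banner headers (in the order received), then cookie flags per cookie.
    """
    findings = []
    by_name = {}
    for name, value in headers:  # headers may repeat, e.g. several Set-Cookie lines
        by_name.setdefault(name.lower(), []).append(value)

    xfo = by_name.get("x-frame-options")
    if xfo is None:
        findings.append("x-frame-options-missing")
    elif xfo[0].strip().upper() not in SAFE_FRAME_OPTIONS:
        findings.append("x-frame-options-weak")

    for required in REQUIRED_HEADERS:
        if required not in by_name:
            findings.append(f"{required}-missing")

    for name, _ in headers:
        if name.lower() in BANNER_HEADERS:
            findings.append(f"banner:{name}")

    for value in by_name.get("set-cookie", []):
        cookie, attrs = parse_set_cookie(value)
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie:{cookie}:{flag}")
    return findings


if __name__ == "__main__":
    # Constructed header sets: one as a weak deployment might send them,
    # one meeting the document's claims. Not captured from any real system.
    weak = [("Server", "Microsoft-IIS/10.0"), ("X-Powered-By", "ASP.NET"),
            ("Set-Cookie", "session=abc123; Path=/")]
    hardened = [("X-Frame-Options", "DENY"),
                ("Content-Security-Policy", "default-src 'self'"),
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
    print("weak:", audit_response_headers(weak))
    print("hardened:", audit_response_headers(hardened))
```

The audit takes a plain list of (name, value) pairs so it can be fed from any HTTP client or from a saved response; an empty result means every header claim in this section holds for that response.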


Security Feature: Scripts From Untrusted Domains
How MPS handles this: Scripts are not permitted from untrusted domains.

Security Feature: Port 135 Blocking
How MPS handles this: We block port 135 where possible so that access from the wider public internet to TCP port 135 is blocked. We implement firewall rules to enforce suitable restrictions.

Security Feature: Encrypting URL's
How MPS handles this: We currently use randomly generated/encrypted URL extensions that the system regularly changes. These extensions change daily. We test any error reports to see if the browser was displaying "cached" data from another Self Service login on the same machine. We test to see the likelihood of being able to work out these random masked URL codes.

