The Open Web Application Security Project (OWASP) maintains a list of what they regard as the Top 10 Web Application Security Risks.

These are listed below, together with an explanation of how hiboo deals with them.

1. Injection

2. Broken Authentication and Session Management

We follow open-source best practices. Today we use JWT authentication.

3. Sensitive Data Exposure

Our databases are encrypted at rest with AES-256 block-level storage encryption. All connections to the application or API use HTTPS.

4. XML External Entities (XXE)

We use up-to-date XML processors and SOAP 1.2 or higher, and we limit the use of XML in favor of JSON.

5. Broken Access Control

All access is denied by default, and access control mechanisms are implemented once and reused.

JWT tokens are invalidated on logout.

6. Security Misconfiguration

We use the Heroku platform to simplify deployment and minimize misconfiguration. Our deployment process is automated, and only the employees who need it have access to the production environment.

7. Cross-Site Scripting (XSS)

We use a framework that escapes rendered output by design to prevent XSS (React JS), and we limit user input.

8. Insecure Deserialization

We enforce strict type constraints during deserialization. We log all deserialization exceptions and failures and alert when needed.
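As an added example (not hiboo's code), here is what strict type constraints plus logging of every failure can look like for a JSON payload in Node.js. The schema, the payload shape and the in-memory failure log are constructed for the example; a real service would send the entries to its logging pipeline and alert on the count. Unknown fields are rejected rather than dropped, which also covers keys such as `__proto__` that a deserializer must never merge into application objects.

```javascript
// Added example, not hiboo's code. The schema and failure sink are constructed
// for illustration; the types are an allowlist, so anything unlisted is rejected.
const SCHEMA = { orderId: 'string', quantity: 'integer', notify: 'boolean', tags: 'string[]' };

const failures = []; // stand-in for the log and alerting sink

function logFailure(reason, raw) {
  // Record what failed and a truncated sample; never re-emit the whole payload.
  failures.push({ at: Date.now(), reason, sample: String(raw).slice(0, 80) });
}

function typeOk(expected, value) {
  switch (expected) {
    case 'string': return typeof value === 'string';
    case 'boolean': return typeof value === 'boolean';
    case 'integer': return Number.isInteger(value);
    case 'string[]': return Array.isArray(value) && value.every((x) => typeof x === 'string');
    default: return false; // unknown schema type is a bug, treat as reject
  }
}

// Returns a fresh object containing only the schema's fields, with each field
// checked against its declared type, or null (after logging) on any failure.
function deserialize(raw, schema = SCHEMA) {
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch (e) {
    logFailure(`parse error: ${e.message}`, raw);
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    logFailure('top level is not an object', raw);
    return null;
  }
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const out = {};
  for (const [field, expected] of Object.entries(schema)) {
    if (!has(obj, field)) { logFailure(`missing field ${field}`, raw); return null; }
    if (!typeOk(expected, obj[field])) { logFailure(`field ${field} is not ${expected}`, raw); return null; }
    out[field] = obj[field];
  }
  // hasOwnProperty (not `in`) so that "__proto__" and "constructor" count as unexpected.
  const extra = Object.keys(obj).filter((k) => !has(schema, k));
  if (extra.length) { logFailure(`unexpected fields: ${extra.join(',')}`, raw); return null; }
  return out;
}

// Alerting hook: how many rejections landed in the last `windowMs`.
function failuresInWindow(windowMs, now = Date.now()) {
  return failures.filter((f) => now - f.at <= windowMs).length;
}

module.exports = { deserialize, failuresInWindow, failures };
```

A rejection rate that jumps above its normal baseline (`failuresInWindow` against a threshold) is the "alert when needed" part; individual rejections are expected noise, a burst of them is worth a look.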