This topic describes general security aspects in software development, and specific considerations when developing solutions for Episerver Digital Experience Cloud Service.
Security and Episerver
Security and privacy are built into the Azure platform, and any feature that Episerver develops must meet the highest quality standards. This is ensured by various coding guidelines that have to be met before the code is considered for inclusion in the platform.
Guidelines include performance considerations, security concerns, and globalization and localization aspects. Episerver bases much of its platform-related security efforts on the Open Web Application Security Project (OWASP).
The Episerver platform is tested against:
- Cross-site scripting (XSS)
- Broken authentication and session management
- Insecure direct object references
- Cross-site request forgery (CSRF)
- Security misconfiguration
- Insecure cryptographic storage
- Failure to restrict URL access
- Insufficient transport layer protection
- Unvalidated redirects and forwards
See Security in the CMS Developer Guide for more information.
The information below describes specific security aspects related to DXC Service.
DDoS (Distributed Denial of Service) attacks are common and complex, and traditional on-premise solutions cannot handle these. Episerver DXC Service offers advanced protection at the network edge through its CDN provider including UDP and ICMP protocols, DNS amplification, Layer 7 and 3/4, SYN/ACK, and SMURF (refer to information on the net for this terminology).
Microsoft Azure also protects against attacks generated from outside and inside the platform.
Web Application Firewall
A Web Application Firewall (WAF) sits in front of web applications to filter out malicious traffic at the application layer (Layer 7 of the Open Systems Interconnection (OSI) Model, including HTTPS and HTTP traffic). A WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they reach your servers.
WAF is included as part of the Episerver DXC Service, see Web Application Firewall for details.
SSL (Secure Sockets Layer)
SSL is commonly used for encrypted integration and communication with other services through REST and Web Service APIs. All domains in DXC service are protected by SSL by default. SSL termination is at the CDN for the editorial/administrative views as well as the public website. Commerce packages also include SSL termination at the CDN for Commerce Manager.
VPN (Virtual Private Network)
VPN may be used for example to allow a secure connection to an internal corporate resource. Note that communication is one-way to the on-premise system.
Azure Web Apps do not use the traditional version of Microsoft Windows, but rather a purpose built version with a smaller attack surface and reduced vulnerability. Each customer solution uses isolated resources, with independent databases and Web Apps.
Episerver DXC Service relies on Microsoft's standard approach for Azure antimalware to provide real-time protection and content scanning.
Service window and patching
DXC Service uses Azure Web Apps to run Episerver applications and thus aligns with the Microsoft patch release cycle. Microsoft is responsible for patch management. Episerver works closely with Microsoft for any edge cases involving patching.
Product updates and upgrades
Episerver follows a continuous release cycle with new releases on a weekly basis. Releases include both new features and fixes, and you can upgrade your solution at a cadence that makes sense for your business. Note that you are responsible for installing appropriate software updates to the Episerver platform in your solution.
Episerver DXC Service leverages the Microsoft Azure platform, therefore the underling infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes. Episerver Find leverages the Amazon AWS platform and therefore the underlying infrastructure follows Amazon AWS compliance standards, certifications, and supporting processes.
Microsoft and their Red Team regularly pen test the underlying infrastructure of DXC Service. The Episerver platform is also subject to regular penetration tests conducted by customers and partners.
However, any implementation on top of the Episerver platform could unexpectedly introduce a security hole, therefore you need to ensure that your solution is thoroughly tested before going live.
You can either conduct your own tests using tools or security services of your choice, or you can order this service through Episerver Expert Services.
If you plan to perform your own penetration tests, you need to notify Episerver at least 10 business days before the planned testing.
To notify Episerver about your test, submit a ticket to Episerver with your test plan including:
- Test type and approach
- Contact information for emergency issues
- Expected start and end times
- Listing of IP addresses and DNS names from where the tests will originate