This summer, the security of Casebox’ code and servers has been externally audited by Cure53, an expert software security company. Our software for human rights information management has become much more secure as a result of this, and we have made organisational changes to incorporate lessons learned into the software development process.
“We were hoping to be challenged, and we were not disappointed”, Daniel D’Esposito, HURIDOCS Executive Director said. “The best thing about our auditors, Cure 53, is how they handled the process in a capacity-building way, with a lot of interaction. The tests were carried out in sprints, with the development team receiving live feedback and fixing the bugs on the fly, and the fixes were then also immediately reviewed. It was really intense and positive learning experience for all of us.”
What are the outcomes?
Casebox is not only more secure in its current state, but also the developer team has learned a lot to build security stronger into the application in the future. “We realised that we needed to ramp up our approach to security, which we now understand to be an ongoing process in software development”, Daniel D’Esposito said. To oversee and implement this, HURIDOCS has added its first ever Chief Technology Officer to the team, and increased its boards capacity in the field.
HURIDOCS has fixed all identified issues on all instances where Casebox is hosted.
What was the process?
First, Casebox’ code was audited. Examples of successful attacks have been shown to the software development team that went out of their way to fix them immediately. The report of the code audit can be accessed on Cure53’s website.
Secondly, Casebox deployment was audited. This is the server setup on which a Casebox instance is hosted. Additionally, implementation of issues has been verified and advice on feasibility of hosting scenarios has been included. The report is also accessible on Cure53’s website.
The process was overseen and managed by independent consultants.
How secure is Casebox then?
Casebox is a lot more secure than it used to be, and this is why we are truly thankful for the work Cure53 has done. We also are confident that it will be more secure in the future – in fact, we have since summer worked to make security an inherent part of the development process.
However, even with this, there can be no absolute guarantee with systems like Casebox. Cure53 is one of the best auditors available, but that does not mean they could cover all eventualities, despite certainly trying. This is why we recommend to encrypt highly sensitive information, before uploading it to Casebox, or not uploading it at all, and instead, for example, using codes that refer to information that is stored offline.
It should also not be forgotten that probably the most common attack on human rights organisations is not attacking their systems, but targeting their people. A recent Citizen Lab report has underscored the challenge posed by social engineering attacks, that is, emails or other messages that trick staff into giving up their passwords, or accidentally downloading viruses onto their computer.
Aware users, with strong and unique passwords and two-factor authentication are the basis the security for organisations using Casebox rests on.
Why it is important to audit?
The premise of open source software is that the code is open for everyone to check. But who has the time and ability to do so, especially when the software has thousands lines of code, like Casebox does?
To protect the people and organisations running Casebox, often with the goal of storing sensitive data, expert audits are absolutely indispensable. They need to be conducted regularly, as the software undergoes development and threats become ever-more sophisticated.
HURIDOCS aims to undergo independent code audits before every major release.
HURIDOCS is truly grateful for the Open Technology Fund’s support of the audit process, for the Open Society Foundations’ support in managing it, and for the consultants’ oversight.