This page provides information about the Survey Project web application: its compliance with (international) rules and regulations (law) and the security and accessibility measures applied.
The main reason to start documenting this information is to assist 'Data Controllers' and 'Data Processors' in complying with:
General Data Protection Regulation (May 25th 2018)
A new EU regulation (law) concerning the use and processing of personal data that formally applies as of May 2018.
Sources on GDPR
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
http://ec.europa.eu/justice/data-protection/
http://www.eugdpr.org/
- Information Commissioner's Office (UK)
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- GDPR Summit Series (YouTube videos)
https://www.youtube.com/channel/UCwlTq3gRfiKtSsK787gMtMQ/featured
The GDPR rules apply inside and outside the EU (whenever personal data of EU citizens is processed).
OWASP - Application Security Verification Standard
The Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) v3.0.1 is used to review and audit the compliance of the SP web application with (international) security standards.
Results will be published in detail separately. The overall, summarized results will be presented in the following table (cells are left empty until the review is completed):
Code | Section | Level 1 Opportunistic | | | | Level 2 Standard | | | | Level 3 Advanced | | | | Achieved
 | | C | NC | PC | MET | C | NC | PC | MET | C | NC | PC | MET | level
V1. | Architecture, design and threat modelling | | | | | | | | | | | | |
V2. | Authentication | | | | | | | | | | | | |
V3. | Session management | | | | | | | | | | | | |
V4. | Access control | | | | | | | | | | | | |
V5. | Malicious input handling | | | | | | | | | | | | |
V7. | Cryptography at rest | | | | | | | | | | | | |
V8. | Error handling and logging | | | | | | | | | | | | |
V9. | Data protection | | | | | | | | | | | | |
V10. | Communications | | | | | | | | | | | | |
V11. | HTTP security configuration | | | | | | | | | | | | |
V13. | Malicious controls | | | | | | | | | | | | |
V15. | Business logic | | | | | | | | | | | | |
V16. | File and resources | | | | | | | | | | | | |
V17. | Mobile | | | | | | | | | | | | |
V18. | Web services (NEW for 3.0) | | | | | | | | | | | | |
V19. | Configuration (NEW for 3.0) | | | | | | | | | | | | |
Legend
C = Compliant (yes/no)
NC = Not Compliant (yes/no)
PC = Partially Compliant (%)
MET = +, -, !
Achieved = overall level
More soon....