BountySite has been built with security in mind and has gone through several iterations. BountySite tries to educate users that technology is not security; it is only one small aspect of it.
You can have the best technology in place, but if you lose your FTP credentials (say, written on a desk note, snooped, or shoulder surfed) there is no tool that can protect your website. Security is wisdom. The key is to understand each step and to have best practices in place to mitigate it.
BountySite has been built by asking, at every stage, "what if this happens?". Here are some of the aspects that can be shared.
The frontend web application and the backend storage are separate and communicate only over a TLS (SSL) REST API. When a user logs in, a session token is issued by the BountySite token server, and that token is presented on every call to the storage REST API. The session token is valid for up to 2 hours.
With a custom control panel and storage, each setup environment is isolated without compromising on features. The frontend stores only users and password hashes. The default password hash is PBKDF2 with HMAC-SHA512, 1000 iterations, producing a 20-byte derived key.
The password hash parameters can be customized per setup, and so can the required password strength. Note that 1000 iterations is a low work factor by current standards, so raising it per setup is reasonable; even so, strong and unique passwords matter more than which hash is configured.
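As an added illustration (not BountySite's own code), the following Python implements the password hashing scheme described above, PBKDF2-HMAC-SHA512 at 1000 iterations with a 20-byte derived key, alongside a stronger parameter set and an upgrade-on-login check. The `pbkdf2$...` storage format, the `STRONGER` parameters and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters as described on the page: PBKDF2, HMAC-SHA512, 1000 iterations, 20-byte output.
PAGE_DEFAULT = {"hash_name": "sha512", "iterations": 1000, "dklen": 20}
# Stronger parameters, assumed here for comparison only (not a BountySite setting).
STRONGER = {"hash_name": "sha512", "iterations": 210_000, "dklen": 32}


def hash_password(password: str, salt: Optional[bytes] = None, params: dict = PAGE_DEFAULT) -> str:
    """Derive a key and return a self-describing record: pbkdf2$<hash>$<iterations>$<salt hex>$<key hex>.

    Storing the parameters next to the hash is what lets them be changed later
    without invalidating existing accounts.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(
        params["hash_name"], password.encode("utf-8"), salt, params["iterations"], params["dklen"]
    )
    return "pbkdf2${}${}${}${}".format(params["hash_name"], params["iterations"], salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored` and compare in constant time."""
    scheme, hash_name, iterations, salt_hex, key_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme: " + scheme)
    expected = bytes.fromhex(key_hex)
    dk = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), len(expected)
    )
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, params: dict = STRONGER) -> bool:
    """True when `stored` is weaker than `params`; call after a successful login to upgrade in place."""
    _, hash_name, iterations, _, key_hex = stored.split("$")
    return (
        hash_name != params["hash_name"]
        or int(iterations) < params["iterations"]
        or len(key_hex) // 2 < params["dklen"]
    )


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), needs_rehash(record))
```

Because the iteration count and digest are recorded in each stored hash, a setup can raise its work factor and transparently rehash each account the next time that user logs in, which is the practical way to move off the 1000-iteration default.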
The following layers of security are available for the frontend login:
- 2-step verification with a one-time password sent over email
- 2FA with an external mobile app
- Restriction of logins to specific source IPs
- Restriction of logins to specific hours
- Multi-user account provisioning
Beyond the login itself, the platform is hardened at the host level:
- FTP hosts have to be explicitly allowed in the firewall before backups can reach them
- Reverse shells are difficult to obtain
- Even if a user account is compromised, it is difficult to cause damage upstream, since the hosts run with PaX, ASLR, PIE and stack protection
- All jobs for a website run as the individually provisioned user
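The login controls above (IP restriction, login hours, and a mobile-app second factor) can be expressed as one policy check. The following Python is an added example, not BountySite's code. It assumes that the external mobile app is a standard TOTP authenticator (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits), that allowed hours are expressed in UTC, and that the `LoginPolicy` class, its method names and the sample allowlist are hypothetical; the embedded secret is the RFC 4226/6238 test vector secret.

```python
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timezone
from typing import List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift.

    Every candidate is compared with compare_digest and the loop never short-circuits,
    so timing does not reveal which step (if any) matched.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = at // step
    ok = False
    for d in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + d, digits), code)
    return ok


class LoginPolicy:
    """IP allowlist, login-hour window and TOTP second factor, evaluated in that order."""

    def __init__(self, allowed_networks: List[str], allowed_hours_utc: Tuple[int, int], totp_secret: bytes):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
        self.hours = allowed_hours_utc  # half-open [start, end) in UTC; start > end wraps past midnight
        self.secret = totp_secret

    def ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)  # mismatched IP versions compare False

    def hour_allowed(self, at: int) -> bool:
        hour = datetime.fromtimestamp(at, tz=timezone.utc).hour
        start, end = self.hours
        if start < end:
            return start <= hour < end
        return hour >= start or hour < end

    def check(self, ip: str, otp: str, at: int) -> Tuple[bool, str]:
        """Return (allowed, reason). Cheap, non-secret checks run before the OTP is touched."""
        if not self.ip_allowed(ip):
            return False, "ip not allowed"
        if not self.hour_allowed(at):
            return False, "outside login hours"
        if not verify_totp(self.secret, otp, at):
            return False, "bad otp"
        return True, "ok"


# Constructed sample: the RFC 4226/6238 test secret and an allowlist in TEST-NET-3.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_POLICY = LoginPolicy(["203.0.113.0/24"], (9, 18), SAMPLE_SECRET)

if __name__ == "__main__":
    now = 36059  # 1970-01-01 10:00:59 UTC, inside the 09:00-18:00 window
    print(SAMPLE_POLICY.check("203.0.113.7", totp(SAMPLE_SECRET, now), now))
    print(SAMPLE_POLICY.check("198.51.100.1", totp(SAMPLE_SECRET, now), now))
```

The order of the checks matters in practice: the IP and hour tests reject unwanted traffic without touching the user's secret, and the one-step drift window is the usual compromise between usability and the replay exposure that a wider window would add.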
The frontend is built in Python on web2py, which provides a reasonable amount of security as a foundation.
WAF protection adds a few further layers of security in front of the frontend, blocking anomalous traffic before it reaches the web stack. This reduces exposure to 0-day attacks on the platform, although a WAF is a mitigation rather than a substitute for patching.
Security is a practice, not a product. BountySite will continue to go through audits and to add layers of security.