Security

Third-party tests

• app.powermapper.com scores A+ on Mozilla Observatory
• app.powermapper.com scores A+ on securityheaders.com
• app.powermapper.com scores A- on SSL Labs tests

Cloud security

This section explains how the product performs against the NCSC Cloud Security Principles.

1. Data encryption

Data in transit

• Data in transit is encrypted using TLS 1.2 (TLS 1.1 and earlier is disabled)
• Certificate issuance is limited by DNS CAA records
• Certificates are managed by LetsEncrypt and rotated every 60 days
• HSTS is used with max-age set to 12 months
• HTTP requests are redirected to HTTPS
• TLS cyphers marked as weak by SSLLabs are disabled

Data at rest

• Data at rest is encrypted using AES 256

2. Authentication and access control

Privilege separation

User accounts are seperated into three levels of privilege:

• Administrators who can create or delete users, and can access billing details
• Standard User who can create or delete scan reports
• Read-only User who can only view scan reports

3. Security logging and incident management

Logging and event collection

The service records an audit log of all changes and important events, including account lockout and disabling two-factor authentication.

Availability of logs

Logs are available to administrators using the Audit History link in the app's navigation bar.

Incident response process

The service has a documented incident response process with identified responsibilities.

Security updates

Scheduled platform security updates are applied as soon as they're available on the second Tuesday of each month (Patch Tuesday). Unscheduled platform security updates are also applied as soon as they're available.

Vulnerability disclosure process

Reporting security issues should use the process in the vulnerability disclosure policy and referenced in the standard security.txt file.

4. Governance

Privacy policy

Our privacy policy explains how data is processed.

Data location and legal jurisdiction

Data is processed and stored in Azure data centers based in the UK.

Product security features

The following security features are available by default with no additional configuration:

• Password strength is checked when passwords are changed
• Changed passwords are checked against a list of 10,000 common passwords
• Audit log shows security incidents (failed logins, password resets, etc)
• Anti-CRSF tokens are used on all form POSTs (including login)
• Passwords are hashed by PBKDF2
• DDoS protection by Azure