OWASP, SAMM and Hasura

The goal of the Open Web Application Security Project, or OWASP, is to help ensure that the exploding web-first market can develop with a security-first mindset. For nearly 20 years, OWASP has evolved into an extensive set of best practices, community resources, open tooling, and more - all in pursuit of this goal.

Today, OWASP is most famous for the “Top Ten” framework on structuring secure applications. As the industry expands into a micro-service driven approach, it’s important for organisations to validate all of their dependencies according to the OWASP framework.

When you abstract these micro-services into hosted products - “SaaS”, the one-time-compliant status with OWASP is not enough. Modern companies need to be assured that the business in question will maintain a security-first mindset, which is where SAMM, the Software Assurance Maturity Model, comes into play.

Hasura provides developers the data and API platform for developers to make better apps, faster. We provide industry-standard security for everything we make. Once you start using Hasura Cloud with VPC, or self-hosted Hasura Enterprise, we provide in-depth training and tutorials to ensure that you are able to maintain the same rigorous security standards we maintain ourselves. Being an open-source software company dependent on other open source components and standards, there is a high degree of community scrutiny that ensures any new issues have multiple layers of checks where they can be caught and appropriately handled. There’s no black-box of magic running any of our services.
This document will outline Hasura’s security-first approach to running our own services, the security tooling we provide that allows our customers to pursue OWASP compliance and our commitment to achieving high marks according to the SAMM maturity model.

1. Injection
   Hasura doesn’t allow for literal string substitution and all queries are escaped during the query planning and compilation pipeline that processes and executes API requests. There’s no opportunity for untrusted code to execute in the Hasura application.
   
2. Broken Authentication
   Hasura supports two authentication strategies: either through JWT or through a webhook call to a trusted service. In both situations, the authentication is handled behind the Hasura service and not open to manipulation from the client.
   
3. Sensitive Data Exposure
   Hasura has industry-leading access control capability. We can lock down access for both roles and records. With our granular access checks and access controls for remote schemas, you can maintain the observability of access controls in a single platform.
   Additionally, the paid Hasura offerings enforce HTTPS by default (our open source offering is up to the implementation strategy of the development team.) Available for early access is our audit log utility which provides in-depth information about all actions occurring within the platform and across data access - whether reads or writes.
   
4. XML External Entities
   While not one of the more common data-types we see passed through our service, all XML reads and writes are escaped.
   
5. Broken Access Control
   Because we have fine-grained access controls, we support extensive tooling to ensure that those access controls are tightly monitored. There’s observability on individual tables as well as a general overview. With full support for migrations, you can generate access controls programmatically and enable “safety check” queries and mutations as part of a CI/CD process.
   
6. Security Misconfiguration
   Our configuration files are validated as part of our type-checking process, which reduces the overall surface area for programmer error. The audit log will also allow for quick isolation of where changes occurred to identify and proactively deal with any risks.
   
7. Cross-Site Scripting XSS
   We don’t allow session-based access which mitigates a large array of attack vectors. That said, it’s still possible to have mistakes in your services. We provide code-gen templates and a wide array of technical resources to help you embrace best practices in your infrastructure.
   
8. Insecure Deserialization
   We do not run untrusted code. The only user-supplied JSON that gets executed is our declarative configuration metadata (that is supplied by the team that owns and manages Hasura), which is strictly parsed by our type-checking system. All other deserialisation conforms to industry standards for delivering JSON from a server.
   
9. Using Components with Known Vulnerabilities
   We self-host all of our libraries in the critical path and perform regular audits to ensure no vulnerabilities are present in our hosted applications and downloadable binaries.
   
10. Insufficient Logging & Monitoring
    All of our paid services come with extensive logging options and the tooling itself allows for trivial custom logging solutions through database triggers and logging events. Hasura’s paid offering provides deep insight into what was queried, what the performance metrics were as well as offering fine-grained control for rate-limiting and more.

SAMM, like any good maturity model, is a barometer for a company’s security aptitude and wherewithal. Broken down into five categories, SAMM provides a helpful framework to compare a company’s “security readiness” to ensure that current OWASP standards are products of intention and not a coincidence. While our security process was not designed according to the SAMM model intentionally, it aligns as they are both derived from industry best practices and therefore acts as a good evaluation of Hasura’s commitment to security.

Governance

As a certified SOC2 Type 1 and HIPAA compliant service provider (Hasura Cloud), we have undergone extensive security planning. Additionally, as part of our ongoing compliance, we are required to train our employees to comply with the standards of SOC2 & HIPAA in order to maintain these certifications.

Design

We have a threat assessment team with regular audits on our critical path to ensure that no vulnerabilities are introduced. We also run regular reviews of our architecture with the express purpose of looking for, finding, and eliminating new risks and threats.

Implementation

We have a completely managed build system and deploy targets for all our services. Our software goes through an extensive public beta program allowing for additional threat assessment. We also follow blue-green deploys to ensure that we can roll back to a previous release with no down-time.

Verification

We continue to hire and maintain major industry contributors to review the security of our application. The afore-mentioned beta program ensures that there are many eyes and many deployments testing a release before it ever goes into production.

Operations

We have versioned environments and a multi-tier incident response team with rotating schedules clearly defined as per compliance with our other certifications.

Hasura sits between your data and your application. It’s a responsibility we take seriously and any compromise in this regard would be an existential threat to our business. We have built a tremendous amount of trust with our community over the last 100 million plus downloads of our product. It’s something we prize above all else and will continue to be essential to the Hasura DNA.