WingArc Australia does not generally carry out formal third-party security audits or penetration testing of the SuperSTAR suite. The infrastructure and configuration of each deployment plays a significant role in the overall security of the solution, so any testing that might be carried out on the SuperSTAR suite in isolation would not provide complete assurance of the security of a real-world deployment.
Customers should arrange their own third-party audit of the full solution that they have implemented, including SuperSTAR. If you require assistance or advice with security matters, please contact support.
Should your audit identify any security issues, please bring these to our attention via our support channels. We address any issues exposed by these audits with a high priority.
Following is some information about security measures within SuperSTAR that may assist with your audit:
|Credential Security||Passwords are hashed with PBKDF2, using 240 bit keys, 64,000 iterations and SHA-256 HMAC, and independently salted.|
It is the customer's responsibility to ensure that the server is correctly configured so that only HTTPS protocols are used for access to the SuperWEB2 client by end users. Options for configuring SuperWEB2 to use HTTPS include:
Traffic between SuperWEB2, SuperSERVER, and SuperADMIN
Dataset and application security
All traffic between SuperWEB2 and SuperSERVER, as well as the applications themselves and the SXV4 datasets, are assumed to be properly protected via the infrastructure on an internal or isolated network where these components are installed.
OS permissions and infrastructure configuration should be set up so that no unauthorised users can gain access to the datasets or configuration files. Customers may choose to apply encryption at the OS or hardware level.
End user interaction is with SuperWEB2 only, via the web, and should be restricted to HTTPS only.