Below are the few answers to Session security:
- How is the session token constructed (i.e. data elements)? What steps have been taken to ensure that it is effectively non-forgeable? If encryption is used, provide algorithm and key length.
In Ephesoft, session is maintained by Tomcat Application server. Ephesoft does not construct any other custom session token.
2. Is a session table used to manage sessions? If so, does it exist in memory on the web server, or is it stored further back in the system hierarchy? Does it contain passwords (either plain text or encrypted)?
As the session is managed by Tomcat Application server, no session table is used to manage sessions. In Ephesoft all the passwords can be either plain text or encrypted.
3. What session management controls are used to end a session or log off a user after a period of session inactivity? What are the time limit thresholds and are they customizable?
Session timeout settings are configurable in Ephesoft. Before the user’s session is about to expire, user is prompted a warning with timer for continue for a configurable time. Once session timeout happens, user is shown the Home page and has to login again.
4. What security policy and standards does the application follow (eg Bs7799 or ISO27001 etc)
Ephesoft security has been tested on IBM Security AppScan tool.
5. What certificates/assurance frameworks are maintained by Ephesoft (eg Soc2, ISO27001, PCI-DSS etc)
We do not currently hold any certifications. We do try to adhere to the OWASP standards but we do not hold and certifications.
Just to add, Ephesoft has support for HTTP over SSL (HTTPS), PIV/CAC, LDAP over SSL. Further information related to these is available on Ephesoft wiki.