As a hub-and-spoke identity federation, SAFIRE directly handles the personal information of users. Recognising that security is a key concern, an external vulnerability assessment of SAFIRE’s publicly-visible infrastructure was recently undertaken by the SANReN Computer Security Incident Response Team (CSIRT). The purpose of this assessment was to ensure that SAFIRE’s web servers complied with best practices and to try and preemptively mitigate any security problems.
The resulting report raised a number of relatively minor concerns. As far as is practical, these have all been addressed — either by actively identifying the finding as a false positive (expected behaviour) or by altering configurations to remediate the problem. Some of the CSIRT findings resulted in patches being submitted back to the original software projects, allowing others to benefit from our discoveries.
SAFIRE’s web infrastructure also rates reasonably well on a number of publicly available metrics, such as those from Mozilla Observatory.
The SANReN CSIRT offers vulnerability assessments as a service to the South African NREN beneficiary community, which will include most identity providers within SAFIRE.