Information security

Access control and authentication

Role and rights concept

A customizable role and rights concept is a prerequisite for restricting access to data or information to authorized persons.
 

Single sign-on

BCS supports authentication via SAML, Active Directory (LDAP/KERBEROS) or OAuth 2.0 with OpenID Connect.

Guidelines for passwords

Projektron BCS supports guidelines for passwords regarding password complexity and frequency of changes.

2-factor authentication

The login can be additionally secured by a second factor generated according to the TOTP procedure.

Passkeys

BCS supports Passkeys, a password-free authentication method that replaces passwords with an asymmetric procedure, thereby increasing user-friendliness and eliminating vulnerabilities such as phishing, password theft and weak passwords.

Data security and protection mechanisms

Encrypted connections

Encrypted communication is possible for secure data transfer between Projektron BCS and users or external systems (https, imaps, smtps).

Password vault

Passwords needed for third-party systems can be stored cryptographically secure in a password vault.

Secure passwords

Passwords are secured in Projektron BCS with the PBKDF2 algorithm as well as salt and pepper.

Brute force attacks

User accounts are protected by waiting times or account lockout after multiple failed login attempts. Access to individual accounts can be restricted to certain IP addresses and IP ranges.

Testing and review

Vulnerability scanning

The software is regularly scanned for known security vulnerabilities.

Pentests

Pentests are regularly carried out in collaboration with our customers. The results of these tests are continuously incorporated into the development and protection of Projektron BCS.

Automated testing

Projektron BCS is tested for both functionality and user-friendliness. Common attack patterns can be checked automatically. Automated tests are integrated into the Continuous Integration (CI) pipeline to ensure that every change to the code is tested immediately.

Integration tests

We perform integration tests to ensure that different components of the software work together securely and that no new security vulnerabilities arise.

Unit testing

For each user story, we develop unit tests to verify correct functionality and security at the code level.

Test coverage reports

We create test coverage reports that show the coverage of user stories by the tests and ensure that no security-critical areas remain untested.

End-to-end testing

We create end-to-end tests that cover the entire user story and ensure that the application works as expected and is secure.

Internal security measures

Definition of security requirements

Security objectives and requirements are clearly defined at the beginning of the project.

Security planning

We follow a detailed security plan that describes security measures and procedures.

Team of experts in product development

A specialized team continuously deals with current IT security issues and implements the latest security measures in Projektron BCS. This ensures that our software always meets the highest security standards.

Internal guideline “Secure Software Development”

The internal guideline aims to minimize security deficits and vulnerabilities in the development of Projektron BCS and to respond appropriately to them. This is done by taking into account the SANS 25, which lists the 25 most dangerous and relevant vulnerabilities in software, as well as the OWASP Top 10, which describes the ten most widespread and important vulnerabilities for web applications.

Staff training

Our developers receive regular training and are made aware of security aspects and best practices.

Awareness programs

We run programs to promote security awareness throughout the development team.

Security documentation

All security requirements, measures and tests are documented in detail.

Reporting

We regularly report on the security status and any incidents that have occurred to relevant stakeholders.

Secure programming and development guidelines

Coding standards and guidelines

We adhere to proven coding standards and guidelines to avoid security vulnerabilities.

Code reviews and peer reviews

The code is regularly reviewed by colleagues to identify potential security issues at an early stage.

Static Code Analysis

Tools are used for static code analysis to find vulnerabilities in the source code.

Risk Assessment

Potential security risks are identified and assessed throughout the entire development process.

Vulnerability Management

A process has been implemented to detect, assess and remediate security vulnerabilities.

Version Control and Configuration Management

Version control

We use version control systems (e.g. Git) to track changes in the code and ensure traceability.

Configuration management

We ensure that all configurations are securely managed and documented.

Incident response and emergency planning

Contingency plans

Contingency plans have been created and are continuously maintained to enable a quick and effective response in the event of a security incident.

Incident response

We have established a process for responding to security incidents, including analyzing and rectifying the causes.

Location and availability

Data center in Germany

The data center is located in Germany and is subject to high security levels. It belongs to the Tier IV class with redundant ISP POP.

Backup and recovery

The hosting offers backups and, if necessary, a quick recovery.

Certified

Our data center and Projektron's security-related areas are certified according to ISO 27001. The data center also has other certificates: VdS ISO 9001 NSL and IS, DIN 14675 for BMA and DIN EN 50518.

Availability

We guarantee the agreed availability, which is permanently monitored.

Physical security and access control

Access control

The data center may only be accessed by authorized persons who have been entrusted with the fulfillment of tasks and who have registered in advance.

Security

The data center is guarded on-site 24/7, 365 days a year. 

Security tests and updates

Automated updates

The virtual machines and Projektron BCS are updated automatically so that they are always up to date and secure.

Maintenance window

There are regularly scheduled maintenance windows for importing updates and patches. In the event of an acute security breach, unscheduled updates will be carried out, with two hours' notice.

Pentest

Our hosting is subjected to a pentest annually.

Data and access security

Separate database servers

Customer data is stored on separate database servers. This enables better performance and the setup of individual interfaces.

SSL

When hosting, you access Projektron BCS via encrypted access with an SSL certificate.

VPN tunnel

The virtual machines cannot be accessed via the Internet. Projektron only accesses these via VPN tunnels.

Firewall

A centralized firewall with strict filter rules individually for each customer protects you from external attacks. A firewall for web applications can be provided upon request.

Secure connections via HTTPS/SFTP/SSH & SCP

You generally only access your virtual machine via secure connections (via HTTPS/SFTP/SSH) and create backups or data copies (via SCP) in this way, for example.

Additional services and training

CMS

Our customers are automatically connected to the Configuration Management Service (CMS). This means that their configurations are managed within an SVN repository.

Further training

Employees receive further training tailored to their needs in the security of hosting services.

Support portal

Transport security

Transport security in the support portal is ensured by the optional but recommended use of HTTPS.

Message exchange and authentication

Messages are exchanged via SOAP, with authentication being ensured by username and password in the SOAP header. The synchronization user should be protected with a strong password because it has extensive rights. This password should be stored in the password

Configuration of the Attributes to be Synchronized

The attributes to be synchronized can be configured, whereby sensitive attributes can be excluded from synchronization.

Port Restrictions

Port restrictions can be applied to specifically restrict the HTTP exchange between the systems involved.

Web App

Transport security

The transport security of the web app is guaranteed, as it can only be used in conjunction with HTTPS.

Authentication and cookie management

Authentication is carried out via a username and password, followed by the use of a long-lasting cookie that is stored securely in the memory and removed from the app when you explicitly log out.

Rights application during synchronization

When synchronizing from the Web app to Projektron BCS, the rights set in BCS are applied.

Microsoft Exchange On-Premises

Transport security

Transport security for Microsoft Exchange on-premises is ensured by the optional but recommended use of HTTPS.

Authentication

Projektron BCS supports the BASIC, DIGEST and NTLM authentication types, which are, however, vulnerable to certain attack patterns. BCS does not yet support the modern AD FS authentication type, which is based on OAuth 2.0 and is used by Exchange 2019.

Microsoft Exchange Online

Transport security

When using Microsoft Exchange Online, transport security is guaranteed by the exclusive use of HTTPS.

Authentication

Secure, token-based authentication provides additional protection when using Exchange Online.

Jira On-Premises

Transport security

Transport security for Jira On-Premises is guaranteed by the optional but recommended use of HTTPS.

Message exchange

The message exchange is done via SOAP, where the password of the sync user must be securely protected.

Impersonation and security

After logging in via the sync user, impersonation is used to store actions in the context of the logged-in user.

Jira Cloud

Authentication

In Jira Cloud, authentication is done via an API key on the user via the REST interface in BCS, whereby the API key is securely created and stored.

Security recommendation

It is recommended that Jira Cloud and Projektron BCS be installed on the same system to be able to block ports through a firewall.

User management

Only the administrator can manage the user assignment mappings in BCS.