Cybersecurity for websites and eCommerce stores is becoming mandatory with stricter government regulations, but it also avoids downtime, safeguards sensitive data and protects against the spread of malware and viruses.
Low on dependencies: Security is only as strong as its weakest link, so we keep track of security breaches and limit dependencies and unknowns.
SBOM available: At Cradle CMS we work with an SBOM (software bill of materials) as a way to increase security and as part of software supply chain risk management.
Self-managed hosting: Hosting is under your control; deploy in the cloud, on premise or a mixture of both.
No need to use a CDN: The application handles performance and storage of data itself, so there is no need for offloading to a CDN.
Service oriented architecture
Security is a priority for us. To enable a secure system setup we have arranged services into separate layers, which makes it possible to adapt to different security requirements. Cradle CMS and eCommerce software is built from loosely coupled services in a service oriented architecture (SOA), where each service can be deployed separately and a message bus in the centre handles events. This architecture makes physical separation of services, storage and databases possible.
Physical separation combined with encryption at rest, both on storage and in the databases, protects against data theft during ransomware attacks, hardware theft or unauthorised access to your servers.
Multi-server setup possible: The services, databases and storage can be deployed separately, making it possible, for example, to secure admin access behind a firewall.
Security by TLS: The message bus can be configured to require TLS, demanding encryption and SSL-based authorisation from all connected services.
SSL certificates: Supports automatic HTTPS certificates from Let's Encrypt and other ACME-compliant providers, and the code is compiled with a FIPS 140-2 certified crypto library.
Structured logging: Logging and monitoring are important security features that help detect and respond to security incidents. They keep track of user activity and system events and analyze them for signs of suspicious behavior.
Role based access control (RBAC)
Access control: Roles with different levels of permissions. Human error is considered a weak link in security, and limiting privileges to only those who need them reduces the risk considerably.
Client-side security
Taking responsibility for the safe usage of your site is best done by knowing your frontend code, serving everything from servers under your control, and running a backend you can trust.
Content Security Policy (CSP): CSP is a browser security feature that helps prevent cross-site scripting (XSS) and other code injection attacks. It allows website owners to specify which sources of content, such as scripts, stylesheets and images, are allowed to be loaded on their site.
Form input validation: Form input validation is a security feature that helps prevent attacks by checking user input for malicious code or invalid data before it is processed.
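The CSP description above in practice, as an added example that is not Cradle CMS code: a loose policy next to a strict one that only allows content from servers under your control, plus a small check that reports the weaknesses a reviewer looks for. Both policies are constructed for illustration.

```python
# Two constructed policies for comparison; neither is Cradle CMS's shipped CSP.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
STRICT_CSP = ("default-src 'self'; script-src 'self'; style-src 'self'; "
              "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; "
              "base-uri 'self'; form-action 'self'")


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives (script-src, img-src, object-src, ...) fall back to
    default-src when absent; frame-ancestors and base-uri do not."""
    return policy.get(directive, policy.get("default-src", []))


def csp_findings(header):
    """Return a list of weaknesses; an empty list means none of these checks fired."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives allow any source")
    scripts = effective_sources(policy, "script-src")
    if "*" in scripts:
        findings.append("script-src allows scripts from any origin (*)")
    if "'unsafe-inline'" in scripts:
        # Browsers ignore it when a nonce/hash is also listed, but it is still a smell.
        findings.append("script-src allows inline scripts, which defeats XSS protection")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows eval(), a common code injection sink")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src should be 'none' to block plugin content")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the site can be framed (clickjacking)")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative URLs")
    return findings
```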
ISO 27001
ISO 27001 is an information security management system standard that helps organizations create a structured framework for preventing unauthorized access, maintaining data integrity and ensuring information availability to authorized users.
ISO 27001 technical controls and Cradle software
8 Technological controls
8.1 User end point devices
Control: Information stored on, processed by or accessible via user end point devices shall be protected.
Cradle software: Yes, possible. As Cradle software is self-hosted, the level of protection can be decided by the venture, and an SOA architecture enables more options for security.
8.2 Privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and managed.
Cradle software: Yes, the system has privileged access right levels.
8.3 Information access restriction
Control: Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
Cradle software: Yes, Cradle software has access management.
8.4 Access to source code
Control: Read and write access to source code, development tools and software libraries shall be appropriately managed.
Cradle software: Possible. A licence to Cradle software that includes the source code can be purchased. NOTE that source code is not included in regular licences.
8.5 Secure authentication
Control: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
Cradle software: The whole admin can be placed behind a firewall that only allows access from specific IP addresses. Access to the admin is with passwords.
8.6 Capacity management
Control: The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Cradle software: Yes, Cradle software is self-hosted, which enables full control.
8.7 Protection against malware
Control: Protection against malware shall be implemented and supported by appropriate user awareness.
Cradle software: Yes. The SBOM is checked for known vulnerabilities, form postings have input validation and CSP (Content Security Policy) can be used. Full access to the theme code is limited to specific user roles in the system.
8.8 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
Cradle software: Yes, the system has an SBOM accessible.
8.9 Configuration management
Control: Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Cradle software: Yes, Cradle software can be configured to the needs of the organization.
8.10 Information deletion
Control: Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Cradle software: Yes, Cradle software is self-hosted and leaves full control of data deletion to the organization.
8.11 Data masking
Control: Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Cradle software: Yes, Cradle software enables data masking of sensitive data.
8.12 Data leakage prevention
Control: Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Cradle software: Yes, Cradle software is self-hosted and leaves many options for leakage prevention through configuration and server setup.
8.13 Information backup
Control: Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Cradle software: Yes, Cradle software is self-hosted and allows for backups.
8.14 Redundancy of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Cradle software: Yes, Cradle software is self-hosted and built with a service oriented architecture, leaving many options for redundancy.
8.15 Logging
Control: Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Cradle software: Yes, Cradle CMS has structured logs in JSON format, streamed over the message bus, so it is easy to store and filter every event.
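The structured logging described here (JSON events streamed over the message bus) and the earlier note that logs are analyzed for signs of suspicious behavior, as an added example that is not Cradle CMS code: a small consumer that reads JSON log lines and flags a burst of failed admin logins from one IP address, which is the kind of event an 8.16 monitoring setup would alert on. The event name and field names (`ts`, `event`, `result`, `user`, `ip`) are assumptions, not Cradle's schema, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of JSON log lines; the field names are an assumption,
# not Cradle CMS's real log schema. One deliberately malformed line is included.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "event": "admin.login", "result": "failure", "user": "admin", "ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:03Z", "event": "admin.login", "result": "failure", "user": "admin", "ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:05Z", "event": "admin.login", "result": "failure", "user": "editor", "ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:09Z", "event": "admin.login", "result": "failure", "user": "root", "ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:12Z", "event": "admin.login", "result": "failure", "user": "admin", "ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:20Z", "event": "admin.login", "result": "success", "user": "admin", "ip": "203.0.113.7"}
{"ts": "2024-05-01T10:01:00Z", "event": "admin.login", "result": "failure", "user": "alice", "ip": "198.51.100.4"}
this line is not JSON and is skipped rather than crashing the consumer
"""

def parse_events(text):
    """Yield one dict per well-formed JSON line; malformed lines are dropped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "ts" in event:
            yield event

def detect_login_bursts(text, threshold=4, window_seconds=60):
    """Return {ip: (failures_in_window, success_followed)} for every IP whose
    failed admin logins reach `threshold` inside a sliding `window_seconds`."""
    recent = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = {}
    for event in parse_events(text):
        if event.get("event") != "admin.login":
            continue
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = event.get("ip", "unknown")
        if event.get("result") == "failure":
            window = recent[ip]
            window.append(ts)
            # Forget failures older than the window before counting.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                flagged[ip] = (len(window), flagged.get(ip, (0, False))[1])
        elif event.get("result") == "success" and ip in flagged:
            flagged[ip] = (flagged[ip][0], True)  # success after a burst: the real alarm
    return flagged
```

Feeding the consumer from the message bus instead of a string only changes where the lines come from; `detect_login_bursts` is what the monitoring side would call.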
8.16 Monitoring activities
Control: Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Cradle software: Possible; the logs from Cradle software can be connected to services such as Grafana to monitor activities.
8.17 Clock synchronization
Control: The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
Cradle software: Not related to the software itself but to the server setup.
8.18 Use of privileged utility programs
Control: The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
Cradle software: Yes, the API can grant read or write access on a granular level.
8.19 Installation of software on operational systems
Control: Procedures and measures shall be implemented to securely manage software installation on operational systems.
Cradle software: Not related to the software.
8.20 Networks security
Control: Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Cradle software: Not related to the software.
8.21 Security of network services
Control: Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
Cradle software: Not related to the software.
8.22 Segregation of networks
Control: Groups of information services, users and information systems shall be segregated in the organization's networks.
Cradle software: Yes, Cradle software provides options for server segregation.
8.23 Web filtering
Control: Access to external websites shall be managed to reduce exposure to malicious content.
Cradle software: Not applicable.
8.24 Use of cryptography
Control: Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Cradle software: Not applicable.
8.25 Secure development life cycle
Control: Rules for the secure development of software and systems shall be established and applied.
Cradle software: Not applicable, as the rules need to be set by the organization.
8.26 Application security requirements
Control: Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Cradle software: Not applicable.
8.27 Secure system architecture and engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
Cradle software: Not applicable, as the principles need to be set by the organization.
8.28 Secure coding
Control: Secure coding principles shall be applied to software development.
Cradle software: Yes.
8.29 Security testing in development and acceptance
Control: Security testing processes shall be defined and implemented in the development life cycle.
Cradle software: Dependent on the project.
8.30 Outsourced development
Control: The organization shall direct, monitor and review the activities related to outsourced system development.
Cradle software: Dependent on the project.
8.31 Separation of development, test and production environments
Control: Development, testing and production environments shall be separated and secured.
Cradle software: Yes, the software is self-hosted and leaves these options to the organization.
8.32 Change management
Control: Changes to information processing facilities and information systems shall be subject to change management procedures.
Cradle software: Dependent on the project.
8.33 Test information
Control: Test information shall be appropriately selected, protected and managed.
Cradle software: Not applicable, as the system is self-hosted.
8.34 Protection of information systems during audit testing
Control: Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.