Application Security

Multi-factor authentication
All Benify administrators have individual accounts. Multi-factor authentication is enabled for all administrators and access is only granted when authenticated with at least two factors.

Multi-factor authentication for end-users can be enabled via Google Authenticator. For Swedish clients, it’s possible to use multi-factor authentication through BankID.

Access can also be managed through single sign on (SSO) using SAML 2.

Passwords
End-users have individual user accounts and must be authenticated with at least password. Password policy can be customized to fit specific customer requirements.

Password reset is done by request and is sent to the user accounts pre-registered email address. Reset links includes a temporary password that needs to be changed at first login. Old reset links expire upon generation of a new reset link.

The application only allows one password reset request per 30 minutes.

User accounts will be locked after five failed log-on attempts. Accounts will be locked for 24 hours, until a new password is set or when an account is manually opened by a Benify administrator.

User inactivity
All users are automatically logged off after 30 minutes of inactivity.


Separation of customer data
All customer data is logically separated for each customer to ensure confidentiality and integrity between customers. Every customer has a unique company key which is used to separates data.


Sensitive data
All customer’s personal data is according to Benify’s information classification policy classified as Strictly confidential. In addition to this, information such as salary, bonuses etc. are classified as sensitive in the Benify application.

Access to sensitive information is only allocated according to the principle of least privilege.

Sensitive information is by default masked for all Benify administrators. Permissions to view masked information is controlled by the role permissions.

Access to sensitive information is a part of annual role permission review.


Event logs
All activities in the application are logged. Our logs include information about the user, time and dates, user activity and critical security events (such as authentication attempts to violate the rules of authentication).

To protected our logs against tampering the logs are protected by an integrity check mechanism and access rights are strictly limited.

Application time is synchronized using Network Time Protocol (NTP).


Encryption – Data in transit
Communications between end-user computer clients and Benify’s servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS) over public networks.


Encryption – Data at rest
Production- and backup-data are encrypted at rest using AES 256-bit encryption.


Encryption – Integrations
Benify strongly recommends that all customer integrations and file transfers are protected using SFTP/HTTPS and file encryption such as PGP.


Protection of authentication information
All stored passwords are hashed using SHA512 and a salt.


Web application vulnerability scans
Automated web application vulnerability scans (including OWASP top 10) are conducted against the Benify application each week.

All vulnerabilities are classified and mitigated according to internal policies and procedures.


Third party library vulnerability scans
To identify project dependencies and check for any known, publicly disclosed vulnerabilities in third party libraries, Benify regularly performs OWASP Dependency-Checks.


Penetration testing
Benify uses an independent security company to perform full application penetration tests every quarter. I addition to this all application releases are tested continuously. Penetration tests are performed using automated and manual testing and includes testing towards international benchmarking projects and standards such as OWASP Top Ten and WASC.