Does the application support SSO for authentication? Is Single Sign-On (SSO) to be used?

SaaS is supported via SAML2.0 and OAuth.

Does the application use cookie-based session management or token-based session management such as JWT, OAuth, SAML, and API keys?

The application uses token-based session management. We support JWT (JSON Web Tokens) for stateless authentication, OAuth for delegated access control, and SAML for single sign-on (SSO). API keys are also used to secure API endpoints. Cookie-based session management is not utilized.

How does Unravel handle LDAP authentication?

For LDAP, we take the password from the user once and store it in the unravel.properties file for initial authentication to the LDAP server. This password is encrypted and input into the property to ensure it remains secure at rest.

Does Unravel store credentials for AAD (Microsoft Entra ID) authentication?

No credentials are stored on the Unravel side for AAD (now called Microsoft Entra ID).

Do stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks?

Yes, the stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks.

Is the secure flag or HttpOnly set for session cookies?

No, the secure flag or HttpOnly is not set for session cookies, as the application does not use cookie-based session management.

Is the application using custom authentication? If 'Yes', where are the user credentials stored? Will authentication be facilitated via integration?

Yes, custom authentication is supported. The user credentials are stored in the database in hashed form. We only support Unravel’s native authentication with username and password.

Do any credentials need to be hard-coded in scripts, files, etc.?

No.

Is this application integrated with other applications?

Yes, it has many integrations. Some include CI/CD pipeline, Slack, email, SSO, etc.

Does the application enforce Two-Factor Authentication (2FA)? Is MFA implemented in the application?

No.

Are any Forgot password/Password reset features implemented in the application?

No.

Is account lockout enabled for multiple incorrect login attempts?

The SSO service provides the account lockout functionality. This functionality is enabled if you are using an SSO service.

Does the application enforce step-up authentication for sensitive transactions?

No.

What are the password policies being applied? What controls are in place for password strength? i.e., Length, Numbers, Symbols, uppercase, minimum lifetime, and use of previous passwords. Required to keep passwords confidential, use complex passwords, and change passwords at periodic intervals?

Password policies are managed by SSO service.

How is the database accessed from the application? Through direct SQL queries or parameterized queries?

Parameterized queries.

Is the database shared with other applications?

No.

Does the application pass unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to an OS system shell?

No.

Is authorization based on roles? If so, describe the users in terms of roles and the capabilities of each role.

Yes, authentication is based on roles. For more details see here.

How are any temporary files protected from unauthorized disclosure, alteration, and destruction?

Temporary files are written to <unravel-install-location>/tmp which is owned by and restricted to the user running Unravel.

What is the process of obtaining a user account?

SSO typically manages this; however, if you are using Unravel's built-in authentication, please contact Unravel support.

Which compliance standards does Unravel adhere to?

Unravel is compliant with several major standards, including SOC 2, GDPR, and HIPAA. This ensures that the platform meets stringent security, privacy, and data protection requirements. See here for more information.

How does Unravel assist in regulatory compliance and reporting?

Unravel provides detailed logs and audit trails that help organizations maintain compliance with regulatory requirements. It also offers reporting tools that can generate compliance-related reports on-demand.

How does Unravel ensure data is secured when sending to Unravel Cloud?

We use TLS encryption, which is the same standard secure websites use to secure data in transit.

How does Unravel handle data encryption at rest and in transit?

Unravel uses industry-standard encryption protocols to secure data both at rest and in transit. Data at rest is encrypted using AES-256, while data in transit is protected using TLS 1.2 or higher.

Does Unravel support role-based access control (RBAC)?

Yes, Unravel supports RBAC, allowing for granular control over user access and permissions based on their roles within the organization.

What ports do I need to open?

Port - 443.

Is the user input validated for special characters like '<> to prevent attacks like XSS, SQL Injection, etc.?

Yes, it is validated. We also do it after receiving any vulnerability report from internal security or penetration tests from a third-party vendor.

What measures are in place to protect against insider threats?

Unravel implements strict access controls, audit logs, and real-time monitoring to detect and mitigate any potential insider threats. It also supports integration with SIEM systems for enhanced security management.

How frequently are security updates and patches applied to Unravel?

Unravel follows a proactive approach to security updates. Critical patches are applied as soon as they are available, and regular updates are scheduled quarterly to ensure the platform remains secure and up-to-date.

Do input validation routines consider equivalent (canonicalization) names such as Unicode or URL-encoded equivalents? File paths and URLs are particularly prone to canonicalization issues, and many well-known exploits directly result from canonicalization bugs.

Yes, our input validation routines consider equivalent names such as Unicode or URL-encoded equivalents. This helps prevent canonicalization issues which can lead to exploits. We perform these validations as part of our security measures, incorporating them into our regular internal security tests and third-party penetration tests.

Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?

Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?

Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

Does the server rely on JavaScript or other client-side means for validation?

Yes.

Is untrusted data encoded before it is reflected back to the output stream?

We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

Does this application have file upload functionality? Is there a file upload or download component to the system? For example, can a user upload a file from their desktop/laptop to the application? What data elements are expected to be uploaded–e.g., email addresses, full names, etc.? What is the classification of this data?

Yes. With the app store feature, a user can upload a file from their laptop to the application. The data element expected to be uploaded is a micro-app given by Unravel for customized reports. File download is also supported for certain functionalities. CSV file download is used to download tabular data of jobs, users, clusters, queries, etc.

Where are the files stored? Database or file system?

File system.

What events are logged and audited?

Our system logs and audits a variety of events to ensure security and operational oversight. These include errors, exceptions, Spark workload statuses, configuration calls, Unravel CLI commands, and failed and successful login attempts.

What types of data sources and platforms does Unravel support?

Unravel supports a wide range of data sources and platforms, including Hadoop, Spark, Kubernetes, and various cloud-native data services. It integrates seamlessly with popular databases and data warehouses such as PostgreSQL, MySQL, and Snowflake.

Is a commercial-off-the-shelf (COTS) product being used? If yes, have all default passwords been de-activated?

We do not use commercial off the-shelf product

What is the sensitivity of the information assets that the software will store and process?

We process mainly the usage metrics and information exposed by the data platform at the runtime of these SQL and Spark jobs.

Is any sensitive information/token going to be included as a part of the GET request?

No. No sensitive info is included in the GET request.

Are unused methods like TRACE, PUT, DELETE, etc., disabled?

Yes, they are disabled.

Is the communication between the components, such as between the application server and database server, encrypted?

No.

How are exceptions handled in the application? Are there any custom error pages designed?

We use standard Java error packages. We do not have a custom error page.