Security Considerations When using Watch My Domains SED
Basic Application Architecture
Application Security
Logins are protected by passwords, and repeated failed login attempts cause the originating IP address to be blocked. You can configure both the maximum number of failed attempts allowed and the duration of the IP address block.
For additional security you can enable two-factor authentication. Currently 'Duo Security' and 'Google Authenticator' are supported.
If your organization already uses an identity provider service, you can use it for Single Sign-On (SSO) via SAML (Security Assertion Markup Language) by configuring the identity provider details in the application.
Additionally, you can add Apache "htaccess" password authentication on top of the existing authentication mechanisms. This requires SSH access to the server if the application is hosted by us. SSH access is granted by providing us the public key that should be set up on the server.
You can also restrict access to the application to a list of allowed IP addresses using Apache directives.
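As an added illustration of the two Apache-level controls described above (not a file shipped with Watch My Domains SED), the following .htaccess combines HTTP Basic authentication with an IP allow list; the password file path and the address ranges are placeholders and the Apache 2.4 authz modules are assumed to be enabled.

```apache
# Example .htaccess for the application's document root (assumed location).
# Requires Apache 2.4 with mod_authn_file, mod_authz_core and mod_authz_host,
# and "AllowOverride AuthConfig" for this directory in the virtual host.

# 1. HTTP Basic authentication in front of the application's own login.
#    Keep the password file outside the web root; create it with:
#      htpasswd -c /etc/apache2/wmdsed.htpasswd alice
AuthType Basic
AuthName "Watch My Domains SED"
AuthUserFile /etc/apache2/wmdsed.htpasswd

# 2. Only clients from the organization's ranges (placeholder documentation
#    prefixes) AND with a valid htpasswd account may reach the application.
#    RequireAll means both conditions must hold; a request from an unlisted
#    address is rejected before the password prompt is ever shown.
<RequireAll>
    Require ip 203.0.113.0/24 2001:db8::/32
    Require valid-user
</RequireAll>
```

The application's own password login, two-factor authentication or SAML SSO still applies after Apache lets the request through, so this is an additional outer layer, not a replacement.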
Application Source Code
The professional edition includes 100% of the source code and is recommended for larger organizations.
The standard edition has a small portion of the code encrypted. This part is used for license verification. License verification doesn't connect to our servers or send information back to us. It simply verifies the integrity of the license code entered by the end-user.
Server Access (Managed SaaS Cloud Installations)
We will respond to requests about the application installation only from approved domains and email addresses. Any server-side alteration request will be carried out only after we independently verify it through a second email confirmation from the authorized contact at the customer organization.
Customers can make configuration changes from within the user interface or by accessing the server using SSH.
The managed installations are usually hosted on a dedicated Digital Ocean Debian droplet (latest stable x64). A single Debian user account is created on this server to host the application; no other user accounts are created. Customers can obtain access to this user account by providing us the public keys that should be installed on the server. Password-based SSH logins to the server are always disabled.
You may contact us if you require a different Linux distribution.
Some Softnik employees have access to the server for routine maintenance and backup. However, Softnik and its employees will never access the installation or its data for any purpose unless specifically instructed to do so by the customer.
Automated scripts back up the data daily to a separate folder on the server. Customers can set up their own scripts to copy this data elsewhere for additional protection.
On-premise vs SaaS Cloud
Watch My Domains SED can also be installed on your own servers and accessed from within your intranet. The Professional edition includes the entire source code while the standard edition contains a very small portion of encrypted code.
We recommend that extremely security conscious organizations obtain the Professional License, fully inspect the source code and then install the application within their own premises instead of using the SaaS cloud option.
Third Party Libraries and Code
Here is the list of third party libraries included with and used by Watch My Domains SED.
Doctrine DBAL & Common
https://github.com/doctrine/dbal/blob/2.12.x/LICENSE
https://github.com/doctrine/common/blob/3.1.x/LICENSE
https://www.doctrine-project.org/projects/dbal.html
https://www.doctrine-project.org/projects/doctrine-orm/en/2.8/reference/security.html
JShrink
https://github.com/tedious/JShrink
https://github.com/tedious/JShrink/blob/master/LICENSE
KLogger
https://github.com/katzgrau/KLogger
Scroll to the end of the README for LICENSE details.
PHPMailer
https://github.com/PHPMailer/PHPMailer
https://github.com/PHPMailer/PHPMailer/blob/master/LICENSE
"PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in Content-Type and Content-Disposition when filenames passed into addAttachment and other methods that accept attachment names contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions. Recorded as CVE-2020-13625."
Watch My Domains SED does not use the attachment functionality of PHPMailer, so this issue does not apply to the application.
PHP QR Code
https://sourceforge.net/projects/phpqrcode/
https://sourceforge.net/p/phpqrcode/code/HEAD/tree/trunk/LICENSE
PSR Log
https://github.com/php-fig/log
https://github.com/php-fig/log/blob/master/LICENSE
Duo Security
https://github.com/duosecurity/duo_php
https://github.com/duosecurity/duo_php/blob/master/LICENSE
Google Authenticator
https://github.com/sonata-project/GoogleAuthenticator
https://github.com/sonata-project/GoogleAuthenticator/blob/2.x/LICENSE
OneLogin SAML PHP Toolkit
https://github.com/onelogin/php-saml
https://github.com/onelogin/php-saml/blob/master/LICENSE
Split JS Library
Used in v4, removed in v5
https://github.com/nathancahill/split
https://github.com/nathancahill/split/blob/master/LICENSE
DateJS
Used in v4, removed in v5
https://github.com/datejs/Datejs
https://github.com/datejs/Datejs/blob/master/LICENSE
Day.js
Used in v5
https://day.js.org/
Bootstrap 4.5.2
Used in v4, removed in v5
https://getbootstrap.com/
https://getbootstrap.com/docs/4.0/about/license/
jqGrid Free
Used in v4, removed in v5
https://github.com/free-jqgrid/jqGrid
https://github.com/free-jqgrid/jqGrid/blob/master/LICENSE.md
jQuery UI
https://jqueryui.com/
https://github.com/jquery/jquery-ui/blob/master/LICENSE.txt
jQuery
https://jquery.com/
https://github.com/jquery/jquery/blob/main/LICENSE.txt
Chart.js
https://github.com/chartjs/Chart.js