Security
Below are a series of good practices and recommendations for securing either your cloud or self-hosted / on-premises Spira installation.
Authentication
Go to the System Admin > Security Settings page to review the settings below. The recommendations are based on advice from the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP):
Field | Recommended Value | Explanation |
---|---|---|
Minimum Required Password Length | 12 | Best-practice standards recommend a minimum length of 12 characters. Anything less than 8 characters is considered weak by NIST 800-63B. |
Minimum Required Special Characters | 1 | Best practice standards recommend a minimum of 1 special character when combined with the 12 character length requirement. |
Maximum # Invalid Password Attempts | 5 | A maximum of 5 password attempts is recommended before the user is locked out. |
Max Login Attempts Window | 10 | A 10-minute window is recommended for counting the 5 invalid attempts from the previous setting. |
Account Lockout Period | 10-15 | Best practice recommends that an account lockout period is typically between 10 and 15 minutes. This timeframe balances security against user inconvenience, allowing enough time to prevent brute-force attacks while not locking users out for excessively long periods. More sensitive environments may require longer periods. |
Password Change Interval | 90 or 365 | Best-practice NIST standards recommend a required password change at least once a year when combined with higher credential complexity standards and manually chosen passwords. Intervals that are too short are more cumbersome and harder to remember for the end user, resulting in more repetition and predictable patterns in credential formation. If your organization uses a password manager, 90 days is more appropriate, as credentials can be randomized and do not suffer the gradual weakening of manually chosen passwords. Note that this setting does not apply to organizations that use an identity provider or SSO solution. |
Require Password Change on First Login | Yes | Best practice recommends that new credentials following appropriate complexity standards should be created upon first login. |
Disallow Names in Passwords | Yes | Best practice recommends that passwords should never have easily guessable strings within the input value. Names are the easiest value to obtain via reconnaissance and therefore should never be allowed in a user’s credentials. |
Enable 2-Step Authentication | Yes | It is strongly recommended that all accounts use some form of multi-factor authentication when possible. This functionality uses a one-time password (OTP) medium as an additional security check. |
Enforce Provider Login | Yes (optional) | If utilizing an internal SSO standard, this ensures credential configuration is enforced through the appropriate medium. |
Authentication Expiration | 30 | Best practice NIST standards recommend standard session termination to be set at a maximum of 30 minutes of inactivity. OWASP recommends that the most sensitive systems utilize even shorter inactivity windows of 5 minutes or less. |
Keep Me Logged-In Expiration | 20160 | Best practices for Spira recommend that, when the end user asks to remain logged in, a period of approximately two weeks, or 20160 minutes, is acceptable for most instances. More sensitive systems may need stricter limits depending on the specific use and institutional policies. |
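As an added example that is not part of the Spira documentation or product, the following Python models the password and lockout rules from the table above using the recommended values. Treating any non-alphanumeric character as "special" and the sliding-window lockout bookkeeping are assumptions about behaviour, not a description of how Spira implements these settings.

```python
from datetime import timedelta

# Recommended values from the Security Settings table above.
MIN_LENGTH = 12                         # Minimum Required Password Length
MIN_SPECIAL = 1                         # Minimum Required Special Characters
MAX_INVALID_ATTEMPTS = 5                # Maximum # Invalid Password Attempts
ATTEMPT_WINDOW = timedelta(minutes=10)  # Max Login Attempts Window
LOCKOUT_PERIOD = timedelta(minutes=10)  # Account Lockout Period (low end of 10-15)


def password_problems(password, user_names):
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: any non-alphanumeric character counts as "special".
    if sum(1 for c in password if not c.isalnum()) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special character(s)")
    # "Disallow Names in Passwords": reject any user/first/last name found in the value.
    lowered = password.lower()
    for name in user_names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")
    return problems


class LockoutTracker:
    """Sliding-window failed-login counter modelling the three lockout settings above."""

    def __init__(self):
        self.failures = {}      # user -> timestamps of recent invalid attempts
        self.locked_until = {}  # user -> time the lockout expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, now) > now

    def record_failure(self, user, now):
        """Record one invalid password at time `now`; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        # Keep only attempts inside the window, then add this one.
        recent = [t for t in self.failures.get(user, []) if now - t < ATTEMPT_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_INVALID_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_PERIOD
            self.failures[user] = []  # counter restarts once the lockout expires
            return True
        return False
```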
Application Security
These settings are also on the System Admin > Security Settings page. The recommendations again follow advice from the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP):
Field | Recommendation |
---|---|
HTTPS Only | This is only relevant to on-premises customers. It should be set to "Yes" so that all sessions and actions are performed over an encrypted HTTPS connection. This additionally enforces the HSTS header and improves the cookie security configuration. |
Allowed Domains | If you make cross-origin (CORS) REST API calls, the calling domains must be listed here to be allowed such access. Following the principle of least privilege, avoid the broad wildcard asterisk (*) notation wherever possible. |
Other considerations | Make sure to change the default administrator account credentials when first configuring the instance, and store the new credentials securely where they remain accessible for future reference. |
On-premises server hardening
When using a locally installed Spira instance, the following system configurations are recommended for functionality and security.
- Database Access Control
  - Strong authentication and the principle of least privilege should be used for a local database configuration.
  - The SQL Login that Spira uses to access the database should be linked to a Database User that has the db_owner role. No other user (except SA accounts) should have this permission level.
  - Limit the permissions granted to non-administrator accounts where applicable, carefully considering access to functions and key folders/files.
  - Limit physical access to the server hosting the database to authorized personnel.
- Server Configuration
  - Always keep IIS and the Windows Server OS updated with the latest available security patches.
  - Enable SSL/TLS encryption and ensure that all certificates in use are valid and up to date.
  - Disable SSL and TLS versions older than TLS 1.2.
  - Disable weak cipher suites.
  - More information available here
  - Disable unnecessary services, features, handlers and modules, and close any ports that are not required for system or application functionality.
  - Consider adding a Web Application Firewall (WAF) or an equivalent protection layer for internal or external traffic.
  - Always keep logging enabled for auditability and diagnostic purposes.
- Server Anti-Virus Utility
  - Spira accepts a wide range of attachments and file storage mediums. As these are all stored on the local filesystem, we recommend that an anti-virus agent is installed and running on the primary host, configured to regularly scan the attachments folder (default = C:\Program Files\SpiraPlan\Attachments) as a standard security configuration.
  - Keep anti-virus definitions and heuristics updated with the latest available signatures.
- Database Backups: Regularly schedule automated backups of your database so that it can be restored after hardware failure or data loss.
- Other considerations
  - It is advisable to remove HTTP headers that identify details and version information about the server and application.
  - More information on this here:
  - Follow all other best practices for IIS configuration as detailed here:
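As an added example (not from the Spira documentation or product), this Python function checks one HTTPS response from your instance against the Application Security table (HTTPS Only / HSTS, cookie flags, Allowed Domains) and the header-removal advice under Other considerations. The set of identifying header names and the exact-match treatment of Allowed Domains are assumptions, and the sample responses are constructed, not captured from a real server.

```python
import re

# Assumed list of response headers that reveal server or application details and versions.
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_response(headers, allowed_domains):
    """Return findings for one HTTPS response; an empty list means it matches the guidance."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HTTPS Only = Yes should add HSTS; a max-age of 0 turns it back off.
    hsts = h.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif not max_age or int(max_age.group(1)) == 0:
        findings.append("Strict-Transport-Security has no positive max-age")
    # Session cookies should carry Secure and HttpOnly once everything is over HTTPS.
    cookie = h.get("set-cookie")
    if cookie:
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append("Set-Cookie lacks Secure/HttpOnly")
    for name in IDENTIFYING_HEADERS:
        if name in h:
            findings.append(f"identifying header present: {name}")
    # Allowed Domains should be an explicit list (assumed exact match), never the wildcard.
    acao = h.get("access-control-allow-origin")
    if acao == "*" or "*" in allowed_domains:
        findings.append("CORS permits any origin (*)")
    elif acao and acao not in allowed_domains:
        findings.append(f"CORS origin not in Allowed Domains: {acao}")
    return findings


# Constructed sample responses (not captured from a real instance).
DEFAULT_RESPONSE = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "Set-Cookie": "session=abc123; path=/",
    "Access-Control-Allow-Origin": "*",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; path=/; Secure; HttpOnly; SameSite=Lax",
    "Access-Control-Allow-Origin": "https://reports.example.com",
}
```

Run it against the headers returned by your own instance (for example from a browser's network tab) before and after changing the settings; the findings list should shrink to empty.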