Security Enhancements

During June 2022 we embarked on penetration testing for the system. This was conducted by an external party to strength test the application. As a result of this, a number of adjustments were made to the application to strengthen our security and protect your data.

Key changes are as follows:

Password complexity is now set as a default standard

Previously this was configurable within the application. Passwords must now conform to the following rules:

  • Must contain at least one UPPERCASE character.
  • Must contain at least one numeric character (0-9).
  • Must contain at least one non-alphanumeric character.
  • Must be a minimum of 8 characters in length.
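As an added illustration (not the application's own code), the four rules above expressed as a validator that reports every rule a candidate password fails, so a user can be told all problems at once; the rule names and return shape are assumptions, and the numeric check is deliberately limited to the 0-9 the rules state.

```python
# Added example (not the application's own code): validator for the four
# password rules listed above. Rule names and return shape are assumptions.
import string

MIN_LENGTH = 8


def password_policy_violations(password: str) -> list[str]:
    """Return the names of the rules the password fails (empty list = accepted)."""
    violations = []
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    # The rule says 0-9, so check the ASCII digits explicitly rather than
    # str.isdigit(), which also accepts superscripts and non-Latin digits.
    if not any(c in string.digits for c in password):
        violations.append("numeric")
    # "Non-alphanumeric" covers punctuation, symbols and whitespace.
    if not any(not c.isalnum() for c in password):
        violations.append("non_alphanumeric")
    if len(password) < MIN_LENGTH:
        violations.append("min_length")
    return violations


def password_meets_policy(password: str) -> bool:
    """True only when every rule passes."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    # Constructed sample candidates, one per outcome.
    for candidate in ["Correct-Horse9", "password", "Passw0rd", "Pa$s1"]:
        print(candidate, password_policy_violations(candidate) or "OK")
```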

Developer component libraries have been upgraded to use the latest available.

Where third-party components are used, we have upgraded them to the latest available versions.

Current password must be entered before users can change their passwords

Previously, users did not need to enter their current password before changing to a new one. Validation has been added so that, within the ‘My Account’ page, a user must type in their existing password before the application will save a new password.

The application logout mechanism is now more effective.

All cookies have the ‘secure’ flag set

User accounts are locked for 15 minutes after four failed login attempts.

Changes have been made to bring the response times for valid users and invalid users into line with each other.

User privileges are now stored in session storage instead of local storage