Encryption & Secrets

Secrets

An application can contain several secrets, for example secrets that are used to connect to an external service or to sign a certain payload. All secrets should be stored in a secure environment. This environment should adhere to the following requirements:

  • Have the secrets encrypted at rest
  • Have a form of access control on the secrets

Passwords

For the requirements with regards to passwords, please refer to the VolkerWessels Authenticatiebeleid (attachment to the VolkerWessels Informatiebeveiligingsbeleid; note that this document is currently only accessible to Recognize employees).

SSL

All websites may only be accessible over a connection that is encrypted with TLS. The TLS versions supported by the web server should be 1.2 or higher. It is prohibited to use TLS 1.0 or 1.1, as they have been marked as insecure.

The list of ciphers that the web server should support can be found on the website of the NCSC (Nationaal Cyber Security Centrum), in the document named 'IT security guidelines for TLS'. In principle, only ciphers rated 'good' should be supported. In some cases, for backward compatibility reasons, it is not possible to support only good ciphers; then ciphers rated 'sufficient' are allowed as well. However, it is never allowed to support ciphers rated 'weak'.
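As an added illustration (not part of the policy text itself), the following Python snippet builds a server-side TLS context that meets the two requirements above and audits any context against them. The marker list used to recognise weak cipher suites is an assumption for this example; the NCSC document remains the authoritative source for which suites are good, sufficient or weak.

```python
import ssl

# Substrings that identify cipher suites no policy would rate better than weak
# (assumed here for the example): no encryption, export grade, RC4, (3)DES,
# MD5-based MACs and anonymous key exchange.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def audit_tls_settings(minimum_version, cipher_names):
    """Check a TLS configuration against the policy.

    Returns a list of findings; an empty list means the settings comply:
    protocol floor is TLS 1.2 or higher and no weak suite is enabled.
    """
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {minimum_version.name}; "
            "TLS 1.0 and 1.1 are prohibited, require TLSv1_2 or higher"
        )
    for name in cipher_names:
        if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext using the suites OpenSSL actually enabled."""
    return audit_tls_settings(
        ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()]
    )


def hardened_server_context(certfile=None, keyfile=None):
    """Server context per the policy: TLS >= 1.2, forward-secret AEAD suites only.

    certfile/keyfile are optional so the context can be inspected without
    a certificate on disk; a real deployment always loads its chain.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects TLS 1.0 / 1.1
    # ECDHE key exchange with AES-GCM or ChaCha20-Poly1305; anonymous suites out.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # Constructed legacy settings, to show what the audit reports.
    legacy = audit_tls_settings(
        ssl.TLSVersion.TLSv1, ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]
    )
    print("\n".join(legacy) or "legacy settings: compliant")
    print("hardened context findings:", audit_context(hardened_server_context()))
```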