How does the application access the database? What privileges are assigned to accounts that access the application database?

The database is accessed using standard Java, Python, and Node.js drivers, which support authentication and SSL/TLS. Unravel needs privileges to manage its schema in the database (tables, indexes, relations, functions, etc.). For details on Architecture, see here.

Does the application support SSO for authentication? Is Single Sign-On (SSO) to be used?

SaaS is supported via SAML2.0 and OAuth.

Does the application use cookie-based session management or token-based session management such as JWT, OAuth, SAML, and API keys?

The application uses token-based session management. We support JWT (JSON Web Tokens) for stateless authentication, OAuth for delegated access control, and SAML for single sign-on (SSO). API keys are also used to secure API endpoints. Cookie-based session management is not utilized, ensuring that session informa

Do stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks?

Yes, the stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks.

Is the secure flag or HttpOnly set for session cookies?

No, the secure flag or HttpOnly is not set for session cookies, as the application does not use cookie-based session management.

Is the application using custom authentication? If 'Yes', where are the user credentials stored? Will authentication be facilitated via integration?

Yes, custom authentication is supported. The user credentials are stored in the database in hashed form. We only support Unravel’s native authentication with username and password.

Do any credentials need to be hard-coded in scripts, files, etc.?

No.

Is this application integrated with other applications?

Yes, it has many integrations. Some include CI/CD pipeline, Slack, email, SSO, etc.

Does the application enforce Two-Factor Authentication (2FA)? Is MFA implemented in the application?

No.

Are any Forgot password/Password reset features implemented in the application?

No.

Is account lockout enabled for multiple incorrect login attempts?

The SSO service enables account lockout functionality. This is not applicable if you are using the internal login method.

Does the application enforce step-up authentication for sensitive transactions?

No.

What are the password policies being applied? What controls are in place for password strength? i.e., Length, Numbers, Symbols, uppercase, minimum lifetime, and use of previous passwords. Required to keep passwords confidential, use complex passwords, and change passwords at periodic intervals?

Password policies are managed by SSO service.

How is the database accessed from the application? Through direct SQL queries or parameterized queries?

Parameterized queries.

Is the database shared with other applications?

No.

Does the application pass unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to an OS system shell?

No.

Is authorization based on roles? If so, describe the users in terms of roles and the capabilities of each role.

Yes, authentication is based on roles. For more details see here.

How are any temporary files protected from unauthorized disclosure, alteration, and destruction?

Temporary files are written to <unravel-install-location>/tmp which is owned by and restricted to the user running Unravel.

What is the process of obtaining a user account?

This is typically managed by SSO; however, if you are using Unravel's built-in authentication, please contact Unravel support.

Is Unravel SOC compliant?

Yes, Unravel is SOC2 compliant. See here for more information.

Is Unravel GDPR compliant?

Yes, Unravel is GDPR compliant.

How does Unravel ensure data is secured when sending to Unravel Cloud?

We use TLS encryption, which is the same standard secure websites use to secure data in transit.

What ports do I need to open?

Port - 443.

Is the user input validated for special characters like '<> to prevent attacks like XSS, SQL Injection, etc.?

Yes, it is validated. We also do it after receiving any vulnerability report from internal security or penetration tests from a third-party vendor.

Do input validation routines consider equivalent (canonicalization) names such as Unicode or URL-encoded equivalents? File paths and URLs are particularly prone to canonicalization issues, and many well-known exploits directly result from canonicalization bugs.

Yes, our input validation routines consider equivalent names such as Unicode or URL-encoded equivalents. This helps prevent canonicalization issues which can lead to exploits. We perform these validations as part of our security measures, incorporating them into our regular internal security tests and third-party penetration tests.

Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?

Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?

Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

Does the server rely on JavaScript or other client-side means for validation?

Yes.

Is untrusted data encoded before it is reflected back to the output stream?

We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

Does this application have file upload functionality? Is there a file upload or download component to the system? For example, can a user upload a file from their desktop/laptop to the application? What data elements are expected to be uploaded–e.g., email addresses, full names, etc.? What is the classification of this data?

Yes. With the app store feature, a user can upload a file from their laptop to the application. The data element expected to be uploaded is a micro-app given by Unravel for customized reports. File download is also supported for certain functionalities. CSV file download is used to download tabular data of jobs, users, clusters, queries, etc.

Where are the files stored? Database or file system?

File system.

What events are logged and audited?

Our system logs and audits a variety of events to ensure security and operational oversight. These include errors, exceptions, Spark workload statuses, configuration calls, Unravel CLI commands, and failed and successful login attempts.

Is a commercial-off-the-shelf (COTS) product being used? If yes, have all default passwords been de-activated?

We do not use commercial off the-shelf product

What is the sensitivity of the information assets that the software will store and process?

We process mainly the usage metrics and information exposed by the data platform at the runtime of these SQL and Spark jobs.

Is any sensitive information/token going to be included as a part of the GET request?

No. No sensitive info is included in the GET request.

Are unused methods like TRACE, PUT, DELETE, etc., disabled?

Yes, they are disabled.

Is the communication between the components, such as between the application server and database server, encrypted?

No.

How are exceptions handled in the application? Are there any custom error pages designed?

We use standard Java error packages. We do not have a custom error page.