Security is a key component of cloud computing. Digital lab notebooks and online data processing services must have strong and reliable security features to guarantee maximum protection for raw data, which in turn ensures data quality and the safety of research.
Scientific research is governed by a number of regulations and policies at the local, state and federal levels. Our tools are appropriate for compliant working environments that follow general guidelines and responsible research practices.
The integrity of research data is essential for advancing scientific, engineering and medical knowledge. Our products provide dedicated audit trails allowing users to see who has done what and when.
Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. One example of how we achieve this is automated security testing on our applications, databases and assets, scanning for vulnerabilities including OWASP Top 10, CORS, Amazon S3 Bucket and DNS misconfigurations.
For our customers, we try to keep it simple and transparent:
We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities. Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.
Security researchers who would like to inform us of a potential vulnerability can contact us at security@labforward.io.
Classification of Severity and Exploitability
Since most of our customers and users do not come from a software background, it is important for us that we use easy-to-understand and transparent language instead of technical jargon. Therefore, our classification system is heavily inspired by Microsoft’s practices, as we believe they have done a great job at striking the right balance.
What is the worst theoretical outcome?
| Rating | Description |
| --- | --- |
| Critical | A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Labforward recommends that customers apply Critical updates immediately. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts, regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Labforward recommends that customers apply Important updates at the earliest opportunity. |
| Moderate | The impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Labforward recommends that customers apply Moderate updates at the earliest opportunity. |
| Low | The impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Labforward recommends that customers evaluate whether to apply the security update to the affected systems. |
What is the likelihood that a vulnerability addressed in a security update will be exploited?
| Rating | Description |
| --- | --- |
| Exploitation Detected | Labforward is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with the highest priority. |
| Exploitation More Likely | Labforward analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Labforward is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority. |
| Exploitation Less Likely | Labforward analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating it, requiring expertise and/or sophisticated timing, and would likely see varied results when targeting the affected product. Moreover, Labforward has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers. That said, customers who have reviewed the security update and determined its applicability within their environment should still treat this as a material update. If they are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority. |
| Exploitation Unlikely | Labforward analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, Labforward has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of this vulnerability being exploited is significantly lower. Therefore, customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release. |