eXpress badging® enforces strict authentication, password management, and session control policies across the Veonics® Portal and internal systems. All practices are aligned with OWASP recommendations and NIST CSF 2.0.
🔑 Public vs. Restricted Access
Q: Does the website design distinguish between public and restricted areas of the website?
- Answer: Yes
- Public content on expressbadging.com (the marketing site) and restricted content on portal.veonics.com (the Veonics® Portal login) are clearly separated.
- Scoped data requires authenticated login.
📄 Supporting Documentation: Security Roles & Responsibilities in the Veonics Ecosystem
👤 Least-Privilege Service Accounts
Q: Does the application use least-privileged service accounts to connect resources such as databases, directory services, and others?
- Answer: Yes
- Service accounts operate under least-privilege IAM roles in AWS.
- Access is reviewed quarterly during EOS Scorecard reviews.
📄 Supporting Documentation: Need-to-Know & Least-Privilege Access Policy
📨 Authentication Messages
Q: Does the application display generic authentication messages for failures?
- Answer: Yes
- Messages such as “Invalid username or password” do not disclose which part of the login failed.
🔐 Password Storage Protection
Q: Is cryptographic protection in place for passwords in storage?
- Answer: Yes
- Passwords are hashed and salted using industry-standard cryptographic algorithms.
📄 Supporting Documentation: Veonics Portal Cybersecurity & Compliance Overview
📡 Password Transmission Security
Q: Are passwords encrypted during transmission?
- Answer: Yes
- Enforced via TLS 1.2+ across all login endpoints.
🗄️ SQL Authentication & Database Access
Q: Does the application use SQL authentication to authenticate with the database?
- Answer: Yes
- Connection strings are encrypted and stored securely.
- Database access is restricted to approved service accounts only.
📄 Supporting Documentation: The Veonics Portal History & System Architecture
🔑 Strong Password Enforcement
Q: Does your application enforce strong passwords?
- Answer: Yes
- Minimum length, complexity, and expiration rules are enforced.
- Default Group Policy settings require 8+ characters, mixed case, numbers, and symbols.
📄 Supporting Documentation:
- First-time login to the Veonics Portal help
- Credentials Management Runbook
- Endpoint Protection Policy
📷 Supporting Evidence: Screenshots from Group Policy and credential management tools (available under NDA).
🚫 Failed Login Attempts
Q: Does your application restrict the number of failed login attempts?
- Answer: Yes
- Accounts are locked after repeated failed login attempts to mitigate brute-force attacks.
⏳ Periodic Password Changes
Q: Does the application enforce a periodic change of passwords?
- Answer: Yes
- Expiry is not automatic, so setting an expiry date is recommended for any account that requires compliance; a password change is then forced once that date passes.
- Internal accounts follow quarterly password rotation policies.
- Customer accounts are managed by Customer Admins, who may set their own rotation frequency.
❌ Compromised Accounts
Q: If an account is compromised, can you easily disable the account?
- Answer: Yes
- Accounts can be disabled within minutes by eXpress badging® Admins or Customer Admins.
📄 Supporting Documentation: Cybersecurity Incident & Breach Response Process
🔄 Tokenization for Form Submissions
Q: Does the application use random tokens or user-specific tokens for form submissions?
- Answer: Yes
- Veonics® Portal employs anti-CSRF tokens and user-specific session tokens for all form submissions that change system data.
📄 Supporting Documentation: Application Development & Maintenance Policy
📊 NIST CSF 2.0 Alignment
| Function | Practice |
|---|---|
| Protect (PR) | TLS, password hashing, RBAC, MFA, account lockout |
| Detect (DE) | SOC monitoring of login anomalies |
| Respond (RS) | Compromised accounts disabled immediately |
| Recover (RC) | Credential resets, user re-provisioning |
Last Update: 09/01/2025