
Tell me about PaperCut's security

PaperCut has been developed from day one with security in mind. With its roots in education, and with the full understanding that college kids “like to hack”, PaperCut’s development processes have continually focused on security. At the core of this is an open-source-code culture in which the majority of PaperCut’s source code is made available to customers. The code has been reviewed by leading education organizations. One example: in 2008 an independent security expert working for a college found an XSRF (cross-site request forgery) issue during a review. The issue was fully disclosed and quickly addressed in a subsequent release by the PaperCut development team.

At the software level, PaperCut leverages Active Directory security groups for access control. Administrators can be set up with different levels of access. For example, system administrators may have access to all features, while office staff are limited to reports and a subset of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web-based administration, ensuring that sensitive data such as passwords and account information is protected on the network. Internal passwords, if used, are stored as MD5 hashes seeded by username and salted with a random salt. All security-related development is internally assessed, and R&D is conducted to ensure we're meeting best practice.
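The following is an added example, not PaperCut's own code, illustrating the password-storage scheme described above: a per-user random salt, a username "seed", and a digest that is compared in constant time on login. The page does not say how PaperCut concatenates username, salt and password before hashing, so the `username:salt:password` layout is an assumption. For comparison the example also shows the same verification flow with PBKDF2-HMAC-SHA256 from the standard library, which is the kind of slow, iterated hash recommended for password storage today because a single fast MD5 round can be brute-forced very quickly on modern hardware.

```python
import hashlib
import hmac
import os


def new_salt(nbytes: int = 16) -> str:
    """Random per-user salt, hex encoded (32 hex chars for 16 bytes)."""
    return os.urandom(nbytes).hex()


def md5_seeded_hash(username: str, password: str, salt: str) -> str:
    """Seeded + salted MD5 as the article describes.

    Assumption (not documented on the page): the three values are joined
    as "username:salt:password" before hashing. The username seed and the
    random salt together guarantee that two users with the same password,
    or the same user after a salt rotation, do not share a digest.
    """
    material = f"{username}:{salt}:{password}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


def verify_md5(username: str, password: str, salt: str, stored_hex: str) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    candidate = md5_seeded_hash(username, password, salt)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(candidate, stored_hex)


def pbkdf2_hash(password: str, salt: str, iterations: int = 600_000) -> str:
    """Slow, iterated alternative for the same record layout (hex salt + hex digest)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt), iterations
    )
    return digest.hex()


def verify_pbkdf2(password: str, salt: str, stored_hex: str, iterations: int = 600_000) -> bool:
    candidate = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def enrol_user(username: str, password: str) -> dict:
    """Constructed record as it might sit in the internal user table."""
    salt = new_salt()
    return {"user": username, "salt": salt, "md5": md5_seeded_hash(username, password, salt)}


if __name__ == "__main__":
    record = enrol_user("alice", "correct horse")  # constructed sample user
    print("login ok:", verify_md5("alice", "correct horse", record["salt"], record["md5"]))
    print("wrong pw:", verify_md5("alice", "wrong", record["salt"], record["md5"]))
```

The constant-time comparison matters for either hash: a plain `==` on hex strings can return early on the first mismatching character, which is the kind of timing difference a remote attacker can sometimes measure. The PBKDF2 iteration count is the tuning knob; raise it until a verification takes a noticeable fraction of a second on the server.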

PaperCut also leverages a number of third-party components such as the Jetty HTTP server, Apache Tapestry, and the Apache Derby database. PaperCut actively works with the open source community behind these projects and has reported and assisted with bugs and issues found over the years. The security of third-party components is actively monitored, and any security implications relevant to PaperCut are openly addressed. The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.

PaperCut is developed in line with security best practices such as the CERT Coding Standards and the Oracle Java Security Guidelines. A number of our larger university customers have also had PaperCut subjected to full PCI security audits prior to deployment for handling online payments. The development team regularly reviews security and adds features proactively in line with best practice (for example, the recent introduction of HTTPOnly cookie headers, added in version 11.2).
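The HttpOnly attribute mentioned above tells the browser not to expose a cookie to script, so a cross-site scripting bug cannot simply read the session cookie. The following is an added example, not PaperCut's code, that builds a hardened Set-Cookie header and audits incoming Set-Cookie headers for the attributes a session cookie on an HTTPS-only admin interface should carry. It goes slightly beyond the page by also checking the Secure attribute, which keeps the cookie off plain-HTTP connections; the cookie name `JSESSIONID` and the sample header lines are constructed for illustration.

```python
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Attrs]]:
    """Split a Set-Cookie header value into name, value and attribute map.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to True, valued attributes (Path, Max-Age, SameSite) to their text.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening attributes missing from a session-style cookie."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    missing: List[str] = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # readable by document.cookie otherwise
    if "secure" not in attrs:
        missing.append("Secure")    # would also be sent over plain HTTP
    return missing


def build_session_cookie(name: str, value: str, path: str = "/") -> str:
    """Set-Cookie value for a session cookie on an HTTPS-only interface."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure"


# Constructed sample headers: one without the attributes, one with HttpOnly
# only, and one produced by build_session_cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "JSESSIONID=abc123; Path=/; HttpOnly",
    build_session_cookie("JSESSIONID", "abc123"),
]


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header to the list of attributes it is missing."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit_all(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{header!r}: {status}")
```

Running the audit against the response headers of a login page is a quick regression check after an upgrade: the list should be empty for the session cookie.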

Categories: Security, Architecture


Keywords: security policy, security management

Page last modified on August 31, 2011, at 09:34 AM
