Tell me about PaperCut's security

Main.Security History

July 11, 2017, at 06:40 AM by peterf - Fixing minor typo
Changed line 13 from:
Our Security Response Team regularly reviews prospective and emerging security threats, and proactively works to add new (and harden existing) security features in line with best practice. As an example, support for [[https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)|HTTP Strict Transport Security (HSTS)]] was delivered in PaperCut NG and PaperCut MF version 17.1, in accordance with [[https://https.cio.gov/|Memorandum M-15-13]]. M-15-13 dictates that publically facing United States federal websites and web services must enforce secure connections over HTTPS, with HSTS included as a key requirement, so this addition has allowed US government bodies to run PaperCut NG or PaperCut MF and remain legally compliant. Similarly, PaperCut NG and PaperCut MF 17.2 introduces functionality to summarise and export all stored data concerning individual user accounts, as well as fully redact that data, enabling compliance with the [[http://www.eugdpr.org/|General Data Protection Regulations (GDPR)]] to be enforced within the EU from mid-2018. Not only does this bolster our information privacy offering, it also can help to minimise the potential magnitude and severity of data leaks in the event your environment is compromised. Data protection is also facilitated by our document watermarking feature, which can be used to inject a cryptographically generated unique digital signature into each printed page. This allows physical printing in highly secure environments to be traceable from the paper product back to the originating user and printer, rendering the direct dissemination of confidential information a much more difficult proposition.
to:
Our Security Response Team regularly reviews prospective and emerging security threats, and proactively works to add new (and harden existing) security features in line with best practice. As an example, support for [[https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)|HTTP Strict Transport Security (HSTS)]] was delivered in PaperCut NG and PaperCut MF version 17.1, in accordance with [[https://https.cio.gov/|Memorandum M-15-13]]. M-15-13 dictates that publically facing United States federal websites and web services must enforce secure connections over HTTPS, with HSTS included as a key requirement, so this addition has allowed US government bodies to run PaperCut NG or PaperCut MF and remain legally compliant. Similarly, PaperCut NG and PaperCut MF 17.2 introduces functionality to summarise and export all stored data concerning individual user accounts, as well as fully redact that data, enabling compliance with the [[http://www.eugdpr.org/|General Data Protection Regulation (GDPR)]] to be enforced within the EU from mid-2018. Not only does this bolster our information privacy offering, it also can help to minimise the potential magnitude and severity of data leaks in the event your environment is compromised. Data protection is also facilitated by our document watermarking feature, which can be used to inject a cryptographically generated unique digital signature into each printed page. This allows physical printing in highly secure environments to be traceable from the paper product back to the originating user and printer, rendering the direct dissemination of confidential information a much more difficult proposition.
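Review bot: the new text still carries two errors that this typo-fix revision could correct in the same pass: "publically facing" should read "publicly facing", and "PaperCut NG and PaperCut MF 17.2 introduces" pairs a plural subject with a singular verb. The phrase "it also can help" would also read better as "it can also help".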
July 11, 2017, at 03:51 AM by peterf - Updating to reference GDPR for version 17.2
Changed lines 13-15 from:
Our Security Response team regularly reviews prospective and emerging security threats, and proactively works to add new (and harden existing) security features in line with best practice. As an example, support for [[https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)|HTTP Strict Transport Security (HSTS)]] was delivered in PaperCut NG and PaperCut MF version 17.1, in accordance with [[https://https.cio.gov/|Memorandum M-15-13]]. M-15-13 dictates that publically facing United States federal websites and web services must enforce secure connections over HTTPS, with HSTS included as a key requirement, so this addition has allowed US government bodies to run PaperCut NG or PaperCut MF and remain legally compliant. Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project; a best practice security related project instigated by PaperCut.  The aim is to bring best-of-breed security to the Ghostscript interpreter by sandboxing it, utilising similar technology to that as featured in Google's Chrome web browser.

The document watermarking feature included in PaperCut NG and PaperCut MF
can be used to inject a cryptographically generated unique digital signature into each printed page. This allows physical printing in highly secure environments to be traceable from the paper product back to the originating user and printer, rendering the direct dissemination of confidential information a much more difficult proposition.
to:
Our Security Response Team regularly reviews prospective and emerging security threats, and proactively works to add new (and harden existing) security features in line with best practice. As an example, support for [[https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)|HTTP Strict Transport Security (HSTS)]] was delivered in PaperCut NG and PaperCut MF version 17.1, in accordance with [[https://https.cio.gov/|Memorandum M-15-13]]. M-15-13 dictates that publically facing United States federal websites and web services must enforce secure connections over HTTPS, with HSTS included as a key requirement, so this addition has allowed US government bodies to run PaperCut NG or PaperCut MF and remain legally compliant. Similarly, PaperCut NG and PaperCut MF 17.2 introduces functionality to summarise and export all stored data concerning individual user accounts, as well as fully redact that data, enabling compliance with the [[http://www.eugdpr.org/|General Data Protection Regulations (GDPR)]] to be enforced within the EU from mid-2018. Not only does this bolster our information privacy offering, it also can help to minimise the potential magnitude and severity of data leaks in the event your environment is compromised. Data protection is also facilitated by our document watermarking feature, which can be used to inject a cryptographically generated unique digital signature into each printed page. This allows physical printing in highly secure environments to be traceable from the paper product back to the originating user and printer, rendering the direct dissemination of confidential information a much more difficult proposition.

Other initiatives have included the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project; a best practice security related project instigated by PaperCut.  The aim is to bring best-of-breed security to the open source Ghostscript interpreter by sandboxing it, utilising similar technology to that as featured in Google's Chrome web browser
.
May 16, 2017, at 03:37 AM by peterf - Updated to reflect 17.1 release
Changed lines 3-13 from:
We have pooled our security knowledge and lessons learnt over the past two decades to bring you a new white paper: [[https://www.papercut.com/kb/Main/SecurityWhitepaper|Securing your Print System]]. This paper provides practical and tested advice on how to secure your print system end-end from before a print job is printed, through securing the print workflow to safeguarding your printed documents.

PaperCut has been developed from day one with security in mind.  With its roots in education and with the full understanding that college kids “like to hack”, PaperCut’s development processes continually focused on security.  At the core of this is the open source code based culture where
the majority of PaperCut’s source code is made available to customers.  The code has been reviewed by leading education organizations.  An example of this was an independent security expert working for a college found an [[http://en.wikipedia.org/wiki/Cross-site_request_forgery|XSRF]] (Cross-site request forgery) security issue during a review in 2008.  This issue was fully disclosed and quickly addressed in subsequent release by the PaperCut development team.

At a software-level PaperCut leverages Active Directory security groups for access control
.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in a [[http://en.wikipedia.org/wiki/Bcrypt|BCrypt]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 

PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], [[https://github.com/codedance/GhostTrap|Ghost Trap]] and [[http://db
.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are openly addressed.  The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.

PaperCut is developed in line with security best practices such as [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]], [[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project|OWASP Top 10]],
and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment. 

The development team regularly review security and add features proactive in line with best-practice (for example
, the introduction of `HTTPOnly cookie headers added in version 11.2).  Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project.  This is a best practice security related project instigated by PaperCut.  The aim is to bring best-of-breed security to the Ghostscript Interpreters by sandboxing it with the same technology used in the Google Chrome browser.
to:
We have pooled our security knowledge and lessons learnt over the past two decades to bring you a new white paper: [[https://www.papercut.com/kb/Main/SecurityWhitepaper|Securing your Print System]]. This paper provides practical and tested advice on how to secure your print system end-to-end, from before a print job is printed, through securing the print workflow, all the way to safeguarding your printed documents. This white paper continues to be improved and expanded upon, drawing from our ongoing research, as well as through feedback sought directly from industry experts.

PaperCut NG and PaperCut MF have been developed from day one with security in mind.  With its roots in education and with
the full understanding that college kids “like to hack”, our software's development process has continually focused on security.  At the core of this is our open source code-based culture, with large amounts of our source code being made available to customers.  The code has been reviewed by leading education organizations, an undertaking which has proven to bear fruit; during one such review in 2008, an independent security expert working for a college discovered an [[http://en.wikipedia.org/wiki/Cross-site_request_forgery|XSRF]] (Cross-site request forgery) security issue. This issue was fully disclosed and quickly addressed in a subsequent release by the PaperCut development team, accordingly.

At a software-level, PaperCut NG
and PaperCut MF leverage Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all application features, whilst office staff could be limited to running reports and accessing only a subset of all features, such as Shared Account management. PaperCut NG and PaperCut MF use SSL/HTTPS for communication and remote web based administration, ensuring sensitive data like passwords and account information is secured over the network, and session cookies are securely flagged so as to prevent their interception or modification for malign purposes. Internal passwords, if used, are stored in a [[http://en.wikipedia.org/wiki/Bcrypt|BCrypt]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 

PaperCut NG and
PaperCut MF also leverage a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], [[https://github.com/codedance/GhostTrap|Ghost Trap]], and the [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assisted with bugs and issues found over the years.  The security of these 3rd party components is actively monitored, and any resulting security implications relevant to our software are openly addressed.  The PaperCut development team has also worked to find security problems within copier/MFP firmware, and has teamed with leading vendors to address these issues as found.

PaperCut NG and PaperCut MF are developed in line with security best practices such as
[[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]], [[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project|OWASP Top 10]], and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger university customers have also had our applications subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payments. 

Our Security Response team regularly reviews prospective and emerging security threats, and proactively works to add new (and harden existing) security features in line with best practice. As an example, support for [[https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)|HTTP Strict Transport Security (HSTS)]] was delivered in PaperCut NG and PaperCut MF version 17.1, in accordance with [[https://https.cio.gov/|Memorandum M-15-13]]. M-15-13 dictates that publically facing United States federal websites and web services must enforce secure connections over HTTPS, with HSTS included as a key requirement, so this addition has allowed US government bodies to run PaperCut NG or PaperCut MF and remain legally compliant. Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project; a best practice security related project instigated by PaperCut.  The aim is to bring best-of-breed security to the Ghostscript interpreter by sandboxing it, utilising similar technology to that as featured in Google's Chrome web browser.

The document watermarking feature included in PaperCut NG and PaperCut MF can be used to inject a cryptographically generated unique digital signature into each printed page. This allows physical printing in highly secure environments to be traceable from the paper product back to the originating user and printer, rendering the direct dissemination of confidential information a much more difficult proposition
.
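Review bot: the rewritten access-control paragraph says session cookies are "securely flagged" without naming the flags, while the paragraph this revision removes named the HTTPOnly cookie headers and version 11.2. Suggest keeping that specific in the new sentence (which cookie attributes are set, and since which version) so an administrator can check the claim against a running server. The new text also writes "Security Response team" where the later revisions use "Security Response Team"; pick one capitalisation.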
March 23, 2017, at 06:02 AM by 139.130.165.134 -
Changed line 3 from:
We have pooled our security knowledge and lessons learnt over the past two decades to bring you a new white paper: [[https://go.papercut.com/security-whitepaper|Securing your Print System]]. This paper provides practical and tested advice on how to secure your print system end-end from before a print job is printed, through securing the print workflow to safeguarding your printed documents.
to:
We have pooled our security knowledge and lessons learnt over the past two decades to bring you a new white paper: [[https://www.papercut.com/kb/Main/SecurityWhitepaper|Securing your Print System]]. This paper provides practical and tested advice on how to secure your print system end-end from before a print job is printed, through securing the print workflow to safeguarding your printed documents.
March 08, 2017, at 02:29 AM by 59.167.198.48 -
Changed line 16 from:
* [[https://www.papercut.com/download/?http=https://cdn.papercut.com/docs/security/papercut-security-whitepaper.pdf|Securing your Print System - Print Security white paper]]
to:
* [[https://www.papercut.com/kb/Main/SecurityWhitepaper|PaperCut Security Whitepaper]]
March 08, 2017, at 02:15 AM by 59.167.198.48 -
Changed line 16 from:
* [[https://go.papercut.com/security-whitepaper|Securing your Print System - Print Security white paper]]
to:
* [[https://www.papercut.com/download/?http=https://cdn.papercut.com/docs/security/papercut-security-whitepaper.pdf|Securing your Print System - Print Security white paper]]
March 07, 2017, at 05:56 AM by 139.130.165.134 -
Added lines 3-4:
We have pooled our security knowledge and lessons learnt over the past two decades to bring you a new white paper: [[https://go.papercut.com/security-whitepaper|Securing your Print System]]. This paper provides practical and tested advice on how to secure your print system end-end from before a print job is printed, through securing the print workflow to safeguarding your printed documents.
Added line 16:
* [[https://go.papercut.com/security-whitepaper|Securing your Print System - Print Security white paper]]
Changed line 11 from:
The development team regularly review security and add features proactive in line with best-practice (for example, the introduction of `HTTPOnly cookie headers added in version 11.2).  Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project.  This is a best practice security related project instigated by PaperCut.  The aim is to bring best-of-bread security to the Ghostscript Interpreters by sandboxing it with the same technology used in the Google Chrome browser.
to:
The development team regularly review security and add features proactive in line with best-practice (for example, the introduction of `HTTPOnly cookie headers added in version 11.2).  Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project.  This is a best practice security related project instigated by PaperCut.  The aim is to bring best-of-breed security to the Ghostscript Interpreters by sandboxing it with the same technology used in the Google Chrome browser.
April 12, 2016, at 12:01 PM by 109.147.66.152 -
Changed line 5 from:
At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in an [[http://en.wikipedia.org/wiki/Bcrypt|BCrypt]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
to:
At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in a [[http://en.wikipedia.org/wiki/Bcrypt|BCrypt]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
April 12, 2016, at 12:00 PM by 109.147.66.152 -
Changed line 5 from:
At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in an [[http://en.wikipedia.org/wiki/MD5|MD5]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
to:
At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in an [[http://en.wikipedia.org/wiki/Bcrypt|BCrypt]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
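Review bot: only the link target and the algorithm name change from MD5 to BCrypt in the password sentence; the remainder ("seeded by username and salted with a random salt") is carried over word for word from the MD5 wording, so it should be confirmed that it still describes how the BCrypt hashes are produced. The article also needs to follow the new name: "stored in an ... BCrypt hashed format" should read "a".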
August 12, 2014, at 05:40 AM by 203.222.91.204 -
Added line 17:
* [[PCICompliance|+]]
Changed lines 9-10 from:
PaperCut is developed in line with security best practices such as [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment. 
to:
PaperCut is developed in line with security best practices such as [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]], [[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project|OWASP Top 10]], and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment. 
Changed lines 11-12 from:
The development team regularly review security and add features proactive in line with best-practice (for example, the recent introduction of `HTTPOnly cookie headers added in version 11.2).  Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project.  This is a security related project and was started by PaperCut.  The aim is to bring best-of-bread security to the Ghostscript Interpreters by sandboxing it with the technology used in the Google Chrome browser.
to:
The development team regularly review security and add features proactive in line with best-practice (for example, the introduction of `HTTPOnly cookie headers added in version 11.2).  Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project.  This is a best practice security related project instigated by PaperCut.  The aim is to bring best-of-bread security to the Ghostscript Interpreters by sandboxing it with the same technology used in the Google Chrome browser.
Changed lines 7-10 from:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are openly addressed.  The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.

PaperCut is developed in line with security best practices such as
[[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment.  The development team regually review security and add features proactive in line with best-practice (for example, the recent introduction of `HTTPOnly cookie headers added in version 11.2).
to:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], [[https://github.com/codedance/GhostTrap|Ghost Trap]] and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are openly addressed.  The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.

PaperCut is developed in line with security best practices such as
[[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment. 

The development team regularly review security and add features proactive in line with best-practice (for example, the recent introduction of `HTTPOnly cookie headers added in version 11.2).  Another example would be the [[https://github.com/codedance/GhostTrap|Ghost Trap]] project.  This is a security related project and was started by PaperCut.  The aim is to bring best-of-bread security to the Ghostscript Interpreters by sandboxing it with the technology used in the Google Chrome browser.
Added line 14:
* The [[Category.Security|+]] category for other print and system security articles.
Changed line 18 from:
[-Keywords: security policy, security management-]
to:
[-Keywords: security policy, security management-]
Changed lines 7-8 from:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are opening addressed.  The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.
to:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are openly addressed.  The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.
Added line 13:
* [[WebServerSecuritySettings|+]]
Changed lines 1-4 from:
(:title Tell me about PaperCut's security?:)


to:
(:title Tell me about PaperCut's security:)
Changed lines 11-12 from:
to:
!!See also
* [[CommonSecurityQuestions|+]]
Changed line 14 from:
''Also see:'' [[CommonSecurityQuestions|+]]
to:
''Categories:'' [[Category.Security|+]], [[Category.Architecture|+]]
Changed lines 16-18 from:
''Categories:'' [[Category.Architecture|+]], [[Category.Security|+]]
----
[-keywords: security policy, security management
-]
to:
[-Keywords: security policy, security management-]
Changed lines 11-13 from:
PaperCut is developed in line with security best practices such as [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment.

to:
PaperCut is developed in line with security best practices such as [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment.  The development team regually review security and add features proactive in line with best-practice (for example, the recent introduction of `HTTPOnly cookie headers added in version 11.2).

Changed lines 15-17 from:

Also see: [[CommonSecurityQuestions|+]]
to:
''Also see:'' [[CommonSecurityQuestions|+]]
Added lines 17-18:
''Categories:'' [[Category.Architecture|+]], [[Category.Security|+]]
----
Changed lines 11-13 from:
PaperCut is developed in line with security best practices such as [[|https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment.

to:
PaperCut is developed in line with security best practices such as [[https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment.

Changed lines 9-11 from:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are opening addressed.

to:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are opening addressed.  The PaperCut development team has also found security problems in copier/MFP firmware and has worked with leading vendors to address these issues.

PaperCut is developed in line with security best practices such as [[|https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard|CERT Coding Standards]] and [[http://java.sun.com/security/seccodeguide.html|Oracle Java Security Guidelines]].  A number of our larger University customers have also had PaperCut subjected to full [[https://www.pcisecuritystandards.org/|PCI Security Audits]] prior to deployment for handling online payment
.
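Review bot: in the second paragraph of the new text the CERT Coding Standards link opens with "[[|", leaving an empty field before the URL, which does not match the [[URL|text]] form used by the other links in the same paragraph; remove the leading "|". The closing full stop has also dropped onto its own line after "online payment" and should be joined to the sentence.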

Added line 11:
Added lines 13-16:

Also see: [[CommonSecurityQuestions|+]]

----
July 02, 2010, at 08:22 AM by 202.129.124.120 -
Changed lines 9-10 from:
PaperCut also leverages a number of 3rd party components such as Jetty HTTP Server, Apache Tapestry, and Apache Derby database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are opening addressed.
to:
PaperCut also leverages a number of 3rd party components such as the [[http://jetty.codehaus.org/jetty/|Jetty HTTP Server]], [[http://tapestry.apache.org/|Apache Tapestry]], and [[http://db.apache.org/derby/|Apache Derby]] database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are opening addressed.
July 02, 2010, at 08:20 AM by 202.129.124.120 -
Changed lines 5-8 from:
PaperCut has been developed from day one with security in mind.  With its roots in education and with the full understanding that college kids “like to hack”, PaperCut’s development processes continually focused on security.  At the core of this is the open source code based culture where the majority of PaperCut’s source code is made available to customers.  The code has been reviewed by leading education organizations.  An example of this was an independent security expert working for a college found an XSRF (Cross-site request forgery) security issue during a review in 2008.  This issue was fully disclosed and quickly addressed in subsequent release by the PaperCut development team.

At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in an MD5 hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
to:
PaperCut has been developed from day one with security in mind.  With its roots in education and with the full understanding that college kids “like to hack”, PaperCut’s development processes continually focused on security.  At the core of this is the open source code based culture where the majority of PaperCut’s source code is made available to customers.  The code has been reviewed by leading education organizations.  An example of this was an independent security expert working for a college found an [[http://en.wikipedia.org/wiki/Cross-site_request_forgery|XSRF]] (Cross-site request forgery) security issue during a review in 2008.  This issue was fully disclosed and quickly addressed in subsequent release by the PaperCut development team.

At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in an [[http://en.wikipedia.org/wiki/MD5|MD5]] hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
July 02, 2010, at 08:18 AM by 202.129.124.120 -
Changed lines 7-8 from:
At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.
to:
At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.  Internal passwords, if used, are stored in an MD5 hashed format which is seeded by username and salted with a random salt.  All security related development is internally assessed and R&D is conducted to ensure we're meeting best practice. 
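Review bot: the added sentence on internal passwords describes salted MD5 and is followed directly by a claim of meeting best practice, and the two sit uneasily together. MD5 is a fast general-purpose hash, so a random salt defeats precomputed lookup tables but does not slow offline guessing against a leaked hash. Suggest stating whether the hash is iterated or otherwise stretched, and explaining what "seeded by username" adds beyond the random salt, or moving the best-practice sentence away from this claim.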
July 02, 2010, at 08:16 AM by 202.129.124.120 -
Changed lines 1-4 from:
(:title Tell me about PaperCut Security?:)


to:
(:title Tell me about PaperCut's security?:)


July 02, 2010, at 08:15 AM by 202.129.124.120 -
Changed lines 5-8 from:
PaperCut MF has been developed from day one with security in mind.  With its roots in education and with the full understanding that college kids “like to hack”, PaperCut’s development processes continually focused on security.  At the core of this is the open source code based culture where the majority of PaperCut’s source code is made available to customers.  The code has been reviewed by leading education organizations.  An example of this was an independent security expert working for a college found an XSRF (Cross-site request forgery) security issue during a review in 2008.  This issue was fully disclosed and quickly addressed in subsequent release by the PaperCut development team.

At a software-level PaperCut MF leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.
to:
PaperCut has been developed from day one with security in mind.  With its roots in education and with the full understanding that college kids “like to hack”, PaperCut’s development processes continually focused on security.  At the core of this is the open source code based culture where the majority of PaperCut’s source code is made available to customers.  The code has been reviewed by leading education organizations.  An example of this was an independent security expert working for a college found an XSRF (Cross-site request forgery) security issue during a review in 2008.  This issue was fully disclosed and quickly addressed in subsequent release by the PaperCut development team.

At a software-level PaperCut leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.
July 02, 2010, at 08:14 AM by 202.129.124.120 -
Changed lines 7-8 from:
At a software-level PaperCut MF leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.
to:
At a software-level PaperCut MF leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL/HTTPS for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.
July 02, 2010, at 08:13 AM by 202.129.124.120 -
Added lines 1-12:
(:title Tell me about PaperCut Security?:)



PaperCut MF has been developed from day one with security in mind.  With its roots in education and with the full understanding that college kids “like to hack”, PaperCut’s development processes continually focused on security.  At the core of this is the open source code based culture where the majority of PaperCut’s source code is made available to customers.  The code has been reviewed by leading education organizations.  An example of this was an independent security expert working for a college found an XSRF (Cross-site request forgery) security issue during a review in 2008.  This issue was fully disclosed and quickly addressed in subsequent release by the PaperCut development team.

At a software-level PaperCut MF leverages Active Directory security groups for access control.  Administrators can be setup with different levels of access.  For example, system administrators may have access to all features, while office staff are limited to reports and a sub-set of features such as account management. PaperCut uses SSL for communication and remote web based administration ensuring sensitive data like passwords and account information is secured over the network.

PaperCut also leverages a number of 3rd party components such as Jetty HTTP Server, Apache Tapestry, and Apache Derby database.  PaperCut actively works with the open source community backing these projects and has reported and assist with bugs and issues found over the years.  The security of 3rd party components are actively monitored and any security implications if relevant to PaperCut are opening addressed.

----
[-keywords: security policy, security management -]
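Review bot: in the first added paragraph, "open source code based culture where the majority of PaperCut's source code is made available to customers" reads as a claim that the product is open source, while the clause itself describes source access for customers; suggest wording that says only the latter. In the third paragraph, "has reported and assist with" and "are opening addressed" look like slips for "assisted with" and "openly addressed", and "The security of 3rd party components are" should take "is".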


Article last modified on July 11, 2017, at 06:40 AM