NoveuNOVEU
InloggenDemo aanvragen →
Terug naar Resources
Security8 min leestijd

Security Hardening Gids

Best practices voor platformbeveiliging

Download als Markdown

Security Hardening Gids

Overzicht

Deze gids beschrijft de security baselines en hardening maatregelen voor het Noveu platform.

Defense in Depth

┌─────────────────────────────────────────────────────────────┐
│                    PERIMETER DEFENSE                        │
│         DDoS Protection │ WAF │ CDN │ Rate Limiting         │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    NETWORK SECURITY                         │
│    Segmentation │ Firewall │ IDS/IPS │ Zero Trust Network   │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    HOST SECURITY                            │
│    Hardened OS │ EDR │ Patch Management │ File Integrity    │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    APPLICATION SECURITY                     │
│    Secure Coding │ SAST/DAST │ API Security │ WAF Rules     │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    DATA SECURITY                            │
│    Encryption │ Key Management │ DLP │ Access Control       │
└─────────────────────────────────────────────────────────────┘

Infrastructure Hardening

Operating System

Linux Baseline

MaatregelImplementatieVerificatie
Minimal installAlleen noodzakelijke packagesPackage audit
Kernel hardeningsysctl security parametersConfig review
SELinux/AppArmorEnforcing modeStatus check
Disk encryptionLUKS voor data volumesMount check
Boot securitySigned boot, UEFI secure bootBoot log

Specifieke Parameters

# /etc/sysctl.d/99-security.conf

# Network hardening
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Kernel hardening
kernel.randomize_va_space = 2
kernel.exec-shield = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2

Container Hardening

MaatregelBeschrijving
Non-root executionContainers draaien als non-root user
Read-only filesystemImmutable container images
Resource limitsCPU/memory limits per container
Network policiesPod-to-pod traffic control
Image scanningVulnerability scanning bij build
Runtime securityFalco of equivalent

Kubernetes Security

# Pod Security Standards (Restricted)
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL

Network Security

Segmentation

ZoneInhoudToegang
DMZLoad balancers, WAFInternet
ApplicationApp serversDMZ only
DataDatabases, storageApplication only
ManagementMonitoring, loggingJump hosts only

Firewall Rules

Principe: Default deny, explicit allow

BronDoelPortProtocolReden
InternetDMZ LB443HTTPSUser traffic
DMZApp8443HTTPSApp traffic
AppData5432PostgreSQLDatabase
AppData6379RedisCache
MgmtAll22SSHManagement

Zero Trust Principles

  1. Verify explicitly - Authenticeer elke request
  2. Least privilege - Minimale rechten
  3. Assume breach - Segmentatie en monitoring

Application Security

Secure Development

FaseMaatregelTool
CodeSecure coding guidelinesDeveloper training
CommitSecret scanningGitLeaks
BuildSAST scanningSonarQube
DeployContainer scanningTrivy
RuntimeDAST scanningOWASP ZAP

API Security

ControlImplementatie
AuthenticationOAuth 2.0 / OIDC
AuthorizationRBAC met scopes
Rate limitingPer client/endpoint
Input validationSchema validation
Output encodingContent-Type headers
LoggingRequest/response audit

Common Vulnerabilities Prevention

OWASP Top 10Mitigatie
InjectionParameterized queries, ORM
Broken AuthMFA, session management
Sensitive Data ExposureEncryption, masking
XXEDisable external entities
Broken Access ControlRBAC, least privilege
Security MisconfigurationHardened baselines, scanning
XSSOutput encoding, CSP
Insecure DeserializationInput validation
Vulnerable ComponentsDependency scanning
Insufficient LoggingComprehensive audit logs

Data Security

Encryption

Data StateAlgorithmKey Size
At RestAES-256-GCM256-bit
In TransitTLS 1.3ECDHE
In UseSecure enclaves (where available)-

Key Management

AspectImplementatie
StorageHSM of managed KMS
RotationAutomatisch, configureerbaar
AccessStrict RBAC
AuditAlle key access gelogd
EscrowSecure backup procedure

TLS Configuration

# Nginx TLS configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;

Identity & Access Management

Authentication

MethodeGebruikSterkte
Password + MFAStandaard gebruikersHoog
SSO (SAML/OIDC)EnterpriseHoog
CertificaatService accountsZeer hoog
API Key + SecretIntegrationsMedium

MFA Requirements

TypeOndersteundAanbevolen
TOTP
WebAuthn/FIDO2✅✅
SMS-
Hardware token✅✅

Password Policy

RequirementWaarde
Minimum length14 karakters
ComplexityLetters + cijfers + symbolen
HistoryLaatste 24 niet herbruikbaar
Max age90 dagen (of passkeys)
Lockout5 pogingen, 15 min lockout

Monitoring & Logging

Security Logging

Log TypeRetentieGebruik
Authentication1 jaarAccess audit
Authorization1 jaarPermission audit
Admin actions2 jaarChange audit
Security events2 jaarIncident investigation
Network flows90 dagenTraffic analysis

Alerting Rules

AlertSeverityResponse
Multiple failed loginsMediumReview, possible lockout
Privilege escalationHighImmediate investigation
Unusual data accessHighUser verification
Configuration changeLowAudit trail
Malware detectionCriticalIsolation

Compliance Mapping

ControlCISISO 27001NIST
Encryption at rest3.1A.10.1.1SC-28
Access control5.1A.9.1.1AC-2
Logging8.2A.12.4.1AU-2
Vulnerability management7.1A.12.6.1RA-5
Incident response19.1A.16.1.1IR-1

Laatste update: Januari 2026
Gebaseerd op CIS Benchmarks en industry best practices

Vragen over dit document?

Neem contact op voor implementatie advies of een persoonlijke demo.

Neem contact opMeer resources bekijken