# Security Hardening Guide

## Overview

This guide describes the security baselines and hardening measures for the Noveu platform.

## Defense in Depth

```
┌─────────────────────────────────────────────────────────────┐
│                    PERIMETER DEFENSE                        │
│         DDoS Protection │ WAF │ CDN │ Rate Limiting         │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    NETWORK SECURITY                         │
│    Segmentation │ Firewall │ IDS/IPS │ Zero Trust Network   │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    HOST SECURITY                            │
│    Hardened OS │ EDR │ Patch Management │ File Integrity    │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    APPLICATION SECURITY                     │
│    Secure Coding │ SAST/DAST │ API Security │ WAF Rules     │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│                    DATA SECURITY                            │
│    Encryption │ Key Management │ DLP │ Access Control       │
└─────────────────────────────────────────────────────────────┘
```

## Infrastructure Hardening

### Operating System

#### Linux Baseline

| Control | Implementation | Verification |
|---------|----------------|--------------|
| Minimal install | Only required packages | Package audit |
| Kernel hardening | sysctl security parameters | Config review |
| SELinux/AppArmor | Enforcing mode | Status check |
| Disk encryption | LUKS for data volumes | Mount check |
| Boot security | Signed boot, UEFI Secure Boot | Boot log |

#### Specific Parameters

```ini
# /etc/sysctl.d/99-security.conf
# Apply with: sysctl --system   (check a single key with: sysctl -n <key>)

# Network hardening
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1

# Kernel hardening
kernel.randomize_va_space = 2
# kernel.exec-shield existed only in older Red Hat kernels and is rejected by
# current kernels (sysctl --system logs an error); NX/ASLR are covered above.
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 1
kernel.sysrq = 0
fs.suid_dumpable = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
```
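A drift check for the baseline above, added here as an example (it is not part of the Noveu guide): it parses the `99-security.conf` format, compares every key against a captured `sysctl -a` dump or, when no dump is given, the live value under `/proc/sys`, and reports keys that are missing or differ. The sample baseline and dump are constructed.

```python
"""Compare a sysctl baseline (the 99-security.conf format above) against a
captured `sysctl -a` dump, or against the running kernel via /proc/sys."""
import os
import re
from typing import Dict, List, Optional

_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-/]+)\s*=\s*(.*?)\s*$")

def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            # collapse internal whitespace so "32768<tab>60999" == "32768 60999"
            values[m.group(1)] = " ".join(m.group(2).split())
    return values

def read_live(key: str) -> Optional[str]:
    """Read one key from /proc/sys (what `sysctl -n key` does); None if absent."""
    try:
        with open(os.path.join("/proc/sys", *key.split("."))) as fh:
            return " ".join(fh.read().split())
    except OSError:
        return None

def sysctl_drift(baseline: str, current: Optional[str] = None) -> List[str]:
    """One finding per key that is missing or differs from the baseline.
    `current` is a `sysctl -a` dump; when None, /proc/sys is read instead."""
    have = parse_sysctl(current) if current is not None else None
    findings = []
    for key, expected in parse_sysctl(baseline).items():
        actual = have.get(key) if have is not None else read_live(key)
        if actual is None:
            findings.append(f"MISSING {key}: expected={expected}")
        elif actual != expected:
            findings.append(f"DRIFT {key}: expected={expected} actual={actual}")
    return findings

# Constructed sample: a baseline subset and a dump where one key deviates
# and one is absent (e.g. because the module providing it is not loaded).
BASELINE = """# /etc/sysctl.d/99-security.conf
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
"""
DUMP = """net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 1
net.ipv4.ip_local_port_range = 32768\t60999
"""
```

Running `sysctl_drift(open("/etc/sysctl.d/99-security.conf").read())` on a host gives the "Config review" verification from the baseline table.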

### Container Hardening

| Control | Description |
|---------|-------------|
| Non-root execution | Containers run as a non-root user |
| Read-only filesystem | Immutable container images |
| Resource limits | CPU/memory limits per container |
| Network policies | Pod-to-pod traffic control |
| Image scanning | Vulnerability scanning at build time |
| Runtime security | Falco or equivalent |

### Kubernetes Security

```yaml
# Pod Security Standards (Restricted)
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/app:1.0.0   # placeholder; image is a required field
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
    # Resource limits, as required by the container hardening table above
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 256Mi
    # Writable scratch space, since the root filesystem is read-only
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
```
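To catch manifests that miss these settings before they reach the cluster, here is an added example that is not from the Noveu project: it evaluates a parsed Pod manifest against the core Restricted-profile rules (no host namespaces, no privileged containers, `allowPrivilegeEscalation: false`, drop `ALL` capabilities, `runAsNonRoot`, a `RuntimeDefault` or `Localhost` seccomp profile at pod or container level) and returns the violations. `SECURE_POD` is the manifest above as a dict, the shape `yaml.safe_load` would produce.

```python
"""Check a Pod manifest (as a parsed dict) against the core controls of the
Restricted Pod Security Standard, the profile the manifest above targets."""
from typing import Any, Dict, List

def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return one message per violated control; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out: List[str] = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):   # host namespaces are forbidden
        if spec.get(field):
            out.append(f"spec.{field} must be false")
    # init and ephemeral containers are subject to the same rules
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"{name}: only NET_BIND_SERVICE may be added")
        # runAsNonRoot and seccomp may be set at pod level; a container may override
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            out.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in {"RuntimeDefault", "Localhost"}:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

# The manifest above as a dict (what yaml.safe_load would produce)
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "securityContext": {
            "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]}}}],
    },
}
```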

## Network Security

### Segmentation

| Zone | Contents | Access |
|------|----------|--------|
| DMZ | Load balancers, WAF | Internet |
| Application | App servers | DMZ only |
| Data | Databases, storage | Application only |
| Management | Monitoring, logging | Jump hosts only |

### Firewall Rules

**Principle**: Default deny, explicit allow

| Source | Destination | Port | Protocol | Reason |
|--------|-------------|------|----------|--------|
| Internet | DMZ LB | 443 | HTTPS | User traffic |
| DMZ | App | 8443 | HTTPS | App traffic |
| App | Data | 5432 | PostgreSQL | Database |
| App | Data | 6379 | Redis | Cache |
| Mgmt | All | 22 | SSH | Management |

### Zero Trust Principles

1. **Verify explicitly** - Authenticate every request
2. **Least privilege** - Minimal permissions
3. **Assume breach** - Segmentation and monitoring

## Application Security

### Secure Development

| Phase | Control | Tool |
|-------|---------|------|
| Code | Secure coding guidelines | Developer training |
| Commit | Secret scanning | GitLeaks |
| Build | SAST scanning | SonarQube |
| Deploy | Container scanning | Trivy |
| Runtime | DAST scanning | OWASP ZAP |

### API Security

| Control | Implementation |
|---------|----------------|
| Authentication | OAuth 2.0 / OIDC |
| Authorization | RBAC with scopes |
| Rate limiting | Per client/endpoint |
| Input validation | Schema validation |
| Output encoding | Content-Type headers |
| Logging | Request/response audit |

### Common Vulnerabilities Prevention

| OWASP Top 10 | Mitigation |
|--------------|------------|
| Injection | Parameterized queries, ORM |
| Broken Auth | MFA, session management |
| Sensitive Data Exposure | Encryption, masking |
| XXE | Disable external entities |
| Broken Access Control | RBAC, least privilege |
| Security Misconfiguration | Hardened baselines, scanning |
| XSS | Output encoding, CSP |
| Insecure Deserialization | Input validation |
| Vulnerable Components | Dependency scanning |
| Insufficient Logging | Comprehensive audit logs |

## Data Security

### Encryption

| Data State | Algorithm | Key Size |
|------------|-----------|----------|
| At Rest | AES-256-GCM | 256-bit |
| In Transit | TLS 1.3 | ECDHE |
| In Use | Secure enclaves (where available) | - |

### Key Management

| Aspect | Implementation |
|--------|----------------|
| Storage | HSM or managed KMS |
| Rotation | Automatic, configurable |
| Access | Strict RBAC |
| Audit | All key access logged |
| Escrow | Secure backup procedure |

### TLS Configuration

```nginx
# Nginx TLS configuration
ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths; set to the real cert and key
ssl_certificate_key /etc/nginx/tls/privkey.pem;

ssl_protocols TLSv1.3;
# TLS 1.3 negotiates its own AEAD-only suites; ssl_ciphers is only consulted
# if TLSv1.2 is added to ssl_protocols, so the list stays ECDHE/AEAD-only.
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

# Session resumption via the shared cache only; tickets are off because a
# long-lived ticket key undermines forward secrecy
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# OCSP stapling needs the issuer chain and a resolver for the OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/tls/chain.pem;   # placeholder path
resolver 127.0.0.53 valid=300s;                     # placeholder: local stub resolver

# HSTS; "always" also sends it on error responses. Note that add_header is not
# inherited by a location block that declares its own add_header directives.
add_header Strict-Transport-Security "max-age=63072000" always;
```

## Identity & Access Management

### Authentication

| Method | Use | Strength |
|--------|-----|----------|
| Password + MFA | Standard users | High |
| SSO (SAML/OIDC) | Enterprise | High |
| Certificate | Service accounts | Very high |
| API Key + Secret | Integrations | Medium |

### MFA Requirements

| Type | Supported | Recommended |
|------|-----------|-------------|
| TOTP | ✅ | ✅ |
| WebAuthn/FIDO2 | ✅ | ✅✅ |
| SMS | ❌ | - |
| Hardware token | ✅ | ✅✅ |

### Password Policy

| Requirement | Value |
|-------------|-------|
| Minimum length | 14 characters |
| Complexity | Letters + digits + symbols |
| History | Last 24 not reusable |
| Max age | 90 days (or passkeys) |
| Lockout | 5 attempts, 15 min lockout |

## Monitoring & Logging

### Security Logging

| Log Type | Retention | Use |
|----------|-----------|-----|
| Authentication | 1 year | Access audit |
| Authorization | 1 year | Permission audit |
| Admin actions | 2 years | Change audit |
| Security events | 2 years | Incident investigation |
| Network flows | 90 days | Traffic analysis |

### Alerting Rules

| Alert | Severity | Response |
|-------|----------|----------|
| Multiple failed logins | Medium | Review, possible lockout |
| Privilege escalation | High | Immediate investigation |
| Unusual data access | High | User verification |
| Configuration change | Low | Audit trail |
| Malware detection | Critical | Isolation |
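The lockout rule from the password policy (5 attempts, 15 min lockout) and the "Multiple failed logins" alert above, implemented together in an added example that is not part of the guide. It assumes the failure-counting window equals the lockout period, which the policy does not specify; the authentication events are constructed.

```python
"""Apply the password-policy lockout rule (5 failed attempts, 15 min lockout)
to authentication events and raise the 'multiple failed logins' alert."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

MAX_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=15)   # also used as the counting window (assumption)

class LockoutTracker:
    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.locked_until: Dict[str, datetime] = {}
        self.alerts: List[str] = []

    def observe(self, ts: datetime, user: str, ok: bool) -> str:
        """Decide one event: ALLOW, DENY (failure counted) or LOCKED."""
        if self.locked_until.get(user, ts) > ts:
            return "LOCKED"              # rejected without evaluating the credential
        if ok:
            self.failures[user].clear()  # a success resets the counter
            return "ALLOW"
        window = self.failures[user]
        window.append(ts)
        while ts - window[0] > LOCKOUT:  # forget failures older than the window
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            until = ts + LOCKOUT
            self.locked_until[user] = until
            window.clear()
            self.alerts.append(f"MEDIUM multiple failed logins: {user} locked until {until.isoformat()}")
        return "DENY"

def replay(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Feed 'ISO-timestamp user SUCCESS|FAILURE' lines; return decisions and alerts."""
    tracker, decisions = LockoutTracker(), []
    for line in lines:
        ts, user, outcome = line.split()
        decisions.append(tracker.observe(datetime.fromisoformat(ts), user, outcome == "SUCCESS"))
    return decisions, tracker.alerts

# Constructed sample: five failures in four minutes, a correct password during
# the lockout (still rejected), and a clean login after the lockout expires.
SAMPLE = [
    "2026-01-15T09:00:00 alice FAILURE", "2026-01-15T09:01:00 alice FAILURE",
    "2026-01-15T09:02:00 alice FAILURE", "2026-01-15T09:03:00 alice FAILURE",
    "2026-01-15T09:04:00 alice FAILURE", "2026-01-15T09:05:00 alice SUCCESS",
    "2026-01-15T09:20:00 alice SUCCESS",
]
```

The alert is emitted once per lockout rather than per failed attempt, which keeps the Medium-severity queue free of duplicates for the same user.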

## Compliance Mapping

| Control | CIS | ISO 27001 | NIST |
|---------|-----|-----------|------|
| Encryption at rest | 3.1 | A.10.1.1 | SC-28 |
| Access control | 5.1 | A.9.1.1 | AC-2 |
| Logging | 8.2 | A.12.4.1 | AU-2 |
| Vulnerability management | 7.1 | A.12.6.1 | RA-5 |
| Incident response | 19.1 | A.16.1.1 | IR-1 |

---

*Last updated: January 2026*  
*Based on CIS Benchmarks and industry best practices*
