Arches and Cybersecurity
Introduction
Organizations need to consider cybersecurity risks and requirements when planning deployment strategies, data modeling, operations, and maintenance for an Arches implementation. Doing so will help ensure the integrity and appropriate use of Arches-managed data, as well as related IT networks, connected devices, etc.
Cybersecurity needs vary widely. Legal requirements, organizational policies, contract or funder requirements, understandings of ethics, operational needs, and the specifics of the information documented in your data can all play a role in shaping data security needs. In some organizational settings, especially in the public sector, cybersecurity will require complex technical and operational controls. Even information intended for public release will require measures to protect against accidental or unauthorized attempts at modification or deletion.
This page provides a general overview of topics relating to Arches and cybersecurity. It is not intended to provide a comprehensive reference for all security measures pertaining to the development, implementation, and use of Arches software. Because Arches is enterprise software, the security of the software and the data stored within it relies not only on the software itself, but also on the security of the network and servers on which an individual instance is deployed, and on the policies and practices followed by system administrators and users at the individual institutions using Arches. It is the responsibility of the deploying organization to implement and continuously maintain good security practices; software is only one aspect of such practices.
Cybersecurity and Resource Planning
In certain contexts, cybersecurity risks can involve legal, financial, and reputational harms to your own organization and staff, as well as harms to stakeholding communities. It is important to understand and mitigate these risks. The first step in securing your Arches implementation is to review and assess your position within this complex and varied environment. Some Arches implementations will require much more robust protections than others. If your cybersecurity needs require greater levels of protection, then you will need additional resources and planning to obtain the additional time, expertise, and finances required to assess and reduce security vulnerabilities.
Organizations that need greater cybersecurity protections should involve technical experts to secure their Arches deployments. An organization may need to rely on both “in house” expertise (people who manage information systems and networks within an organization) and contracted Arches service providers.
Security and Arches Software Development
Arches software development processes align with industry good practices in security. Arches also leverages rigorously tested component software, especially PostgreSQL and Elasticsearch, which see frequent deployment for highly secure data management. Some of the security-related practices employed in Arches software development include:
- The Arches code base has increasing testing coverage for both backend (server and data management) and frontend (user interface) components.
- The Arches development process centers around peer code review to help improve quality, share knowledge, contribute to clarity and documentation, and detect defects early. Code review processes help maintain industry standard security protections such as input validation and sanitization to prevent attacks, and access controls to limit unauthorized data exposures.
- The Arches development team also employs automated security checks of software libraries and other components used by Arches as dependencies. The Arches release process incorporates updates to component libraries to help improve security.
- The Arches development cycle includes “Long Term Support” (LTS) software releases. These releases will see security updates and other bug fixes over longer time horizons, thereby helping to reduce costs and risks faced by organizations to maintain Arches deployments over multiple years.
- When security vulnerabilities are discovered, the Arches developer team works in a secure, private version control setting to develop solutions. This practice helps minimize the risk of spreading awareness of a vulnerability before a fix is ready.
- In the course of implementation, certain organizations, especially government offices, run penetration testing of Arches software. Such testing provides invaluable feedback to the Arches development team, and helps improve the security of Arches for the entire community.
Collaboration to Improve Security
One of the most important strategies to improve Arches security centers on collaboration across the Arches open-source community. As discussed above, some organizations, particularly those in the public sector, have done extensive security audits and penetration testing of Arches. In some cases, they have reported vulnerabilities that were subsequently diagnosed and fixed in the Arches software release process. Reporting vulnerabilities therefore helps improve the security and reliability of Arches for the entire community. If a member of the Arches community learns about a security vulnerability in the Arches open source code, they should always promptly disclose that information to the Arches project. Security vulnerability information should be reported at: archesproject.org/security-reporting-form.
Additional Security Guidance
The official Arches open-source software documentation provides additional information to guide data security practices. Please review this guidance to learn how you can more securely deploy your Arches implementation: https://arches.readthedocs.io/en/stable/administering/security/
The Open Source Security Foundation (https://openssf.org/) provides guidance and free-of-charge professional development courses to promote good security practices in the production, deployment, and use of open source software.
Last updated: December 2024