Challenge
Organizations struggle to answer security questionnaires consistently. Manual reviews are slow, evidence is scattered, and teams cannot show a clear remediation roadmap.
Security & Compliance
Security posture you can measure, evidence, and sell
An automated security assessment product built from CODA's own platform hardening — covering encryption, access control, MFA, logging, and compliance — deployed internally and offered externally to institutions.
CODA mapped customer-data protection pillars to automated checks, CI scorecards, and phased remediation plans — starting with our own UAT/production stack (MFA, RBAC, password hashing, audit logging) before packaging the model for clients.
What CODA implemented, how, and why — the same framework we use internally and sell externally.
Customer and integration data is protected in transit and at rest: HTTPS with HSTS on all internet-facing environments, Fernet encryption for OAuth tokens and API credentials, and PBKDF2 password hashing (replacing legacy MD5).
Production and UAT settings enforce SECURE_SSL_REDIRECT, HSTS (1-year preload), and secure session/CSRF cookies. Secrets at rest use shared_core/crypto.py (Fernet via OAUTH_TOKEN_FERNET_KEY). Passwords are hashed with PBKDF2; a verify-only MD5 fallback lets existing users authenticate once more and be rehashed on that login, so nobody is locked out by the migration.
If traffic is intercepted or a database backup leaks, ciphertext and strong hashes keep customer credentials and integration secrets unreadable — a baseline every institution asks about in vendor reviews.
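The verify-only fallback described above, as an added example that is not CODA's shared_core code: the store accepts a legacy hash only to check it, always writes PBKDF2-SHA256, and upgrades the row on the next successful login. The legacy hash format (an unsalted hex MD5 with an "md5$" prefix), the iteration count and the in-memory user table are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added example (not CODA's shared_core/crypto.py): PBKDF2 hashing with an
# MD5 verify-only fallback. MD5 is never produced, only accepted for rows that
# still carry it, and those rows are rewritten as PBKDF2 on the next login.

PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP-level PBKDF2-SHA256 work factor


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash: algo$iterations$salt$digest."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${digest.hex()}"


def legacy_md5(password: str) -> str:
    """Shape of the legacy hash this example assumes (unsalted hex MD5, prefixed)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify(password: str, stored: str) -> tuple[bool, str | None]:
    """Check password against the stored hash.

    Returns (ok, new_hash): new_hash is a fresh PBKDF2 hash when the stored
    value should be replaced (legacy MD5, or an outdated iteration count).
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt, digest = stored.split("$", 3)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iters))
        ok = hmac.compare_digest(candidate.hex(), digest)
        needs_upgrade = ok and int(iters) < PBKDF2_ITERATIONS
        return ok, (hash_password(password) if needs_upgrade else None)
    if stored.startswith("md5$"):
        # Verify-only path: accept the legacy hash once, then hand back a PBKDF2 replacement.
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (hash_password(password) if ok else None)
    return False, None  # unknown format: deny rather than guess


def login(users: dict[str, str], username: str, password: str) -> bool:
    """Authenticate against a constructed in-memory table and rehash transparently."""
    stored = users.get(username)
    if stored is None:
        # Spend comparable time for unknown users so the response time does not reveal them.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", PBKDF2_ITERATIONS)
        return False
    ok, new_hash = verify(password, stored)
    if ok and new_hash:
        users[username] = new_hash  # upgraded in place: no lockout, no forced reset
    return ok
```

A failed login against a legacy row leaves the MD5 hash untouched, so the migration cannot be used to discover anything; only a correct password triggers the rewrite.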
Role-based access control is centralized across finance, contributions, contracts, and dashboards — with automated CI checks that block permission regressions.
core/permissions.py and accounts/permissions.py define persona gates (staff, finance, investor, student). Views use CODAPermissionMixin and require_* decorators. scripts/rbac_audit_check.py runs on every PR; contract_access.py stays request-free for testable pure predicates.
Least privilege reduces insider risk and satisfies audit questions about who can see payments, member records, and administrative functions.
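The request-free predicate and the CI regression check described above, as an added example rather than CODA's core/permissions.py or scripts/rbac_audit_check.py: persona gates are plain functions over a set of personas, and the audit walks a constructed registry of routed views and fails when a sensitive module's view has lost its gate or uses one that admits students. The capability matrix, module names and ViewSpec registry are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example (not CODA's permissions modules): persona gates as pure
# predicates plus an audit that returns findings for permission regressions.

PERSONAS = {"staff", "finance", "investor", "student"}

# Constructed capability matrix: which personas may exercise which capability.
CAPABILITIES: dict[str, set[str]] = {
    "view_payments": {"finance"},
    "view_member_records": {"staff", "finance"},
    "manage_contracts": {"staff"},
    "view_dashboard": {"staff", "finance", "investor", "student"},
}

SENSITIVE_MODULES = {"finance", "contributions", "contracts"}


def has_capability(personas: frozenset[str], capability: str) -> bool:
    """Pure predicate: no request object, so it is unit-testable in isolation."""
    allowed = CAPABILITIES.get(capability)
    if allowed is None:
        return False  # unknown capability: deny by default
    return bool(personas & allowed)


@dataclass(frozen=True)
class ViewSpec:
    """What the audit sees for one routed view (constructed registry entry)."""
    name: str
    module: str        # "finance", "contributions", "contracts", "dashboards", ...
    gate: str | None   # capability required by the mixin/decorator, or None if ungated


def audit_views(views: list[ViewSpec]) -> list[str]:
    """One finding per regression; an empty list means the PR check passes."""
    findings: list[str] = []
    for v in views:
        label = f"{v.module}.{v.name}"
        if v.gate is None:
            if v.module in SENSITIVE_MODULES:
                findings.append(f"{label}: no permission gate")
            continue
        if v.gate not in CAPABILITIES:
            findings.append(f"{label}: unknown gate '{v.gate}'")
        elif v.module in SENSITIVE_MODULES and "student" in CAPABILITIES[v.gate]:
            findings.append(f"{label}: gate '{v.gate}' admits students")
    return findings
```

Wiring this into CI means exiting non-zero when `audit_views` returns anything; because the predicate takes no request, the same matrix can be tested directly without spinning up the web framework.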
Staff and superuser accounts require TOTP multi-factor authentication, mandatory email verification in production, and Django's full password validator suite.
django-otp with TOTP devices and one-time backup codes. StaffMfaMiddleware gates privileged sessions after login. Enrollment at /accounts/mfa/setup/; verification each session at /accounts/mfa/verify/. CODA_MFA_ENFORCE plus an optional grace date control the rollout on Heroku without lockout surprises.
Administrative accounts are the highest-value targets. MFA and verified email close the gap between 'someone knows a password' and 'someone is authorized.'
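To make the TOTP and backup-code mechanics concrete, here is an added example that is not django-otp's or CODA's code: an RFC 6238 verifier with a one-step drift window, replay rejection keyed on the last accepted counter, and single-use backup codes of which only SHA-256 digests are kept. The shared secret, the issuer name and the backup-code length are constructed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct

# Added example (not django-otp's implementation): RFC 4226 HOTP, RFC 6238 TOTP,
# a server-side device record with replay protection, and hashed backup codes.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI for the enrollment QR code (base32 secret without padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


class TotpDevice:
    """Server-side state for one enrolled authenticator."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, code: str, at: int) -> bool:
        base = at // self.step
        for k in range(-self.window, self.window + 1):
            counter = base + k
            if counter <= self.last_counter:
                continue  # this step, or an older one, was already used: reject replays
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class BackupCodes:
    """Single-use recovery codes: plaintext shown once at setup, only digests stored."""

    def __init__(self, count: int = 10) -> None:
        self.plain = [secrets.token_hex(5) for _ in range(count)]  # handed to the user once
        self._digests = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def consume(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._digests:
            self._digests.discard(digest)  # each code works exactly once
            return True
        return False

    @property
    def remaining(self) -> int:
        return len(self._digests)
```

The `last_counter` rule is what turns "knows a code" into "used a code once": even within the drift window, a code that was already accepted, or any code from an earlier step, is refused.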
Dependencies are pinned and monitored; a phased security plan tracks Django upgrade, pip-audit CI, and dependency CVE response.
Poetry lockfile at repo root for reproducible builds. SECURITY_IMPLEMENTATION_PLAN and SECURITY_REMEDIATION docs define P0–P6 phases. pip-audit and gitleaks scheduled for Phase 2 CI. Django 4.2 LTS upgrade planned in Phase 5 with UAT soak.
Known CVEs in EOL frameworks are the fastest path to breach. Institutions expect a visible patch cadence — not 'we'll get to it eventually.'
Authentication, finance, webhook, and public-access events are logged with structured audit models — designed for review, not silent mutation.
LoginHistory tracks sign-ins. FinanceAuditEvent records settlement and webhook actions. WebhookEventRecord stores SHA-256 payload hashes (never raw PINs/OTPs). ContributionPublicAccessLog records token fingerprints and rate-limit events. Heroku captures stdout for centralized log drain.
You cannot respond to incidents you cannot see. Audit trails are how institutions prove 'we knew who did what, when' after the fact.
Production database backups via Heroku Postgres, with documented restore procedures and CLI tooling for backup verification.
Heroku pg:backups are captured on a schedule. The platform_services management command heroku_list_backups surfaces backup age. scripts/backup/postgres_backup.sh and restore_into_compose_postgres.sh support dev/staging drills. The CODA Docker Developer Guide documents quarterly restore expectations.
Ransomware, operator error, and provider outages happen. Tested backups are the difference between a bad day and a business-ending event.
CSRF protection on all session-authenticated routes, explicit ALLOWED_HOSTS, X-Frame-Options DENY, and webhook-only CSRF exemptions on a documented allowlist.
CsrfViewMiddleware globally enabled. scripts/csrf_exempt_allowlist.txt documents every exempt endpoint (payment webhooks, health probes only). SSRF guards in application/utils.py block private IP ranges on outbound URL validation. Phase 2 removes ~20 legacy finance CSRF exemptions.
Network-layer controls stop session hijacking, clickjacking, and server-side request forgery — common attack paths against Django monoliths.
Sensitive payloads are not stored when a hash or fingerprint suffices; retention purge commands exist for webhook dead letters and operational logs.
WebhookEventRecord: payload_hash + normalized DTO — never raw webhook bodies. Public access logs store SHA-256 token fingerprints, not tokens. purge_webhook_dead_letters management command for retention. REQUIREMENT_INTELLIGENCE_REDACT_SENSITIVE_SOURCE_TEXT flag for AI pipelines.
GDPR and institutional clients ask: 'Do you really need to store that?' Minimization shrinks breach blast radius and simplifies compliance narratives.
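The two minimization patterns from the logging and data-minimization sections (a SHA-256 payload hash plus a normalized DTO instead of the raw webhook body, and a SHA-256 token fingerprint instead of the token) in one added example that is not CODA's WebhookEventRecord or ContributionPublicAccessLog model. The sensitive field names, the provider label and the sample payload are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Added example (not CODA's models): persist a hash of the raw body plus a DTO
# with secret-bearing fields dropped, and fingerprint tokens rather than log them.

SENSITIVE_KEYS = {"pin", "otp", "password", "card_number", "cvv"}  # assumed field names


def payload_hash(raw_body: bytes) -> str:
    """Hash the bytes exactly as received so a redelivered body matches bit-for-bit."""
    return hashlib.sha256(raw_body).hexdigest()


def normalize(payload: dict) -> dict:
    """Recursively drop sensitive keys; keep the operational fields support needs."""
    out: dict = {}
    for key, value in payload.items():
        if key.lower() in SENSITIVE_KEYS:
            continue
        if isinstance(value, dict):
            out[key] = normalize(value)
        elif isinstance(value, list):
            out[key] = [normalize(v) if isinstance(v, dict) else v for v in value]
        else:
            out[key] = value
    return out


@dataclass(frozen=True)
class WebhookEventRecord:
    provider: str
    event_id: str
    payload_hash: str
    dto: dict


def record_webhook(provider: str, raw_body: bytes) -> WebhookEventRecord:
    """Everything that gets persisted; raw_body itself is never stored."""
    payload = json.loads(raw_body)
    return WebhookEventRecord(provider=provider,
                              event_id=str(payload.get("id", "")),
                              payload_hash=payload_hash(raw_body),
                              dto=normalize(payload))


def is_redelivery(record: WebhookEventRecord, raw_body: bytes) -> bool:
    """Idempotency check against the stored hash, with no stored body needed."""
    return record.payload_hash == payload_hash(raw_body)


def token_fingerprint(token: str) -> str:
    """Truncated SHA-256 of a public-access token: enough to correlate log lines
    and rate-limit events, useless for opening the link."""
    return hashlib.sha256(token.encode()).hexdigest()[:32]
```

The plain SHA-256 fingerprint is adequate when tokens are long and random; for short or guessable tokens a keyed HMAC with a server-side secret would be the safer fingerprint, since a leaked log could otherwise be brute-forced offline.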
Security posture is measured against ten customer-data protection pillars with automated checks, CI integration, and phased remediation documentation.
scripts/security_questionnaire_check.py produces JSON/markdown scorecards mapped to GDPR/SOC-style control areas. GitHub workflow runs on every PR. SECURITY_IMPLEMENTATION_PLAN tracks Phases 0–6 with checkboxes and owners. RBAC and deploy checks feed the compliance pillar grade.
Compliance is not a PDF — it is repeatable evidence. Automation turns annual panic into continuous readiness for vendor reviews and board questions.
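An added example of the scorecard idea, not CODA's scripts/security_questionnaire_check.py: six of the pillar checks are expressed as functions over a settings snapshot, and the result is rendered as both JSON and markdown so a CI job can attach it to a PR. Only Django setting names and the two CODA settings named on this page (OAUTH_TOKEN_FERNET_KEY, CODA_MFA_ENFORCE) are used; the two snapshots, the pillar names and the pass/fail rules are constructed.

```python
from __future__ import annotations

import json
from typing import Callable

# Added example (not CODA's questionnaire script): score a settings snapshot
# against pillar checks and emit JSON and markdown scorecards.

ONE_YEAR = 60 * 60 * 24 * 365


def check_transport(s: dict) -> tuple[bool, str]:
    hsts = int(s.get("SECURE_HSTS_SECONDS", 0))
    ok = (s.get("SECURE_SSL_REDIRECT") is True and hsts >= ONE_YEAR
          and s.get("SECURE_HSTS_INCLUDE_SUBDOMAINS") is True
          and s.get("SECURE_HSTS_PRELOAD") is True)
    return ok, f"ssl_redirect={s.get('SECURE_SSL_REDIRECT')} hsts={hsts}s"


def check_cookies(s: dict) -> tuple[bool, str]:
    ok = s.get("SESSION_COOKIE_SECURE") is True and s.get("CSRF_COOKIE_SECURE") is True
    return ok, "session and CSRF cookies Secure" if ok else "session or CSRF cookie not Secure"


def check_password_hashing(s: dict) -> tuple[bool, str]:
    hashers = s.get("PASSWORD_HASHERS") or []
    primary = hashers[0] if hashers else ""
    # Only the first hasher produces new hashes; later entries are verify-only.
    ok = ("PBKDF2" in primary or "Argon2" in primary) and "MD5" not in primary
    return ok, f"primary hasher: {primary or 'unset'}"


def check_secrets_at_rest(s: dict) -> tuple[bool, str]:
    ok = bool(s.get("OAUTH_TOKEN_FERNET_KEY"))
    return ok, "Fernet key configured" if ok else "OAUTH_TOKEN_FERNET_KEY missing"


def check_mfa(s: dict) -> tuple[bool, str]:
    ok = s.get("CODA_MFA_ENFORCE") is True
    return ok, f"CODA_MFA_ENFORCE={s.get('CODA_MFA_ENFORCE')}"


def check_hosts_and_framing(s: dict) -> tuple[bool, str]:
    hosts = s.get("ALLOWED_HOSTS") or []
    ok = bool(hosts) and "*" not in hosts and s.get("X_FRAME_OPTIONS") == "DENY"
    return ok, f"ALLOWED_HOSTS={hosts} X_FRAME_OPTIONS={s.get('X_FRAME_OPTIONS')}"


CHECKS: list[tuple[str, Callable[[dict], tuple[bool, str]]]] = [
    ("Encryption in transit", check_transport),
    ("Secure cookies", check_cookies),
    ("Password hashing", check_password_hashing),
    ("Secrets at rest", check_secrets_at_rest),
    ("MFA enforcement", check_mfa),
    ("Host and frame controls", check_hosts_and_framing),
]


def scorecard(settings: dict) -> dict:
    rows = []
    for name, check in CHECKS:
        ok, detail = check(settings)
        rows.append({"pillar": name, "passed": ok, "detail": detail})
    passed = sum(1 for r in rows if r["passed"])
    return {"pillars": rows, "passed": passed, "total": len(rows),
            "score": round(100 * passed / len(rows))}


def to_json(card: dict) -> str:
    return json.dumps(card, indent=2)


def to_markdown(card: dict) -> str:
    lines = [f"Security scorecard: {card['passed']}/{card['total']} ({card['score']}%)", "",
             "| Pillar | Status | Detail |", "|---|---|---|"]
    for r in card["pillars"]:
        lines.append(f"| {r['pillar']} | {'PASS' if r['passed'] else 'FAIL'} | {r['detail']} |")
    return "\n".join(lines)


# Constructed snapshots: a hardened production profile and a weakened copy of it.
HARDENED = {
    "SECURE_SSL_REDIRECT": True, "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True, "SECURE_HSTS_PRELOAD": True,
    "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.PBKDF2PasswordHasher",
                         "django.contrib.auth.hashers.MD5PasswordHasher"],  # MD5 verify-only
    "OAUTH_TOKEN_FERNET_KEY": "<fernet-key-from-env>",
    "CODA_MFA_ENFORCE": True,
    "ALLOWED_HOSTS": ["app.example.org"], "X_FRAME_OPTIONS": "DENY",
}
WEAK = {**HARDENED, "SECURE_HSTS_SECONDS": 3600, "CODA_MFA_ENFORCE": False,
        "PASSWORD_HASHERS": ["django.contrib.auth.hashers.MD5PasswordHasher"]}
```

Run on every PR, the markdown table is the artefact reviewers read and the JSON is what a remediation tracker can diff over time, which is what makes the evidence repeatable rather than a point-in-time document.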
Staff security culture through academy safety governance, MFA enrollment workflows, and documented security operating procedures — not security as an afterthought.
AI Improvement Lab safety checklists and UAT-only banners train staff on production boundaries. MFA setup flow includes backup code handoff and grace period comms. SECURITY_REMEDIATION and IMPLEMENTATION plans are living docs the engineering team executes against.
The weakest link in any system is a person who clicks the wrong link or shares credentials. Awareness turns your team into part of the control, not a bypass.
Platform screenshots and walkthrough visuals will be added in a future update.