Because we are creating a social media platform, there will be a lot of security risks involved in the public platform itself, the data we store, and the platform codebase. In order to keep the entire system secure, we will need to adhere to some best practices and put some safeguards into place, most of which are outlined below (including some considerations the team needs to make as the platform's user base grows over time).

All the stakeholders of the alumni platform will be involved in keeping it secure to some degree, though individuals with elevated privileges like developers, database administrators, and all entities with access to internal data (members of the alumni association, university advisors, advancement services) will have a greater involvement in platform security and will likely require additional training to ensure that any action that they perform on the system won’t compromise its security in any way. It is important to inform all stakeholders (including users) about basic security protocols and methods to mitigate breaches. Ultimately, the biggest asset that will require the most protection is our stored data. The project team members in charge of security will need to pay special attention to keeping our platform data extra secure because the alumni user base inherently trusts our team to keep their personal data secure and because we need to ensure that our platform remains GDPR-compliant.

User Authentication

• Encourage users to enable multi-factor authentication to minimize hacked accounts
• Set password minimum requirements during password creation/changes to make it harder for hackers to guess
• Limit the period when a user is kept logged in so they have to re authenticate their identity once in a while
• Encourage users to occasionally update their passwords
• Only allow a limited number of credential guesses before locking an account and requesting a password change

User Input

• Sanitize any special characters and/or reserved keywords to prevent cross-site scripting or SQL injection attacks
• Implement checks that verify that user input is valid, when applicable (check for data type, format, length, etc.)
• Block/disable submission of data and provide helpful errors when invalid input is provided

Stored Data

• Encrypt sensitive data before storing them in the database using a secure algorithm
• Password protect the database management system and consider only allowing access via VPN
• Perform regular database backups to minimize data loss in the event of an internal/human error or breach
• Isolate each database table from one another to make it harder for attackers to gain access to all our data in the event of a breach
• Set up database firewalls to have an additional layer of security

Development Security Measures

• Ensure that new code is well-tested to prevent releasing bugs or vulnerable features to production