How secure is Playbook?

Playbook has survived multiple customer audits. Also, we know a thing or two about web application security, being app security consultants ourselves. Some things to know up front:

  • Playbook has a minimal pre-auth attack surface. The “retail” interface customers use to submit tickets doesn’t involve actual logins (we issue tokens to track tickets with). The virtual appliance Playbook runs on gives you a web app with a login prompt and little else.

  • Playbook is designed to take advantage of Subversion branches to enforce access control internally. Edits by normal users take place on user branches, not the trunk. Users with real Playbook logins can “see” most things, but can’t edit anything that touches firewalls.

  • Yes, we use bcrypt to manage login passwords.

  • We do support RADIUS and LDAP for authentication, as well as RSA tokens.

Last updated on September 17, 2009 by Thomas Ptacek