{ "application_name": "Balsamiq Wireframes for Google Drive", "application_description": "Google Drive app for creating and collaborating on low-fidelity wireframes.", "application_vm_securitycontact_yes": "checked", "application_vm_securitycontact_no": "", "application_ssl_exclusively": "checked", "application_ssl_mixed": "", "application_ssl_none": "", "application_ssl_configuration_ciphers_yes": "checked", "application_ssl_configuration_ciphers_no": "", "application_ssl_configuration_keys_yes": "checked", "application_ssl_configuration_keys_no": "", "application_ssl_configuration_pfs_yes": "checked", "application_ssl_configuration_pfs_no": "", "application_ssl_configuration_termination_app": "", "application_ssl_configuration_termination_loadbalancer": "checked", "application_ssl_configuration_termination_other": "", "application_ssl_configuration_lb_traffic_encrypted": "", "application_ssl_configuration_lb_traffic_unencrypted_own_network": "checked", "application_ssl_configuration_lb_traffic_unencrypted_other_network": "", "application_ssl_configuration_lb_traffic_other": "", "application_ssl_mixedcontent_yes": "checked", "application_ssl_mixedcontent_no": "", "tip_application_ssl_hsts_yes": "checked", "tip_application_ssl_hsts_no": "", "application_ssl_cookies_secure_yes": "checked", "application_ssl_cookies_secure_no": "", "application_authentication_requires_login": "checked", "application_authentication_admin_interface": "", "application_authentication_roles": "checked", "application_authentication_roles_description": "We piggyback on Google Drive permissions.\nDetails here: https://balsamiq.com/wireframes/google-drive/docs/", "application_authentication_sso_none": "", "application_authentication_sso_oauth": "checked", "application_authentication_sso_other": "", "application_auth2_library": "checked", "application_auth2_self_secure": "", "application_auth2_self": "", "application_custom_auth_yes": "", "application_custom_auth_no": "checked", "application_custom_auth_explain": "", "application_custom_auth_chpasswd_yes": "checked", "application_custom_auth_chpasswd_no": "", "application_custom_auth_pwdreq_yes": "checked", "application_custom_auth_pwdreq_no": "", "application_custom_auth_storage_plain": "", "application_custom_auth_storage_reversible": "", "application_custom_auth_storage_hashed": "", "application_custom_auth_storage_salted": "", "application_custom_auth_storage_pbkdf": "checked", "application_custom_auth_storage_other": "", "application_custom_auth_initpwd_selfset": "checked", "application_custom_auth_initpwd_email": "", "application_custom_auth_initpwd_snail": "", "application_custom_auth_initpwd_other": "", "application_custom_auth_initpwd_prepopulated_yes": "", "application_custom_auth_initpwd_prepopulated_no": "checked", "application_custom_auth_recovery_resetlink": "checked", "application_auth_cookies_httponly_yes": "checked", "application_auth_cookies_httponly_no": "", "application_auth_cookies_other": "", "application_auth_cookies_sig": "", "application_auth_cookies_timeout_yes": "checked", "application_auth_cookies_timeout_no": "", "application_auth_cookies_timeout_length": "24 hours", "application_auth_cookies_invalidation_yes": "checked", "application_auth_cookies_invalidation_no": "", "application_authz_horizontal_yes": "checked", "application_authz_horizontal_no": "", "application_authz_vertical_yes": "checked", "application_authz_vertical_no": "", "application_authz_xsrf_yes": "checked", "application_authz_xsrf_no": "", "application_authz_xsrf_token": "checked", "application_authz_xsrf_header": 
"", "application_authz_xsrf_post": "checked", "warn_application_authz_xsrf_post": "", "application_authz_xssi_other": "checked", "application_authz_xssi_protections_yes": "checked", "application_authz_xssi_protections_no": "", "application_authz_xssi_jsonp": "", "application_authz_clickjacking_protected": "checked", "application_authz_clickjacking_notprotected": "", "application_webvuln_db": "checked", "application_webvuln_upload": "checked", "application_xss_templating": "checked", "application_xss_chokepoint": "", "application_xss_content_type_yes": "checked", "application_xss_content_type_no": "", "application_xss_fileupload_yes": "checked", "application_xss_fileupload_no": "", "warn_application_xss_fileupload": "Users can only upload projects (BMPR format) and images and PDFs inside those projects. The data is validated on the server and processed, before being stored in the database.", "application_xss_dombased_yes": "checked", "application_xss_dombased_no": "", "application_sqli_orm": "checked", "application_sqli_prepared": "", "application_sqli_manual": "checked", "application_sqli_other": "", "application_sqli_prepared_consistent_yes": "checked", "application_sqli_prepared_consistent_no": "", "application_upload_storage_fs": "", "application_upload_storage_db": "checked", "application_upload_storage_other": "", "application_upload_storage_types": "BMPR, JPEG, GIF, PDF, PNG, ZIP", "application_upload_type_extension": "checked", "application_upload_type_contenttype": "checked", "application_upload_type_reencoding": "checked", "application_testing_unit_yes": "checked", "application_testing_unit_no": "", "application_testing_unit_coverage_large": "checked", "application_testing_unit_coverage_med": "", "application_testing_unit_coverage_small": "", "application_testing_unit_security_yes": "checked", "application_testing_unit_security_no": "", "application_testing_qa_security_yes": "checked", "application_testing_qa_security_no": "", 
"warn_application_monitoring_robust": "checked", "warn_application_monitoring_weak": "", "warn_application_monitoring_none": "", "security_contacts": "security@balsamiq.com", "warn_application_upload_reencoding": "We're only decoding/reencoding the BMPR files, which are compressed SQLite archives. After successfully reading the contents of the archive, we store those contents in a MySQL database. So, basically, it's moving (and validating) data from one relational database to another.", "application_other": "We realize that we have room for improvement, but we're a small team and are doing our best with our resources. We continue to improve as we grow.", "application_auth_cookies_framework": "checked", "application_auth_cookies_framework_which": "Google App Engine OAuth / Tomcat", "warn_application_auth_cookies_no_invalidation": "We will consider adding this in the future.", "application_xss_perpage": "checked", "application_sqli_orm_which": "Google Cloud Datastore", "warn_application_sqli_manual": "We only store valid JSON.", "warn_application_testing_unit_coverage": "We have what we consider good test coverage. We have automated tests: both unit tests at the algorithmic level, where applicable, and integration tests on the server-side API. Much of the untested code belongs to adapters that integrate with third-party services. The coverage of our tests could be improved, but as it stands today it already gives us good confidence in the correctness of the application." }