Basecamp security review

Does the SaaS provider protect external data in transit using TLS?

Yes

Basecamp uses HTTPS to transmit and receive data. TLS 1.2 is used to encrypt data whilst in transit between Basecamp’s servers and the user’s browser.

Does the SaaS provider protect external data in transit using correctly configured certificates?

Yes

Basecamp meets the recommended cryptographic profiles for TLS as published by the NCSC. Basecamp currently gets an ‘A’ rating from SSL Labs. Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.

Does the SaaS provider protect internal data in transit between services using encryption?

Unknown

At this time, it is unknown whether Basecamp protects internal data in transit between services using encryption. However, Basecamp does state that project data, messages, text documents and TODOs are not encrypted at rest.

Does the SaaS provider protect internal data in transit between services using correctly configured certificates? 

Unknown

At this time, it is unknown whether Basecamp protects internal data in transit using correctly configured certificates.

If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?

Yes (version dependent)

All Basecamp 3 APIs require the use of OAuth 2.0 for authentication.

All public integrations of Basecamp 2 require the use of OAuth 2.0 for API authentication. Basecamp 2 does support HTTP basic authentication for private integrations.

Basecamp Classic does not require the use of OAuth 2.0. Public integrations of Basecamp Classic are compatible with OAuth 2.0, but do not require it.

If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?

Yes (version dependent)

Basecamp offers various account roles: Admin, Owner and Non-admin user accounts. If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?

Yes

Basecamp offers 2 factor authentication (2FA) in the form of ‘Phone Verification (SMS)’ for all users. In the event the user loses access to their phone, security questions are set during the 2FA setup process which the user can use to unlock their account. They also support sign-in via Google accounts which support non-SMS 2FA.

Does the SaaS provider collect logs of events?

Types of log may include security logs and resource logs

Unknown

At this time, it is unknown whether Basecamp collects logs of events. Does the provider make logs available to the client?

Partial

Currently, the only logs visible to Basecamp’s clients are uptime statistics of each of the Basecamp versions.

Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?

The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.

Yes

Basecamp have a security response procedure whereby they encourage security researchers to email them vulnerability details using their public key. From here, Basecamp will correspond with the bug finder until the issue is resolved. Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions) ? Yes Basecamp publishes the majority of the answers to the above security questions. They have recently released a security whitepaper on their security pages, that bring together information covered above.

Source: NCSC