Description
This release marks a significant milestone in the evolution of the AVA platform, focusing on robust security hardening, infrastructure scalability, and critical functional improvements. Below are the detailed notes regarding the updates deployed in Release 25.7.
1. Security Implementations (Penetration Testing Fixes)
A comprehensive security overhaul was conducted following penetration testing to protect against various vulnerabilities and ensure data integrity.
Vulnerability Remediation
Implemented fixes for Mass Assignment Privilege Escalation, preventing users from unauthorized role changes, and resolved several Authorization Bypass vulnerabilities related to user detail modifications and notification management.
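The mass-assignment and authorization-bypass fixes follow a standard Laravel pattern: authorize the caller against the specific record, then write only an explicit allow-list of validated fields. The snippet below is an added illustration of that pattern and is not code from the AVA codebase; the controller, policy and field names (`UserProfileController`, `UserPolicy`, `name`, `email`, `role`) are assumptions.

```php
<?php
// Added illustration of the mass-assignment / authorization-bypass fix pattern;
// not code from the AVA codebase. Controller, policy and field names are assumptions.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class UserProfileController extends Controller
{
    // BEFORE (vulnerable): every submitted key is written to the model. If the User
    // model leaves "role" fillable (or sets $guarded = []), a request carrying
    // role=admin next to a harmless name change escalates privileges. There is also
    // no check that the caller may edit user {id} at all (authorization bypass).
    public function updateInsecure(Request $request, int $id)
    {
        $user = User::findOrFail($id);
        $user->update($request->all());
        return response()->json($user);
    }

    // AFTER (hardened): the policy decides whether the caller may edit this user,
    // validation defines an explicit allow-list, and only those keys reach the model.
    // "role" is simply not in the list, so it cannot be set through this endpoint.
    public function update(Request $request, int $id)
    {
        $user = User::findOrFail($id);
        Gate::authorize('update', $user);   // UserPolicy::update(User $caller, User $target)

        $validated = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);

        $user->fill($validated)->save();
        return response()->json($user->only(['id', 'name', 'email']));
    }
}
```

Pair this with `protected $fillable = ['name', 'email'];` on the User model so that no other code path can mass-assign `role`, and keep role changes in a dedicated endpoint that is itself covered by a policy check.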
Injection Protection
Added middleware and filter hooks to block SQL Injection and Cross-Site Scripting (XSS) vulnerabilities.
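Request-filtering middleware is a defence-in-depth layer; the primary controls remain parameter binding for SQL and output encoding for HTML. The class below is an added illustration of those two layers in Laravel 10 and is not code from the AVA codebase; the table and column names are assumptions. The Insured Name case (which must accept `&`, `%` and `#`) shows why encoding belongs at output rather than input.

```php
<?php
// Added illustration of parameter binding and output escaping in Laravel 10;
// not code from the AVA codebase. Table and column names are assumptions.

namespace App\Support;

use Illuminate\Support\Facades\DB;

final class TaskQueries
{
    // BEFORE (injectable): the search term is spliced into the SQL text, so a
    // value containing a single quote rewrites the query instead of matching text.
    public static function searchInsecure(string $term): array
    {
        return DB::select("SELECT id, title FROM tasks WHERE title LIKE '%{$term}%'");
    }

    // AFTER: the SQL text is constant and the term travels as a bound parameter,
    // so the driver never parses the user's characters as SQL. Note that binding
    // does not neutralise LIKE wildcards: "%" and "_" inside $term still act as
    // wildcards, so escape them if exact matching matters.
    public static function search(string $term): array
    {
        return DB::select(
            'SELECT id, title FROM tasks WHERE title LIKE ?',
            ['%' . $term . '%']
        );
    }

    // XSS is handled at the output layer, not the input layer: fields such as
    // Insured Name legitimately contain &, %, # and similar, so stripping them on
    // input would corrupt data. Encode when rendering instead. In Blade,
    // {{ $value }} does this automatically; {!! $value !!} does not and should be
    // reserved for HTML the application itself produced.
    public static function renderInsuredName(string $insuredName): string
    {
        return '<td>' . e($insuredName) . '</td>';
    }
}
```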
Session & Authentication
Configured the Secure flag for session cookies and implemented HTTP Strict-Transport-Security (HSTS) headers to prevent unencrypted communication.
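One way to emit the HSTS header from the application and to pin the session-cookie flags in configuration. This is an added illustration, not the AVA codebase's own middleware or config; the class name and the one-year `max-age` are assumptions.

```php
<?php
// Added illustration of an HSTS middleware for Laravel 10; not the AVA codebase's
// own middleware. The max-age value and class name are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class StrictTransportSecurity
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Browsers ignore HSTS received over plain HTTP, so only emit it on HTTPS.
        // max-age is one year; includeSubDomains covers beta/staging hostnames.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }
}

// Matching session settings (config/session.php). "secure" keeps the session
// cookie off plain-HTTP responses; "http_only" keeps it away from JavaScript:
//
//   'secure'    => env('SESSION_SECURE_COOKIE', true),
//   'http_only' => true,
//   'same_site' => 'lax',
//
// Register the class in app/Http/Kernel.php under the global $middleware array.
```

After deployment, `curl -sI https://<host>/ | grep -i -e strict-transport -e set-cookie` should show the HSTS header and a `Set-Cookie` line carrying `Secure` and `HttpOnly`. If TLS terminates at a load balancer, `isSecure()` only returns true when the proxy is listed in `TrustProxies`; otherwise the header is silently never sent, which is the first thing to check when the curl output is empty.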
Access Control
Restricted public access to RDS databases, implemented an Account Lockout mechanism to thwart brute-force attacks, and addressed Username Enumeration vulnerabilities.
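Account lockout and username-enumeration fixes interact: the lockout counter and the failure message must behave identically whether or not the username exists, otherwise the lockout itself becomes an enumeration oracle. The class below is an added, self-contained illustration of that behaviour and is not the AVA codebase's implementation; the thresholds, the in-memory store and the sample user are assumptions constructed for the example.

```php
<?php
// Added illustration of account lockout without username enumeration;
// not the AVA codebase's implementation. Thresholds and the in-memory
// store are assumptions so the example runs stand-alone.

final class LoginGuard
{
    private const MAX_ATTEMPTS = 5;
    private const LOCKOUT_SECONDS = 900;

    // One message for unknown user, wrong password and locked account alike,
    // so the response text never reveals whether the username exists.
    public const GENERIC_FAILURE = 'Invalid username or password.';

    /** @var array<string, array{count:int, locked_until:int}> keyed by lowercase username */
    private array $failures = [];
    private string $dummyHash;

    /** @param array<string,string> $users username => password_hash() output */
    public function __construct(private array $users)
    {
        // Verified against for unknown usernames so the work done (and thus the
        // response time) matches a real password check.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /** @return array{ok:bool, message:string} */
    public function attempt(string $username, string $password, ?int $now = null): array
    {
        $now ??= time();
        $key = strtolower($username);
        $state = $this->failures[$key] ?? ['count' => 0, 'locked_until' => 0];

        if ($state['locked_until'] > $now) {
            // Locked: skip the password check but keep the generic message.
            return ['ok' => false, 'message' => self::GENERIC_FAILURE];
        }

        // Always run password_verify, even for unknown users.
        $hash  = $this->users[$key] ?? $this->dummyHash;
        $valid = password_verify($password, $hash) && isset($this->users[$key]);

        if ($valid) {
            unset($this->failures[$key]);   // successful login resets the counter
            return ['ok' => true, 'message' => 'Welcome.'];
        }

        // Failures are counted for unknown usernames too, so lockout timing
        // cannot be used to tell real accounts from non-existent ones.
        $state['count']++;
        if ($state['count'] >= self::MAX_ATTEMPTS) {
            $state['locked_until'] = $now + self::LOCKOUT_SECONDS;
            $state['count'] = 0;
            // Lockouts are worth alerting on; log server-side only, never in the response.
            error_log("lockout: user={$key} until={$state['locked_until']}");
        }
        $this->failures[$key] = $state;

        return ['ok' => false, 'message' => self::GENERIC_FAILURE];
    }
}

// Constructed sample data for running the example.
$guard = new LoginGuard(['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Same message for a real account and a non-existent one.
var_dump($guard->attempt('alice', 'wrong')['message'] === $guard->attempt('nobody', 'wrong')['message']);

// Four more failures reach the threshold; the correct password is then refused
// until the lockout expires.
for ($i = 0; $i < 4; $i++) {
    $guard->attempt('alice', 'wrong');
}
var_dump($guard->attempt('alice', 'correct horse')['ok']);
```

Keying the lockout on username alone lets anyone lock a known user out by sending bad passwords; in production, pair the counter with the source IP or add a progressive delay or CAPTCHA stage so that the brute-force defence does not become a denial-of-service lever. The "forgot password" and registration flows need the same uniform messaging, since they are the other common enumeration paths.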
AWS Hardening
Enabled Multi-Factor Authentication (MFA) and External IDs for cross-account roles, enforced a strong AWS IAM password policy, and updated third-party components like jQuery and Apache to newer, secure versions.
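The MFA and External ID controls live in the trust policy of the cross-account role. The document below is an added example of such a trust policy and is not one of the AVA account's actual policies; the account ID, `Sid` and External ID value are placeholders constructed for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPartnerAccountWithExternalIdAndMfa",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER" },
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

The `sts:ExternalId` condition stops the confused-deputy case where a third party that holds the same role ARN on behalf of several customers is tricked into assuming it for the wrong one; `aws:MultiFactorAuthPresent` rejects assumption from sessions that did not authenticate with MFA. The account password policy mentioned above can be read back for verification with `aws iam get-account-password-policy`.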
Data Encryption
Enabled EBS and RDS encryption at rest across production and beta environments to ensure compliance with security best practices.
2. Server & Performance Upgrades
To improve application responsiveness and scalability, the following infrastructure upgrades were performed:
Environment Modernization
The new staging/beta server has been established on the latest stable Ubuntu release (Noble 24.04).
Hardware Scaling
EC2 instance types for development, staging, and shadow production were upgraded to t2.xlarge and t2.2xlarge to handle higher loads.
Framework Upgrades
Updated PHP-based applications from PHP 7.3 to PHP 8.3 and upgraded Laravel applications to Laravel 10.
Resource Optimization
Tuned PHP-FPM settings (e.g., increasing pm.max_children) to better utilize server resources and handle simultaneous requests.
Monitoring & Alerting
Installed Grafana and Prometheus on all servers to track CPU, RAM, and disk usage, with integrated AWS Lambda and SNS alerts for real-time performance monitoring.
3. Critical Functional Bug Fixes & Improvements
Enhancements were made to the core Web Portal and Task Modules to improve the user experience:
Task Module Enhancements
Task Category Field Updated
- Changed the name from “Task Type” to “Task Category”.
- Added new dropdown options.
Longer Task Titles Allowed
- Increased the character limit for the Title field to support longer names.
New Field: Agency Name
- Added a new dropdown field called “Agency Name”.
- Only Supervisor users can see and use this field.
- Options are based on the list shared by your team.
New Field: Insured Name
- Added a text field for entering the Insured Name.
- This field accepts special characters such as &, %, and #.
- Updated logic to allow duplicate task titles and to permit the same date for both Due Date and Reminder Date.
- Added a “Notes” column to task records for better visibility.
- Fixed page crashes when accessing the “To Be Reviewed” and “Completed” sections in Tasks.
General Web Updates
- Expanded Date of Birth support to allow entries prior to 1950.
- Updated the Premium amount field to accept decimal values (using a period as the decimal separator).
- Resolved global SMTP errors that caused misleading “Something went wrong” messages during email-based actions.
- Restricted screenshot visibility so that agents can no longer view their own screenshots, ensuring privacy in accordance with new supervision policies.
4. VAVision Desktop Agent Compatibility
Reliability Fixes
Resolved issues where screenshots were not uploading correctly due to file matching logic errors.
Standalone Installer
Created a new standalone Windows installer using InnoSetup, which includes an automatic check and silent install for SQL Server LocalDB.
Future Readiness
Conducted R&D for a next-generation desktop agent built on a modernized cross-platform .NET framework.
Parallel Support
Both the current and beta desktop agents will remain fully functional during the migration period to ensure no disruption in performance tracking.