DreamFactory Security Guide

Similar documents
MigrationWiz Security Overview

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

epldt Web Builder Security March 2017

OpenIAM Identity and Access Manager Technical Architecture Overview

Solutions Business Manager Web Application Security Assessment

Security context. Technology. Solution highlights

Sentinet for Microsoft Azure SENTINET

Partner Center: Secure application model

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

ForeScout Extended Module for Carbon Black

Security in the Privileged Remote Access Appliance

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

Security in Bomgar Remote Support

WHITEPAPER. Security overview. podio.com

Security Guide Zoom Video Communications Inc.

ForeScout Extended Module for MaaS360

Google Identity Services for work

ForgeRock Access Management Customization and APIs

Security and Privacy Overview

W H IT E P A P E R. Salesforce Security for the IT Executive

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

ForeScout Extended Module for MobileIron

ForeScout Extended Module for VMware AirWatch MDM

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

ArcGIS Enterprise Security. Gregory Ponto & Jeff Smith

Symantec Endpoint Protection Family Feature Comparison

FAQ. General Information: Online Support:

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Liferay Security Features Overview. How Liferay Approaches Security

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

Novell Access Manager 3.1

Scaling DreamFactory

Salesforce Enterprise Edition Upgrade Guide

Security Architecture

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

SAML-Based SSO Solution

Kubernetes Integration Guide

Code42 Security. Tech Specs Data Protection & Recovery

Information Security Policy

ForeScout Extended Module for ServiceNow

SafeConsole On-Prem Install Guide

Release Note RM Neon. Contents

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Introduction. The Safe-T Solution

Enterprise Guest Access

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

SECURE DATA EXCHANGE

Administering Jive Mobile Apps for ios and Android

SAP Security in a Hybrid World. Kiran Kola

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, Integration Guide IBM

C1: Define Security Requirements

TIBCO Cloud Integration Security Overview

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

TeamViewer 12 Manual Management Console. Rev

SECURE CODING ESSENTIALS

Security Readiness Assessment

SECURITY DOCUMENT. 550archi

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM)

Providing an Enterprise File Share and Sync Solution for

CIS Controls Measures and Metrics for Version 7

uick Start Guide 1. Install Oracle Java SE Development Kit (JDK) version or later or 1.7.* and set the JAVA_HOME environment variable.

Microsoft Unified Access Gateway 2010

IBM Endpoint Manager Version 9.0. Software Distribution User's Guide

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Talend Component tgoogledrive

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service

How to Configure Authentication and Access Control (AAA)

The threat landscape is constantly

Technical Overview. Access control lists define the users, groups, and roles that can access content as well as the operations that can be performed.

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

PCI DSS Compliance. White Paper Parallels Remote Application Server

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Sentinet for BizTalk Server SENTINET

Getting Started with AWS Security

maxecurity Product Suite

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

System Security Features

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Xerox Connect App for Blackboard

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

Comprehensive Database Security

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

Advanced Service Design. vrealize Automation 6.2

Increase user productivity and security by integrating identity management and enterprise single sign-on solutions.

5 OAuth EssEntiAls for APi AccEss control layer7.com

Identity Provider for SAP Single Sign-On and SAP Identity Management

Sophos Mobile. startup guide. Product Version: 8.1

EMS Platform Services Installation & Configuration Guides

Example Azure Implementation for Government Agencies. Indirect tax-filing system. By Alok Jain Azure Customer Advisory Team (AzureCAT)

Security Specification

Transcription:

DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit security features that have been engineered into the software. Native Install DreamFactory is an open source software package that runs in the cloud or on premises. Single- click installers are available for most of the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) cloud vendors. You can also run DreamFactory on a Linux, Windows, or Mac desktop computer. The software package includes a complete xamp Stack application built with PHP including several default services (i.e. a dedicated SQL and NoSQL database, file storage, email, etc.). These versatile installation options enhance security. A company can use the same secure deployment practices for DreamFactory that they already use for their other applications. You can monitor usage, make backups, control cost, optimize performance, configure firewalls, and deploy applications with familiar tools and systems. Companies can choose a trusted cloud vendor or their own data center to manage application security. Open Source The DreamFactory source code is available under the Apache License at GitHub. An open source product has "many eyes" on the code base. DreamFactory Software has signed up for third- party security audits as well. DreamFactory Software has quality assurance engineers looking for security problems on a regular basis. Thousands of independent developers are also testing the platform daily. The open source nature of the code base enhances security. The latest version of the software is available on various cloud marketplaces and can be installed on your infrastructure. Since DreamFactory Software doesn t host your application, there is no risk of our company losing your data. You do not need to worry about where our data center is located, who has access to your private information, or how we keep your data separate from other customer accounts.

Automatically Generated Services REST API complexity is a major security challenge. With each new mobile project, there s a tendency to create more and more REST APIs. Each service might be written in house, by different developers, or by external consultants. These services typically have different user management systems, different security protocols, different parameter styles, and different requests and responses. They will be hardwired to various data sources, and designed to run on different pieces of physical infrastructure. Over time, the server- side infrastructure can become increasingly complex, and each new REST API endpoint can potentially introduce new security vulnerabilities. DreamFactory provides a comprehensive and reusable palette of REST API services. All of the various backend data sources are accessed through a unified REST API interface. This provides a reusable platform of REST API services for general- purpose application development. The total number of exposed service endpoints is reduced, and the connections to backend data sources are standardized.

Service Platform In a typical mobile development project, there is a client team and a server team, and the two groups must agree on a REST API interface. DreamFactory stops this back and forth interface negotiation and allows each side to focus on their respective responsibilities. DreamFactory enhances security by decoupling client- side application development from server- side user management and administration.

External Partners In many mobile projects, external consultants create the client- side application and also build the server- side interface. With DreamFactory, trusted members of the IT staff can easily create a REST API for each new mobile project. The platform can provide access to a staging or production database as needed. The client application can be moved from development, to testing, and on to production without code changes. This strategy eliminates the need to expose corporate information and backend systems to external partners working on development projects. Service Abstraction Applications written on a unified service platform also benefit from virtualization provided by the service layer. Services are no longer tied to specific pieces of backend infrastructure. Moving an application from development to testing and on to production is easy. The service platform can be installed anywhere, so applications can be moved between the cloud and data center. Application staging becomes simpler, and application lifecycle management becomes more secure. Some DreamFactory services, such as database services, provide features such as aliasing to further abstract connected resources (i.e. database schema table and field names) represented in the API from the actual implementation.

Role- Based Access Controls SQL databases have various tables, NoSQL databases have collections of documents, and file storage systems have different folders. In DreamFactory, administrators can define roles with role- based access controls to govern which of these components are visible to a given user, along with HTTP verbs such as GET, POST, PUT, PATCH or DELETE that govern access. You can use various combinations of these verbs and service resources to grant or deny user access. Role- based access controls allow information to be hidden from certain roles and their assigned users or applications. For example, individual sales people might not have access to salary information, while this data might be available to managers. This capability prevents accidental data loss or disclosure of sensitive information. Record- Level Access Control Roles can be customized further with server- side filters to implement record- level access control. Each filter takes the form of a "field operator value" equation that must be true to enable access. The record- level access controls can impose constraints on external data sources. For example, you can limit data visibility only to records that the user created. This feature provides fine- grained security control of data sources.

Application API Keys Applications in a DreamFactory instance can represent actual application code hosted on the instance, code hosted elsewhere on another server, or a designation for a native mobile app. Each application gets an API key generated at creation. The API key must be used for all access to the API (with a couple of exceptions noted below). The API key can be regenerated by administrative request, however care must be taken that all uses of the old key are updated (i.e. this is more difficult for a key embedded in a native mobile application). Applications can be given guest access by assigning a default role to an application detailing what resources should be accessible without user authentication. This is useful, if your application has an open website or kiosk mode. User Management DreamFactory delivers extensive user management features. Single sign- on, user per- application roles, open registration, password resets, email services, email templates, and password hashing are all carefully implemented. The standardization of user management as a service and the integration of user management with the REST API platform prevent the security holes often found in custom implementations. DreamFactory separates administrators from other users. Every DreamFactory instance must have at least one administrator configured at installation. Administrators can login, use the admin console, perform API calls, do not have roles, and are not required to use API keys for access. As such, these credentials should be safeguarded and usage minimized. DreamFactory supports the standard username and password user management, but can also be provisioned to utilize most common OAuth providers and even LDAP and Active Directory.

Single Sign- On When a user signs on to a DreamFactory instance via any of the aforementioned login options, they receive a session token, based on JSON Web Token (JWT) technology. The token is digitally signed and secures information about the identity of that user and the connection. This token is controlled by a configurable renewal and expiration policy and can be securely stored on the client. It must be included for all authenticated API usage. Depending on the DreamFactory instance configuration, all network transactions can be conducted over HTTPS, thus adding the security capabilities of SSL/TLS to standard HTTP communications. Deactivation of System Resources Administrative updates to system resources are instantly reflected across all connections. Most system resources have an active/inactive state. When an administrator deactivates a user, application, role, or service, any further access to that resource is denied. For example, if a user or role is deactivated, any associated session tokens become invalid immediately. If an application is deactivated, any attempted access with that application s API key is denied. This provides a more secure environment at multiple levels of the API for events like people entering or leaving the company, service abuse, or temporary disablement of system resources. Inheriting SQL Security DreamFactory acts as a secure proxy for external data sources. When a SQL database is hooked up with a connection string, DreamFactory automatically inherits the security characteristics of that database. For example, if the connection string is for a read- only database user, then the REST API will deliver all the services as read- only, regardless of other access control settings. DreamFactory can also inherit more complex permissions from a SQL database. You can configure server- side lookup keys to connect a user or role to the corresponding user or role on a remote database. This allows DreamFactory to mimic existing database security permissions, or change them as needed for mobile deployments.

Master Credential Storage DreamFactory can connect to any number of external data sources and services. DreamFactory functions as a secure proxy that creates REST API services, provides server- side scripting, and enforces role- based access control. Each external data source or service will typically require a connection string, username, password, developer key, or some other type of master credential for access. These master credentials are entered by an administrator in the DreamFactory Admin Console and encrypted for secure storage on the DreamFactory instance. When an end user logs in through single sign- on, they have controlled access to external data sources and services as enabled by their user role, but there is no way for them to discover the master credentials. This capability to hide master credentials securely on the DreamFactory instance removes the need for client applications to use the master credentials for any external service. End user access is provided through single sign- on and limited by the user- base access controls. Another benefit of this architecture is that external services can be activated, deactivated, or redirected without changing the client software. Programmable CORS access DreamFactory implements Cross- Origin Resource Sharing (CORS) as a system level web service. The Admin Panel has a simple interface that can enable any host domain to use the DreamFactory REST API. By default, CORS is turned off and the services are only available from the originating host. Programmable CORS support prevents cross- site scripting attacks and use of the API from unauthorized sources, but still allows the administrator to add necessary exceptions and temporary allowances for testing, etc.

Server- Side Scripting DreamFactory uses the V8 Engine developed by Google to run server- side code written in JavaScript. Any request or response can be examined, modified, or rejected by the scripting environment. This enables developers to customize any API call or develop new services as needed. The V8 engine is sandboxed, so server- side scripts cannot interfere with other platform operations, operating system or hardware resources. Scripting and customization can be used for formula fields, field validations, workflow triggers, access control, custom services, usage limits, and more. A third party can use server- side scripts to safely customize the backend system. Custom security protections and notifications can also be implemented with server- side scripts. Server- side scripts can use the REST API when needed. For example, a script might call the email service, trigger a push notification, or store some information in the database. The role- based access controls have separate settings that govern data access for both client- side applications and server- side scripts. This capability enables server- side scripts to safely perform special operations that are not available from the client- side REST API.

SQL Injection Attacks The DreamFactory REST API for SQL includes the ability to use query filter strings as URL parameters. For example, you could request all of the Opportunities greater than a certain amount, or created before a particular date. Each query filter string typically has a field name, operator, and target value. They can be combined into complex expressions with parentheses and logical operators. A SQL injection attack can occur when a hacker types a tricky text string into a search field or constructs a malformed query filter for use in a REST API call. They might use strange escape sequences, incorrect type handling, or unusual patterns of fields, operators, and values. DreamFactory deconstructs each query filter string into individual name, operator, and value components. The field name must match the object, the operator must make sense, and the field value must be well formed. After this, the query filter string is reconstructed with only valid parameters. This prevents unauthorized SQL statements from being injected into the database. URL Routing Attacks Another attack vector concerns spoofed URL strings, illegal URL parameters, or tricky HTTP headers that end up somehow bypassing role- based access controls or otherwise returning sensitive data from the platform. DreamFactory uses the routing engine in the Laravel PHP framework to avoid this problem. The security of the REST API interface has also been rigorously tested by thousands of DreamFactory developers actively building projects. The fact that all of the REST API calls have a single entry point is also more secure than having separate entry points for each backend system. Laravel Framework DreamFactory is written with the latest version of PHP and the Laravel framework. PHP is the world s most widely used server- side programming language, and Laravel is the fastest growing framework for PHP. There is a very large community of professional developers using these products, and many mission- critical websites depend on them for secure implementations. DreamFactory builds upon several widely used Laravel extensions for things like user management, OAuth, LDAP, and URL routing for reliable and secure operation.

In Conclusion DreamFactory is designed to be a secure platform for providing REST API services. Some of these capabilities are an inherent part of our open source model. Other features were specifically engineered to mobilize backend data sources in a secure manner. Reach out to the DreamFactory engineering team if you have additional questions. Community Forum Bugs and Feature Requests Contact Support

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback