Solutions Business Manager Web Application Security Assessment


White Paper: Solutions Business Manager 11.3.1 Web Application Security Assessment

Table of Contents

Micro Focus Takes Security Seriously
Solutions Business Manager Security Safeguards
Web Application Security Test Results for SBM 11.3.1
Reference

Micro Focus Takes Security Seriously

Internet applications are always exposed to attacks by malicious users, abusive bots, and crawlers that exploit weaknesses in the data security model to gain unauthorized access to important data. Solutions Business Manager (SBM) is scanned for Web application security as part of the certification process for each release, and it is thoroughly tested to validate the security of the enterprise data stored in its database. Micro Focus understands that any vulnerability detected during these tests could be exploited to gain access to sensitive enterprise data and ultimately lead to financial loss. Our development and quality assurance organizations endeavor to expose and resolve these types of potential vulnerabilities during each testing cycle.

Micro Focus takes security seriously. We strive to aggressively enhance SBM to safeguard against any new vulnerabilities that are discovered.

Who Should Read This Paper?

This paper is intended for system administrators and others who want to understand the existing security safeguards within SBM 11.3.1 and to review the latest Web application security scan results.

Solutions Business Manager Security Safeguards

Micro Focus applies a multi-layered approach to security within SBM, incorporating best practices for preventing security breaches and for ensuring data integrity and confidentiality.

Server and Database Configuration

SBM Configurator provides an easy mechanism to deploy the various SBM database and application components across multiple servers, which limits what an attacker gains from compromising any single host. For example, data updated by users can be stored on one server, data used to build and describe process apps and other design artifacts on another, and configuration and administrative data on yet another machine. Administrators can then restrict access to each of those servers appropriately, so that breaking into any one server or physical machine does not hand an adversary the whole system.

Data in Transit Encryption

Data is most vulnerable to unauthorized access as it travels across the Internet or within networks. SBM Configurator therefore provides the mechanism to configure the applicable servers to use HTTPS (HTTP over SSL/TLS) to encrypt traffic, authenticate the endpoints, and ensure data integrity. This applies to interactions with end users, inter-component communication, communication with third-party systems, and infrastructure such as LDAP servers and relational databases.

Data at Rest Encryption

Data residing on storage systems and media raises serious concerns for corporate data protection and privacy. SBM has two facets of data at rest: data stored in a relational database and data stored on the file system.

For data in the relational database, there are two factors to securing it. The first is restricting access to the data via permissions on the databases used by SBM; this is governed either by the DBMS user accounts or by the Windows domain accounts that have been granted access to the databases. The second is that the data in the databases can be encrypted by the DBMS for an added layer of security.

Data stored on the file system, such as configuration and connection information, must also be secured. SBM encrypts the credentials used to connect to its various databases with Triple DES (3DES), which the paper describes as using 184-bit keys (a 3DES key is 168 bits of effective keying material, 192 bits including parity bits). Information used to connect to identity providers for Single Sign-On (SSO) is also sensitive, so SBM provides the option to encrypt it; SSO uses 256-bit keys with Blowfish, AES, or 3DES (for 3DES only 168 of those bits act as key material).

Authentication and Session Management

No matter what access method is used (Web browser, mobile apps, or desktop applications), all user access goes through an authentication process. SBM Configurator provides several options for identity providers, such as the internal user database, Windows domain, LDAP, or other third-party providers. Session management in SBM can be configured to use HTTP cookies, NTLM, or security tokens via SSO. SBM also supports more complex scenarios when using SSO, including validation against multiple identity providers and two-factor authentication via smart cards.

In addition, SBM provides controls for managing the idle timeout and the lifetime of security tokens.

Authorization (Access Control)

SBM Application Administrator lets administrators set user permissions at the role, group, and individual level, so they can follow the principle of least privilege: users hold only the authority they need to do their job. Additionally, SBM supports two-way (mutual) SSL/TLS, in which the client must present its own certificate, to restrict access to non-end-user interfaces.

Web Application Security

SBM provides integrated proprietary and third-party firewalling and sanitizing capabilities for various types of attacks:
- XML/HTML content attacks (cross-site scripting [XSS], JavaScript injection, SQL injection, and well-formedness)
- Cryptographic attacks (denial of service and replay attacks)
- SOAP attacks (SOAP operation filtering and rogue SOAP attachments)
- Communication attacks (HTTP header and query string analysis)
- Authentication attacks (cross-site request forgery [CSRF])

This sanitization can be customized via SBM Application Administrator. SBM can use IIS to proxy all server requests, which enables tighter monitoring: all SBM traffic is forced through IIS on port 443 and all Tomcat HTTP connectors are disabled. For details, refer to the SBM Installation and Configuration Guide or the SBM Configurator help.

In addition to content sanitization and monitoring, SBM provides a Web application firewall. It can run in monitoring mode or be set to actively block requests based on defined security rules. These rules are customizable, so administrators can tailor the configuration to their particular content or to heightened security requirements. When a security vulnerability is found, the same mechanism allows virtual patching of systems in the field: a rule that blocks the exploit traffic can be deployed ahead of a code fix.

Web Application Security Test Results for SBM 11.3.1

Testing was performed using Burp Suite Professional v1.7.23. The Burp Web Vulnerability Scanner, a tool within this suite, was used to actively scan requests captured from a client. The scanner is widely used in the industry and applies feedback-driven scan logic rather than a static list of possible vulnerabilities.

Test Setup

Burp Suite was run on a dedicated machine acting as a proxy server that monitors requests made through the Web browser. For these tests, Burp Suite monitored requests to a remote, self-contained installation of SBM configured with SBM Internal authentication and SSO session management. Burp Suite recorded requests made through the browser, noting passively detected vulnerabilities at the same time. It was then used to actively scan every recorded request that carried parameters, sending numerous (hundreds or thousands of) requests modeled on each scanned request but with parameter alterations intended to expose vulnerabilities. SBM was configured to use HTTPS for all requests, and SSO was enabled. To account for customization variability, a custom Web application firewall ruleset was also put in place.

Scanning tested for the following types of attacks:
- SQL injection
- OS command injection
- Server-side code and template injection
- Reflected and stored cross-site scripting
- File path traversal/manipulation
- External/out-of-band interaction
- HTTP header injection
- XML/SOAP injection
- LDAP injection
- Cross-site request forgery
- Open redirection
- Header manipulation
- Server-level issues

Micro Focus evaluated the results of these scans, looking for requests with potential vulnerabilities.

Use Cases

Scanning was done against what can be considered typical usage of SBM. This includes:
- Logging into SBM
- Viewing item data
- Viewing reports
- Viewing backlogs
- Viewing activities
- Viewing Kanban
- Viewing external feeds for Kanban

Special attention was focused on operations that store or modify data in the system, including:
- Submitting an item
- Transitioning an item
- Creating and modifying a report
- Creating backlogs
- Creating activities
- Searching
- Updating user profile information
- Creating Kanban
- Creating users in SBM Application Administrator
- Requesting a query at runtime
- Reporting with a query at runtime
- Attaching a file/URL to a field
- Viewing a file/URL in a field
- Adding and viewing quick links and favorites
- Adding and viewing folders
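The test setup above describes the core loop of an active scanner: take a recorded request, re-send it many times with one parameter altered, and inspect each response for evidence of a weakness. The following is an added example written for this page (it is not Micro Focus or Burp Suite code) that implements that loop in miniature against a constructed in-process handler standing in for one SBM page. The handler, its parameter names (`q`, `item`, `sort`), the probe payloads and the detection strings are all illustrative assumptions; a real scan runs the same idea over live HTTP with far more payloads and response analysis.

```python
"""Minimal feedback-driven active scan: record a request, mutate one
parameter at a time with attack payloads, and check every response.

Added example, not Micro Focus or PortSwigger code.  The target below is a
constructed stand-in for a server endpoint; names and payloads are assumed."""
import html
import re
from urllib.parse import parse_qs, urlencode


# --- constructed target: one page with a reflected-XSS bug in "q" -----------
def target_app(path, query):
    """Stand-in endpoint.  'q' is echoed unencoded (vulnerable); 'item' is
    validated as an integer and 'sort' is HTML-encoded (both safe)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if path != "/search":
        return 404, "not found"
    item = params.get("item", "")
    if not re.fullmatch(r"\d+", item):
        return 400, "bad item id"
    body = ("<p>Results for: " + params.get("q", "") + "</p>"
            "<p>Sorted by: " + html.escape(params.get("sort", "")) + "</p>")
    return 200, body


# --- scanner ----------------------------------------------------------------
CANARY = "zq9k"  # unique marker so our own input is distinguishable from page text

# Each probe pairs a payload built around the canary with a check on the body.
PROBES = {
    "reflected_xss": (
        f"<{CANARY}>",
        lambda body: f"<{CANARY}>" in body,   # echoed with angle brackets intact
    ),
    "sql_error": (
        f"'{CANARY}",
        lambda body: re.search(r"(?i)sql syntax|odbc|syntax error", body) is not None,
    ),
    "path_traversal": (
        "../../../../etc/passwd",
        lambda body: "root:x:0:0" in body,
    ),
}


def scan_request(app, path, base_params):
    """Mutate each parameter of a recorded request with every probe payload,
    send the mutated request to `app`, and return the findings."""
    findings = []
    for name in base_params:
        for probe, (payload, check) in PROBES.items():
            mutated = dict(base_params)
            mutated[name] = payload           # alter exactly one parameter
            status, body = app(path, urlencode(mutated))
            if check(body):
                findings.append({"param": name, "issue": probe, "status": status})
    return findings


def main():
    # A request as the proxy would have recorded it (constructed sample).
    recorded = {"q": "login", "item": "42", "sort": "date"}
    for f in scan_request(target_app, "/search", recorded):
        print(f"{f['issue']} in parameter '{f['param']}' (HTTP {f['status']})")


if __name__ == "__main__":
    main()
```

Running it reports a single reflected XSS in `q`; the integer check on `item` and the HTML encoding on `sort` defeat every probe, which is exactly the kind of per-parameter result the paper's findings tables summarize.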

Findings

The results of the security scans were evaluated. No serious vulnerabilities were found. Results flagged as potential low-severity issues were inspected manually and determined not to be problems, as detailed below.

Low-severity issues flagged by the scanner, all reviewed manually:
- Cacheable HTTPS response
- Content types incorrectly stated
- Content type is not specified
- Cross-domain Referer leakage
- Cross Site Request Forgery (CSRF)
- SQL Injection
- DOM-based XSS
- DOM data manipulation (DOM-based)
- File path manipulation
- Form action hijacking
- HTTP Parameter Pollution (HPP)
- HTTP response header injection
- LDAP injection
- Link manipulation
- Multiple content types specified
- Open redirection
- Parameter injection (URL)
- Parameter injection (body)
- Path-relative style sheet import
- Suspicious input transformation
- User agent-dependent response
- X-Forwarded-For dependent response
- XSS (stored)
- XSS (stored/reflected)

Areas tested for these issues: submit, view, and transition item; user profile modification; Kanban creation and execution; backlog; request for query at runtime; report creation, preview, and execution (including Change History reports that contain advanced SQL conditions); feed field values in a call; attaching a file/URL to a field; viewing a file/URL in a field; Application Administrator; adding and viewing folders.

Results recorded for the flagged items:
- CSRF: the flagged requests change no data; for submit, view, and transition item, the session ID prevents the CSRF attack.
- SQL injection (report preview and execution of Change History reports containing advanced SQL conditions): passed after adding a ModSecurity rule that blocks report execution if malicious SQL is detected. For details on adding this rule, refer to Micro Focus solution S141332.
- HTTP response header injection and stored/reflected XSS (user profile modification; submit, view, and transition item): the response does not get interpreted as HTML.
- Report creation and execution: no data is changed.
- Modified paths: the server returns a 404 error.

OWASP Top Ten Results

The categories below follow the OWASP Top 10 2017 Release Candidate 1, which was current when this assessment was run; A7 (Insufficient Attack Protection) and A10 (Underprotected APIs) from that draft were replaced in the final 2017 list.

A1 Injection: No issues found. SBM actively monitors for different injection attacks and follows design patterns that prevent them.
A2 Broken Authentication and Session Management: No issues found. SBM uses industry best practices for session management, authentication, and password management.
A3 Cross-Site Scripting (XSS): No issues found. SBM actively monitors for XSS attacks and provides fine-grained configuration of allowed content.
A4 Broken Access Control: No issues found. All access to objects inside SBM goes through a centralized access control check that verifies the user's permission. All data requests are validated at both the client and the server level to ensure the caller has permission to the data.
A5 Security Misconfiguration: No issues found. SBM provides a configuration application (SBM Configurator) to ease the configuration of security settings and gives guidance on securing the configuration properly.
A6 Sensitive Data Exposure: No issues found. Sensitive data stored by SBM is stored securely at rest and, if HTTPS is configured, in transit to the server.
A7 Insufficient Attack Protection: No issues found. SBM's sanitization and Web application firewall layers block the attack classes listed above, and every attempt is logged, which enables an administrator to review the logs and identify the attack. Brute-force attacks, such as attempting to guess a user's password, can be prevented by the SBM authentication setting that disables a user account after a configured number of failed login attempts (note that account lockout also lets an attacker lock a legitimate user out by deliberately failing logins, so it should be paired with rate limiting and alerting). Patches for newly discovered vulnerabilities are developed for SBM as they are found.
A8 Cross-Site Request Forgery (CSRF): No issues found. SBM has active monitoring and mitigation for CSRF attacks.
A9 Using Components with Known Vulnerabilities: No issues found. As part of the release process, third-party components are checked against vulnerability lists and updated accordingly.
A10 Underprotected APIs: No issues found. SBM provides secure APIs that require strong authentication. Private session and login data is not exposed through these APIs, and SBM gives access only to the authenticated user's data, not to any other data on the system. API parameters are scrubbed and hardened against attacks.

Reference

Contact Website: www.microfocus.com/serena/support
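The CSRF finding above ("Session ID prevents CSRF attack") and the A8 entry deserve one caveat a practitioner will want: a session identifier only defends against CSRF when it travels in something a hostile page cannot supply, such as a request parameter or custom header, not when it rides in a cookie the browser attaches automatically. The example below is added for this page and is not SBM code; it models a state-changing "transition item" endpoint twice, once authenticated by the session cookie alone and once additionally requiring a per-session synchronizer token. The request dictionaries, cookie and field names, and the in-memory session store are assumptions for illustration.

```python
"""Why a session cookie alone does not stop CSRF, and what does.

Added example, not Micro Focus/SBM code.  Endpoints are modelled as plain
functions taking a request dict; the session store, cookie name and field
names are assumptions."""
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user", "csrf"}.
SESSIONS = {}


def login(user):
    """Create a session and a per-session CSRF token (synchronizer token)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(request):
    return SESSIONS.get(request.get("cookies", {}).get("SESSIONID"))


def transition_vulnerable(request):
    """Authenticates with the cookie only.  The browser attaches the cookie to
    any request, including one a hostile page triggers, so a valid session
    proves who the user is but not that the user intended this request."""
    sess = _session(request)
    if sess is None:
        return 401, "login required"
    form = request["form"]
    return 200, f"item {form['item']} -> {form['state']} by {sess['user']}"


def transition_hardened(request):
    """Additionally requires the per-session token in the request body.  A
    cross-site page cannot read the victim's token (same-origin policy), so
    it cannot build a request that passes this check."""
    sess = _session(request)
    if sess is None:
        return 401, "login required"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):  # constant-time compare
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"item {form['item']} -> {form['state']} by {sess['user']}"


def legitimate_request(sid):
    """Form submitted from the application's own page: it embeds the token."""
    return {"cookies": {"SESSIONID": sid},
            "form": {"item": "1001", "state": "Closed",
                     "csrf_token": SESSIONS[sid]["csrf"]}}


def forged_request(sid):
    """Auto-submitted form on a hostile site: the browser adds the cookie,
    but the attacker does not know the token."""
    return {"cookies": {"SESSIONID": sid},
            "form": {"item": "1001", "state": "Closed"}}


def demo():
    """Return the HTTP status each variant gives the forged and real requests."""
    sid = login("alice")
    return {
        "vulnerable_forged": transition_vulnerable(forged_request(sid))[0],
        "hardened_forged": transition_hardened(forged_request(sid))[0],
        "hardened_legit": transition_hardened(legitimate_request(sid))[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The cookie-only endpoint accepts the forged request with HTTP 200; the hardened one rejects it with 403 while still serving the genuine form. Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile second layer, but the token check is what makes the server's decision independent of browser behaviour.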


Micro Focus UK Headquarters, United Kingdom, +44 (0) 1635 565200. U.S. Headquarters, Rockville, Maryland, 301 838 5000 / 877 772 4450. Additional contact information and office locations: www.microfocus.com. Document 162-000134-002 S 12/17. 2017 Micro Focus. All rights reserved. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.