
Concept definition - Thin front end solution - delivering eBusiness matching your existing business process at a low cost - concept definition


DESCRIPTION

Here is the concept definition of how to make a low cost eBusiness platform with high customer focus and supporting the existing business process and supply chain. The solution is no longer active in Shell but the concept still applies.


“Thin front end solution” for eBusiness.

The background for the genesis of the “Thin front end solution”.

In its simplest form, eBusiness ordering can be seen as the customers doing what the CSC does today, and that view gave birth to the concept of the “Thin front end solution” back in 1999 in Denmark.

If we were able to just replace the “blue and green screens” in the CSC with a web page interfacing directly to our ERP, we would have the ideal and simplest solution for eBusiness. (See simplified drawing below)

The benefit of the “Thin front end solution” would be that you still follow the business rules and processes already in place in the ERP for the other sales channels, as all processing (price calculation etc.) would be done in the same place (software and hardware) and thereby align with the other sales channels.

Besides this, you would have all the data in one place connected to the customer, meaning an integrated view from the CSC and no replication/synchronization of data to other systems, thereby keeping cost at a low level.

Another reason for it being a low cost solution is that the only new hardware to buy is the hardware that handles the presentation of the web layer to the users/customers. This does not need big processing power or big data storage capacity, as all these things are done/stored by the ERP, thereby utilizing its processing/storage power. The rest of the infrastructure needed is already in place with the GID-mini hub set-up.


Programming of the business process would not be needed, as it is a matter of reusing the ones that already exist. You will also be relying on the people maintaining the ERP, so no new skills need to be developed.

Concerns have been raised about whether it would overload the ERP, but you should look at it as having just moved the work from the CSC to the customers, meaning in theory that you have the same load on the ERP if you have the same number of customers, because what the customer will do, the CSC would have done in the past.

Security is another concern when you give the customer access from the Internet to your systems.

The first decision was to send the userID and password by different channels, e.g. the userID via mail to the legal owner of the accounts connected to the online user and the password to the provided e-mail address, thereby protecting against social hackers. These channels should also be the only ones used when people forget one or the other. The exception was a sales rep. handing over the userID and password face to face.

In Scandinavia a tool has been used that proves the security of the “Thin front end solution” is of the highest standard for eBusiness; see the embedded information for more on the issue.

Butler Group Technology Audit

Gardner research on product used

Reference list of companies using tool

For firewall configuration see

For developing secure thin front solution see

The Top Ten Web Application Security Vulnerabilities


How does the “Thin front end solution” work?

Technically, the “Thin front end solution” starts with a user accessing the site, e.g. www.shell.dk/shellonline. A “Dispatcher” (communication program on the web server) then initiates “Call first Page”, and the “Page generator” (program that builds the web pages) makes the login page. Via an algorithm and the hidden fields in the page, the Page generator makes a Digital Signature for the page.

The user then types in information and triggers the log-in event on the web page. This is sent to the “Dispatcher”, which first checks the Digital Signature of the page/information and then takes the information and delivers it to the right “Event handler” on the web server (program that handles what should happen when the event is triggered).

The event handler can then trigger from 0 to many APIs (interfaces between the web and the ERP system in a specified record format).

This could be to get a price for an order, calling the pricing module in the ERP, or it could be to show an account statement, activating the module that handles getting the account statement data. It could also be to get information that would normally have required several screens in the CSC (modules in the ERP), making the web solution much more user friendly and easy to navigate.

The information coming back is then sent to the Page Generator (program that puts the data in the right template for building up the page to return to the user; the Page Generator can also call the ERP via APIs to get the data to build the right page), and then the cycle starts again.
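The signing and checking steps described above, as an added sketch that is not Websydian's code or the original solution's: the page does not name the algorithm, so this assumes an HMAC-SHA-256 tag over the hidden fields, bound to a page id and a session id. The names `generate_page`, `dispatch`, `page_tag`, `_sig` and `SERVER_KEY` are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac
import json

# Assumption: secret shared only by the page generator and the dispatcher.
SERVER_KEY = b"constructed-demo-key"


def page_tag(page_id, session_id, hidden):
    """MAC over the page id, the session id and the sorted hidden fields."""
    msg = json.dumps([page_id, session_id, sorted(hidden.items())],
                     separators=(",", ":")).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def generate_page(page_id, session_id, hidden):
    """Page generator: emit the hidden fields plus the signature field."""
    return {**hidden, "_sig": page_tag(page_id, session_id, hidden)}


def dispatch(page_id, session_id, event, posted, user_input, handlers):
    """Dispatcher: check the signature first, then call the event handler."""
    hidden = {k: v for k, v in posted.items() if k != "_sig"}
    expected = page_tag(page_id, session_id, hidden)
    supplied = str(posted.get("_sig", ""))
    if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        return ("rejected", "signature mismatch")
    handler = handlers.get(event)
    if handler is None:
        return ("rejected", "unknown event")
    return ("ok", handler(hidden, user_input))


def demo():
    """Constructed sample: one valid post, one tampered field, one replay."""
    handlers = {"get_price": lambda h, u: f"{h['item']} x{u['qty']} for {h['account']}"}
    page = generate_page("order", "sess-1", {"account": "10042", "item": "A-7"})
    qty = {"qty": "3"}  # typed by the user, so not covered by the signature
    valid = dispatch("order", "sess-1", "get_price", page, qty, handlers)
    tampered = dispatch("order", "sess-1", "get_price",
                        {**page, "account": "10043"}, qty, handlers)
    replayed = dispatch("order", "sess-2", "get_price", page, qty, handlers)
    return valid, tampered, replayed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Values the user types are outside the tag by design, so the event handler still has to validate them before passing them to an ERP API.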

The template could be user dependent, meaning that for different users the data and actions to be built into the customer-facing page would be different. E.g. a reseller/agent should have the data presented in another way than a private customer or a BtoB etc. Besides this, you could also exclude things on the template side, meaning that a CSC version would have all possibilities but the other user types would have a subset on both the functionality and the data side. This would mean developing the interfaces for each functionality/service only once for all groups of users, thereby lowering development cost.


More security information.

Websydian Security

Security on the Internet is a major concern and must be addressed at different levels, from the application level, by ensuring data integrity, enforcing user authentication etc., to the operating environment level, where a number of threats such as hacking or denial-of-service attacks exist.

At the application development level Websydian includes ready-to-use solutions for data integrity protection, user access control and complete audit control and management, which all cover important issues of E-Business application security. These patterns can be used in any E-Business development project and require no additional programming.

Enhanced reliability, security and protection of corporate data in the operating environment are realised with the improved Distributed Websydian Architecture (DWA), which provides high protection of corporate data and protection against e.g. denial-of-service attacks propagating from web servers to back-end servers - attacks which can jeopardize business.

High availability is ensured through the Websydian Server, by continuously monitoring applications and performing error recovery operations if necessary. High performance can be achieved by distributing applications across several servers using Websydian Server Agents.

Websydian provides security at all the different levels from the application layer to the operating system environment and has been used for development of a number of high-security E-Business applications.

White paper

This white paper analyses the role of Websydian and developers using Websydian for each of the top ten web application security vulnerabilities (http://www.owasp.org/documentation/topten) identified in the Open Web Application Security Project (http://www.owasp.org). The analysis shows that Websydian takes care of nine of the ten issues with little or no intervention required by the developer.

On top of this it can be mentioned that the encryption algorithm included by default in Websydian is MD2. However, Soft Design already has a stronger encryption algorithm, SHA 1, which is used by a number of our customers.

If that is not strong enough, other algorithms can easily be used instead.

Further, a presentation we made at the Plex user conference in Barcelona is included.