Ivo Gonçalves, Platform Operations Expert Services
https://www.linkedin.com/in/ivomgoncalves
Paulo Costa, Platform Operations Expert Services
https://www.linkedin.com/in/pauloalex
Agenda
• What is IT security?
• Layered security.
• Secure your infrastructure and your application with OutSystems recommendations:
○ 7 common vulnerabilities.
■ Vulnerability explanation and mitigation.
What is IT security?
“IT Security is the process of implementing measures and systems designed to securely protect and safeguard information (...) against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure (...)”
SANS Institute
CIA Triad
• Confidentiality: prevent unauthorized parties from accessing the information.
• Integrity: prevent data manipulation and deletion by unauthorized parties.
• Availability: information is always available to authorized parties.
Layered security
“Layered security combines multiple security measures to make sure that you don't have all your security eggs in one basket. This protects you from different sources and different types of threats.”
Fortinet blog, 14 January 2014
• Application: development practices.
• Application Servers: security configurations deployed in the application servers.
• Systems and Network: security configurations deployed in the surrounding infrastructure.
Security and OutSystems
● Generated code is subject to advanced vulnerability scanning.
○ OutSystems applications are mostly secure.
● Vulnerabilities in user-written code can still be present.
● The Application Servers and Systems and Network layers may have vulnerabilities.
● No system is 100% secure.
Description: Open communication channels
• Information exchanged in plain text.
• Network monitoring:
○ Eavesdropping and tampering.
Mitigation — HTTPS (Application Server Layer)
• Acquire a digital certificate.
• Configure your application server to support HTTPS.
• Disable SSL 2.0 and 3.0.
• Prevent BEAST attacks.
• Mobile requires valid and trusted certificates.
• HTTPS for all screens and integrations.
Mitigation — HTTPS (Application Server Layer): Service Center and LifeTime
• HTTPS for all screens and integrations.
Mitigation — HTTPS (Application Layer)
• Web Screens
• Integrations
• Web Flows
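The checklist above (HTTPS on, SSL 2.0/3.0 off, BEAST prevented) maps onto a protocol floor: BEAST targets CBC cipher suites in TLS 1.0, so requiring TLS 1.2 or later covers all three bullets at once. The following is an added example written for this page, not OutSystems code and not taken from the webinar; it builds a server-side context with Python's standard `ssl` module and includes a small self-check. The certificate and key paths are optional placeholders, and `audit_tls_context` is a hypothetical helper name.

```python
import ssl


def make_server_tls_context(certfile=None, keyfile=None):
    """Build a server-side TLS context following the slide's checklist:
    HTTPS on, SSL 2.0/3.0 off, and TLS 1.0/1.1 off as well, since BEAST
    exploits CBC ciphers in TLS 1.0. certfile/keyfile are optional so the
    context can be built and inspected without a certificate on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Set a protocol floor instead of toggling OP_NO_* flags one by one;
    # anything below TLS 1.2 (SSL 3.0, TLS 1.0, TLS 1.1) is refused.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Let the server, not the client, decide the cipher suite order.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile and keyfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings for a context; an empty list means it meets
    the slide's requirements. This is a configuration self-check, not a
    network scan of a remote server."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2: SSL 3.0 / TLS 1.0 may be negotiated (BEAST)")
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("client chooses the cipher suite order")
    return findings


if __name__ == "__main__":
    hardened = make_server_tls_context()
    print("minimum version:", hardened.minimum_version.name)
    print("findings:", audit_tls_context(hardened) or "none")
```

On a real deployment the same floor is set in the application server (IIS, Apache, JBoss) rather than in Python; the audit function is the part to keep, run against whatever context the server hands you.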
Description: Session cookie without “secure” flag
• Session cookies transmitted in plain text:
○ E.g. Session ID.
• Session hijack.
Mitigation — Secure Session Cookies (Application Layer)
• Set the ‘secure’ flag for session cookies.
○ Factory Configuration.
Mitigation — Session Fixation (Application Layer)
• Implement token-based authentication and session ID regeneration.
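The two mitigations above belong together: the `secure` flag keeps the session ID off plain-text channels, and regenerating the ID at login stops an attacker-planted ID (session fixation) from ever becoming an authenticated session. The block below is an added example for this page, not OutSystems code and not the webinar's own material; the in-memory `SessionStore`, the cookie name `sessionid` and the `missing_cookie_flags` audit helper are all constructed for the example.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session table. Session IDs are random, and
    login() rotates the ID so a value planted before authentication
    (session fixation) never becomes an authenticated session."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def login(self, presented_sid, username):
        # Discard whatever ID the client presented, whether it was issued by
        # us or planted by someone else, and issue a fresh one bound to the user.
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "created": time.time()}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def session_set_cookie(sid, name="sessionid"):
    """Set-Cookie header for a session cookie with the flag the slide asks
    for (Secure: sent over HTTPS only) plus HttpOnly and SameSite as
    defence in depth against script access and cross-site requests."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def missing_cookie_flags(set_cookie_header, required=("Secure", "HttpOnly")):
    """Audit helper: list the required attributes a Set-Cookie header lacks.
    Attribute names are compared case-insensitively, as browsers do."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in required if flag.lower() not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    before = store.create()          # ID handed out to an anonymous visitor
    after = store.login(before, "alice")
    print("rotated:", before != after, "| old ID still valid:", store.user_for(before) is not None)
    print(session_set_cookie(after))
    print("missing on a bare cookie:", missing_cookie_flags("sessionid=abc; Path=/"))
```

`missing_cookie_flags` is the piece worth running against a real application's responses: point it at the `Set-Cookie` headers from the login page and the check either comes back empty or names exactly what the Factory Configuration change still has to fix.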
Description: Injection/Code injection
• Application handles untrusted data poorly.
• Application allows relaying malicious code to other systems (e.g. SQL Injection).
• Application allows injecting code that is then interpreted/executed (e.g. XSS, HTML injection).
Mitigation — Injection/Code Injection (Application Layer)
• Escape content.
• Encode/Sanitize content.
• Mobile apps escape all input content.
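Both injection families named above share one root cause: untrusted data is spliced into something another interpreter (the database, the browser) will parse. The block below is an added example for this page, not OutSystems code; it places the vulnerable form of each case beside its fixed form so the difference is visible on the same input. The SQLite table and user names are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input pasted into the statement: the data becomes SQL, so a
    # quote in the value changes the query's logic (the slide's SQL Injection case).
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [row[0] for row in rows]


def find_user_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the
    # statement, so it can only ever be compared as a string.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_vulnerable(name):
    # Raw interpolation into HTML: markup inside the name is rendered by the
    # browser (the slide's XSS / HTML injection case).
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name):
    # Escape on output so every character is shown literally. Escaping is
    # context-specific: this is HTML body escaping, not URL or JS escaping.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "nobody' OR '1'='1"   # classic tautology; harmless here, shown to contrast the two queries
    print("vulnerable:", find_user_vulnerable(conn, probe))
    print("safe:      ", find_user_safe(conn, probe))
    print(greeting_vulnerable("<b>x</b>"))
    print(greeting_safe("<b>x</b>"))
```

The same split applies in OutSystems: use parameters in Advanced SQL rather than expanding inline parameters from user input, and keep expressions escaped on screens unless the content is known to be trusted HTML.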
Description: Open redirect
• AKA Unvalidated Redirects and Forwards.
• Application allows redirect requests to an untrusted URL.
• Commonly used for phishing attacks.
Mitigation — Open Redirect (Application Layer)
• Don’t use dynamic URL redirects from input.
• If you do, use built-in functions:
○ ReplaceURLDomain
• If you need to redirect to other domains, check the input URL against a whitelist.
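The last bullet, checking the input URL against a whitelist, is where most open-redirect fixes go wrong: a substring or prefix match on the host passes look-alike domains, userinfo tricks and scheme-relative URLs. The block below is an added example for this page, not OutSystems code and not the `ReplaceURLDomain` function; it parses the URL properly and goes slightly beyond the slide by also handling local paths and non-http schemes. The allowlist hosts and the `safe_redirect_target` name are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts this application may send users to.
ALLOWED_HOSTS = {"www.example.com", "app.example.com"}
FALLBACK = "/"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return url if it is a same-site absolute path or an http(s) URL whose
    host is on the allowlist; otherwise return the safe fallback."""
    if not url:
        return fallback
    url = url.strip()
    # Backslashes and control characters are normalised differently by
    # browsers and parsers; refuse them rather than guess.
    if any(ch in url for ch in "\\\r\n\t\x00"):
        return fallback
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        # Same-site path. A '//host' value is parsed as a netloc and never
        # reaches this branch, but require exactly one leading slash anyway.
        return url if url.startswith("/") and not url.startswith("//") else fallback
    if parsed.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, or scheme-relative //host
    if parsed.username is not None or parsed.password is not None:
        return fallback  # https://www.example.com@other.test: host is other.test
    host = (parsed.hostname or "").lower()
    # Exact host match, not startswith/endswith: www.example.com.other.test
    # and other.test/www.example.com must both fail.
    return url if host in allowed_hosts else fallback


if __name__ == "__main__":
    for candidate in ["/account/settings", "https://app.example.com/home",
                      "//other.test/", "https://www.example.com.other.test/",
                      "https://www.example.com@other.test/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Returning the fallback instead of raising keeps the login flow working when the `next` parameter is tampered with; log the rejected value if you want a detection signal for phishing campaigns that probe the redirect.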
Description: Sensitive user forms with autocomplete
• User forms cache sensitive information (e.g. credit card number, email, etc.).
• Allows retrieving previously used data.
Mitigation — Sensitive Information User Forms (Application Layer)
• Disable autocomplete for sensitive user forms.
Description: User enumeration
• Application reveals whether the username exists.
• Dictionary attack.
• OutSystems 10 has built-in brute force login protection.
Mitigation — User Enumeration (Application Layer)
• Display generic messages.
• Update the code that reveals user information.
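“Display generic messages” is necessary but not sufficient: if the code returns early for an unknown username, the response time still tells the two cases apart. The block below is an added example for this page, not OutSystems code; it shows a leaky login beside one that returns the same message and does the same amount of work for both failure cases. The user table, password and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000
GENERIC_MESSAGE = "Invalid username or password."


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table for the example.
USERS = {"alice": hash_password("correct horse battery")}
# A throw-away credential that unknown usernames are checked against, so the
# expensive hash runs whether or not the account exists.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def login_leaky(username, password):
    """Distinct messages for 'no such user' and 'wrong password' confirm which
    usernames exist, and the early return leaks the same fact through timing."""
    if username not in USERS:
        return False, "Unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt)[1], stored):
        return True, "Welcome"
    return False, "Wrong password"


def login_safe(username, password):
    """Same message and same work for both failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, computed = hash_password(password, salt)
    # The dummy hash can never match a real password by construction, but the
    # explicit membership test keeps that independent of luck.
    ok = hmac.compare_digest(computed, stored) and username in USERS
    return ok, ("Welcome" if ok else GENERIC_MESSAGE)


if __name__ == "__main__":
    for fn in (login_leaky, login_safe):
        print(fn.__name__, fn("mallory", "guess")[1], "|", fn("alice", "guess")[1])
```

Password-reset and registration screens need the same treatment as the login form: “an email has been sent if the account exists” rather than “no account with that email”.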
OWASP Top 10 Matrix
OWASP Reference                                   Webinar Reference
A1  Injection                                     4) Injections
A2  Broken Authentication and Session Management  1) Open communication channels
                                                  2) Session cookies without “secure” flag
                                                  3) Session fixation
A3  Cross-Site Scripting                          4) Injections
A6  Sensitive Data Exposure                       6) Sensitive user forms with autocomplete
                                                  7) User enumeration
A10 Unvalidated Redirects and Forwards            5) Open redirect