Skip to content

Latest commit

 

History

History
79 lines (62 loc) · 5.9 KB

guide-security.asciidoc

File metadata and controls

79 lines (62 loc) · 5.9 KB

Security

Security is todays most important cross-cutting concern of an application and an enterprise IT-landscape. We seriously care about security and give you detailed guides to prevent pitfalls, vulnerabilities, and other disasters. While many mistakes can be avoided by following our guidelines you still have to consider security and think about it in your design and implementation. The security guide will not only automatically prevent you from any harm, but will provide you hints and best practices already used in different software products.

An important aspect of security is proper authentication and authorization as described in access-control. In the following we discuss about potential vulnerabilities and protection to prevent them.

Vulnerabilities and Protection

Independent from classical authentication and authorization mechanisms there are many common pitfalls that can lead to vulnerabilities and security issues in your application such as XSS, CSRF, SQL-injection, log-forging, etc. A good source of information about this is the OWASP. We address these common threats individually in security sections of our technological guides as a concrete solution to prevent an attack typically depends on the according technology. The following table illustrates common threats and contains links to the solutions and protection-mechanisms provided by the devonfw:

Table 1. Security threats and protection-mechanisms
Threat Protection Link to details

A1 Injection

validate input, escape output, use proper frameworks

SQL Injection

A2 Broken Authentication and Session Management

encrypt all channels, use a central identity management with strong password-policy

Authentication

A3 XSS

prevent injection (see A1) for HTML, JavaScript and CSS and understand same-origin-policy

client-layer

A4 Insecure Direct Object References

Using direct object references (IDs) only with appropriate authorization

logic-layer

A5 Security Misconfiguration

Use devonfw application template and guides to avoid

tutorial-newapp and sensitive configuration

A6 Sensitive Data Exposure

Use secured exception facade, design your data model accordingly

REST exception handling

A7 Missing Function Level Access Control

Ensure proper authorization for all use-cases, use @DenyAll as default to enforce

Method authorization

A8 CSRF

secure mutable service operations with an explicit CSRF security token sent in HTTP header and verified on the server

service-layer security

A9 Using Components with Known Vulnerabilities

subscribe to security newsletters, recheck products and their versions continuously, use devonfw dependency management

CVE newsletter and dependency check

A10 Unvalidated Redirects and Forwards

Avoid using redirects and forwards, in case you need them do a security audit on the solution.

devonfw proposes to use rich-clients (SPA/RIA). We only use redirects for login in a safe way.

Log-Forging

Escape newlines in log messages

logging security

Tools

Dependency Check

To address A9 Using Components with Known Vulnerabilities we integrated OWASP dependency check into the devonfw maven build. If you build an devonfw application (sample or any app created from our app-template) you can activate dependency check with the security profile:

mvn clean install -P security

This does not run by default as it causes a huge overhead for the build performance. However , consider to build this in your CI at least nightly. After the dependency check is performed , you will find the results in target/dependency-check-report.html of each module. The report will also always be generated when the site is build (mvn site).

Penetration Testing

For penetration testing (testing for vulnerabilities) of your web application, we recommend the following tools: