This presentation explains the security architecture in Formspider, the application development framework for PL/SQL developers.
Welcome to the Webinar
Starts at 14:00 CEST (07:00 EST)
Agenda
- About the Company behind Formspider
- Authentication and Authorisation Repository
- Formspider Security Architecture
- Repository in Action
- OWASP Top 10 Vulnerabilities
- Countermeasures in Formspider
About Gerger
- International: Worldwide recognition with Formspider. Customers in 24 countries.
- Local: Recognized by the Turkish Government as an R&D company. Founding member of the Turkey Oracle User Group. Member of the Oracle Architect Club Steering Committee.
- Basics: Founded in 2003. Released Formspider Beta in February 2011. Formspider 1.0 in May 2012.
FS JavaScript Library:
- Listens to user input
- Draws the screen
- Sends user input back to the server
FS Engine:
- Keeps a virtual copy of the application instance
- Receives events and updates
- Executes events, runs PL/SQL code (FS APIs)
- Sends screens and commands
FS Middle Tier:
- Facilitates communication
- Stores file assets such as CSS, icons, etc.
OWASP Top 10
- Injection
- Cross Site Scripting
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2010-Main
Injection
- Formspider always uses bind variables.
- Static SQL embedded in PL/SQL is compiled with the program unit; PL/SQL variables used in such statements are bound, never concatenated into the statement text.
- The classic vulnerable pattern (string concatenation in application code, not Formspider):
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
- With UserId supplied as "105; DROP TABLE Suppliers" the statement sent to the database becomes:
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
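The same lookup written in PL/SQL three ways, as an added example that is not Formspider code: concatenated dynamic SQL (injectable), dynamic SQL with a bind variable, and static SQL, which is the form the slide's "always uses bind variables" point refers to. It assumes a table USERS(USER_ID NUMBER, USER_NAME VARCHAR2) exists; the package name, function names and the sample payload are illustrative. Note that Oracle's EXECUTE IMMEDIATE does not run stacked statements, so the "; DROP TABLE" payload above fails with a syntax error in Oracle; a UNION in the same position works and is used here.

```plsql
-- Added example (not Formspider's own code).
-- Assumes: CREATE TABLE users (user_id NUMBER PRIMARY KEY, user_name VARCHAR2(100));
CREATE OR REPLACE PACKAGE user_lookup AS
  FUNCTION name_unsafe       (in_user_id_tx IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION name_dynamic_bind (in_user_id_tx IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION name_static       (in_user_id_nr IN NUMBER)   RETURN VARCHAR2;
END user_lookup;
/

CREATE OR REPLACE PACKAGE BODY user_lookup AS

  -- Vulnerable: the untrusted string becomes part of the statement text,
  -- so the parser treats attacker input as SQL. With the payload
  --   0 UNION SELECT username FROM all_users WHERE rownum = 1
  -- the query returns a database account name instead of an application user.
  FUNCTION name_unsafe (in_user_id_tx IN VARCHAR2) RETURN VARCHAR2 IS
    v_sql  VARCHAR2(4000);
    v_name users.user_name%TYPE;
  BEGIN
    v_sql := 'SELECT user_name FROM users WHERE user_id = ' || in_user_id_tx;
    EXECUTE IMMEDIATE v_sql INTO v_name;
    RETURN v_name;
  END name_unsafe;

  -- Dynamic SQL with a bind: the statement text is fixed at :uid, and the
  -- input can only ever be a value. Non-numeric input fails the conversion
  -- (VALUE_ERROR) before any SQL runs.
  FUNCTION name_dynamic_bind (in_user_id_tx IN VARCHAR2) RETURN VARCHAR2 IS
    v_id   NUMBER;
    v_name users.user_name%TYPE;
  BEGIN
    v_id := TO_NUMBER(in_user_id_tx);
    EXECUTE IMMEDIATE 'SELECT user_name FROM users WHERE user_id = :uid'
      INTO v_name USING v_id;
    RETURN v_name;
  END name_dynamic_bind;

  -- Static SQL: compiled together with the package. The PL/SQL variable
  -- in_user_id_nr is automatically a bind variable; there is no statement
  -- text to inject into.
  FUNCTION name_static (in_user_id_nr IN NUMBER) RETURN VARCHAR2 IS
    v_name users.user_name%TYPE;
  BEGIN
    SELECT user_name INTO v_name FROM users WHERE user_id = in_user_id_nr;
    RETURN v_name;
  END name_static;

END user_lookup;
/

-- Usage (SQL*Plus). Only name_unsafe accepts the crafted input.
SET SERVEROUTPUT ON
DECLARE
  v_payload VARCHAR2(200) :=
    '0 UNION SELECT username FROM all_users WHERE rownum = 1';
BEGIN
  DBMS_OUTPUT.PUT_LINE(user_lookup.name_static(105));
  DBMS_OUTPUT.PUT_LINE(user_lookup.name_unsafe(v_payload));   -- leaks a DB account name
  BEGIN
    DBMS_OUTPUT.PUT_LINE(user_lookup.name_dynamic_bind(v_payload));
  EXCEPTION
    WHEN VALUE_ERROR OR INVALID_NUMBER THEN
      DBMS_OUTPUT.PUT_LINE('rejected: user id is not a number');
  END;
END;
/
```

The practical rule the example illustrates: the only place dynamic SQL is needed in a PL/SQL application is where the statement shape itself varies, and even then untrusted input belongs in the USING clause, never in the string.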
XSS
- Formspider escapes all untrusted data automatically.
- Formspider abstracts HTML and JavaScript away from the developer.
Broken Authentication and Session Management
- Changes the session ID automatically after authentication.
- Enforces the same IP address throughout a user session.
- The application cannot be opened in an iframe from a different domain.
- Every servlet is secured; developers do not add new servlets.
- The session ID is never carried in the URL.
- Session timeout.
Insecure Direct Object References
- Occurs when access to a UI component is restricted in the browser but the corresponding server resource is not secured.
- Formspider APIs are server side.
- Formspider listens to API calls and secures resources.
- If the client sends an illegal action, Formspider ignores it.
- Authorization Repository
Cross Site Request Forgery
- Formspider creates new IDs for UI objects in each web session.
- The new IDs are impossible to predict.
- Formspider applications do not communicate through predictable requests that a third-party page could forge.
Security Misconfiguration
- Formspider allows only the GET, HEAD and POST methods.
- Hides all server error messages from the browser.
Failure to Restrict URL Access
- Formspider exposes only a handful of servlets.
- The number of servlets does not increase with new screens.
Insufficient Transport Layer Protection
- Formspider supports SSL/TLS certificates.
Unvalidated Redirects and Forwards
- Formspider applications run under a single URL. There are no forwards and redirects.
- For bookmarking, Formspider uses a randomly generated string and requires the developer to validate the incoming bookmark before sending the user to a screen.
Authentication and Authorization Repository
- Easy to manage and query
- Security aware UI components
- Security both at data and UI layer
Repository Model
Securing Data
Query level and column level:
- Data secured this way never leaves the database unless the user has the right key.
- Developers can access secured data using APIs without being constrained by security restrictions.
Securing UI Components
- UI components that are bound to data objects inherit their security restrictions.
- Developers can assign keys to the enabled, editable and visible attributes of every UI component.
<textField datasource="emp1" column="LAST_NAME"/>
- If the user doesn't have the key, the attribute value is set to N permanently; the set APIs cannot change the value of the attribute back to Y.
api_component.setVisible('panel1.textLabel1','Y')
Populating Repository with Keys
- The IDE tracks new keys while you reference them and automatically creates them in the repository.
Security APIs
- login(in_username_tx varchar2, in_password_tx varchar2)
- logout
Package api_security:
- hasKey(in_key_tx varchar2)
- hasKey may be used inside SQL to implement row-level security.
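An added example, not Formspider's own code, of the query-level and column-level data security described under "Securing Data" above, built with hasKey in SQL as this slide suggests. It assumes that api_security.hasKey returns 'Y' or 'N' (the slides do not state its return type), that a table EMP(EMP_ID, LAST_NAME, DEPT_ID, SALARY) exists, and that the repository holds keys named DEPT_<dept_id> and EMP_SALARY; the view and key names are illustrative.

```plsql
-- Added example (not Formspider's own code).
-- Assumed: api_security.hasKey(in_key_tx) returns 'Y' when the logged-in
-- user holds the key, 'N' otherwise; table EMP(emp_id, last_name, dept_id, salary).
CREATE OR REPLACE VIEW emp_secured AS
SELECT e.emp_id,
       e.last_name,
       e.dept_id,
       -- Column level: SALARY is NULL unless the caller holds EMP_SALARY.
       -- The scalar subquery makes Oracle evaluate hasKey once per query
       -- (scalar subquery caching) instead of once per row.
       CASE WHEN (SELECT api_security.hasKey('EMP_SALARY') FROM dual) = 'Y'
            THEN e.salary
       END AS salary
  FROM emp e
       -- Query (row) level: only departments the caller holds a key for.
 WHERE api_security.hasKey('DEPT_' || TO_CHAR(e.dept_id)) = 'Y';

-- Application sessions get the view only; the base table stays with the
-- schema owner, so unsecured rows never leave the database through this path.
-- (Assumed role name.)
GRANT SELECT ON emp_secured TO app_user;

-- Check: after logging in as a user who holds DEPT_10 but not EMP_SALARY,
-- only department 10 rows appear and salaries_visible is 0.
SELECT dept_id,
       COUNT(*)       AS visible_rows,
       COUNT(salary)  AS salaries_visible
  FROM emp_secured
 GROUP BY dept_id;
```

The caveat matching the slide's point about developers: code that needs the unfiltered data should read EMP directly in a package owned by the schema, not by temporarily granting keys to the user, so the repository remains the single statement of what each user may see.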
Formspider Security Benefits
- Formspider Applications pass security audits faster
- Developers spend less time on security implementation
- Built-In Security Best Practices
References
- ING Insurance: Turkey branch. Agency portal. Forms modernization.
- Avea: Turkish telco. Logistics reports.
- Zaminbank: Azerbaijan.
- Rhenus: Netherlands branch. Forms modernization of logistics ERP.
- AG Transport: Czech Republic. Logistics ERP.
- New York State: OASAS budget management.
- US Air Force: Active Duty and Reserves recruiting.
- OK International: Global manufacturer of bench tools and equipment used in 3D printing and electronics & industrial product assembly.
- TEAM-PB: Germany. Forms modernization of ProStore, the supermarket chain warehouse management system.
- Serve2Serve: Australia. SaaS application for repair shops.
Thank You!
Twitter: @formspider
LinkedIn: linkedin.com/in/yalimgerger
Web: theformspider.com