
Formspider Security


This presentation explains the security architecture in Formspider, the application development framework for PL/SQL developers.


Page 1: Formspider Security

Welcome to the Webinar

Starts at 14:00 CEST (07:00 EST)

Page 2: Formspider Security

Agenda

- About the Company behind Formspider

- Authentication and Authorisation Repository

- Formspider Security Architecture

- Repository in Action

- OWASP Top 10 Vulnerabilities

- Countermeasures in Formspider

Page 3: Formspider Security

About Gerger

- International: Worldwide recognition with Formspider. Customers in 24 countries.

- Local: Recognized by the Turkish Government as an R&D company. Founding member of the Turkey Oracle User Group. Member of the Oracle Architect Club Steering Committee.

- Basics: Founded in 2003. Released Formspider Beta in February 2011. Formspider 1.0 in May 2012.

Page 4: Formspider Security

Formspider components: FS Engine, FS Middle Tier, FS JavaScript Library

- FS JavaScript Library: Listens to user input. Draws the screen. Sends user input back to the server.

- FS Engine: Keeps a virtual copy of the app instance. Receives events and updates. Executes events, runs PL/SQL code (FS APIs). Sends screens and commands.

- FS Middle Tier: Facilitates communication. Stores file assets such as CSS, icons etc.

Page 5: Formspider Security

OWASP Top 10

- Injection

- Cross Site Scripting

- Broken Authentication and Session Management

- Insecure Direct Object References

- Cross Site Request Forgery

- Security Misconfiguration

- Insecure Cryptographic Storage

- Failure to Restrict URL Access

- Insufficient Transport Layer Protection

- Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top_10_2010-Main

Page 6: Formspider Security

Injection

- Formspider always uses bind variables

- PL/SQL natively compiles SQL

The vulnerable pattern the slide contrasts against (untrusted input concatenated into the statement text):

txtUserId = getRequestString("UserId");

txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

If the request carries UserId = 105; DROP TABLE Suppliers, the concatenated statement becomes:

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
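The same lookup written three ways in PL/SQL, as an added example that is not from the slides or the Formspider code base. It assumes a table USERS(USER_ID NUMBER, USER_NAME VARCHAR2); the first two functions are what "always uses bind variables" means in practice, the third is the slide's anti-pattern transplanted into PL/SQL so a reviewer can recognise it.

```sql
-- Added example, not Formspider code. Assumes USERS(USER_ID NUMBER, USER_NAME VARCHAR2).

-- 1) Static SQL: PL/SQL binds IN_USER_ID itself. The input is only ever a value,
--    and TO_NUMBER rejects anything that is not a number (ORA-01722).
CREATE OR REPLACE FUNCTION get_user_name_static(in_user_id IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_name users.user_name%TYPE;
BEGIN
  SELECT user_name INTO v_name
    FROM users
   WHERE user_id = TO_NUMBER(in_user_id);   -- bound automatically by PL/SQL
  RETURN v_name;
END;
/

-- 2) Dynamic SQL done safely: the placeholder :id is a bind variable, so the
--    statement text is fixed at compile time and the input cannot alter it.
CREATE OR REPLACE FUNCTION get_user_name_dynamic(in_user_id IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_name users.user_name%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT user_name FROM users WHERE user_id = :id'
    INTO v_name
    USING TO_NUMBER(in_user_id);
  RETURN v_name;
END;
/

-- 3) The slide's pattern in PL/SQL: the input becomes part of the statement text,
--    so it can change the WHERE clause instead of being compared against it.
--    Kept here only as the shape to flag in code review.
CREATE OR REPLACE FUNCTION get_user_name_concat(in_user_id IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_name users.user_name%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT user_name FROM users WHERE user_id = ' || in_user_id
    INTO v_name;
  RETURN v_name;
END;
/
```

A static check that pays off in PL/SQL code review: any EXECUTE IMMEDIATE or DBMS_SQL call whose statement string is built with || from a parameter should be rewritten to the USING form.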

Page 7: Formspider Security

XSS

- Formspider escapes all untrusted data automatically.

- Formspider abstracts HTML and JavaScript away from developer.

Page 8: Formspider Security

Broken Authentication and Session Management

- Changes the session ID after authentication automatically

- Enforces same IP address in the same user session

- Cannot be opened in an iFrame if called from different domain

- Every servlet is secured. No new servlets by developers.

- Session ID not shown in the URL

- Session Timeout

Page 9: Formspider Security

Insecure Direct Object Reference

- Occurs when access to UI Component is restricted in the browser but the corresponding server resource is not secured.

- Formspider APIs are server side

- Formspider listens to API calls and secures resources

- If client sends an illegal action Formspider ignores it

- Authorization Repository

Page 10: Formspider Security

Cross Site Request Forgery

- Formspider creates new IDs for UI objects for each web session.

- New ID’s are impossible to predict.

- Formspider Applications do not communicate like this.

Page 11: Formspider Security

Security Misconfiguration

- Formspider allows access only to GET, HEAD and POST

- Hides all error messages.

Page 12: Formspider Security

Failure to Restrict Access

- Formspider exposes a handful of servlets

- Number of servlets doesn’t increase with new screens

Page 13: Formspider Security

Insufficient Transport Layer Protection

- Formspider supports using SSL certificates.

Page 14: Formspider Security

Unvalidated Redirects and Forwards

- Formspider applications run using a single URL. There are no forwards and redirects.

- For bookmarking, FS uses a randomly generated string and requires the developer to validate the incoming bookmark before sending the user to a screen.

Page 15: Formspider Security

Authentication and Authorization Repository

- Easy to manage and query

- Security aware UI components

- Security both at data and UI layer

Page 16: Formspider Security

Repository Model

Page 17: Formspider Security

Repository Model

Page 18: Formspider Security

Repository Model

Page 19: Formspider Security

Securing Data

Query Level:

Page 20: Formspider Security

Securing Data

Column Level:

Page 21: Formspider Security

Securing Data

- Data secured this way never leaves the database unless the user has the right key.

- Developers can access secured data using APIs without being constrained by security restrictions.

Page 22: Formspider Security

Securing UI Components

- UI components that are bound to data objects inherit their security restrictions.

- Developers can assign keys to the enable, editable and visible attributes of every UI component.

<textField datasource="emp1" column="LAST_NAME"/>

Page 23: Formspider Security

Securing UI Components

- If the user doesn't have the key, the attribute value is set to N permanently. Set APIs cannot change the value of the attribute back to Y.

api_component.setVisible('panel1.textLabel1', 'Y');

Page 24: Formspider Security

Populating Repository with Keys

- The IDE tracks new keys while you reference them and automatically creates them in the repository.

Page 25: Formspider Security

Security APIs

Package api_security:

- login(in_username_tx varchar2, in_password_tx varchar2)

- logout

- hasKey(in_key_tx varchar2)

- You may use the hasKey API in SQL to implement row level security.
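How key-based query-level and column-level data security (the Securing Data slides) can be expressed with a hasKey-style function in plain SQL, as an added example that is not Formspider code. DEMO_SECURITY.HAS_KEY is a stand-in with the same signature as the slide's api_security.hasKey; the USER_KEYS and EMP(EMP_ID, LAST_NAME, REGION_CD, SALARY) tables, the SET_USER stand-in for login and the 'Y'/'N' return convention are assumptions of this example.

```sql
-- Added example, not Formspider code. HAS_KEY stands in for api_security.hasKey;
-- USER_KEYS, EMP, SET_USER and the 'Y'/'N' return convention are assumptions.
CREATE TABLE user_keys (
  username VARCHAR2(30)  NOT NULL,
  key_tx   VARCHAR2(100) NOT NULL,
  CONSTRAINT user_keys_pk PRIMARY KEY (username, key_tx)
);

CREATE OR REPLACE PACKAGE demo_security AS
  PROCEDURE set_user(in_username_tx IN VARCHAR2);             -- stand-in for login
  FUNCTION  has_key(in_key_tx IN VARCHAR2) RETURN VARCHAR2;    -- 'Y' or 'N'
END demo_security;
/
CREATE OR REPLACE PACKAGE BODY demo_security AS
  g_username VARCHAR2(30);   -- application user of this session, set at login

  PROCEDURE set_user(in_username_tx IN VARCHAR2) IS
  BEGIN
    g_username := in_username_tx;
  END;

  FUNCTION has_key(in_key_tx IN VARCHAR2) RETURN VARCHAR2 IS
    v_cnt PLS_INTEGER;
  BEGIN
    IF g_username IS NULL THEN
      RETURN 'N';   -- no logged-in user: deny by default
    END IF;
    SELECT COUNT(*) INTO v_cnt
      FROM user_keys
     WHERE username = g_username
       AND key_tx   = in_key_tx;
    RETURN CASE WHEN v_cnt > 0 THEN 'Y' ELSE 'N' END;
  END;
END demo_security;
/

-- Query level: a row comes back only if the caller holds the key for its region.
-- Column level: SALARY is NULL unless the caller holds SEE_SALARY.
-- Rows and values the caller has no key for never leave the database.
CREATE OR REPLACE VIEW emp_secured AS
SELECT e.emp_id,
       e.last_name,
       e.region_cd,
       CASE WHEN demo_security.has_key('SEE_SALARY') = 'Y'
            THEN e.salary END AS salary
  FROM emp e
 WHERE demo_security.has_key('REGION_' || e.region_cd) = 'Y';
```

Pointing every data-bound UI component at EMP_SECURED rather than EMP is what lets the component inherit the restriction, since the filtering already happened before the row reached the middle tier.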

Page 26: Formspider Security

Formspider Security Benefits

- Formspider Applications pass security audits faster

- Developers spend less time on security implementation

- Built-In Security Best Practices

Page 27: Formspider Security

References

- ING Insurance: Turkey Branch. Agency Portal. Forms Modernization.

- Avea: Turkish Telco. Logistics Reports.

- Zaminbank: Azerbaijan.

- Rhenus: Netherlands Branch. Forms Modernization of Logistics ERP.

- AG Transport: Czech Republic. Logistics ERP.

Page 28: Formspider Security

References

- New York State: OASAS Budget Management.

- US Air Force: Active Duty and Reserves Recruiting.

- OK International: Global manufacturer of bench tools and equipment used in 3D printing and electronics and industrial product assembly.

- TEAM-PB: Germany. Forms Modernization of ProStore, the Supermarket Chain Warehouse Management System.

- Serve2Serve: Australia. SaaS application for repair shops.

Page 29: Formspider Security

References

Page 30: Formspider Security

Thank You!

Twitter: @formspider

LinkedIn: linkedin.com/in/yalimgerger

Web: theformspider.com