training webinar: cover your bases - a security webinar


Upload: outsystems

Post on 23-Jan-2018


Cover Your Bases: A Security Webinar

Ivo Gonçalves, Platform Operations Expert Services

[email protected]

https://www.linkedin.com/in/ivomgoncalves

Paulo Costa, Platform Operations Expert Services

[email protected]

https://www.linkedin.com/in/pauloalex

Agenda

• What is IT security?

• Layered security.

• Secure your infrastructure and your application with OutSystems recommendations:

○ 7 common vulnerabilities.

■ Vulnerability explanation and mitigation.

What is IT security?

“IT Security is the process of implementing measures and systems designed to securely protect and safeguard information (...) against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure (...)” (SANS Institute)

CIA Triad

• Confidentiality: prevent unauthorized parties from accessing the information.

• Integrity: prevent data manipulation and deletion by unauthorized parties.

• Availability: information is always available to authorized parties.

Layered security

“Layered security combines multiple security measures to make sure that you don't have all your security eggs in one basket. This protects you from different sources and different types of threats.” (Fortinet blog, 14 January 2014)

The three layers and what each one covers:

• Application: development practices.

• Application Servers: security configurations deployed in the application servers.

• Systems and Network: security configurations deployed in the surrounding infrastructure.

Security and OutSystems

● Generated code is subject to advanced vulnerability scanning.

○ OutSystems applications are mostly secure.

● Exploitable vulnerabilities in user code can still be present.

● Application Servers and Systems and Network layers may have vulnerabilities.

● No system is 100% secure.

Security assessment

Improve your applications' security

1) Open communication channels

Description: Open communication channels

• Information exchanged in plain text.

• Network monitoring:

○ Eavesdropping and tampering.

Mitigation

Mitigation: HTTPS (Application Server Layer)

• Acquire a digital certificate.

• Configure your application server to support HTTPS.

• Disable SSL 2.0 and 3.0.

• Prevent BEAST attacks.

• Mobile requires valid and trusted certificates.

• Enforce HSTS headers.

Mitigation: HTTPS (Application Server Layer)

Service Center and LifeTime

• HTTPS for all screens and integrations.


Mitigation: HTTPS (Application Layer)

Web Screens

Integrations

Web Flows

2) Session cookies without “secure” flag

Description: Session cookie without “secure” flag

• Session cookies transmitted in plain text:

○ e.g. the session ID.

• Session hijack.

Mitigation: Secure Session Cookies (Application Layer)

• Set the ‘secure’ flag for session cookies.

○ Factory Configuration.

3) Session fixation

Description: Session fixation

• Session ID doesn’t change.

• Session hijack.

Mitigation: Session Fixation (Application Layer)

• Implement Token-based authentication and session ID regeneration.
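Added example covering mitigations 2 and 3 together (this is illustrative code, not OutSystems' own implementation or Factory Configuration): a minimal server-side session store that issues a fresh session ID at login, so an ID planted before authentication never becomes an authenticated one, and a cookie builder that sets the Secure and HttpOnly flags. The cookie name SessionId and the class names are assumptions.

```python
# Added example (not OutSystems code): session ID regeneration at login plus a
# session cookie carrying the Secure and HttpOnly flags.
import secrets

SESSION_COOKIE = "SessionId"   # hypothetical cookie name


class SessionStore:
    def __init__(self):
        self._sessions = {}    # session_id -> {"user": username or None}

    def start(self):
        """Anonymous session for a visitor who has not logged in yet."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, username, authenticated):
        """Called after the credentials have been verified elsewhere.

        On success the pre-login ID is discarded and a new one is issued, so an
        attacker who knows old_sid gains nothing when the victim logs in
        (session fixation mitigation). On failure the anonymous ID is kept.
        """
        if not authenticated:
            return old_sid
        self._sessions.pop(old_sid, None)          # invalidate the fixated ID
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid):
        """Username bound to sid, or None if the session is unknown/anonymous."""
        return self._sessions.get(sid, {}).get("user")


def session_cookie_header(sid, secure=True):
    """Build the Set-Cookie header value for the session cookie.

    Secure   -> the browser only sends the cookie over HTTPS (mitigation 2)
    HttpOnly -> script running in the page cannot read the cookie
    """
    attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```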

4) Injections

Description: Injection/Code injection

• Application handles untrusted data poorly.

• Application allows relaying malicious code to other systems (e.g. SQL injection).

• Application allows injecting code that is then interpreted/executed (e.g. XSS, HTML injection).

Mitigation: Injection/Code Injection (Application Layer)

• Escape content.

• Encode/sanitize content.

• Mobile apps escape all inputted content.

5) Open redirect

Description: Open redirect

• AKA Unvalidated Redirects and Forwards.

• Application allows redirect requests to an untrusted URL.

• Commonly used for phishing attacks.

Mitigation: Open Redirect (Application Layer)

• Don’t use dynamic URL redirects from input.

• If you do, use built-in functions:

○ ReplaceURLDomain

• If you need to redirect to other domains, check the input URL against a whitelist.
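Added example of the whitelist check from the last bullet (illustrative code, not the OutSystems ReplaceURLDomain built-in): a redirect target is accepted only if it is a same-site path or an absolute http(s) URL whose host is on the whitelist, and everything else falls back to a fixed URL. It also rejects the scheme-relative and backslash forms that a naive "starts with /" check would let through. ALLOWED_HOSTS and SAFE_DEFAULT are constructed values.

```python
# Added example (not OutSystems code): validate a user-supplied redirect target
# against a host whitelist before redirecting.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}   # constructed whitelist
SAFE_DEFAULT = "/home"                                   # constructed fallback


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for same-site paths or absolute URLs on whitelisted hosts."""
    if not target or any(c in target for c in "\r\n\t\0"):
        return False                      # empty or control characters
    # "//evil.example" and "/\evil.example" are treated by browsers as a new
    # host, so they must not be mistaken for local paths.
    if target.startswith(("//", "/\\", "\\")):
        return False
    if target.startswith("/"):
        return True                       # local path, e.g. /orders?id=1
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, missing scheme
    # .hostname drops userinfo and port, so "app.example.com@evil.example"
    # resolves to evil.example and is rejected.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def safe_redirect_target(target, fallback=SAFE_DEFAULT):
    """Return target if it passes the check, otherwise the fixed fallback."""
    return target if is_safe_redirect(target) else fallback
```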

6) Sensitive user forms with autocomplete

Description: Sensitive user forms with autocomplete

• User forms cache sensitive information (e.g. credit card number, email, etc.).

• Allows retrieving previously used data.

Mitigation: Sensitive Information User Forms (Application Layer)

• Disable autocomplete for sensitive user forms.

7) User enumeration

Description: User enumeration

• Application reveals whether the username exists.

• Dictionary attack.

• OutSystems 10 has built-in brute force login protection.

Mitigation: User Enumeration (Application Layer)

• Display generic messages.

• Update the code that reveals user information.
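Added example of the "generic messages" mitigation (illustrative code, not the OutSystems Users module): the login check answers with the same message whether the username is unknown or the password is wrong, and it runs the same password verification work for unknown users so the response time does not reveal the difference either. The user table, the GENERIC_ERROR text and the hashing parameters are constructed.

```python
# Added example (not OutSystems code): a login response that does not reveal
# whether the username exists, in content or in timing.
import hashlib
import hmac
import secrets

GENERIC_ERROR = "Invalid username or password."   # same text for every failure


def hash_password(password, salt=None, rounds=100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


# Constructed user table: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}

# Credentials verified against this entry when the user does not exist, so the
# unknown-user path costs the same as the wrong-password path.
_DUMMY = hash_password(secrets.token_hex(16))


def login(username, password):
    """Return (ok, message); the message never says which part was wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    ok = username in USERS and hmac.compare_digest(candidate, stored)
    if ok:
        return True, "Welcome"
    return False, GENERIC_ERROR
```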

OWASP Top 10 Matrix

OWASP Reference | Webinar Reference

A1 Injection | 4) Injections

A2 Broken Authentication and Session Management | 1) Open communication channels; 2) Session cookies without “secure” flag; 3) Session fixation

A3 Cross-Site Scripting | 4) Injections

A6 Sensitive Data Exposure | 6) Sensitive user forms with autocomplete; 7) User enumeration

A10 Unvalidated Redirects and Forwards | 5) Open redirect

Thank you!