Security OWASP Compliance

The web applications created by the Genio modeling tool are all subject to continuous security testing based on the OWASP recommendations. Each of the attack vectors below requires specialized mechanisms to defend against.

Injection

"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."

All SQL queries in the application are executed using SqlParameters, so that any user input is passed to the database as a bound parameter value rather than concatenated into the query text.

All other variables whose values originate from user input are likewise routinely sanitized, parsed into native C# types and validated against business rules.
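As an added example (not Genio's own code) of the two points above, the following C# repository takes a raw request value, parses it into a native type, applies a business rule, and only then binds it as a typed SqlParameter. The unsafe string-concatenated form is kept alongside it purely for contrast. It assumes Microsoft.Data.SqlClient and a hypothetical Orders(Id, CustomerId, Total) table; the inputs in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // assumed package

// Hypothetical repository over an Orders(Id, CustomerId, Total) table.
public sealed class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString) => _connectionString = connectionString;

    // Weak form, kept only for contrast and never executed here: the raw request
    // value is spliced into the SQL text, so whatever it contains becomes SQL.
    public static string BuildUnsafeSql(string rawCustomerId) =>
        "SELECT Id, Total FROM Orders WHERE CustomerId = " + rawCustomerId;

    // Steps 1 and 2: parse the raw string into a native type and apply the
    // business rule before it gets anywhere near the database.
    public static bool TryParseCustomerId(string raw, out int customerId)
    {
        customerId = 0;
        if (string.IsNullOrWhiteSpace(raw) || raw.Length > 10) return false;
        if (!int.TryParse(raw.Trim(), out customerId)) return false;
        return customerId > 0; // business rule: identifiers are positive integers
    }

    // Step 3: the validated value is bound as a typed parameter; the query
    // text itself never changes, whatever the input contained.
    public IReadOnlyList<(int Id, decimal Total)> GetOrders(string rawCustomerId)
    {
        if (!TryParseCustomerId(rawCustomerId, out var customerId))
            throw new ArgumentException("Invalid customer id.", nameof(rawCustomerId));

        var results = new List<(int Id, decimal Total)>();
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(
            "SELECT Id, Total FROM Orders WHERE CustomerId = @customerId", conn);
        cmd.Parameters.Add("@customerId", SqlDbType.Int).Value = customerId;

        conn.Open();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            results.Add((reader.GetInt32(0), reader.GetDecimal(1)));
        return results;
    }

    public static void Main()
    {
        // Constructed inputs: a valid id, a value carrying extra SQL syntax,
        // a value that fails the business rule, and an empty string.
        foreach (var input in new[] { "42", "42 OR 1=1", "-1", "" })
        {
            var ok = TryParseCustomerId(input, out var id);
            var label = ok ? $"accepted as {id}" : "rejected";
            Console.WriteLine($"\"{input}\" -> {label}");
        }
    }
}
```

The parse step rejects anything that is not a positive integer, so the only value that can ever reach the parameter is an int; the parameter binding then keeps even a valid int out of the query text. Both layers are needed: validation enforces the business rule, the parameter enforces the data/code separation.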

To ensure compliance with these coding practices, all code is analysed by a static code analyser that flags potential injection points.

Broken Authentication

"Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently."

All security and authentication implementations use standard algorithms and libraries. Forms authentication is used for username/password credentials; those credentials can then be used for LDAP- or ConnectId-based authentication. TOTP is used for two-factor authentication, and smart cards and hardware keys can also be used as authentication methods. Passwords are never stored in plain text; they are protected with state-of-the-art secure hashing mechanisms such as Argon2.
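The password-hashing point above, as an added example that is not Genio's own code: Argon2id hashing and verification in C#. It assumes the Konscious.Security.Cryptography.Argon2 NuGet package; the cost parameters are assumed values to be tuned per deployment. The stored record carries its own parameters so they can be raised later without invalidating existing hashes, and verification uses a constant-time comparison.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography; // assumed: Konscious.Security.Cryptography.Argon2 package

public static class PasswordHasher
{
    // Assumed cost parameters; raise them as hardware allows.
    private const int SaltBytes = 16, HashBytes = 32;
    private const int Iterations = 3, MemoryKiB = 64 * 1024, Parallelism = 2;

    private static byte[] Derive(string password, byte[] salt, int memoryKiB, int iterations, int parallelism)
    {
        using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
        {
            Salt = salt,
            MemorySize = memoryKiB,
            Iterations = iterations,
            DegreeOfParallelism = parallelism,
        };
        return argon2.GetBytes(HashBytes);
    }

    // Produces "argon2id$m=..,t=..,p=..$<salt b64>$<hash b64>". A fresh random salt
    // per password means two users with the same password get different records.
    public static string Hash(string password)
    {
        var salt = RandomNumberGenerator.GetBytes(SaltBytes);
        var hash = Derive(password, salt, MemoryKiB, Iterations, Parallelism);
        return $"argon2id$m={MemoryKiB},t={Iterations},p={Parallelism}$" +
               $"{Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "argon2id") return false;

        // Read the parameters the record was created with, not the current defaults.
        var prm = new Dictionary<string, int>();
        foreach (var kv in parts[1].Split(','))
        {
            var pair = kv.Split('=');
            if (pair.Length != 2 || !int.TryParse(pair[1], out var v)) return false;
            prm[pair[0]] = v;
        }
        if (!prm.TryGetValue("m", out var m) || !prm.TryGetValue("t", out var t) ||
            !prm.TryGetValue("p", out var p)) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; }

        var actual = Derive(password, salt, m, t, p);
        // Constant-time compare: response time must not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // True when the record was made with weaker parameters than the current defaults,
    // so the caller can re-hash on the next successful login.
    public static bool NeedsRehash(string stored)
        => !stored.StartsWith($"argon2id$m={MemoryKiB},t={Iterations},p={Parallelism}$", StringComparison.Ordinal);

    public static void Main()
    {
        var record = Hash("correct horse battery staple"); // constructed sample password
        Console.WriteLine(record);
        Console.WriteLine(Verify("correct horse battery staple", record)); // True
        Console.WriteLine(Verify("wrong password", record));               // False
        Console.WriteLine(NeedsRehash(record));                            // False
    }
}
```

Storing the parameters next to the hash is what makes a later cost increase painless: NeedsRehash spots old records, and because the plaintext is available at login time the record can be replaced transparently.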

Sensitive Data Exposure

"Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser."

All web applications are ready to support HTTPS, so that the data transport channel between the user and the application server is secure.

The connection to the database server will also support SSL transport encryption.
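Both hops above, as an added example that is not Genio's own code: an ASP.NET Core startup that redirects HTTP to HTTPS and emits HSTS, beside a SQL Server connection string shown first with weak settings and then hardened. It assumes ASP.NET Core 6+ and Microsoft.Data.SqlClient 5+ (for HostNameInCertificate); the host and database names are placeholders.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Hosting;
using Microsoft.Data.SqlClient; // assumed package

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Browser hop: HSTS tells browsers to stop attempting plain HTTP after the first
// visit, and the redirect catches the first visit itself. HSTS is skipped in
// development so local HTTP testing still works.
if (!app.Environment.IsDevelopment())
    app.UseHsts();
app.UseHttpsRedirection();

// Database hop, weak settings shown for contrast: Encrypt=false leaves the channel
// in the clear, and TrustServerCertificate=true accepts any certificate, which
// removes server authentication even when encryption is on.
var weak = new SqlConnectionStringBuilder
{
    DataSource = "db.placeholder.internal",
    InitialCatalog = "AppDbPlaceholder",
    IntegratedSecurity = true,
    Encrypt = false,
    TrustServerCertificate = true,
};

// Hardened: encryption required and the server certificate validated against
// the expected host name.
var hardened = new SqlConnectionStringBuilder
{
    DataSource = "db.placeholder.internal",
    InitialCatalog = "AppDbPlaceholder",
    IntegratedSecurity = true,
    Encrypt = true,
    TrustServerCertificate = false,
    HostNameInCertificate = "db.placeholder.internal",
};

Console.WriteLine("weak:     " + weak.ConnectionString);
Console.WriteLine("hardened: " + hardened.ConnectionString);

app.Run();
```

The two settings to check in any deployed connection string are Encrypt and TrustServerCertificate: the first must be on and the second must be off, otherwise the database hop is either unencrypted or encrypted to whoever answers on the wire.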

XML External Entities (XXE)

"Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks."

File format parsing is done using standard .NET libraries, so out-of-date implementations are never an issue. The vast majority of the application uses JSON when communicating externally, so XML usage is relegated to configuration files and inter-system messaging, both of which are under the full control of the application servers' isolation layers.
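What "standard .NET libraries" buys against XXE depends on the reader settings, so here is an added example (not Genio's own code) of the hardened XmlReaderSettings and of what happens when a constructed document that declares an external entity is fed to it. The sample document and the element names are constructed; the entity URI is a placeholder.

```csharp
using System;
using System.IO;
using System.Xml;

public static class SafeXml
{
    // Constructed sample: a configuration-style document with a DOCTYPE that
    // declares an external entity.
    public const string SampleWithDtd =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE cfg [ <!ENTITY ext SYSTEM \"file:///placeholder-path\"> ]>\n" +
        "<cfg><name>&ext;</name></cfg>";

    // Constructed sample: the same document without any DTD.
    public const string SamplePlain = "<?xml version=\"1.0\"?><cfg><name>alpha</name></cfg>";

    public static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,  // any DOCTYPE is rejected outright
        XmlResolver = null,                      // nothing is fetched even if DTDs were allowed
        MaxCharactersFromEntities = 1024,        // caps entity expansion (billion-laughs style)
    };

    // Weak settings kept only for contrast: DTDs parsed and external references resolved.
    public static XmlReaderSettings Weak() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver(),
    };

    // Returns the text of <name>, or null when the reader rejected the document.
    public static string? ReadName(string xml, XmlReaderSettings settings)
    {
        try
        {
            using var reader = XmlReader.Create(new StringReader(xml), settings);
            var doc = new XmlDocument { XmlResolver = null }; // the DOM must not resolve either
            doc.Load(reader);
            return doc.SelectSingleNode("/cfg/name")?.InnerText;
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
            return null;
        }
    }

    public static void Main()
    {
        // The hardened reader throws on the DOCTYPE before any entity is touched.
        Console.WriteLine(ReadName(SampleWithDtd, Hardened()) ?? "(no value)");
        // Ordinary documents still parse normally.
        Console.WriteLine(ReadName(SamplePlain, Hardened()) ?? "(no value)");
    }
}
```

DtdProcessing.Prohibit is the setting that matters; XmlResolver = null is defence in depth for the case where a DTD has to be tolerated (DtdProcessing.Ignore), and it must be set on the XmlDocument as well as the reader, since the DOM has its own resolver.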

Broken Access Control

"Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc."

All access control is isolated in a separate administration portal. If business roles also need to perform this kind of configuration, deploying a separate website for that purpose is highly recommended.

All applications are generated through a Model-Driven Development pipeline. This enables transversal inference of all the code implications of a role-set reconfiguration, and yields a standardized solution that guarantees a given rule is either always present and working, or missing in a way whose fault can be detected and replicated anywhere.

Security Misconfiguration

"Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion."

The web applications are routinely tested against most penetration attacks using the OWASP ZAP tool. This makes it possible to quickly detect faults in the code, in the application's configuration or in the environment configuration guidelines.

Cross-Site Scripting (XSS)

"XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites."

All inputs and outputs are strictly formatted on the way into and out of the web application server. Apart from the protections built into the ASP.NET MVC framework itself, the application always tries to parse and validate user input before persisting it, and to escape data before rendering it or sending it over the network.

To protect against XSRF/CSRF attacks, an anti-forgery token is also added to every data-submission page, making it very hard for an attacker to spoof a data submission merely by riding on the user's authentication cookie.
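The two preceding paragraphs (validate on input, encode on output, require the anti-forgery token on submissions) in one added example that is not Genio's own code: an ASP.NET Core MVC controller. Controller, model and action names are hypothetical; the in-memory store stands in for persistence.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

// Input model: validation constrains the shape and size of what is accepted.
// It does not try to strip HTML; that is the output encoder's job.
public sealed class CommentInput
{
    [Required, StringLength(500)]
    public string Body { get; set; } = "";
}

public sealed class CommentController : Controller
{
    private static readonly List<string> Store = new(); // stands in for persistence

    // The form view renders @Html.AntiForgeryToken() (or the <form> tag helper,
    // which adds it automatically) so the POST carries a token tied to the session.
    [HttpGet]
    public IActionResult New() => View();

    [HttpPost]
    [ValidateAntiForgeryToken] // rejects a POST that carries the cookie but not the matching token
    public IActionResult Create(CommentInput input)
    {
        if (!ModelState.IsValid) return View("New", input);
        Store.Add(input.Body); // persist the validated, still-unencoded text
        return RedirectToAction(nameof(List));
    }

    // Encoding happens at render time, never at storage time, so the same stored
    // text can be emitted safely into HTML here or as JSON elsewhere.
    [HttpGet]
    public ContentResult List()
    {
        var items = Store.Select(b => "<li>" + HtmlEncoder.Default.Encode(b) + "</li>");
        return Content("<ul>" + string.Join("", items) + "</ul>", "text/html");
    }

    // JSON output is encoded by the serializer; no manual escaping is needed.
    [HttpGet]
    public JsonResult ListJson() => Json(Store);
}
```

Razor views apply the same HtmlEncoder automatically to @-expressions; the manual call above shows what that does. The one thing to audit in views is any use of Html.Raw, which bypasses it.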

Insecure Deserialization

"Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks."

All data is serialized using standard formats and libraries: JSON, XML or framework-rendered HTML. This ensures that serialization and deserialization security is kept at a state-of-the-art level.
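As an added example (not Genio's own code) of what safe JSON deserialization looks like in practice: an incoming message is bound to a closed, strongly typed contract with System.Text.Json, unknown fields are refused, and business rules are checked after binding. It assumes .NET 8 for JsonUnmappedMemberHandling; the contract and payloads are constructed.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Closed contract: the payload can fill these fields and nothing else. Contrast
// with BinaryFormatter, or Newtonsoft.Json with TypeNameHandling other than None,
// where the payload itself names the type to instantiate.
public sealed record TransferRequest(string FromAccount, string ToAccount, decimal Amount);

public static class SafeDeserializer
{
    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = true,
        // Unknown properties are an error rather than silently ignored, so a
        // payload cannot carry fields the contract does not declare.
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        NumberHandling = JsonNumberHandling.Strict, // no numbers-as-strings coercion
        MaxDepth = 8,                                // bounds nesting on hostile input
    };

    public static TransferRequest Parse(string json)
    {
        var req = JsonSerializer.Deserialize<TransferRequest>(json, Options)
                  ?? throw new JsonException("empty payload");

        // Deserialization only reconstructs shape; the business rules are separate.
        if (string.IsNullOrWhiteSpace(req.FromAccount) || string.IsNullOrWhiteSpace(req.ToAccount))
            throw new ArgumentException("account identifiers are required");
        if (req.Amount <= 0 || req.Amount > 1_000_000m) // assumed limit
            throw new ArgumentOutOfRangeException(nameof(req.Amount));
        return req;
    }

    public static void Main()
    {
        // Constructed payloads.
        var good = "{\"fromAccount\":\"A-1\",\"toAccount\":\"B-2\",\"amount\":125.50}";
        var extra = "{\"fromAccount\":\"A-1\",\"toAccount\":\"B-2\",\"amount\":1,\"isAdmin\":true}";
        var bad = "{\"fromAccount\":\"A-1\",\"toAccount\":\"B-2\",\"amount\":-5}";

        foreach (var payload in new[] { good, extra, bad })
        {
            try { Console.WriteLine("accepted: " + Parse(payload)); }
            catch (Exception ex) { Console.WriteLine("rejected: " + ex.GetType().Name + " - " + ex.Message); }
        }
    }
}
```

The extra-field payload is refused at the serializer, the negative amount at the business-rule check; neither has a path to executing anything, because the type being created is fixed in code rather than chosen by the data.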

Using Components with Known Vulnerabilities

"Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts."

We subscribe to the bulletins of national security agencies such as GNS and CISA. These bulletins feed into our security verification process, which is certified under ISO/IEC 27001:2013 within the scope of Design, development and automatic generation of information systems and related consultancy, training, research, technical assistance and evolutionary maintenance.

Package managers such as npm (Node) and NuGet also help with this detection by issuing warnings for out-of-date packages and the known vulnerabilities affecting them.

Insufficient Logging & Monitoring

"Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring."

Web applications log all errors and exceptions at the level of HTTP requests, business processing and data persistence. Together with extensive, configurable mechanisms for data audit and user-action audit, the web applications provide ample monitoring to detect malicious tampering attempts.
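The request-level logging and user-action audit described above, as an added example that is not Genio's own code: an ASP.NET Core middleware that tags every log line with a correlation id and the acting user, records unhandled exceptions server-side while returning only a reference to the client, and writes an audit record for state-changing requests. The middleware name and log message shapes are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Register with app.UseMiddleware<RequestAuditMiddleware>() early in the pipeline,
// after authentication so ctx.User is populated.
public sealed class RequestAuditMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<RequestAuditMiddleware> _log;

    public RequestAuditMiddleware(RequestDelegate next, ILogger<RequestAuditMiddleware> log)
    {
        _next = next;
        _log = log;
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        var correlationId = ctx.TraceIdentifier;
        var user = ctx.User?.Identity?.Name ?? "anonymous";
        var sw = Stopwatch.StartNew();

        // Scope values are attached to every log line written while this request runs,
        // so business-layer and persistence-layer entries can be joined to the request.
        using (_log.BeginScope(new Dictionary<string, object>
               {
                   ["CorrelationId"] = correlationId,
                   ["User"] = user,
               }))
        {
            try
            {
                await _next(ctx);
            }
            catch (Exception ex)
            {
                // Full exception to the log; only the correlation id to the client.
                _log.LogError(ex, "Unhandled exception in {Method} {Path}",
                    ctx.Request.Method, ctx.Request.Path);
                if (!ctx.Response.HasStarted)
                {
                    ctx.Response.Clear();
                    ctx.Response.StatusCode = StatusCodes.Status500InternalServerError;
                    await ctx.Response.WriteAsync("An error occurred. Reference: " + correlationId);
                }
            }
            finally
            {
                sw.Stop();
                _log.LogInformation("{Method} {Path} -> {Status} in {Elapsed}ms",
                    ctx.Request.Method, ctx.Request.Path, ctx.Response.StatusCode, sw.ElapsedMilliseconds);

                // Audit trail for anything that can change data. Repeated 4xx/5xx on these
                // from one user or address is the signal a monitoring rule should alert on.
                var m = ctx.Request.Method;
                if (HttpMethods.IsPost(m) || HttpMethods.IsPut(m) || HttpMethods.IsDelete(m) || HttpMethods.IsPatch(m))
                    _log.LogInformation("AUDIT user={User} action={Method} {Path} status={Status} ip={Ip}",
                        user, m, ctx.Request.Path, ctx.Response.StatusCode, ctx.Connection.RemoteIpAddress);
            }
        }
    }
}
```

The structured placeholders ({User}, {Status} and so on) are what make the entries queryable in a log store rather than just readable; the audit line deliberately records the outcome as well as the attempt, since a burst of denied modifications is the pattern that marks tampering.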