Hi,

> 
> I get comfort from all the efforts that 4D has made to be very secure, but 
> when a customer hands you a 644 cyber security audit report and says “Address 
> these issues”, I need to know where to begin.
> 
> It’s one thing for 4D to be able to say their product can pass all security 
> audits, but there seem to be myriad ways for a developer to compromise that 
> security by not following best practices. Most 4D developers are not cyber 
> security experts, so we rely on best practices to guide us.

We work on a regular basis for a company which is very strict on security.
This is not a big project. Rather a side project for them. The server is nowhere 
near connected to their main infrastructure, but still they apply their 
security standards to the project.

The project was done with PHP and Laravel (not by me but by a colleague who is 
fluent in PHP). I realize it won't help you directly in terms of a 4D web site, 
but we generally learnt from this process.

Every change to the web site goes through a security audit by a large 
independent security company (Orange Cyberdefense):
        1. functional test
        2. bug fix
        3. final functional validation
        4. security audit (with a report)
        5. fixing security issues
        6. counter security audit (with a report to confirm the security issues 
are fixed)
        7. site deployed in production

The site only goes live when the counter security audit is successful (security 
issues all addressed).

We have to provide technical documentation upfront:
        - versions of system, tools, libraries, frameworks used
        - we describe the architecture of the solution
        - we provide a login and password for the tested application (so they can 
pretend to be a user).

An audit configuration is delivered (similar to production but access 
restricted to the IP addresses of the audit company).

From what I have seen (looking at the logs we record during the audit, and from 
the report):
        - they run automated tests to check for standard problems (port scans, 
checks for CVEs/exploits, malicious URLs, etc.)
        - they try classic SQL injections and XSS attacks
        - they got us to adjust the Apache configuration (restrict TLS ciphers 
to higher standards, prevent Apache from revealing its version, disable some 
default insecure Apache options, etc.)
        - they asked us to add reCAPTCHA (to mitigate brute force attacks on the 
login page)
        - they made us fix security issues in the JavaScript

Since we use a decent framework (Laravel) we did not have many security issues. 
I suppose it would have been much worse if we had written a PHP site from 
scratch...

What amazes me is that they come up with new things to fix at every 
iteration... Every time, we deal with different people, and their expectation 
level seems to be raised each time.

> Is there a concise comprehensive guide to best practices for 4D development 
> with respect to Web Security? If not, I think this would be a great Tech 
> Note/Summit Session. 
+1 for a session at the summit.

HTH
Bruno LEGAY
A&C Consulting
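As an added illustration of the three Apache adjustments mentioned in the post above (this is not configuration from the original poster or from the audited project; the file path, directory and module names are assumptions), here is a hardening fragment with the weak default noted beside each corrected directive:

```apache
# Assumed location: /etc/apache2/conf-available/hardening.conf (enable with
# a2enconf on Debian-style layouts). Requires mod_ssl and mod_headers.

# 1. Prevent Apache from revealing its version.
# Defaults (ServerTokens OS, ServerSignature On) print e.g.
# "Apache/2.4.x (Ubuntu)" in the Server header and on error pages.
ServerTokens Prod
ServerSignature Off
# TRACE is on by default and echoes request headers back to the client.
TraceEnable Off

# 2. Disable default options a framework app does not need.
<Directory /var/www/html>
    # Distribution defaults often ship "Options Indexes FollowSymLinks":
    # directory listings expose file names; SSI and CGI are unused here.
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# 3. Restrict TLS to current protocols and cipher suites.
<VirtualHost *:443>
    SSLEngine on
    # The default "SSLProtocol all -SSLv3" still allows TLS 1.0 and 1.1.
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    # Forward-secret AEAD suites only; no RSA key exchange, no CBC, no 3DES.
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off
    # Tell browsers to stay on HTTPS (two years, including subdomains).
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

After reloading, the Server header, TRACE response and negotiated protocol can be re-checked with an ordinary TLS scanner before the counter audit.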
