Dear All,

Thank you so much for your support as always.

Could you please give some idea about security and performance considerations while developing an IFS Aurena Client page.


Thanks in Advance

Regards:

Vishwajeet Chaudhary

Hi,

That’s a very broad question for anyone to give a meaningful answer to, without writing a whole essay 🙂 Do you have anything particular in mind here? Security, in general, is handled by the Aurena framework and it is nothing you need to think about (of course, depending on what you mean by security). As for performance, well, don’t do server calls that are expensive and you will be fine :)

How much do you know right now about Aurena development? If you have some more specific questions, perhaps we can help out.

/Mathias

Hi,

Thanks for your response.

You can consider me a beginner in Aurena development. This is regarding when we are developing an Aurena Client page,

Security considerations like: secure authentication, HTTP protocols, and token validation


Thanks in advance

As a developer of Aurena pages, I would say you can ignore all of that and concentrate on the feature you want to develop. The Aurena framework will make sure that all of that is good.

As Vishwajeet wrote, many of the lower-level technical security issue types are handled by the frameworks, and as an Aurena/Marble developer you don’t need to worry about them.

This includes (but is not an exhaustive list, from the OWASP Top Ten https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf):

  • Authentication
  • CSRF, XXE, XSS
  • Parts of access control

Security-related issues that you do need to consider when doing Aurena/Marble development are:

  • Injections, especially SQL injections. Beware of dynamic SQL commands like EXECUTE IMMEDIATE and/or dbms_sql.
  • Insecure direct object references, missing “row level access” and lack of access control on unbound actions.

    Example: applying a filter on the client side but leaving the server (projection) with a completely open API.
    Also, adding an “enabled” control on the client side but not doing the same check in the API.

IFS Developer Studio contains assistance for possible security vulnerability scenarios such as SQL injections and lack of access checks on unbound actions.
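The injection point named above, shown in working PL/SQL as an added example that is not code from this thread or from IFS: the same lookup written first with concatenated dynamic SQL, then with a bind variable through EXECUTE IMMEDIATE ... USING and through DBMS_SQL.BIND_VARIABLE. The table demo_order_tab and the method names are hypothetical, written in the IFS-style naming with a trailing "___" for private methods.

```sql
-- Constructed example, not IFS code. Hypothetical table demo_order_tab(order_no, state)
-- and hypothetical method names in the IFS "___" private-method style.

-- UNSAFE: the caller's value is concatenated into the statement text. A single
-- quote inside order_no_ ends the literal and whatever follows is parsed as SQL.
CREATE OR REPLACE FUNCTION Get_Order_State_Unsafe___ (order_no_ IN VARCHAR2) RETURN VARCHAR2
IS
   stmt_  VARCHAR2(2000);
   state_ VARCHAR2(20);
BEGIN
   stmt_ := 'SELECT state FROM demo_order_tab WHERE order_no = ''' || order_no_ || '''';
   EXECUTE IMMEDIATE stmt_ INTO state_;
   RETURN state_;
END Get_Order_State_Unsafe___;
/

-- SAFE with EXECUTE IMMEDIATE: the statement text is a fixed string and the
-- value is passed as a bind variable, so input can never change the query shape.
CREATE OR REPLACE FUNCTION Get_Order_State___ (order_no_ IN VARCHAR2) RETURN VARCHAR2
IS
   state_ VARCHAR2(20);
BEGIN
   EXECUTE IMMEDIATE 'SELECT state FROM demo_order_tab WHERE order_no = :order_no'
      INTO state_ USING order_no_;
   RETURN state_;
END Get_Order_State___;
/

-- SAFE with DBMS_SQL: same rule, the value goes through BIND_VARIABLE, never
-- into the text handed to PARSE.
CREATE OR REPLACE FUNCTION Get_Order_State_Dbms_Sql___ (order_no_ IN VARCHAR2) RETURN VARCHAR2
IS
   cur_   INTEGER;
   rows_  INTEGER;
   state_ VARCHAR2(20);
BEGIN
   cur_ := DBMS_SQL.OPEN_CURSOR;
   DBMS_SQL.PARSE(cur_, 'SELECT state FROM demo_order_tab WHERE order_no = :order_no',
                  DBMS_SQL.NATIVE);
   DBMS_SQL.BIND_VARIABLE(cur_, ':order_no', order_no_);
   DBMS_SQL.DEFINE_COLUMN(cur_, 1, state_, 20);
   rows_ := DBMS_SQL.EXECUTE(cur_);
   IF DBMS_SQL.FETCH_ROWS(cur_) > 0 THEN
      DBMS_SQL.COLUMN_VALUE(cur_, 1, state_);
   END IF;
   DBMS_SQL.CLOSE_CURSOR(cur_);
   RETURN state_;
END Get_Order_State_Dbms_Sql___;
/
```

The same rule applies to any identifier that must be spliced into the statement text (a table or column name chosen by the caller): bind variables cannot carry those, so validate them against a fixed allow-list or use DBMS_ASSERT before concatenating.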

Hello,

Is there any way to make a POST call to the IFS API from another application? I already have the access token, but when I make a POST call there is always a CSRF_ERROR.

For example, I want to post a Transport Task from outside IFS10 Apps, using this API:

https://ifsdomain:48080/main/ifsapplications/projection/v1/TransportTaskHandling.svc/TransportTaskSet


thanks
- bhakti