Solved

IFS Aurena development Security Considerations

  • 11 November 2019
  • 5 replies
  • 641 views
Vishwajeet
Rank
Badge +2

Dear All ,

Thank you so much for your support as always ….

Could you please give some idea about security and performance considerations while developing an IFS Aurena Client page.

 

Thanks in Advance

Regards:

Vishwajeet Chaudhary

icon

Best answer by haetse 15 November 2019, 09:15

View original

5 replies

Mathias Dahl
Rank
Userlevel 7
Badge +30

Hi,

That’s a very broad question for anyone to give a meaningful answer to, without writing a whole essay :) Do you have anything particular in mind here? Security, in general, is handled by the Aurena framework and it is nothing you need to think about (of course, depending on what you mean by security). As for performance, well, don’t do server calls that are expensive and you will be fine :)

How much do you know right now about Aurena development? If you have some more specific questions, perhaps we can help out.

/Mathias

 

/Mathias
Vishwajeet
Rank
Badge +2

Hi ,

Thanks for your response.

You can consider me as a beginner in the Aurena developments. This is regarding when we are developing a Aurena Client page,

Security Considerations like: Secure authentication, Http protocols, and Token validation

 

Thanks in advance

Mathias Dahl
Rank
Userlevel 7
Badge +30

Hi ,

Thanks for your response.

You can consider me as a beginner in the Aurena developments. This is regarding when we are developing a Aurena Client page,

Security Considerations like: Secure authentication, Http protocols, and Token validation

 

Thanks in advance

As a developer of Aurena pages, I would say you can ignore all of that and concentrate on the feature you want to develop. The Aurena framework will make sure that all of that is good.

 

/Mathias
H
Rank
Userlevel 3
Badge +6

As Vishwajeet  wrote, many of the lower level technical security issue types are handled by the frameworks and as an Aurena/Marble developer don’t need to worrya about.

This include (but is not an exhaustive list)  (from the OWASP Top Ten https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)

  • Authentication
  • CSRF, XXE, XSS
  • Parts of access control

Security related issues that you do need to consider when doing Aurena/Marbe development are

  • Injections, especially SQL injections. Beware of dynamic SQL commands like EXECUTE IMMEDIATE, and/or dbms_sql
  • Insecure direct object references, missing “row level access” and lack of access control of unbound actions.

    Example: Apply a filter on the client side, but leaving the server (projection) with completely open API.
    Also, adding “enabled” control on the client side but not do the same check in the API.

IFS Developer Studio contains assistance for possible security vulnerability scenarios such as SQL Injections and lack of access checks on unbound actions



 

bhaktiutama
Rank
Userlevel 3
Badge +8

Hello, 

Is there any way to make a POST call to IFS API from another application. I already have the token access. But when I make a POST call there is always CSRF_ERROR

For example I want to post Transport Task from outside IFS10 Apps, using this API

https://ifsdomain:48080/main/ifsapplications/projection/v1/TransportTaskHandling.svc/TransportTaskSet

 

thanks
- bhakti

 

Reply


Terms & ConditionsCookie settings