Identifying and mitigating security risks
Archived
1 Task
10 mins
Scenario
Front Stage's Booking application is going live in the near future. Prior to promoting the application to production, a security review is required. Any security risks found require a review.
Perform a security review of Front Stage's Booking application using the security checklist. Provide recommendations to strengthen the security of the application.
Some changes can be implemented directly in the development environment, while others are configured when the application has been promoted to the production environment. Create a list of configuration tasks that need to be carried out when the application has been promoted to other environments for changes that cannot be implemented in the develop environment.
Detailed Tasks
1 Solution detail
Tasks to perform on the development environment include:
- Disabling unneeded out-of-the-box operators
- Changing passwords for used out-of-the-box operators used
- Fixing any issues found by the security analyzer
- Fixing any security issues in the Guardrail report
- Ensuring that timeouts are set up at the application server level, requestor level, and Access Group level that are of an appropriate length
- Ensuring that the Unauthenticated Access Group has the minimum required access to rules
- Adding the
<env name="alerts/suppressalerts" value="true" />
setting to the prconfig.xml file to ensure that sensitive property values, such as customer account numbers or Social Security numbers, do not appear in the Alert log - In each ruleset version, selecting Lock this Version on the Security tab, and entering a password
- In each ruleset rule, selecting Use checkout? on the Security tab, and entering three distinct passwords to limit the ability to add versions, update versions, and update the ruleset rule itself
- Applying the correct type for all properties
- Applying privileges across all the relevant rules (flow actions, reports, flows)
- Reviewing the Unauthenticated access group to make sure that it has the minimum required access to rules
Tasks to perform outside of the development environment:
- Updating prconfig settings
- Updating dynamic system settings
- Removing any unnecessary resources/servlets from the web.xml, and renaming default servlets where applicable, particularly PRServlet
- If using https, ensuring that testing environments are available to test with SSL enabled
- Ensuring that the system has been set up using a JDBC connection pool approach through the application server, rather than the database being set up in the prconfig.xml
- Renaming and deploying the prhelp.war once per environment (potentially on its own node to avoid being able to pick up the endpoint URL from the pop-up window)
- Renaming and deploying the prsysmgmt.war once per environment (potentially on its own node to avoid being able to pick up the endpoint URL from the pop-up window)
- Renaming and redeploying the prweb.war for each node
- Renaming and securing the context root for prgateway.war