Writing secure 4GL applications

Posted by Piotr Tucholski on 16-Jun-2014 04:11

Hi,

I need to prepare a short training on writing secure 4GL applications. This must be from the developers' point of view, so no TDE, SSL or auditing. Just writing 4GL code.

There are commands to log in to the app with an encoded password etc., but could you suggest something more to include in such a training?

I would appreciate any advice,

Piotr


Posted by Michael Jacobs on 16-Jun-2014 05:01

What aspects of writing a secure 4GL application are you interested in? I know my interpretation of 'secure' might be very different from yours, and knowing more about your specific definition of 'secure' would help us help you. FYI: My list of topics for a secure 4GL application would include:

OS file system

3rd party shared libraries

data

encryption key

code base

identity management [for application & database]

network

db connection

memory

...

The password thing is important but only one aspect of overall application and data security. (IMHO)

Posted by Piotr Tucholski on 16-Jun-2014 05:35

Hi Michael,

Thank you for the fast response. This need comes from a customer's site. They are interested mostly in code base security, but I know it should be a wider look, taking more aspects into account. Anyway, I think that everything that could be included in 4GL would do.

Posted by bronco on 16-Jun-2014 05:45

One aspect which doesn't get much attention is (ABL) injection. Although the ABL isn't nearly as vulnerable as SQL, it's possible to manipulate dynamic queries. Search the knowledge base for "injection", it's entry 29761.
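
The dynamic-query problem described above, shown as an added example (not code from the thread or from Progress): a predicate built by string concatenation beside the same query built with QUOTER(), plus the static form that needs no string building. It assumes the sports2000 demo database and its Customer table are connected.

```abl
/* Added example: ABL injection in a dynamic query and two safe alternatives.
   Assumes the sports2000 demo database (Customer table) is connected. */
DEFINE VARIABLE hQuery AS HANDLE    NO-UNDO.
DEFINE VARIABLE cInput AS CHARACTER NO-UNDO.
DEFINE VARIABLE cWhere AS CHARACTER NO-UNDO.

/* Constructed user input containing a double quote. Pasted raw into a quoted
   literal, the quote ends the literal early and whatever follows it is parsed
   by QUERY-PREPARE as additional WHERE-clause syntax rather than as data. */
cInput = 'Lift" Tours'.

/* UNSAFE: user input concatenated straight into the predicate. */
cWhere = 'FOR EACH Customer NO-LOCK WHERE Customer.Name = "' + cInput + '"'.

/* SAFE (1): QUOTER() wraps the value in quotes and doubles any embedded quote
   characters, so the input can only ever be a literal value, never syntax. */
cWhere = "FOR EACH Customer NO-LOCK WHERE Customer.Name = " + QUOTER(cInput).

CREATE QUERY hQuery.
hQuery:SET-BUFFERS(BUFFER Customer:HANDLE).

/* QUERY-PREPARE returns FALSE for a predicate that does not parse; treat that
   as a rejected request and log it instead of falling back to a looser query. */
IF NOT hQuery:QUERY-PREPARE(cWhere) THEN
    MESSAGE "Rejected predicate:" cWhere VIEW-AS ALERT-BOX ERROR.
ELSE DO:
    hQuery:QUERY-OPEN().
    hQuery:GET-FIRST().
    DO WHILE NOT hQuery:QUERY-OFF-END:
        DISPLAY Customer.CustNum Customer.Name WITH FRAME fDyn DOWN.
        DOWN WITH FRAME fDyn.
        hQuery:GET-NEXT().
    END.
    hQuery:QUERY-CLOSE().
END.
DELETE OBJECT hQuery.

/* SAFE (2): when the shape of the predicate is fixed, a static query that
   compares against the variable needs no string building at all, so there is
   nothing for the input to break out of. */
FOR EACH Customer NO-LOCK WHERE Customer.Name = cInput:
    DISPLAY Customer.CustNum Customer.Name WITH FRAME fStatic DOWN.
END.
```

Prefer the static form wherever the field and operator are known at compile time; reserve QUERY-PREPARE with QUOTER() for genuinely user-selectable predicates, and whitelist field and operator names there as well, since QUOTER() only protects values.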

Posted by Bill Wood on 16-Jun-2014 07:54

Related to Mike’s list are items that are particularly troublesome.

- Obfuscation vs encryption (e.g. BASIC-AUTH obfuscates a password, so it is not clear text, but you can recover the password from it.)

- WebSpeed and URL/Posts

- Personally Identifiable Information (PII) and how to avoid storing it in clear text (or in logs)

NOTE: some of these are simply handled by using SSL or TDE, but if you want to avoid discussing those, you need to point out the vulnerabilities that you need to handle in 4GL.

Posted by Piotr Tucholski on 16-Jun-2014 13:08

Thanks guys for your contribution to this topic.
