Hi,
I need to prepare a short training of writing secure 4GL applications. This must be from developers point of view so no TDE, SSL or auditing. Just writing 4GL code.
There are commands to login to app with encoded password etc. but may you suggest something more to include in such training?
I would appreciate any advice,
Piotr
What aspects of writing a secure 4GL application are you interested in? I know my interpretation of 'secure' might be very different from yours, and knowing more about what your specific definition of 'secure' would help us help you. FYI: My list of topics for a secure 4GL application would include:
OS file system
3rd party shared libraries
data
encryption key
code base
identity management [for application & database]
network
db connection
memory
...
The password thing is important but only one aspect of overall application and data security. (IMHO)
Hi Michael,
Thank you for fast response. This need comes from customer's site. They are interested mostly in code base security but I know it should be wider look taking more aspects into account. Anyway I think that everything what could be included in 4GL would do.
One aspect which doesn't get much attention is (ABL) injection. Although the ABL isn't as nearly as vunerable as SQL, it's possibile to manipulate dynamic queries. Search the knowledge base for "injection", it's entry 29761.
Related to Mike’s list are items that are particularly troublesome.
· Obfuscation vs encryptions (e.g. BASIC-AUTH obfuscates a Password, so it is not clear text, but you can recover the password from it.)
· WebSpeed and URL/Posts
· Personally Identifyable Information (PII) and how to avoid storing it in clear text (or in logs)
NOTE: some of these are simply handled by using SSL or TDE, but if you want to avoid discussing these, you need to point out the vulnerabilities that you need to handle in 4GL.
Thanks guys for your contribution to this topic.