Security Architecture

]project-open[ features a three layer security architecture that consists of a "Web-Firewall", an "SQL Ejection Database Interface" and an application-level Intrusion Detection System (IDS). None of these layers are usually found in similar Web applications.

image:three-tier-security-architecture.gif

 


 

Security

]po[ and its underlying OpenACS platform have been designed from the beginning to operate in the hostile Internet environment. A number of security features allow ]po[ to be run safely with direct access from the Internet:

  • Parameter Check via “Page Contracts”:
    Every Web page in ]po[ contains a “page contract” that checks any values coming from the hostile Internet environment and determines whether they match the defined data type. Page contracts are obligatory, so the developers can't “forget” this check.
    In other words, ]po[ includes an integrated Web application firewall.

  • SQL Injection Blocker:
    SQL injection is one of the most common vulnerabilities in Web applications. To avoid such attacks, ]po[ includes a special database driver that transfers parameter values separately from their SQL statement to the database.

  • Cross-Site Scripting (XSS) Blocker:
    The “page contract” mechanism above also acts as a filter against cross-site scripting attacks. By default, no HTML tags are allowed in “string values,” so a developer must explicitly allow for HTML tags. But even “HTML strings” are prevented from containing potentially malicious HTML tags.

  • Buffer Overflow Protection:
    ]po[ is written in the TCL programming language, with arbitrary length strings, avoiding buffer overflows. (Buffer overflows are possible in the AOLserver component; however, no such vulnerability has been reported since 2001.)

  • “Obscure” but Well-Maintained:
    The combination of AOLserver and the TCL programming language is not commonly found in the Internet, so a potential hacker will need to expend a considerable amount of criminal energy in order to reverse-engineer the application stack. In addition, this code is very well-maintained: AOLserver is the core of the AOL infrastructure, and OpenACS/]po[ is developed as open-source by senior developers.

  • Semi-Automatic Security Reviews:
    ]po[ includes a semi-automatic security checker that identifies weak code and potential security threats.


Together, these features have convinced many ]po[ customers that the benefits from seamless Internet collaboration exceed the potential cost of a security breach. A prominent figure amongst this group includes VAW arvato (Bertelsmann group).

 


 


  Contact Us
  Project Open Business Solutions S.L.

Calle Aprestadora 19, 12o-2a

E-08907 Hospitalet de Llobregat (Barcelona)

 Tel Europe: +34 932 202 088
 Tel US: +1 415 429 5995
 Mail: info@project-open.com