Brief - OWASP Top Ten

Product Brief | OWASP Top Ten

OWASP Top Ten

The Open Web Application Security Project (OWASP) Top Ten is a widely used awareness document for web application security. It represents a broad consensus about the most critical web application security flaws, produced by project members who include security experts from around the world. The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency has listed the OWASP Top Ten as a key best practice to be used as part of the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP).

Boomi has reviewed the OWASP Top Ten (2017 edition) carefully. Each entry below gives the flaw, its description, and Boomi's response describing how we prevent it.

A1: Injection
Description: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Boomi's response: The data access layer used in the Boomi Platform does not build dynamic queries from untrusted input. Back-end query execution is therefore limited to parameterized statements, whose replacement parameters are bound separately from the query text.

A2: Broken Authentication
Description: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Boomi's response: Boomi customers are in full control of authentication security and are responsible for configuring password strength requirements. Local account passwords are stored using an irreversible hash with a unique salt value.
Customers can choose to enable SAML 2.0 compatible Single Sign-On (SSO) with their Identity Provider (IdP), and can also enable two-factor authentication (2FA).

A3: Sensitive Data Exposure
Description: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and personally identifiable information (PII). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
Boomi's response: Boomi customers can choose to store processed documents in an on-premise Atom or in the public Boomi Atom cloud. The Boomi Atom cloud uses TLS 1.2 for encryption in transit and AES-256 for encryption of data at rest in all AWS data centers. Customers can also choose to Purge Data Immediately to ensure processed documents are never stored in the public Atom cloud. Boomi uses AWS Shield for DDoS protection.

A4: XML External Entities (XXE)
Description: Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, to perform internal port scanning, and to achieve remote code execution and denial of service.
Boomi's response: XML parsers throughout the Boomi Platform are configured to disallow processing of external entities and DTDs.
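The A1 response above rests on one distinction: whether untrusted input becomes part of the SQL text or is bound as a parameter. The following Python example, added here and not Boomi's code (the Boomi Platform is not written in Python, and the table, rows and payload are constructed for the demonstration), shows the same lookup written both ways and runs a classic tautology payload through each.

```python
import sqlite3

# Constructed sample data for the demonstration; not a Boomi schema.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Classic tautology payload: closes the quoted literal and appends a
# condition that is always true.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_users_dynamic(conn, username):
    """Vulnerable: the untrusted value is spliced into the SQL text, so it can
    change the structure of the statement the interpreter executes."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]


def find_users_parameterized(conn, username):
    """Hardened: the statement text is fixed and the value is bound as a
    parameter, so the interpreter only ever sees it as data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both variants with a normal input and with the payload."""
    conn = make_db()
    return {
        "dynamic_normal": find_users_dynamic(conn, "alice"),
        "dynamic_payload": find_users_dynamic(conn, TAUTOLOGY_PAYLOAD),
        "parameterized_normal": find_users_parameterized(conn, "alice"),
        "parameterized_payload": find_users_parameterized(conn, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>22}: {rows}")
```

With the payload, the dynamic variant executes `WHERE username = '' OR '1'='1'` and returns every row; the parameterized variant looks for a user literally named `' OR '1'='1` and returns nothing. A data access layer that only exposes the second shape is what the A1 response describes.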
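The A4 response, "disallow processing of external entities and DTDs", describes two separate parser settings, and the order matters: refusing the DOCTYPE blocks the declaration of entities in the first place, and refusing external entity references is the backstop if a DTD has to be allowed. The following Python example, added here and not Boomi's code, installs both refusals on the standard-library expat parser and feeds it three constructed documents: a benign order, one with a harmless internal entity, and an XXE probe pointing at `file:///etc/passwd`. The dict-based tree, the exception classes and the sample documents are this example's own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDForbidden(ValueError):
    """The document carries a DOCTYPE, which is where entities get declared."""


class ExternalEntityForbidden(ValueError):
    """The document references an entity whose content lives outside it."""


# Constructed sample documents; none of them come from the Boomi platform.
BENIGN = '<?xml version="1.0"?><order id="42"><item>widget</item></order>'
INTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY name "widget">]>'
    '<order><item>&name;</item></order>'
)
XXE_PROBE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<order><item>&xxe;</item></order>'
)


def hardened_parse(document, forbid_dtd=True):
    """Parse with expat into a plain dict tree, refusing DOCTYPEs (by default)
    and external entity references (always). Returns the root element."""
    parser = xml.parsers.expat.ParserCreate()
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside a handler stops the parser and propagates the error.
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    def external_entity_ref(context, base, sysid, pubid):
        # expat performs no I/O itself; refusing here guarantees the referenced
        # file or URL is never opened by anything downstream either.
        raise ExternalEntityForbidden(f"external entity {sysid!r} is not allowed")

    def start_element(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end_element(tag):
        stack.pop()

    def character_data(text):
        stack[-1]["text"] += text   # expat may deliver text in several chunks

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(document, True)
    return root["children"][0]


def classify(document, forbid_dtd=True):
    """Map the parse outcome to a label suitable for a log line or a test."""
    try:
        hardened_parse(document, forbid_dtd=forbid_dtd)
    except DTDForbidden:
        return "dtd_forbidden"
    except ExternalEntityForbidden:
        return "external_entity_forbidden"
    return "ok"


def item_text(document, forbid_dtd=True):
    """Text of the first child element, for documents that parse."""
    return hardened_parse(document, forbid_dtd=forbid_dtd)["children"][0]["text"]


def stdlib_default_item_text(document):
    """Contrast: ElementTree's default parser processes the DOCTYPE and expands
    the internal entity rather than rejecting the document."""
    return ET.fromstring(document).find("item").text


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("internal", INTERNAL_ENTITY), ("xxe", XXE_PROBE)]:
        print(f"{name:>8}: dtd forbidden -> {classify(doc)}, dtd allowed -> {classify(doc, False)}")
```

With DTDs forbidden, both DOCTYPE-bearing documents are rejected before any entity is even declared. With DTDs allowed, the internal entity expands harmlessly while the XXE probe is stopped at the external reference. The C-accelerated `xml.etree.ElementTree.XMLParser` does not let you install these expat handlers, which is why the usual choice for hardening stdlib XML parsing is the `defusedxml` package; the example above goes to expat directly to make the two settings visible.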
