
Gateway Apps - Security Summary (27/02/2015)

Document Status
Title: Harmony Security summary
Author(s): Yabing Li
Version: V1.0
Status: draft

Change Record
Date | Author | Version | Change reference
27 Feb 15 | Yabing Li | V1.0 | Initial draft for review/discussion
03 Mar 15 | Neeta T. | V1.1 | Browser security review
10 Mar 15 | Marcelo A. | V1.2 | Review of items 3 and 4
18 Mar 15 | Yabing Li | V1.3 | Review chapter 2, 3 and 4.3

Reviewers
Name | Version reviewed | Position | Date

Cordis Solutions Limited 2015 1 of 10 Confidential

CONTENTS
1. Purpose of This Document ... 3
2. Web/mobile interface Security ... 4
2.1 Browser Security ... 4
3. Network and Communication Security ... 5
4. Server Security ... 7
4.1 User Authentication and Authorization ... 7
4.2 Single sign on ... 7
4.3 Session security ... 8
4.4 Other security Aspects ... 9

1. PURPOSE OF THIS DOCUMENT

This document summarises the security of the Cordis Harmony suite. The descriptions contained in it should not be relied upon in evaluating or recommending the software, and can be changed without notice by Cordis Solutions. Note that while the solution is designed to work with software provided by SAP and Microsoft, Cordis Solutions can give no undertakings on the functionality contained in, or the performance of, any software running in your environment.

2. WEB/MOBILE INTERFACE SECURITY

Cordis Gateway Apps have two user interfaces: the Microsoft Office interface and the Web/Mobile interface. The following section provides information about the security aspects of the web/mobile interface.

2.1 BROWSER SECURITY

The Cordis Apps web/mobile interface is built using the SAPUI5 library, a client-side JavaScript library. The web/mobile browser executes the JavaScript and renders the HTML, so browser security needs to be discussed. Browser security comprises several topics such as cross-site scripting, clickjacking, and local storage.

A browser is, by design, an untrusted client: a server cannot rely on any information sent from a browser, as a malicious user can use a JavaScript debugger to tamper with the client code, or a proxy server like Fiddler to modify request data. Input validation on the client is for convenience only; the server always has to validate the data it receives from the client again.

CROSS-SITE SCRIPTING

Cross-site scripting (XSS) has become the most prominent security issue of web applications in recent years and also the most dangerous one, as it allows several ways of exploitation. Once malicious code is running within your browser, it can be used to steal your session cookies, to trigger requests within the current session, or even to exploit a known browser vulnerability to achieve native code execution.

For SAPUI5 applications, XSS vulnerabilities can exist on different levels:
- Within the HTML page or custom data transports sent to the browser from the server
- Within the JavaScript code of the application, which processes server responses
- Within the HTML renderers of SAPUI5 controls

Since the Cordis Gateway App web interface is built on top of the SAPUI5 library, it prevents XSS by the following approach:
- On the SAPUI5 library level, SAPUI5 prevents cross-site scripting in the processing and rendering of controls. In the library, input validation exists for all typed element properties, and output encoding is done in the renderer class of each control.
- On the application level, the Cordis application handles proper output encoding of all content embedded in the HTML page itself, as well as the encoding of JSON data sent to the client and the secure processing of this data.

CLICKJACKING

Clickjacking, or UI redressing, tricks the user into triggering actions within an application by redirecting clicks. This is done, for example, by using an invisible iframe positioned above a fake UI. When the user clicks on something on the fake UI, the content of the invisible iframe handles the click. Since SAPUI5 is not able to provide a generic clickjacking prevention, the application has to clarify on the application level whether embedded scenarios, for example a portal, are required, and add clickjacking protection for the respective scenario. In general, the Cordis Gateway Apps web/mobile interface does not support an embedded scenario. If a client has this requirement, please contact Cordis technical support for framebusting solutions.
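As an added example (not code from this document, from Cordis or from SAPUI5), the two encoding steps described above, HTML output encoding as a control renderer performs it and encoding of JSON data embedded in the page, in plain JavaScript; the function names and the hostile sample values are constructed for the demonstration.

```javascript
// Added example (not Cordis or SAPUI5 code): the two encoding steps the
// summary describes, in plain JavaScript. All sample values are constructed.

// Encode a value for an HTML text node or attribute, as a control renderer does.
function encodeHTML(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encode server data for embedding in a <script> block: the result is still
// valid JSON, but "</script>" and the JS line terminators U+2028/U+2029 are
// escaped so the data can neither close the block early nor break parsing.
function encodeJSONForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// "Before": a backend field is spliced into markup unencoded (the XSS case).
function renderNameVulnerable(displayName) {
  return '<span class="user">' + displayName + "</span>";
}

// "After": every dynamic value passes through the encoder before rendering.
function renderNameEncoded(displayName) {
  return '<span class="user">' + encodeHTML(displayName) + "</span>";
}

// Page bootstrap that hands initial OData-style data to the client script.
function renderBootstrap(data) {
  return "<script>var initialData = " + encodeJSONForScript(data) + ";</script>";
}

// True when the only "</script>" in the page is the one closing the bootstrap.
function bootstrapIsIntact(html) {
  const closeTag = "</script>";
  return html.indexOf(closeTag) === html.length - closeTag.length;
}

// Constructed hostile inputs of the kind an untrusted backend field could carry.
const HOSTILE_NAME = '<img src=x onerror="alert(1)">';
const HOSTILE_DATA = { name: "</script><script>alert(1)</script>", note: "line\u2028break" };
```

The JSON encoder keeps the data parseable by JSON.parse on the client while removing the characters that would let a server field terminate the script block.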

3. NETWORK AND COMMUNICATION SECURITY

Cordis Apps use the open protocols below when communicating with different servers:
1. HTTP(S)
2. OData
3. Remote Function Calls (RFC)

[Figure: the MS Office client (Office version, .NET) and the web browser client (Web/Mobile version, HTML5) connect over OData / HTTP(S) to SAP NetWeaver Gateway (Gateway component), which connects over RFC (SNC) to SAP ECC (SAP backend component).]

DATA ENCRYPTION BETWEEN CLIENT AND SAP NETWEAVER GATEWAY

Security between the client and the SAP Gateway server side is not sufficient if the data transported between client and server can be read, intercepted, or even modified by an attacker. By default, HTTP communication is stateless and unencrypted, which makes it necessary to configure it to use encrypted connections and to add session handling on top using either cookies or URL rewriting. In order to make it difficult for unauthorized persons to obtain sensitive data passing through the channel, the communication needs to be encrypted, especially in a production environment, i.e. Secure Sockets Layer (SSL) over HTTP and Secure Network Communications (SNC) for RFC. Sending the HTTP protocol over an SSL-secured connection (HTTPS) is not only standardized, but also required for SAP applications. Cordis Gateway Apps fully support the use of HTTPS.

DATA ENCRYPTION BETWEEN SAP SYSTEMS

Secure Network Communications (SNC) integrates SAP NetWeaver Single Sign-On or an external security product with SAP systems. With SNC, you strengthen security by using additional security functions provided by a security product that are not directly available with SAP systems. SNC protects the data communication paths between the various client and server components of the SAP system that use the SAP protocols RFC or DIAG. The SNC functions are integrated in the SAP system components (for example, the AS ABAP system kernel, SAPGUI, or the RFC library) as a layer between the kernel layer and an external library provided by SAP NetWeaver Single Sign-On (SAP Secure Login Server) or an external security product. The figure below illustrates the integration of an external library.

4. SERVER SECURITY

Since Cordis Gateway Apps use SAP NetWeaver Gateway as the middle layer to communicate with the backend business system, requests sent from the frontend are handled by the Gateway. This section provides information about security aspects on the SAP server side.

4.1 USER AUTHENTICATION AND AUTHORIZATION

Cordis Gateway Apps use the SAP standard mechanisms to manage application users. They utilize the user and role administration functions of SAP NetWeaver AS ABAP. Each user has a user master record that contains all the information about that user. In addition, the user master record holds the authorizations included in roles and profiles that limit the scope of action of the user in the system.

4.2 SINGLE SIGN ON

SAP NetWeaver Gateway supports the use of the following SSO authentication mechanisms:

X.509 client certificates: SAP NetWeaver Gateway recommends the use of client certificates for user authentication. Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI).

Security Assertion Markup Language (SAML 2.0): SAP NetWeaver Gateway also supports the use of SAML assertions for user authentication. The assertions can be issued by an Identity Provider (IdP) system, or by the SAP NetWeaver host with single sign-on capabilities.

Consumer | Authentication option (X.509 Certificate / SAML 2.0)
Web application (HTML5, Silverlight, Flex) | Recommended
Desktop application (Microsoft .NET, Java) | Recommended
Mobile application | Recommended
Cloud application | Recommended
Social network integration | Recommended
Web server side (PHP/ASP.NET) | Recommended

We recommend the use of X.509 certificates, which are easier to configure and work very well for both interfaces of the Cordis applications. With this approach, an X.509 client certificate serves as a digital "identification card" for use on the Internet, also known as a public-key certificate. A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the SSL protocol. The information contained in the certificate is passed to the server, and the user is logged into the server based on this information. User authentication takes place in the underlying protocols, and no user ID and password entries are necessary. When using client certificates for user authentication, the user is re-authenticated with each request using the SSL protocol.

There are many ways to generate the clients' X.509 certificates, but for environments based on Windows servers and Microsoft Active Directory authentication a good tool is the SAP Secure Login Server/Client, which can reuse the user's Windows authentication and generate the certificates automatically (without any user interaction; the process is transparent to the end user). The details of configuring and testing SAP Secure Login Server/Client are provided in the Cordis Single Sign On Summary document.

4.3 SESSION SECURITY

Since Cordis Apps use SAP NetWeaver Gateway to communicate with the SAP backend, each end user has his/her own HTTP session to facilitate the communication. Therefore session security needs to be discussed. The session security topic comprises secure session management on the server side to prevent session impersonation, as well as the cross-site request forgery prevention implemented in Cordis Gateway Apps.

SECURE SESSION MANAGEMENT

On the SAP NetWeaver Gateway server side, activating secure session management on the Gateway host protects the SAP logon ticket and security session cookies from access through JavaScript and plug-ins. Within a secure session, users can start applications that require a user logon without logging on again. When a security session ends, the system also ends all applications that are linked to this security session.

Also, it is recommended to use Secure Session Management (transaction SICF_SESSIONS) together with other authentication methods, for example X.509 certificates. For protection of session cookies, it is recommended to use HTTPS transport.

XSRF PREVENTION

Even if the data transport is secured using SSL, there are possibilities to hijack such a secure connection and send malicious requests from the client. Cross-site request forgery and session fixation are two of the prominent examples of this class of attacks. In order to prevent cross-site request forgery (XSRF), Cordis Gateway Apps use the XSRF header to fetch a token from the SAP NetWeaver Gateway server. Then, in all subsequent write operations, the application sends the token back to the server to validate the request.

4.4 OTHER SECURITY ASPECTS

CROSS ORIGIN RESOURCE SHARING

For security reasons, XMLHttpRequest usually only allows accessing resources from the same domain as the originating document. As there are many web-based services available today, starting with RSS or Atom feeds, web services or OData services, there is a need to also access data sources from different domains within the browser, which was addressed with the CORS (Cross-Origin Resource Sharing) standard. CORS allows the server to set special headers on its responses which tell the XMLHttpRequest object whether it is allowed to process the requested data or not. This CORS capability also plays an important role in SAPUI5-based applications. If the application itself and the data it visualizes come from different servers, the CORS headers have to be configured correctly on the data-providing server to allow the application server's domain to access the data. Cordis Gateway Apps (built using the SAPUI5 library) use CORS headers on the CDN-based library to be able to load additional scripts, styles, and resources from the CDN server.