Security measures taken on development - Forum - Technology Partner - Progress Community

Security measures taken on development

 Forum

Security measures taken on development

  • I have been a loyal customer of few of your products for a few years. Most of these I never worried about anything. Last month my firm's website was quite easily taken down by a group of hackers and they were even able to get into our network. This has got me worried. The hackers were kind enough to work with our developers to fix the vulnerabilities. After we hired a cybersecurity consulting company and they asked us to look into the vulnerabilities in the software we use. 

    This is why I want to know about the security of the products? How often do you check your system for vulnerabilities? Is there a team to ensure there are no vulnerabilities in the product you ship?  

  • This may be of interest to you and others: www.amduus.com/.../WebspeedSecurity.html

    This is just at the webspeed level.  Attacking the web server is a different way, attacking dns is another way... these are not covered by the video.

    Scott Augé
    President
    Amduus Information Works, Inc.
    Technical Services for Business and Government
    http://www.amduus.com/cms

  • Link is broken   :(

  • The topic of security is fairly broad, so for this brief reply I will focus on 2 areas: security features that OpenEdge supplies to developers, and the development process that the OpenEdge team follows to evaluate and correct security vulnerabilities.

    There are a variety of security features available with OpenEdge, including things like encrypt/decrypt functions, wire-level security when transmitting information (SSL/TLS), encryption of some/all of an OpenEdge database (Transparent Data Encryption) and associated key store, security at the AppServer level (Progress Application Server for OpenEdge and Spring security), security token services (OpenEdge Authentication Gateway), and more. We base our encryption technology on open standards, and have been very active in the last several years to be sure that we are keeping up with the latest releases of these technologies so we can offer the most secure solutions possible. We also have a policy that allows our customers to apply patches where appropriate, so that up-to-the-minute fixes from the security vendors are not necessarily gated by an OpenEdge release.

    As far as the Progress internal development process for OpenEdge, we regularly scan our source code with OWASP (for 3rd-party library vulnerabilities), Veracode (Java) and AppScan (C/C++). We evaluate the results and based on priority schedule updates/fixes as part of our overall backlog. As one example, in our last 3-month Program Increment (part of the Scaled Agile Framework methodology, SAFe) which just ended at the beginning of March 2018, we had a focus on updating 3rd party libraries that we use that were identified in our OWASP scans as having high priority vulnerabilities that had been corrected in more recent versions of the libraries. These library updates then became part of the upcoming Service Pack of OpenEdge 11.7 (i.e. 11.7.3).

    There is unfortunately no way to ensure that there are no vulnerabilities in OpenEdge, or in fact any infrastructure product used to build applications, in part because new issues are exposed continually over time. As you can see we strive to locate and repair security vulnerabilities continuously as part of our overall development process, and have support policies that allow customers to apply vendor security patches "out of band" from OpenEdge releases.