WebSpeed fails 5 out of 10 OWASP standards

Having been a Progress house since 1986 we are now wanting to offer internet access to our application. We have prototyped a portal using WebSpeed and sent it to a security consulting firm for review and penetration testing. Their findings indicate that WebSpeed fails on 5 out of the 10 key OWASP internet security standards being:
Our security consultants are urging us to drop WebSpeed in favour of Java or .NET on the basis these platforms already have all the inbuilt controls that meet 10 OWASP standards.

Has anyone had similar problems?
 

RealHeavyDude

Well-Known Member
Out of experience I can tell you the following: it isn't WebSpeed that is failing but your application built on WebSpeed, because of the way it implements security. Any application built on Java-based web technologies or .NET will be as vulnerable to security threats as your WebSpeed application if the security mechanisms that are provided by the technology are not used the right way.

Most people I know tend to delegate security to technology - but in the real world it is the developers which must use the technology to make an application secure.

Do Java or .NET prevent you from building insecure applications?

I am working for a big Swiss bank. You can imagine that this is one of the most paranoid of paranoid environments to develop applications for. I am so used - and fed up - to arguing with security architects, auditors and whoever thinks he knows it all, because, for sure, they don't know anything about Progress' OpenEdge technology - at least the ones I had to deal with in the past, and they were a lot.

To sum it up: IMHO they tested your application and it was the application that failed on 5 out of 10 OWASP standards - _NOT_ WebSpeed.

But, all of this is strictly IMHO of course.

Heavy Regards, RealHeavyDude.
 

lee.bourne

Member
We have also had our site (written entirely in webspeed) penetration tested. Not once did the security firm suggest that OpenEdge was a risk. All of the things that came up were either related to application design, versions of Apache/OS or SSL certificates.

If your security company really wants to focus on the development tools rather than the application, I wonder if they could tell you how many .NET-specific security patches have been issued by Microsoft over the years compared with WebSpeed and Progress? I'd put money on Microsoft being a bigger target for hackers than Progress.

Lee
 

webguy

Member
We also had to go through this testing for PCI compliance. A lot of these failures have nothing to do with WebSpeed specifically. The cross site scripting, for example, is a coding issue with the page being requested. It's related a lot of times to an action such as a search or form submission that utilizes client side scripting. One way to fix this is to not allow <> in the submission or exclude any term eq to <script>. We received that error on a form. How did I fix it? Well the form was actually calling an ASP script to process the submission. I fixed it by recreating the form processing all in WebSpeed and excluding the ability to enter characters <> or script in the post. If these so-called consultants don't know this they aren't very sharp. Secondly, WebSpeed runs on Java. All of these errors can occur with an ASP or JSP app as well. Who are these consultants, good grief. This is one of the reasons why the bad marketing by Progress hurts their product. Most big consulting companies have never heard of WebSpeed so they make brash stupid comments like you should switch to ASP or Java. We had to go through this with our PCI compliance guy because Progress WebSpeed was not on his company's list of authorized secure app servers.
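The post above describes handling a reflected cross-site-scripting finding on a search/form page by rejecting submissions containing `<`, `>` or the term `<script>`. The following is an added example, not code from the thread or from Progress; it is written in Python rather than WebSpeed ABL, and it assumes a hypothetical search page that echoes the submitted term back into both page text and an input's `value` attribute. It puts the input-rejection rule from the post side by side with HTML output encoding, which is the mitigation the OWASP cross-site-scripting guidance recommends: encoding the value at the point where it is written into HTML neutralises markup characters in every context without rejecting legitimate input that happens to contain `>` or the word "script".

```python
import html

# --- Approach 1: the input-side blocklist described in the post ---------------
# Reject the submission if it contains angle brackets or the word "script".
# This is simple, but it also rejects harmless input ("price > 100",
# "javascript tutorials") and protects only the contexts the author thought of.
def blocklist_rejects(value: str) -> bool:
    """Return True if the submission would be refused by the < > / script rule."""
    return "<" in value or ">" in value or "script" in value.lower()


# --- Approach 2: HTML output encoding at the point of rendering ---------------
# html.escape turns < > & " ' into character references, so whatever the user
# typed is displayed literally and never parsed as markup or as an attribute
# boundary. quote=True is what makes it safe inside a quoted attribute value.
def render_search_result(term: str) -> str:
    """Render the echoed search term into text and attribute context, escaped."""
    safe = html.escape(term, quote=True)
    return (
        f'<p>Results for "{safe}"</p>'
        f'<input type="text" name="q" value="{safe}">'
    )


def contains_raw_markup(rendered: str, term: str) -> bool:
    """True if any markup character from the original term reached the HTML unescaped."""
    # Everything outside the two interpolation points is our own fixed template,
    # so we check by rendering the same template with a neutral term and diffing.
    baseline = render_search_result("x")
    injected = rendered.replace(html.escape(term, quote=True), "x")
    return injected != baseline


# Constructed sample submissions (not real traffic), covering the case in the
# post plus legitimate input that the blocklist would wrongly turn away.
SAMPLE_TERMS = [
    "progress webspeed",       # ordinary query
    "price > 100",             # legitimate, but contains '>'
    "javascript tutorials",    # legitimate, but contains 'script'
    '"quoted" term',           # legitimate, exercises the attribute context
    "<script>x</script>",      # the markup the post mentions
]


def audit(terms=SAMPLE_TERMS) -> dict:
    """For each term report whether the blocklist rejects it and whether encoding kept it safe."""
    report = {}
    for term in terms:
        rendered = render_search_result(term)
        report[term] = {
            "blocklist_rejects": blocklist_rejects(term),
            "encoded_output_safe": not contains_raw_markup(rendered, term),
        }
    return report


if __name__ == "__main__":
    for term, result in audit().items():
        print(f"{term!r:28} blocklist rejects={result['blocklist_rejects']!s:5} "
              f"encoded output safe={result['encoded_output_safe']}")
```

The blocklist is not wrong as a belt-and-braces input check, but on its own it ties safety to guessing every dangerous token while refusing ordinary input; encoding on output is what actually decides whether a value can be interpreted as markup, and the same idea carries over directly to WebSpeed pages that write request values into the HTML they emit.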
 

webguy

Member
Progress does need to upgrade WebSpeed to be HTTP/1.1 compliant and their connections with PCI security standards. It's pretty stupid that they aren't on standard industry lists of compliant app servers.
 