Stephen Smith's Blog

All things Sage 300…

SaaS and Security


As we develop the web-based version of Accpac, we are having to develop a lot of knowledge about hacking and web-based security exploits. Learning about these things is very interesting but also very eye-opening and scary. Once you expose your application to the web, you are definitely in a different world.

We currently offer an on-line version of Accpac through, but here we are using Citrix server and relying on Citrix and Microsoft to protect us. You first have to log in to a Windows domain and then these services provide the secure connection. Of course we do have to be vigilant and make sure all security patches are installed promptly. We also have to keep auditing our server configurations to ensure they are secure. We have to ensure that only the minimum set of services that could be exploited is running. We have to ensure that a pissed off user can only damage their own data, and things of that nature.

Once we leave the comfort of the Citrix/Windows Domain world and expose our log-in page as the first line of defense, we are in a very different world. We now take on responsibility for a new level of security, where all the previous threats still exist, but now there are a great many more. It will be the hacker living in their parents' basement patiently staying up all night trying to get past our login screen; patiently probing and trying to find any crack that can be exploited; putting together many disparate bits of information to learn how to get past our security.

We now need to deal directly with denial of service (DoS), SQL injection, cross-site scripting (XSS) and many other forms of attack. We have to train our QA department to be hackers: how to think like hackers and how to probe our software to find these cracks before the black hat hackers do. Our programmers have to be vigilant about the security concerns in everything they do.

Certainly this is going to be a very challenging journey, but a very rewarding one. The challenges are unique and interesting. It certainly adds an extra dimension to software development: beyond just getting the functionality correct (challenging enough), the software has to be both correct and secure.

Written by smist08

February 28, 2009 at 6:35 pm

Posted in Security

5 Responses


  1. Stephen,

    This is an interesting blog article from you.

    I believe Accpac 6.0 will be falling in line with so-called “cloud computing”.

    When your team works on the ways to protect and fight the threats, how does the new technology and architecture help a consultant hired to do Post Implementation Audits (PIA) or System Audit?

    How do you think the organizations should be prepared to redraft their IT Policies on the pages relating to the Business Application?

    Sundaresan Ramanathan

    November 17, 2009 at 2:23 pm

  2. Many companies will keep their deployment local and not expose it to the internet; for them there won’t be any changes. People who are exposing their system to the Internet will have to follow a set of best practices to ensure they remain secure. It isn’t a one-time thing, since they will have to be vigilant in monitoring the system and installing security updates to all their software.


    November 19, 2009 at 2:55 am

  3. Stephen,

    Just to add a few more words along the lines of my previous post.

    I was having a meeting with Ernst & Young representatives yesterday, who happen to be playing the role of QA and Post Implementation Audit of our Sage Accpac ERP roll out.

    I also believe the internal audit team is preferring a system audit a little later from now. It becomes difficult to generate the requirements of PIA / System Audit without tools or files from the system, except one or two like system diagnostic files. The project documents and custom reports help a little here.

    While I know that Sage Accpac satisfies the compliance and reporting requirements of IFRS, GAAP, etc., is there any help to satisfy the PIA & System Audit? How do you think we can take up questions if they come along the lines of applicable standards / procedures of BS or ITIL?

    Sundaresan Ramanathan

    November 19, 2009 at 8:15 pm

  4. Probably a good idea, I’ll pass the suggestion on to Product Management.


    November 20, 2009 at 3:01 am

  5. Hi Stephen,

    Thanks and appreciate the attention paid.

    Sundaresan Ramanathan

    November 20, 2009 at 6:07 am
