Sage ERP Accpac 6 Security
With version 6, Accpac will still be an on-premise deployed application. Even though Accpac will now be a Web Based application, customers can still deploy it on their LAN and do not need to expose the Accpac application to the greater World Wide Web. By not exposing the application to the Web and keeping it all behind a firewall and/or DMZ, their data will be very safe.
However, more adventurous customers will want to expose Accpac to the Web. They will want employees to be able to log in from home, airports, hotels or on the road, probably from places (like many hotels) where VPN is blocked by a local firewall. They will want their data just as safe as before, but much more accessible. For these customers especially, but really for all customers, we have to do extensive security testing of Accpac to make sure their data is safe. Generally, for security we want to ensure that the service is available, that all transactions are confidential, and that transactions can’t be tampered with.
Accpac will be set up to do all communications through a secure connection called Transport Layer Security (TLS), previously called Secure Sockets Layer (SSL). This is a very secure method to protect the communication between two computers. It prevents people spying on the network from reading or tampering with the information that is transmitted. It also provides a high level of authentication so you know who you are talking to. This does mean that customers will need to purchase a server digital certificate, so that remote clients can ensure they are communicating with the correct service and that an intermediary hasn’t been installed in between (a man-in-the-middle attack).
TLS does not protect the browser’s memory or the browser user interface. Malicious web pages may be able to steal data from our user interface forms (cross-site scripting (XSS) attacks). Bad user input may be able to cause bad side effects by interfering with our business logic (SQL injection attacks). We have to test our software to ensure that the browser side of our web pages is secure and that malicious user input is caught and dealt with.
There are attacks that are outside the scope of our application. If customers don’t follow good practices for maintaining and configuring their servers, then perhaps they can be attacked independently of Accpac. If the customer has malware like a keystroke logger program installed (perhaps by a virus) on their computer, then that program can steal their passwords. These are threats even today with desktop applications. Hence the importance of corporate security practices, like virus checkers and reduced privilege users.
A form of attack that technology can’t solve is the “social engineering” attack: say, someone phoning a customer and persuading them that they are the support department and need the customer’s password for some reason. These types of attacks are usually the easiest and most successful. Some sort of awareness training is required so that employees are aware of these attacks and know never to give out sensitive information like their password over the phone, or via any other means.
Other attacks aren’t intended to steal anything, but just to take your system down. These are denial of service attacks. A hacker could, say, set up hundreds of computers (real or virtual) to make invalid login requests to your web server. None would ever succeed, but the load of rejecting them could make your system unusably slow. Or perhaps they can find a way to crash your web server or application. Then the hacker could blackmail you to make him stop. Or maybe he doesn’t care, and is only doing it because he can. Or maybe a competitor is trying to put you out of business. These are certainly very serious attacks that must be guarded against.
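The invalid-login flood described above looks different in the server log from a single noisy client: no one source exceeds a per-address limit, so the check has to watch the total failure rate as well. The following is an added example, not Accpac code; the log format, thresholds and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

PER_SOURCE_LIMIT = 5   # failures per source per minute (assumed threshold)
GLOBAL_LIMIT = 50      # failures from all sources per minute (assumed threshold)

def parse(line):
    """Parse 'ISO-timestamp source-ip EVENT user=name' (constructed format)."""
    ts, src, event, user = line.split()
    return datetime.fromisoformat(ts), src, event, user.partition("=")[2]

def analyse(lines):
    """Return alerts for noisy single sources and for distributed floods."""
    per_source = Counter()          # (minute, source) -> failures
    sources = defaultdict(set)      # minute -> distinct failing sources
    totals = Counter()              # minute -> failures from everyone
    for line in lines:
        ts, src, event, _user = parse(line)
        if event != "LOGIN_FAIL":
            continue
        minute = ts.replace(second=0, microsecond=0)
        per_source[(minute, src)] += 1
        sources[minute].add(src)
        totals[minute] += 1
    alerts = []
    for (minute, src), n in sorted(per_source.items()):
        if n > PER_SOURCE_LIMIT:
            alerts.append(("single-source", minute.isoformat(), src, n))
    for minute, n in sorted(totals.items()):
        # Many sources, each under the per-source limit, still add up.
        if n > GLOBAL_LIMIT:
            alerts.append(("distributed", minute.isoformat(), len(sources[minute]), n))
    return alerts

def sample_log():
    """Constructed log: normal traffic, one noisy source, then a flood."""
    lines = ["2010-06-01T09:58:10 192.0.2.10 LOGIN_OK user=alice",
             "2010-06-01T09:58:40 192.0.2.11 LOGIN_FAIL user=bob"]
    lines += [f"2010-06-01T09:59:{s:02d} 198.51.100.7 LOGIN_FAIL user=admin"
              for s in range(8)]
    lines += [f"2010-06-01T10:00:{i % 60:02d} 203.0.113.{i} LOGIN_FAIL user=admin"
              for i in range(1, 121)]
    return lines

if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(alert)
```
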
Security testing is fun, because the testers become hackers and have to find ways to break into the software. They get to use new techniques like fuzz testing to find problems (http://www.owasp.org/index.php/Category:OWASP_JBroFuzz). They get to study criminals to learn their techniques to ensure we are safe from them. Security tends to be a journey; hackers are always inventing new techniques to gain access. Often testers will use “hacker” tools downloaded from the Internet to ensure they can’t be used to compromise our application. The testers study the traffic on the wire with tools like Wireshark (http://www.wireshark.org/) to examine all the packets on the network. There are many tools to scan your application and server for vulnerabilities. Source code has to be reviewed and tested to ensure clever user input can’t cause problems from things like SQL injection attacks (http://en.wikipedia.org/wiki/SQL_injection).
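What the source review and input testing described above look for, as an added example that is not Accpac code: the same lookup written with string concatenation and with a bound parameter, run against a short list of hostile inputs. The table, column names and sample rows are hypothetical, and SQLite stands in for the real database.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("1200", "Constructed Customer A"),
                    ("1210", "Constructed Customer B")])
    return db

def lookup_concat(db, customer_id):
    """Vulnerable: user input is pasted into the SQL text."""
    sql = "SELECT id, name FROM customers WHERE id = '" + customer_id + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, customer_id):
    """Hardened: input is bound as a value and never parsed as SQL."""
    sql = "SELECT id, name FROM customers WHERE id = ?"
    return db.execute(sql, (customer_id,)).fetchall()

# Inputs a reviewer or fuzzer would feed to the field. None of them is a
# real customer id, so a correct lookup must return no rows for any of them.
HOSTILE_INPUTS = ["' OR '1'='1", "1200' --", "O'Brien", ""]

def audit(lookup):
    """Return (input, problem) pairs where the lookup misbehaves."""
    db = make_db()
    findings = []
    for value in HOSTILE_INPUTS:
        try:
            rows = lookup(db, value)
        except sqlite3.Error as exc:
            # A stray quote reaching the SQL parser is itself a finding.
            findings.append((value, f"sql error: {exc}"))
            continue
        if rows:
            findings.append((value, f"{len(rows)} row(s) returned"))
    return findings

if __name__ == "__main__":
    print("concatenated:", audit(lookup_concat))
    print("parameterized:", audit(lookup_param))
```
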
Generally, we want to ensure that, when installed properly on a Web server using TLS, Accpac is a very hard-to-crack application. We will need to publish best practices for installing and configuring servers. Generally, newer server operating systems turn everything off by default, so there isn’t much for hackers to latch onto. Mainly it’s up to the operators to ensure that only a minimum of services are installed, that all patches are installed, and that the server logs are monitored for strange activity. Hopefully this will mean that making Accpac available to remote Web users will be fairly easy and safe. But, as always with security, it pays to be vigilant.