Security
Principles
- There is only one outgoing Internet connection in the application: the link to the application web site in Problem handling
- User input is filtered of dangerous (HTML-unsafe) characters
- No third-party libraries (only platform standard libraries)
- No third-party database engine or query language
- Access control (login password) is available but not enforced
- Data encryption is available but not enforced
- For maximum security, enable both the login password and data encryption in Settings
-
Windows only:
- The UI runs in the browser, but the web server is embedded in the local application
- The web server binds only to 127.0.0.1 (loopback); the address is hard-coded in the application and cannot be changed, so the UI is never reachable from another machine
- The default port is 8480; it can be changed in the application console or in Settings
- HTTP requests are validated with randomly generated tokens carried in the URL, so a request without the current token is not served (this is what stops other web pages open in the same browser from driving the local server)
Analysis of the OWASP Top 10 (2021) threats
-
A01:2021-Broken Access Control
- One user on personal devices; no multi-user access control needed (the optional login password covers the case of a shared device)
-
A02:2021-Cryptographic Failures
- No data transfer over the internet
- Backups placed in the user's own cloud service account can be encrypted
- The cryptographic algorithms in use are current standard ones, with key sizes adequate against present-day computing power
- The login password is stored only in securely encrypted form, never in plain text
- Designed risk: the data encryption model is a deliberate compromise between security and ease of use (encryption is optional, see Settings)
-
A03:2021-Injection
- No SQL or other database query language is used, so there is no query injection surface
- User input is filtered of HTML-unsafe characters before it is rendered in the browser UI
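The filtering claim above is worth pairing with a worked check. The block below is an added example, not the application's own code: it builds a hypothetical character filter of the kind the page describes, places filtered input into three HTML contexts, and uses the standard-library HTML parser to show which context still lets injected markup through. The filter, the templates and the sample inputs are all constructed for this example; the page does not show the application's real filter or templates.

```python
"""Added example, not the application's own code: why stripping HTML-unsafe
characters from user input is only half of the defence against HTML injection.

The filter, the templates and the sample inputs are constructed for this
example; the page does not show the application's real filter or templates."""
import html
import re
from html.parser import HTMLParser

# Hypothetical character filter of the kind the page describes.
DANGEROUS = re.compile(r'[<>&"\']')


def strip_dangerous(text: str) -> str:
    """Drop the characters an HTML parser treats as markup."""
    return DANGEROUS.sub("", text)


def escape_for_html(text: str) -> str:
    """Encode instead of drop: the user keeps what they typed, the browser
    never parses it as markup (quote=True also covers attribute values)."""
    return html.escape(text, quote=True)


# Three ways a note title could be placed into the page.
def render_title_unquoted(user_text: str) -> str:
    # Unquoted attribute: the filtered text still contains spaces and '=',
    # which is all that is needed to smuggle in an attribute of one's own.
    return f"<div title={strip_dangerous(user_text)}>note</div>"


def render_title_quoted(user_text: str) -> str:
    # Quoted attribute plus escaping: the whole input stays inside the value.
    return f'<div title="{escape_for_html(user_text)}">note</div>'


def render_body(user_text: str) -> str:
    # Element content: escaping turns '<' into '&lt;', so no tag is created.
    return f"<p>{escape_for_html(user_text)}</p>"


class _Collector(HTMLParser):
    """Parse a fragment the way a browser would and record what it sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parsed_tags(fragment: str) -> list:
    """Tag names the parser creates from the fragment."""
    c = _Collector()
    c.feed(fragment)
    c.close()
    return c.tags


def parsed_attributes(fragment: str) -> list:
    """Attribute names the parser creates from the fragment."""
    c = _Collector()
    c.feed(fragment)
    c.close()
    return c.attrs


if __name__ == "__main__":
    # Constructed sample inputs (not real data).
    title = "x onmouseover=alert(1)"          # passes the character filter untouched
    body = "<img src=x onerror=alert(1)>"     # classic markup injection attempt
    print(parsed_attributes(render_title_unquoted(title)))  # ['title', 'onmouseover']
    print(parsed_attributes(render_title_quoted(title)))    # ['title']
    print(parsed_tags(render_body(body)))                   # ['p']
```

The point for this A03 entry: removing characters protects element content and quoted attributes, but an unquoted attribute needs no special characters at all to be extended. Quoting every attribute and escaping (rather than deleting) on output is the check that closes that gap, and escaping also preserves the characters the user actually typed.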
-
A04:2021-Insecure Design
- Only one outgoing internet connection, and it is initiated by the user
- Cloud backups go to the user's own account
- The Windows HTTP UI is secure by design: loopback-only binding and token-validated requests
- Designed risk: the proprietary database is open to modification by the user to give maximal flexibility, trading data integrity guarantees for that flexibility
-
A05:2021-Security Misconfiguration
- Single-user application
- The UI cannot be exposed to the internet: the embedded server listens on 127.0.0.1 only
- Only one port is open on the embedded HTTP server
- No third-party libraries used (platform standard libraries excluded)
- Designed risk: access control is not enforced; it must be enabled by the user
-
A06:2021-Vulnerable and Outdated Components
- Programmed with platform standard libraries only
- No third-party libraries used, so component updates arrive through platform updates
-
A07:2021-Identification and Authentication Failures
- One user on personal devices
- No internet-facing login
- A delay is imposed after a failed login attempt, which slows down password guessing
- Designed risk: password strength and safekeeping are the user's responsibility
-
A08:2021-Software and Data Integrity Failures
- Installed through the standard platform installation mechanism
- Updated through the standard platform update mechanism
-
A09:2021-Security Logging and Monitoring Failures
- Single-user application: no audit trail needed
- Logging is used only for problem handling
- Logging is controlled by the user
- All logging is local
- Designed risk: bug reports are sent by email, so the user should check a report for sensitive content before sending it
-
A10:2021-Server-Side Request Forgery
- No internet access from the application, so there is no server-side request to forge
- Windows HTTP UI URLs are validated through random tokens
- The Windows embedded HTTP server is hard-coded to IP 127.0.0.1
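The Windows-only section and this A10 entry describe the same mechanism: an embedded web server hard-coded to 127.0.0.1 that validates every request URL with a random token. The block below is an added example of that design, not the application's own code. The loopback address and the default port 8480 are taken from the page; the query parameter name "token", the Host header check and everything else are assumptions made here.

```python
"""Added example, not the application's own code: a loopback-only embedded web
server whose every request must carry a randomly generated token, the design
described in the Windows-only section and in the A10 entry.

Assumptions not taken from the page: the token travels as the query parameter
"token", and the Host header is checked as a second line of defence. The
default port 8480 and the hard-coded 127.0.0.1 address are from the page."""
import hmac
import secrets
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

LOOPBACK = "127.0.0.1"   # hard-coded on purpose, never read from configuration
DEFAULT_PORT = 8480      # the port is the only thing the user may change


def new_token() -> str:
    """256 bits from the OS CSPRNG, regenerated on every application start."""
    return secrets.token_urlsafe(32)


def is_authorized(request_target: str, expected_token: str) -> bool:
    """Accept the request only if the URL carries exactly one token and it
    matches; compare in constant time so timing cannot leak the token."""
    presented = parse_qs(urlsplit(request_target).query).get("token", [])
    if len(presented) != 1:
        return False
    return hmac.compare_digest(presented[0].encode(), expected_token.encode())


def host_is_loopback(host_header) -> bool:
    """Reject requests whose Host header names anything but the local
    address: a page served from an attacker's domain that rebinds its name
    to 127.0.0.1 (DNS rebinding) still sends its own domain as Host."""
    if not host_header:
        return False
    host = host_header.rsplit(":", 1)[0].lower()
    return host in {"127.0.0.1", "localhost"}


def make_handler(token: str):
    """Build a request handler bound to this process's token."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not (host_is_loopback(self.headers.get("Host"))
                    and is_authorized(self.path, token)):
                self.send_error(HTTPStatus.FORBIDDEN)
                return
            body = b"<!doctype html><title>local UI</title><p>local UI</p>"
            self.send_response(HTTPStatus.OK)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # logging stays a user decision (see A09); keep the console quiet

    return Handler


def start_server(token: str, port: int = DEFAULT_PORT) -> HTTPServer:
    """Bind to the loopback address only and serve on a background thread."""
    server = HTTPServer((LOOPBACK, port), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    token = new_token()
    server = start_server(token)
    print(f"open http://{LOOPBACK}:{server.server_port}/?token={token}")
    try:
        threading.Event().wait()        # keep the process alive until Ctrl-C
    except KeyboardInterrupt:
        server.shutdown()
```

Because the token is part of the URL, as the page says, the browser's history will contain it; generating a fresh token on every start (new_token) bounds that exposure to the current session. The Host check is a cheap addition: a malicious page that rebinds its own domain name to 127.0.0.1 can reach the port, but it still sends its own domain in Host and does not know the token, so both checks fail for it.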