General
- Architecture
- Conventions & Policies
- Data Protection
- Free License
- Key Benefits
- Licensing
- Open-Source
- Page Statistics
- Roadmap
- Security
- This Wiki
- Press
  - What the Press Writes About Us
  - V3.4 Press Releases
  - V4.0 Press Releases
  - V5.0 Press Releases
    - V5.0 Press Kit (English)
- Glossary
  - Glossary of ]po[ Terms
- Other
  - Contributors
  - How to write a Success Story
FAQ
Partners
- About Partners
- Abakus
- Access-Business Solutions S.A.
- Ad Axem
- Cogito
- Cosmo Commerce Corp.
- EFEXCON AG
- Elego
- GEDPRO
- Globalme
- Gongolabs
- Integra Consultor�a y Sistemas
- Intelligent Orange
- Konsultex
- KryStone
- LaiKA iT
- Localization to Russian
- Nuvento
- Ociris
- Qabiria
- SPIR-IT
- Sesmic Technologies
- Spazio IT - Soluzioni Informatiche
- Stoquart
- Thiqah
- Webbudget
- Wizentis
- cognov�s
- 株式会社アイティードゥ (ITdo!)
- Material for ]po[ Partner
  - @Marketing Material
  - Customer Types
  - Rollout Plan and Tutorial
Processes
Modules
Packages
Pages & Portlets
Business Intelligence
- Indicators
- Reports
User Tutorials
Installers
Maintenance & Updates
Configuration
Developers
Languages & Localization
- About Languages
- About Localization
- Arabic
- Bulgarian
- Chinese (Simplified)
- Dutch
- English (US)
- French
- German
- Italian
- Japanese
- Localization Terminology
- Polish
- Portuguese (Brazil)
- Russian
- Slovakian
- Spanish (Spain)
- Turkish
- Vietnamese
- Localization Terminologies
  - Dutch
  - Spanish
Integration With Other Tools
PM Methodologies

Security Architecture

]project-open[ features a three layer security architecture that consists of a "Web-Firewall", an "SQL Ejection Database Interface" and an application-level Intrusion Detection System (IDS). None of these layers are usually found in similar Web applications.

image:three-tier-security-architecture.gif

Security

]po[ and its underlying OpenACS platform have been designed from the beginning to operate in the hostile Internet environment. A number of security features allow ]po[ to be run safely with direct access from the Internet:

Parameter Check via “Page Contracts”:
Every Web page in ]po[ contains a “page contract” that checks any values coming from the hostile Internet environment and determines whether they match the defined data type. Page contracts are obligatory, so the developers can't “forget” this check.
In other words, ]po[ includes an integrated Web application firewall.

SQL Injection Blocker:
SQL injection is one of the most common vulnerabilities in Web applications. To avoid such attacks, ]po[ includes a special database driver that transfers parameter values separately from their SQL statement to the database.
Cross-Site Scripting (XSS) Blocker:
The “page contract” mechanism above also acts as a filter against cross-site scripting attacks. By default, no HTML tags are allowed in “string values,” so a developer must explicitly allow for HTML tags. But even “HTML strings” are prevented from containing potentially malicious HTML tags.
Buffer Overflow Protection:
]po[ is written in the TCL programming language, with arbitrary length strings, avoiding buffer overflows. (Buffer overflows are possible in the AOLserver component; however, no such vulnerability has been reported since 2001.)
“Obscure” but Well-Maintained:
The combination of AOLserver and the TCL programming language is not commonly found in the Internet, so a potential hacker will need to expend a considerable amount of criminal energy in order to reverse-engineer the application stack. In addition, this code is very well-maintained: AOLserver is the core of the AOL infrastructure, and OpenACS/]po[ is developed as open-source by senior developers.
Semi-Automatic Security Reviews:
]po[ includes a semi-automatic security checker that identifies weak code and potential security threats.

Together, these features have convinced many ]po[ customers that the benefits from seamless Internet collaboration exceed the potential cost of a security breach. A prominent figure amongst this group includes VAW arvato (Bertelsmann group).

Security Architecture

Security

Contact Us

Project Open Business Solutions S.L.

Links: