This documentation applies to the 8.0 version of Remedy Action Request System, which is in "End of Version Support."


Security assessments

This topic highlights the IBM Rational AppScan automated assessment process for web application security that BMC implements for the BMC Remedy AR System. It also provides a list of security protections that BMC provides to mitigate against vulnerabilities outlined in the Open Web Application Security Project (OWASP) Top Ten list.

Note

The IT environment and network infrastructure in which your AR System runs must be properly secured and include standard IT network security tools and systems such as firewalls and intrusion detection systems (IDS).

System architecture

The AR System architecture is multi-tiered; it consists of a Presentation layer, a Logic layer, and a Data layer as shown here.

AR System security architecture diagram

Presentation layer

The Presentation layer consists of the web browser client connected to the mid tier with Secure Sockets Layer (SSL) encryption. You must implement SSL to secure the connection between the browser and the web server. BMC supports any SSL version that is supported by the HTTP web services vendors listed in the BMC Remedy AR System Compatibility Matrix (see Checking system requirements and supported configurations).

Logic layer

The Logic layer includes instances of a mid tier, a JavaServer Pages (JSP) engine, a web server, and the AR System server. The JSP engine and accompanying servlets provide dynamically generated HTML and XML documents in response to web client requests. The mid tier installer includes and can automatically install a bundled version of the Tomcat web server.

The mid tier translates client requests, interprets responses from the AR System server, handles web service requests, and runs the server-side processes that present AR System functionality to the client. The server executes the workflow and business logic that define all AR System applications. Because all AR System clients are API-based, turning on encryption ensures that all interactions with the server are encrypted.

Data layer

The Data layer consists of one or more databases, which perform data storage and retrieval functions. The AR System server connects to the Data layer using database client API libraries. The server can work with the database encryption libraries used to protect data that is transmitted between the server and database.

AppScan test results

BMC uses IBM Rational AppScan, a Web 2.0 security assessment tool, as an integrated part of the software development life cycle (SDLC). By performing a wide range of early detection testing, BMC identifies and fixes or mitigates vulnerabilities before they become security risks.

AppScan provides issue severity levels and detailed descriptions as well as advisories and issue solution recommendations for potential security risks related to AR System components. BMC uses this data to investigate and proactively resolve security issues. See the Security section for information about securing your system.

A sample AppScan results page is shown here.

Sample AppScan test result window

This table lists the AppScan version 7.8 test results. No high-severity vulnerabilities were detected in the current version of the AR System mid tier.

AppScan test result details

AR System Servlet

Test Result

AdminServlet

No vulnerabilities were detected.

ApplicationServlet

False positives were reported. To return an identical error message for every failed login attempt, set the Display-General-Auth-Message flag in the ar.cfg file. Setting this flag ensures that the same message is returned to the mid tier client, which displays it to the user.

ApplicationServletWithLoginParameter

No vulnerabilities were detected.

arsys

No vulnerabilities were detected.

AttachServlet

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user.

BackChannelServlet

No vulnerabilities were detected.

BMCBorderServlet

No vulnerabilities were detected.

BOViewerServlet

No vulnerabilities were detected.

download

No vulnerabilities were detected.

EngineServlet

No vulnerabilities were detected.

FBImageServlet

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user. Also, to return an identical error message for every failed login attempt, set the Display-General-Auth-Message flag in the ar.cfg file. Setting this flag ensures that the same message is returned to the mid tier client, which displays it to the user.

FlashboardPlugin

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user.

forms

No vulnerabilities were detected.

HomeServlet

No vulnerabilities were detected.

Imagepool

No vulnerabilities were detected.

ImageServlet

No vulnerabilities were detected.

LicenseReleaseServlet

No vulnerabilities were detected.

LoginServletWithParameter

No vulnerabilities were detected.

LoginServlet

No vulnerabilities were detected.

LogoutServlet

No vulnerabilities were detected.

NotFoundServlet

No vulnerabilities were detected.

OverrideServlet

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user.

PluginEventServlet

No vulnerabilities were detected.

preview

No vulnerabilities were detected.

ProtectedWSDLServlet

No vulnerabilities were detected.

PublicApplicationServlet

No vulnerabilities were detected.

PublicWSDLServlet

No vulnerabilities were detected.

RedirToFedSrvServlet

No vulnerabilities were detected.

ReportPlugin

False positives were reported. To return an identical error message for every failed login attempt, set the Display-General-Auth-Message flag in the ar.cfg file. Setting this flag ensures that the same message is returned to the mid tier client, which displays it to the user.

ReportPluginWithReportName

False positives were reported. To return an identical error message for every failed login attempt, set the Display-General-Auth-Message flag in the ar.cfg file. Setting this flag ensures that the same message is returned to the mid tier client, which displays it to the user.

ReportSetupServlet

No vulnerabilities were detected.

ResourceServlet

No vulnerabilities were detected.

SetupServlet

No vulnerabilities were detected.

SharedLogin

No vulnerabilities were detected.

SharedResourceServlet

No vulnerabilities were detected.

UTF8Encoder

No vulnerabilities were detected.

ViewerFilter

No vulnerabilities were detected.

ViewFormServletPOST

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user.

ViewFormServletQuery

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user.

ViewFormServletSubmit

No vulnerabilities were detected.

ViewFormServletSubmitWithParameter

False positives were reported. AR System does not accept externally created session identifiers. The session ID (JSESSIONID) is created by Tomcat and changed after user authentication: a new session is created for the authenticated user.

WebcontentBirt

False positives were reported. To return an identical error message for every failed login attempt, set the Display-General-Auth-Message flag in the ar.cfg file. Setting this flag ensures that the same message is returned to the mid tier client, which displays it to the user.

WebSvcEncryptor

No vulnerabilities were detected.
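The two justifications that recur in the table, one general authentication failure message for every failed login and session IDs that are minted by the server and replaced at login, are illustrated below in an added Python example. It is not BMC's code and does not show how the mid tier or Tomcat implement these internally; the credential store, salt, message text and session table are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example (not AR System's user
# database or hash format): username -> hex digest of salt + password.
_SALT = b"example-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
# Digest compared against when the user is unknown, so that both failure
# paths do the same amount of work and take about the same time.
_DUMMY = hashlib.sha256(_SALT + b"unused").hexdigest()

GENERAL_AUTH_MESSAGE = "Authentication failed"


def authenticate(username, password, general_message=True):
    """Return (ok, message).

    With general_message=True every failure yields the same text, which is
    the behaviour the Display-General-Auth-Message flag gives the mid tier
    client. With general_message=False the distinct "unknown user" and
    "wrong password" texts are returned instead, which is exactly what a
    scanner reports as a user-enumeration finding.
    """
    stored = _USERS.get(username, _DUMMY)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    ok = hmac.compare_digest(stored, candidate) and username in _USERS
    if ok:
        return True, "OK"
    if general_message:
        return False, GENERAL_AUTH_MESSAGE
    return False, "Unknown user" if username not in _USERS else "Incorrect password"


class SessionStore:
    """Minimal server-side session table with the two properties the table
    relies on: a client-proposed ID is never honoured, and the ID is
    replaced when the user authenticates."""

    def __init__(self):
        self._sessions = {}

    def begin(self, requested_id=None):
        # Whatever ID the client proposes is ignored (so a pre-chosen ID can
        # never be fixed onto a victim); the server mints its own.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate within session `sid`; on success return a NEW session ID."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        ok, message = authenticate(username, password)
        if not ok:
            return sid, message
        # Drop the pre-authentication session and create a fresh one for
        # the authenticated user, as the table describes for Tomcat.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid, message

    def user_for(self, sid):
        record = self._sessions.get(sid)
        return record["user"] if record else None
```

In the real deployment the general message is switched on in ar.cfg with the flag named in the table (ar.cfg boolean options take a T/F value, so `Display-General-Auth-Message: T`); the session behaviour needs no configuration because the mid tier never accepts an externally supplied JSESSIONID.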

OWASP Top Ten: AR System protections

Using AppScan, BMC specifically tests for vulnerabilities identified in the Open Web Application Security Project (OWASP) Top Ten list. Security risks identified by OWASP and AR System protections are listed and described in the following table.

AR System protections against the OWASP Top Ten

Sample risk

OWASP description

AR System protections

Injection

Attackers trick a process into calling external processes of their choice by injecting control-plane data into the data plane. Command injection has two forms:

  • An attacker changes the command that the program executes, explicitly redefining the command.
  • An attacker changes the environment in which the command executes, implicitly redefining the command.

To prevent command injection, AR System disables server-side scripting.
To prevent JavaScript and SQL injection, AR System:

  • Encloses all dates in quotes and escapes all quotes.
  • Uses filters for escape characters.
  • Provides strong types for user-supplied fields.
  • Checks for type constraints.
  • Secures variables with strong types and validation.
  • Sets security privileges on the database to the least required.

To prevent blind SQL injection, AR System properly filters escape characters.
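The SQL-side protections listed above (a declared type for every user-supplied field, type checks before a value is used, dates enclosed in quotes with embedded quotes escaped) are shown working together in this added Python example against an in-memory SQLite table. It is not AR System's query builder; the field names, schema and rows are constructed for the example, and a parameterized variant is included for comparison because that is how a new application would normally keep data and SQL apart.

```python
import re
import sqlite3
from datetime import date

# Constructed schema for the example (hypothetical field names, not AR
# System's): each user-supplied field has a declared type that is enforced
# before any SQL text is assembled.
FIELD_TYPES = {"ticket_id": int, "status": str, "created": date}


def coerce(field, raw):
    """Apply the field's type constraint to a raw request parameter.

    Raises ValueError for a field outside the allowlist or a value that is
    not of the declared type, so a payload never reaches the query builder.
    """
    if field not in FIELD_TYPES:
        raise ValueError(f"unknown field {field!r}")
    kind = FIELD_TYPES[field]
    if kind is int:
        if not re.fullmatch(r"[0-9]{1,10}", raw):
            raise ValueError(f"{field} must be an integer")
        return int(raw)
    if kind is date:
        return date.fromisoformat(raw)  # anything but YYYY-MM-DD is rejected
    return raw  # free text: quoted and escaped below


def quote_literal(value):
    """Enclose a text or date value in single quotes, doubling any embedded quote."""
    text = value.isoformat() if isinstance(value, date) else str(value)
    return "'" + text.replace("'", "''") + "'"


def build_query(field, raw):
    """Build the SELECT with the value validated, then quoted and escaped."""
    value = coerce(field, raw)
    literal = str(value) if isinstance(value, int) else quote_literal(value)
    return f"SELECT ticket_id, summary FROM tickets WHERE {field} = {literal}"


def lookup(conn, field, raw):
    return conn.execute(build_query(field, raw)).fetchall()


def lookup_parameterized(conn, field, raw):
    """Same lookup with a bound parameter: the driver keeps the value out of
    the SQL text, so no escaping is needed; the type check still applies."""
    value = coerce(field, raw)
    if isinstance(value, date):
        value = value.isoformat()
    return conn.execute(
        f"SELECT ticket_id, summary FROM tickets WHERE {field} = ?", (value,)
    ).fetchall()


def sample_db():
    """Constructed in-memory data set for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (ticket_id INTEGER, summary TEXT, status TEXT, created TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?, ?)",
        [
            (1, "Printer offline", "Closed", "2024-05-01"),
            (2, "VPN drops", "New", "2024-05-02"),
            (3, "Password reset", "Closed", "2024-05-02"),
        ],
    )
    return conn
```

Note that the column name is also interpolated into the SQL text, which is only safe because `coerce` rejects any field that is not in `FIELD_TYPES`; the allowlist is doing the same job for identifiers that quoting does for values.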

Cross-Site Scripting (XSS)

Attackers can make a single request to a vulnerable server that causes the server to create two responses. The second response might be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server.

All user-supplied HTML special characters are encoded into character entities, thereby preventing them from being interpreted as HTML.
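The entity encoding described in this row is shown below as an added Python example, not the mid tier's own encoder: every HTML special character in a user-supplied value is replaced before the value is placed in either element content or a quoted attribute, and a small helper lists the tags a parser would actually see in the result so the effect can be checked.

```python
import re

# Entity mapping applied to every user-supplied value before it is placed
# in HTML. The five characters cover both element-content and
# double- or single-quoted attribute contexts.
_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def encode_html(text):
    """Replace HTML special characters with character entities so a browser
    renders the value as text instead of parsing it as markup."""
    return "".join(_ENTITIES.get(ch, ch) for ch in text)


def render_summary_cell(summary):
    """Place a user-supplied ticket summary (constructed example data) both
    in a quoted attribute and in element content, encoding it in each."""
    safe = encode_html(summary)
    return f'<td title="{safe}">{safe}</td>'


def tag_names(fragment):
    """Tag names an HTML parser would see in the fragment; used to confirm
    that only the tags the template itself emits are present."""
    return re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", fragment)
```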

Broken Authentication and Session Management

Attackers can bypass authentication mechanisms if credentials do not accompany every request.

All requests contain credentials. The mid tier does not use cookies. It uses a cache ID in the URL and controls the user role (such as the Admin role).
AR System uses web server session management to store AR System authentication into the HTTPS session.

Insecure Direct Object References

Attackers force the return of sensitive information instead of non-sensitive information that would be returned normally.

All object references are subject to permissions enforced by the AR System server.

Cross-Site Request Forgery (CSRF)

Using this technique, attackers make victims perform actions that they did not intend to, such as logging out, purchasing items, or other functions provided by the vulnerable website. The victim's browser is tricked into issuing a command to a vulnerable web application.
The vulnerability is caused by browsers automatically including user authentication data such as a session ID, IP address, or Microsoft Windows domain credentials with each request.

The AR System disables web server scripting in the mid tier.
In addition, logic that runs processes on the AR System server is restricted by the AR System permissions model, and processes that may be run are restricted to specific directories on the server.

Security Misconfiguration

This attack involves exploiting insecure configurations.

AR System configuration guidelines ensure secure operation. For example, AR System restricts user access to directories required for user operations, and AR System validates all user input.

Insecure Cryptographic Storage

The most common flaw in this area is simply not encrypting data that deserves encryption.
When encryption is employed, unsafe key generation, non-rotating keys, and weak algorithm usage are common. The use of weak or unsalted hashes to protect passwords is also common. External attackers have difficulty detecting such flaws due to limited access.

All sensitive data is encrypted within AR System.
All communication between the web browser and the web server can be encrypted using HTTPS.
All communication between the web server and the AR System server can be encrypted using API encryption.

Failure to Restrict URL Access

Attackers may access pages beyond the login page without authorization.

All access to AR System pages requires authorization from the AR System server.

Insufficient Transport Layer Protection

Attackers may intercept unprotected network traffic if only SSL or TLS is used during authentication.

AR System uses transport layer security and digital signatures to perform end-to-end validation after a connection is made to an endpoint.
FIPS-compliant Performance and Premium Encryption add-on components are provided for additional cryptographic protection among AR System components.

Unvalidated Redirects and Forwards

Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.

All AR System parameters are validated and authenticated against user credentials.
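Validating a redirect target before honouring it, the protection this last row relies on, is shown below as an added Python example. It is not the mid tier's code; the landing page, the allowed path prefix and the sample targets are constructed, and the check is written to cover the usual edge cases (absolute and protocol-relative URLs, non-HTTP schemes, backslashes and control characters that browsers may normalise into a host, and dot segments that walk out of the application path).

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed values for the example; AR System's real landing page and
# path layout are not taken from the page.
DEFAULT_LANDING = "/arsys/home"
ALLOWED_PREFIXES = ("/arsys/",)


def safe_redirect_target(raw, default=DEFAULT_LANDING):
    """Return `raw` only if it is a relative path inside the application;
    otherwise fall back to the default landing page.

    The parameter is treated as untrusted input: nothing in it is allowed
    to choose a host, a scheme, or a path outside ALLOWED_PREFIXES.
    """
    # Control characters and backslashes are rejected outright: some
    # browsers rewrite "\" as "/" and strip control characters before
    # parsing, which can turn a "relative" value into a remote URL.
    if not raw or any(ord(ch) < 0x20 or ch == "\\" for ch in raw):
        return default
    parts = urlsplit(raw)
    # Any scheme (https:, javascript:, ...) or host (//evil.example) is out.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Resolve "." and ".." so the prefix check sees the effective path.
    path = posixpath.normpath(path)
    if not any(path == p.rstrip("/") or path.startswith(p) for p in ALLOWED_PREFIXES):
        return default
    # Rebuild from the validated parts only; the fragment is dropped.
    return urlunsplit(("", "", path, parts.query, ""))
```

A rejected value falls back to the landing page rather than raising, which is the usual choice for a redirect parameter: the user still lands somewhere sensible, and the rejected value can be logged by the caller for detection purposes.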
