This documentation supports the 20.02 version of Remedy Deployment.
To view an earlier version, select the version from the Product version menu.

Understanding security threats and preventing security risks

This topic presents security guidelines to consider when using Remedy Action Request System:


Encryption is supported through the Remedy Encryption products. For information about these products, see Secure AR System data by using Remedy Encryption Security.


Use Secure Sockets Layer (SSL) to encrypt the traffic between the HTTP web server and the browser client. Configuring the environment for SSL support is beyond the scope of the guidance that BMC provides.

Note

Enabling SSL can impact performance due to the extra overhead required to encrypt and decrypt traffic.


HTTP TRACE is enabled by default in many web servers and is intended for debugging. The client sends an HTTP TRACE request with all of its header information, including cookies, and the server simply echoes that same data back in its response.

To prevent cross-site tracing (XST) attacks that use XSS and the HTTP TRACE function, the HTTP TRACE function in the mid tier is disabled by default. To disable the HTTP TRACE function completely, you must also disable HTTP TRACE on the application server hosting the mid tier. For information about how to enable the TRACE function, see HTTP tracing in the mid tier.


To protect against man-in-the-middle (MITM) attacks, enable the HSTS filter (the Strict-Transport-Security response header) in web.xml.


By default, security checks are disabled for data passed through the mid tier by the data visualization model plug-ins. To enable mid-tier security for these plug-ins, add the following option to the config.properties file:

arsystem.plugin_securitycheck=true


To prevent frame phishing vulnerabilities in the mid tier, the mid tier verifies that it is not placed inside a portlet container or displayed in third-party frames or iFrames. If a portlet container, third-party frame, or iFrame is detected, the mid tier automatically disconnects from the object and displays the content in a single window.


When encryption is employed, unsafe key generation, keys that are never rotated, and weak algorithms are common. The use of weak or unsalted hashes to protect passwords is also common.

All sensitive data is encrypted within AR System. All communication between the web browser and the web server can be encrypted by using HTTPS. All communication between the web server and the AR System server can be encrypted by using API encryption.
Starting with version 9.1.02, Remedy AR System also provides a feature for encrypting form field data that is accessed through the REST API. If any form fields contain sensitive data, you can use this property to encrypt the form.


You can add an inclusion list of URLs to be redirected to when you log on to the mid tier and when you log out of the mid tier. An inclusion list of URLs is allowed in the goto request parameter of LoginServlet and LogoutServlet so that the user is automatically redirected to the specified URL.

To add an inclusion list, add the following property in the <midTierInstallDirectory>/WEB-INF/classes/config.properties file:

arsystem.inclusion_goto_urls=http://www.google.com,http://www.microsoft.com,http://<midTierServer>/

Note

The inclusion list must also contain the mid tier's own URL to allow the mid tier to redirect to itself.
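The inclusion list works only if the goto value is compared by parsed scheme and host rather than by string prefix, which is where open-redirect checks usually go wrong. The following is an added example, not BMC's code: it parses a line in the arsystem.inclusion_goto_urls format and decides whether a goto parameter matches an entry. The mid-tier host name in the sample property is a constructed placeholder, and the requirement that the scheme match exactly (an http entry does not admit an https target) is this example's choice, not a statement about the mid tier's behaviour.

```python
"""Added example (not BMC's code): validate a goto redirect target against an
inclusion list written in the arsystem.inclusion_goto_urls property format."""
from urllib.parse import urlsplit

# Constructed sample of the property as it would appear in config.properties.
# midtier.example.invalid stands in for the real mid-tier host name.
SAMPLE_PROPERTY = (
    "arsystem.inclusion_goto_urls="
    "http://www.google.com,http://www.microsoft.com,http://midtier.example.invalid/"
)


def parse_inclusion_list(property_line: str) -> list[tuple[str, str]]:
    """Return (scheme, host) pairs from the comma-separated property value."""
    key, _, value = property_line.partition("=")
    if key.strip() != "arsystem.inclusion_goto_urls":
        raise ValueError("not the inclusion-list property")
    allowed = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"entry is not an absolute http(s) URL: {entry!r}")
        allowed.append((parts.scheme, parts.hostname.lower()))
    return allowed


def is_allowed_goto(goto: str, allowed: list[tuple[str, str]]) -> bool:
    """Decide whether a goto parameter may be used as a redirect target.

    The comparison is on the parsed scheme and host, never on a string prefix,
    so a host that merely starts with a listed name, or a URL that carries the
    listed name in its userinfo part, does not match.
    """
    parts = urlsplit(goto)
    if parts.scheme not in ("http", "https"):
        return False  # also rejects relative paths and protocol-relative //host
    if parts.username or parts.password:
        return False  # listed name placed before '@' is not the host
    host = parts.hostname
    if not host:
        return False
    return (parts.scheme, host.lower()) in allowed


if __name__ == "__main__":
    allowed = parse_inclusion_list(SAMPLE_PROPERTY)
    for candidate in ("http://www.google.com/search?q=remedy",
                      "http://www.google.com.example.net/",
                      "//www.google.com/"):
        print(candidate, "->", is_allowed_goto(candidate, allowed))
```

urlsplit lowercases the scheme itself; the host is lowercased here so that upper-case variants of a listed host still match.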


  • HIPAA compliance is about the business itself and the processes within that organization. A software product by itself cannot be HIPAA compliant, but it can support an organization's HIPAA compliance goal. BMC Remedy AR System provides a number of features that support customers in building HIPAA-compliant processes, for example forced (re-)authentication for approvals and electronic signatures.
  • When used correctly, BMC Remedy AR System and the applications built on it, such as BMC Remedy IT Service Management (ITSM), provide the capabilities a business needs to meet HIPAA guidelines.


Cookies carrying sensitive information can be marked as HttpOnly. Browsers that support this attribute prevent client-side script (JavaScript) from reading such cookies.

The session ID cookie (JSESSIONID) is the only cookie used by BMC Remedy Mid Tier that carries the user's session ID. By default, all session ID cookies are marked as HttpOnly to prevent unauthorized access to them from script.
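Both the HSTS filter and the HttpOnly session cookie show up as response headers, so they can be verified from a captured response. The following is an added example, not BMC's code: it audits a raw HTTP response header block for a Strict-Transport-Security header and for the HttpOnly and Secure attributes on the session cookie. The two response samples are constructed, the cookie name defaults to JSESSIONID (the page names it JSessionID; the comparison is case-insensitive), and the one-year minimum max-age is an assumption of this example.

```python
"""Added example (not BMC's code): audit a captured HTTP response for the HSTS
header and for HttpOnly/Secure on the session cookie."""
from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # assumed minimum HSTS max-age for this audit

# Constructed sample: a response with both protections in place.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=constructed-session-id; Path=/arsys; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/arsys\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Constructed sample: no HSTS header and a session cookie without attributes.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=constructed-session-id; Path=/arsys\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (lower-cased name, value) pairs."""
    head, _, _ = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_response(raw: str, session_cookie: str = "JSESSIONID") -> dict[str, bool]:
    """Report whether the response carries HSTS and protects the session cookie."""
    headers = parse_headers(raw)
    findings = {
        "hsts_present": False,
        "hsts_max_age_ok": False,
        "session_cookie_seen": False,
        "session_cookie_httponly": False,
        "session_cookie_secure": False,
    }
    for name, value in headers:
        if name == "strict-transport-security":
            findings["hsts_present"] = True
            findings["hsts_max_age_ok"] = hsts_max_age(value) >= ONE_YEAR
        elif name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                if cookie_name.lower() == session_cookie.lower():
                    findings["session_cookie_seen"] = True
                    # SimpleCookie stores flag attributes as True when present
                    findings["session_cookie_httponly"] = bool(morsel["httponly"])
                    findings["session_cookie_secure"] = bool(morsel["secure"])
    return findings


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_response(sample))
```

The audit reads a single response; a browser only honours Strict-Transport-Security when it arrives over HTTPS, so the header should be checked on the HTTPS response, not on a plain-HTTP redirect.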


A TLS variant of the POODLE vulnerability has been reported. For more information, see https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls. A critical vulnerability for this issue has been reported on F5 load balancers, which appear to be affected by TLS POODLE. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730.

If you are using an F5 load balancer, it is important to apply the F5 hotfix. If you are using any other load balancer, confirm with your vendor whether it is affected by the TLS POODLE vulnerability and obtain a hotfix. For more information, see https://www.imperialviolet.org/2014/12/08/poodleagain.html, which lists other load balancer vendors affected by this vulnerability.

Use the SSL Labs SSL Server Test tool at https://www.ssllabs.com/ssltest/ to check your server for SSL-related vulnerabilities.

Related topic

Cookies used by BMC Remedy Mid Tier
