This documentation supports the 20.02 version of Remedy Deployment.

WhiteHat Sentinel PE security penetration testing

Remedy AR System 20.02 and Remedy IT Service Management (ITSM) 20.02 use the WhiteHat Sentinel Premium Edition (WhiteHat Sentinel PE) service, a dynamic application security tool (DAST), for security penetration testing. By performing security penetration testing, BMC can identify whether applications are vulnerable to web attacks and implement the required countermeasures to reduce vulnerabilities.

As of February 21, 2020, Remedy AR System 20.02 and Remedy ITSM 20.02 do not have any security penetration vulnerabilities.

BMC schedules automated security scans with WhiteHat Security for the following Remedy components:

  • Remedy AR System
  • BMC CMDB
  • Remedy ITSM Application (includes BMC Service Request Management and BMC Service Level Management)
  • Remedy Smart Reporting
  • Remedy with Smart IT

Automated scans are augmented by manual penetration tests performed by WhiteHat security experts. After the tests are completed, BMC receives vulnerability assessment reports. For more information about WhiteHat Sentinel, see https://www.whitehatsec.com/


Test environment

The table below lists each component with its server specifications, whether a VM was used, and the operating system.

Component: Remedy Mid Tier 20.02; Remedy Single Sign-on 20.02
  • Server specifications: 4 CPUs (Intel® Xeon® CPU E7 4870 @ 2.40 GHz), 16 GB RAM, 100 GB drive for Remedy applications
  • VM used? Yes
  • Operating system: CentOS release 7.4.17, Adapt JDK 11.0.5

Component: Remedy AR System 20.02; Remedy ITSM 20.02
  • Server specifications: 4 CPUs (Intel® Xeon® CPU E7 4870 @ 2.40 GHz), 16 GB RAM, 100 GB drive for Remedy applications
  • VM used? Yes
  • Operating system: CentOS release 7.4.17, Adapt JDK 11.0.5

Component: Remedy Smart Reporting 20.02
  • Server specifications: 4 CPUs (Intel® Xeon® CPU E7 4870 @ 2.40 GHz), 16 GB RAM, 100 GB drive for Remedy applications
  • VM used? Yes
  • Operating system: CentOS release 7.4.17, Adapt JDK 11.0.5

Component: Remedy with Smart IT
  • Server specifications: 4 CPUs (Intel® Xeon® CPU E7 4870 @ 2.40 GHz), 16 GB RAM, 100 GB drive for Remedy applications
  • VM used? Yes
  • Operating system: CentOS release 7.4.17, Adapt JDK 11.0.5

WhiteHat security vulnerability tests

As of February 21, 2020, WhiteHat Security has run 90 automated security scans of Remedy AR System 20.02 and Remedy ITSM 20.02. WhiteHat Security performs manual testing by further exploring areas found during the automated testing.

WhiteHat Security employs the following types of tests during the security testing:

  • Authentication tests (brute force, insufficient authentication, weak password recovery, cross-site request forgery, credential/session prediction, insufficient authorization, insufficient session expiration, session fixation)
  • Client-side attack tests (content spoofing, cross-site scripting, HTTP response splitting)
  • Command execution tests (buffer overflow, format string attack, LDAP injection, OS commanding, SQL injection, server-side include injection, XPath injection)
  • Information disclosure tests (directory indexing, information leakage, path traversal, predictable resource location)
  • Logical attack tests (abuse of functionality, denial of service, insufficient anti-automation, insufficient process validation)

For more information about WhiteHat Security, see the website security statement for WhiteHat Security.

WhiteHat PCI compliance testing

WhiteHat also tests for compliance with the Payment Card Industry Data Security Standard (PCI-DSS Version 3.2), which requires that web applications be built to secure coding guidelines and be subject to routine vulnerability checks. The following categories of PCI tests are employed:

  • Injection flaws
  • Buffer overflow
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Improper Error Handling
  • Cross Site Scripting
  • Improper Access Control
  • Cross Site Request Forgery
  • Broken Authentication and Session Management

WhiteHat reports

For more information about the WhiteHat Sentinel PE tests that were used and the results (zero technical and business-logic vulnerabilities), see the following reports:

BMC and WhiteHat Security continually run tests as BMC augments the environment or adds new security tests.

Restricting attachments by using Attachment Security

BMC used the Attachment Security feature, which helps prevent users from uploading malicious attachments and viewing them in BMC Remedy Mid Tier. BMC allowed only the following attachment extensions for attachment uploads:

  • .txt
  • .png
  • .jpg

To restrict attachments, BMC used the following procedure to make the changes to the Attachment Security tab of the AR System Administration: Server Information form:

  1. Select the following options:
    • Allow attachments with following extensions option in the Attachment criteria field
    • Allow display of attachments with the following extensions option in the Display criteria field
  2. Define the list of attachment extensions (.txt, .png, .jpg) in the Comma separated list of limit extensions and Comma separated list of display extensions fields.
  3. Click Apply.

For additional information about how to restrict attachments, see Setting security restrictions on file uploads.
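The allow-list behaviour configured above, as an added illustration (not AR System's own code): the extension check normalises the filename the way a server-side filter must, and adds a content-signature check that the Attachment Security feature itself is not described as performing. The magic-byte table and the assumption that the feature filters on extension alone are mine.

```python
import os

# Extensions BMC allowed in the Attachment Security tab (from the page).
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg"}

# Constructed signature table for the extra content check; the AR System
# feature itself only filters on the extension (assumption about its behaviour).
MAGIC_BYTES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def normalise_extension(filename: str) -> str:
    """Return the lower-cased final extension of a filename, ignoring any
    directory prefix (either separator) and trailing whitespace or dots
    that can disguise the real name."""
    base = os.path.basename(filename.replace("\\", "/")).strip().rstrip(".")
    return os.path.splitext(base)[1].lower()


def extension_allowed(filename: str) -> bool:
    """Allow-list check matching 'Allow attachments with following extensions'."""
    return normalise_extension(filename) in ALLOWED_EXTENSIONS


def content_matches_extension(filename: str, data: bytes) -> bool:
    """Extra check: binary types must start with their signature and .txt must
    decode as UTF-8, so an HTML page renamed to .png is still rejected."""
    ext = normalise_extension(filename)
    if ext == ".txt":
        try:
            data.decode("utf-8")
            return True
        except UnicodeDecodeError:
            return False
    sig = MAGIC_BYTES.get(ext)
    return sig is not None and data.startswith(sig)


def accept_attachment(filename: str, data: bytes) -> bool:
    """Combined decision: the extension is allowed and the content agrees."""
    return extension_allowed(filename) and content_matches_extension(filename, data)
```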

The following image shows the changes made to the Attachment Security tab.

AR System Administration: Server Information form — Attachment Security tab

Enforcing the default password policy in Remedy AR System

Remedy AR System stores an SHA-256 hash of each password in the database, ensuring that passwords cannot be retrieved. To enable and configure a password policy, refer to the topic Enforcing a password policy introduction. For the BMC WhiteHat security testing, the default password policy was enabled.

Configuring the password lockout policy in Remedy AR System

Remedy AR System can be configured to limit the number of successive incorrect password attempts a user can make before the system locks the account. See Setting administrative options.

Remedy Mid Tier security settings

The following table lists the BMC Remedy Mid Tier settings used for WhiteHat security testing:

Parameter: Use Post for Backchannel calls
Setting: Added the following parameter in midtier/WEB-INF/classes/config.properties:

arsystem.xmlhttp.get=false

Parameter: Plugin XSS Security Check
Setting: Added the following parameter in midtier/WEB-INF/classes/config.properties:

arsystem.plugin_securitycheck=true

Parameter: Turn on SecureCookieFilter
Setting: Uncommented the following in midtier/WEB-INF/web.xml:

<filter>
    <filter-name>SecureCookieFilter</filter-name>
    <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecureCookieFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Parameter: Turn on XSSFilter
Setting: Uncommented the following in midtier/WEB-INF/web.xml:

<filter>
    <filter-name>XSSFILTER</filter-name>
    <filter-class>com.remedy.arsys.stubs.XSSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/plugins/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/pluginsignal/*</url-pattern>
</filter-mapping>
Parameter: Turn on HEADERVALID filter
Setting: Configured the trusted host header list in midtier/WEB-INF/classes/config.properties:

arsystem.host.header_list=whitehat-dev.onbmc.com

and enabled the filter in midtier/WEB-INF/web.xml:

<filter>
    <filter-name>HEADERVALIDFILTER</filter-name>
    <filter-class>com.remedy.arsys.stubs.HeaderValidFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HEADERVALIDFILTER</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Parameter: Turn on HttpSecurityHeaderFilter
Setting: Uncommented the following in midtier/WEB-INF/web.xml:

<filter>
    <filter-name>HttpSecurityHeaderFilter</filter-name>
    <filter-class>com.remedy.arsys.config.HttpSecurityHeaderFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HttpSecurityHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Parameter: Disable the OPTIONS method
Setting: Added the following security constraint to the midtier/WEB-INF/web.xml file. The empty auth-constraint element denies the listed method to every user; only the methods listed are restricted.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
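An added verification step (my example, not BMC's) for checking that the Mid Tier hardening above actually took effect: it parses captured HTTP responses and confirms that every Set-Cookie carries the Secure flag that SecureCookieFilter enforces (and HttpOnly), that security headers are present, and that an OPTIONS request is refused. The sample responses are constructed, and the exact header set HttpSecurityHeaderFilter emits is an assumption.

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Response headers the hardening is expected to add. The exact set the Remedy
# HttpSecurityHeaderFilter emits is not stated on the page; this is an assumption.
REQUIRED_HEADERS = {"x-content-type-options", "x-frame-options"}

# Constructed sample responses (not captured from a real Mid Tier).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/arsys; Secure; HttpOnly\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>"
)
UNHARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/arsys\r\n\r\n<html></html>"
)
OPTIONS_RESPONSE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw: bytes) -> Tuple[int, Headers]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header pairs)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_page_response(raw: bytes) -> Dict[str, bool]:
    """Checks for a normal page response: every Set-Cookie carries Secure
    (what SecureCookieFilter enforces) and HttpOnly, and the expected
    security headers are present."""
    _, headers = parse_response(raw)
    cookies = [v for n, v in headers if n == "set-cookie"]
    flags_ok = bool(cookies) and all(
        {"secure", "httponly"} <= {a.strip().lower() for a in c.split(";")[1:]}
        for c in cookies
    )
    present = {n for n, _ in headers}
    return {"cookie_flags": flags_ok, "security_headers": REQUIRED_HEADERS <= present}


def options_blocked(raw: bytes) -> bool:
    """With the empty <auth-constraint /> the container must refuse OPTIONS."""
    status, _ = parse_response(raw)
    return status in (403, 405)
```

Run the audit against responses from a real Mid Tier login page and an OPTIONS request to /arsys/ after deploying the changes, and repeat it after every web.xml edit, since a redeploy can silently restore the commented-out defaults.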

Enabling secure cookie in Remedy SSO

To enable the secure cookie in BMC Remedy SSO, perform the following steps:

  1. Navigate to BMC Remedy SSO admin console > General > Advanced.
  2. Select Enable Secured Cookie and click Save.

Enabling and disabling header validation filter in Remedy Smart Reporting

The following table describes the parameter settings used for WhiteHat security testing:

Parameter: Turn on HEADERVALID filter
Setting: Uncommented the following section in each of the following files:

  • appserver/webapps/ROOT/WEB-INF/web.xml
  • appserver/webapps/AdminConsole/WEB-INF/web.xml

<filter>
    <filter-name>HEADERVALIDFILTER</filter-name>
    <filter-class>com.bmc.servlet.HeaderValidFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>localhost;smartreportinghostname.bmc.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>HEADERVALIDFILTER</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Change the param-value to match your Smart Reporting host name.
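The host-header allow-list decision behind both HEADERVALID filters on this page (the Mid Tier arsystem.host.header_list value and the Smart Reporting allow init-param), as an added illustration rather than either filter's actual code. Accepting commas as well as the semicolons shown in the Smart Reporting sample is my assumption; the normalisation steps are what any such filter has to do before comparing.

```python
import re
from typing import Optional, Set


def parse_allow_list(value: str) -> Set[str]:
    """Build the trusted-host set from a config value such as
    'whitehat-dev.onbmc.com' or 'localhost;smartreportinghostname.bmc.com'.
    Splitting on ',' in addition to ';' is an assumption, not documented
    behaviour of either Remedy filter."""
    return {h.strip().lower().rstrip(".")
            for h in re.split(r"[;,]", value) if h.strip()}


def host_allowed(host_header: Optional[str], allowed: Set[str]) -> bool:
    """Decide whether a request Host header matches the allow list.

    Normalises case, drops the port, and requires an exact match so that
    look-alike names and suffixed names (trusted.example.attacker) fail.
    A missing or empty Host header is rejected outright."""
    if host_header is None:
        return False
    host = host_header.strip().lower()
    if not host:
        return False
    if host.startswith("["):               # bracketed IPv6 literal, e.g. [::1]:8443
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]        # drop :port
    host = host.rstrip(".")                # trailing-dot FQDN form
    return host in allowed
```

If a load balancer or reverse proxy rewrites the Host header, the allow list must contain the name the application server actually receives, not only the public name.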

Related topics

Security planning

Knowledge article related to Smart Reporting



