Spring, 2016
Adeptia has engaged with 3rd party Application Security vendor to perform a security scan on the Adeptia Connect Web Application. The Adeptia Connect application security is also independently tested and verified by following companies:
- Cigital Inc.
- Intuit Inc.
- Salesforce Inc.
- Amazon AWS
- SAP
Adeptia Connect is a cloud-based business application that allows you to access and exchange data with your partners (customers, vendors, or external organizations), and other cloud-based applications used within the company. It allows you to exchange information in the simplest possible way. It is designed for business users to self-manage their data connectivity while providing control to IT staff.
Adeptia Connect features a simple user interface to manage all external connections and data interfaces for your company and reduces your effort and cost drastically. It is a single place to manage all your business data exchanges, where you publish your company profile just once and Adeptia Connect takes care of the rest.
Objective
The objective of this assessment is to assess the overall security posture of the application from a black-box perspective. This includes determining the application's ability to resist common attack patterns and identifying vulnerable areas in the internal or external interfaces that may be exploited by a malicious user.
During the assessment, following tests are conducted on Adeptia Connect:
- Application Security
- Data Security
- Infrastructure and Hosting Security
Scope
The scope of this engagement is limited to components and interfaces specific to Adeptia Connect Web Application. The following URLs are considered in scope:
Methodology
Assessment Type
Adeptia has engaged 3rd party vendors to perform a time-boxed manual security assessment against the target application. This assessment involves a deep automated scan using automated scanning tools to discover common vulnerabilities, as well as manual testing. Manual testing includes validation of all issue types covered under the automated scan as well as checks for problems not typically found by automated scanners such as authentication, authorization and business logic flaws.
Risk Assessment Methodology
The severity assigned to each vulnerability was calculated using the NIST 800-30 r1 standard. This standard determines the risk posed by the application based on the likelihood an attacker exploits the vulnerability and the impact that it has on the business.
Likelihood
The difficulty of exploiting the described security vulnerability includes required skill level and the amount of access necessary to visit the element susceptible to the vulnerability. The difficulty is rated with the following values:
- Critical: An attacker is almost certain to initiate the threat event.
- High: An untrained user could exploit the vulnerability or the vulnerability is very obvious and easily accessible.
- Medium: The vulnerability requires some hacking knowledge or access is restricted in some way.
- Low: Exploiting the vulnerability requires application access, significant time, resource or a specialized skillset.
- Minimal: Adversaries are highly unlikely to leverage the vulnerability.
Impact
The impact the vulnerability would have on the organization if it is exploited successfully is rated with the following values:
- Critical: The issue causes multiple severe or catastrophic effects on the organizational operations, organizational assets or other organizations.
- High: Exploitation produces severe degradation in mission capability to the point that the organization is not able to perform primary functions or results in damage to organizational assets.
- Medium: Threat events trigger degradation in mission capability to an extent the application is able to perform its primary functions, but their effectiveness is reduced and there may be a damage to the organizational assets.
- Low: Successful exploitation has limited degradation in mission capability; the organization is able to perform its primary functions, but their effectiveness is noticeably reduced and may result in minor damage to the organizational assets.
- Minimal: The threat is non-existent or has a negligible adverse effect on the organizational operations or organizational assets.
Application Security
Adeptia takes security very seriously and has gone to great lengths to ensure the integrity of customer data. The architecture of Adeptia Connectcarefully keeps your security in mind. Because the connections reside in the secure Adeptia AWS Cloud, it is important that there are extensive security measures in place in order to prevent any compromise during the configuration and run-time execution of a connection. Adeptia Connect has been designed not to save a local copy of the customer data and if the data does not exist, it cannot be compromised.
Application Communication Security
Access to Source and Target Applications is through secure SSL connections and access to Adeptia Connect is through a Web Application Firewall (WAF) that prevents attacks such as SQL injection, cross-site scripting, denial of service and many others. To ensure the security of data in transit, Adeptia Connect makes use of the latest and most stringent data communication security standards. All communications to and from Adeptia Connect is done using SSL encryption (SHA-256 with RSA Encryption).
Encryption Security
Adeptia uses AES 256 Encryption for encrypting user passwords. AES 256 is the strongest encryption available for password protection. For data at rest, Adeptia uses AES 256 to encrypt and store the connection metadata in the Adeptia AWS NFS volumeAdeptia Connect provides a secure end-to-end encrypted environment for all data that is transferred and exchanged between the companies and its partners. Adeptia has multiple features that are implemented right from from implementation until a transaction is complete. This ensures that all the user data transacted through adept is secured and does not move out. Following is the list of security features of Adeptia Connect.
On-Premise Installation in DMZ environment
Data Encryption
Encryption is the process of encoding the data in such a way that it can be read only by the authorized users. The purpose of encryption is to prevent third parties from recovering the original data. In an encryption process, the data (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the data is to be encoded. Any adversary may be able to see the ciphertext but should not be able to decode the original data. An authorized party, however, is able to decode the ciphertext using a decryption algorithm which usually requires a secret decryption key. The adversaries do not have access to this key. An encryption process usually needs a key-generation algorithm to randomly produce keys.
Adeptia enables you to apply encryption and decryption to the source and target files being transported via Adeptia Server. This enhances the security of the file being transported. To use encryption and decryption in Adeptia Suite, a new feature Data Security has been added in Adeptia Suite. You can now encrypt the source file to be sent and in the similar way, you can decrypt an encrypted file received via Adeptia Server.
Encryption is the process of encoding the data in such a way that it can be read only by the authorized users. The purpose of encryption is to prevent third parties from recovering the original data.
In an encryption process, the data (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the data is to be encoded. An authorized party, however, is able to decode the ciphertext using a decryption algorithm which usually requires a secret decryption key.
Local copies of data is deleted automatically after it's been processed.
During the assessment, following tests are conducted on Adeptia Connect:
- Application Security
- Data Security
- Infrastructure and Hosting Security
In an encryption process, the data (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the data is to be encoded. An authorized party, however, is able to decode the ciphertext using a decryption algorithm which usually requires a secret decryption key. For more information, click here.
Certificates
Certain Adeptia Connect Connectors use certificates in order to ensure security when transmitting data across a communication protocol. Connectors such as FTPS, SFTP, HTTPS, and many others require the use of certificates in order to encrypt data and channels and to verify the digital signature of the application sending the data. The Certificate Component can use an existing key obtained from a certificate authority such as VeriSign or a key generated by Adeptia.
Protection against attacks
Adeptia has implemented the following techniques to prevent attackers to exploit the vulnerabilities in the Adeptia Connect application.
...
- Follows SOC2 SSAE 16 security compliance guidelinesRuns on AWS Virtual Private Cloud
- Distributed Denial of Service (DDoS) Mitigation
Logical separation of Objects
Adeptia Connect follows these guidelines to logically separate objects.
- One company's objects cannot be accessed by any other company
- Every object tagged with Company ID (Tenant ID)
- Data store schema design
- Code/logic enforces access by Company ID
- Encrypted Databases and Storage
User Authentication
Adeptia Connect follows these guidelines to provide secure authentication for user access.
- Admin users approve other users
- User Management console available
- Password policies
- Strong password enforced
- Password retries are limited
- Password expiry option available
- Users can be deactivated/paused before deleting
- Separate environments for separate departments to segment users
Role-Based Security
Adeptia Connect follows these guidelines to provide Role-Based Security.
- Admin – IT Users
- Manage access
- Monitor User activity
- User Control
- Governance
- Admin give access to business users
- Admin controls what connectors are available
- Audit Trail
- Track who did what and when
- Object Locking
- Prevent changes to approved objects
User Authorization
Adeptia Connect follows these guidelines for User Authorization.
- Access to Shared Connections is only allowed to authorized customers or partners
- Systems track all those who are authorized
- Admin has the ability to revoke access
Findings
...
Findings
...
Description
...
Verified
...
File Upload Restrictions
...
...
√
...
Account Lockout Policy
...
Adeptia enforces an account lockout policy by suspending a user account after a certain number of failed authentication attempts.
Likelihood & Impact: Minimal
...
√
...
Server-side validation
...
Adeptia uses server-side validation for any client-side input to prevent attackers from accessing the application via proxy.
Likelihood & Impact: Minimal
...
√
...
Query String Parameter in SSL Request
...
Adeptia does not allow sensitive data to be passed between the client and server in the URL query string. Parameters are passed via POST operation.
Likelihood & Impact: Minimal
...
√
...
Password Policy
...
Adeptia follows a strong password complexity policy. This policy combines rules to prevent easily guessable password from being used while also ensuring that passwords contain sufficient entropy.
Likelihood & Impact: Minimal
...
√
...
Secure Cookie Attribute
...
Adeptia sets 'Secure' attribute on all cookies that contain sensitive values such as Session IDs.
Likelihood & Impact: Minimal
...
√
...
Data Security
...
Adeptia masks or obfuscates Non-public personal information (NPI) when this data is entered into the application and when it is displayed back to the user.
Likelihood & Impact: Minimal
...
√
...
Cacheable SSP Pages
...
Adeptia uses Cache-Control directives to set the cache behavior on all pages.
Likelihood & Impact: Minimal
...
√
...
Verbose Server Banner
...
Adeptia does not provide verbose server information from all HTTP responses
Likelihood & Impact: Minimal
...
√
...
OWASP Top 10 Privacy Risk Test
...
Adeptia complies with OWASP Top 10 security risks and supports countermeasures to mitigate these risks.
Likelihood & Impact: Minimal
...
√
Data Security
It is important to note that at no point during the Connection configuration or run-time process does Adeptia Connect store the data. Adeptia Connect is engineered to optimize interoperability of applications and facilitate your integration processes without saving your data in our data center, unless specifically configured to do so.
On-Premise Data – Data that processes through an 'On Premise' Adeptia Secure Engine will never actually flow through cloud data center. The data is stored behind the firewall on a customer server where the Connection is executed and is transported directly to the Secure Engine configured behind your company's firewall. Later in this section, we will describe the benefits of Secure Bridge and Secure Engine.
Hosted Metadata – For Connections deployed in our data center, you will have all the security that our data center infrastructure provides in order to ensure that your metadata resides in a system that will keep it secure. These data centers provide the highest level of SaaS security available. This will ensure that all your metadata for your hosted Connections is fully secure and only accessible by your account.
Adeptia's Secure Bridge and Engine help you maintain confidentiality and privacy of your data by allowing you connect your internal applications securely. It also helps moving processing to your own premises, if required.
Secure Bridge
Secure Bridge helps you to securely connect your private databases, JMS instances, and files from your own secured premises to Adeptia Connect. Using Secure Bridge, you can connect your entities to Connect as a source or target application, securely and easily.
of
Secure Bridge- Securely connects on-premise applications to the cloud applications
- Connects on-premise applications running at different locations
- Allows to securely share on-premise applications data to other companies
Secure
EngineSecure Engine helps you to process all your data within your own premise. It also helps you to use your own private servers while using Secure Bridge .
Benefits of Secure Engine
- Secure Engines provides you with the flexibility of iPass while you still want your data to process in your secure data center or on-premise.
- Secure Engine also has Secure Bridge capability and you get Secure Bridge with Secure Engine.
Findings
Findings
Description
Verified
and
no business data.Adeptia Connect only stores the metadata related to Connection configuration in the cloud. Business data is never stored in the cloud.
√
Secure Engine
and never in the cloudAdeptia enforces the runtime data transit through Secure Engine.
√
User authentication information
Adeptia encrypts and stores user authentication. Passwords are protected with cryptographic hash algorithms.
√
Encryption at rest
.
√
Multi-tenant system
Adeptia follows multi-layer and multi-tier security provisioning; segregating customer configurations and metadata from other customers.
√
Metadata backup and storage
Adeptia backups all the metadata and uses secondary storage nodes for redundancy and availability. Backup policies and procedures are the key aspects of ensuring continued service.
√
Customer data storedindesktops or laptops
Adeptia does not store any customer data in laptops or desktops.
√
Access to modifying Connection configuration
Adeptia allows access to Connection configurations based on user and object permissions.
√
Encryption of Data in transit
Adeptia follows SSL based HTTPS. All communications to and from Adeptia Connect is done using SSL encryption (SHA-256 with RSA Encryption).
√
Hosting and Infrastructure Security
Amazon AWS Certified Partner
Adeptia is a certified partner of Amazon AWS and its iPaaS application "Adeptia Connect" is hosted on the Amazon AWS infrastructure.
Amazon Web Services Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of the AWS cloud infrastructure, both customers and Amazon AWS share compliance responsibilities.
By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs; helping customers to establish and operate in an AWS security control environment.
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
Level1
For more information on the Amazon AWS Security, refer to following resources:
- https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
- https://aws.amazon.com/compliance/resources/
Findings
Findings | Description | Verified |
Amazon Elastic Compute Security | With Amazon EC2, Adeptia Connect provides resizable computing capacity that can scale based on volume and usage. | √ |
Multiple Levels of Security | With Amazon EC2, Adeptia Connect supports security at multiple levels; OS of the host platform, firewall and signed API calls. | √ |
Instance Isolation | Different running nodes are isolated from each other along with encrypted file system. | √ |
Elastic Load Balancing Security | With Amazon's Elastic Load Balancing, Adeptia Connect manages traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. | √ |
Amazon Simple Storage Service (S3) Security | Access to data in Amazon S3 is restricted; only object owners have access to Adeptia S3 resources they create. | √ |
Data Durability and Reliability | Adeptia use Amazon S3 that is designed to provide high durability and availability of objects on demand. Objects are redundantly stored on multiple devices across multiple facilities in the Amazon S3 region. | √ |
Encryption | Adeptia encrypts the connection between Adeptia Connect application and its databases using SSL. RDS creates SSL certificate and deploys the certificate on the DB instance when the instance is provisioned. | √ |
Automated Backups and DB Snapshots | Adeptia uses Amazon RDS that provides two different methods for backups and restoring DB Instance; automated backups and database snapshots. | √ |
Event Notifications and Reporting | Adeptia has setup robust dashboards and notification controls on getting alerts whenever important events occur on the AWS nodes. | √ |
Using Encryption and Decryption
Encryption is the process of encoding the data in such a way that it can be read only by the authorized users. The purpose of encryption is to prevent third parties from recovering the original data.
In an encryption process, the data (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the data is to be encoded. An authorized party, however, is able to decode the ciphertext using a decryption algorithm which usually requires a secret decryption key. For more information, click here.
Summary
Adeptia takes security very seriously and has gone to great lengths to ensure the integrity of customer data. Some of the important findings in the Security Assessment Report are:
- The application is architected to not to save a local copy of the customer data. If data does not exist, it cannot be compromised
- Customers may select to utilize dedicated servers for processing of their data, this ensures their data is at no time in the multi-tenant environment
- All web access to Adeptia Connect is thru secure HTTPS connections
- All access to sources and targets is thru secure SSL connections
- Adeptia Connect is architected to prevent attacks such as SQL injection, cross-site scripting, OWASP Top 10 risks and many others.
- Adeptia utilizes a third party, independent company to do regular penetration and security vulnerability assessment tests.
...