Application security overview

Owned by Saurabh Gupta (Unlicensed)
Last updated: Aug 12, 2020 by Akash Kumar Jaiswal (Unlicensed)Version comment
6 min read

Adeptia Connect provides a secure end-to-end encrypted environment for the data that is transferred and exchanged between the companies and its partners. Adeptia has multiple features that make the data secure right from the implementation until the transaction is complete. This further ensures that all the data transacted through Adeptia is secured and does not move out. 

Adeptia has also engaged 3rd party vendors to perform a time-boxed manual security assessment against the target application. This assessment involves a deep automated scan using automated scanning tools to discover common vulnerabilities, as well as manual testing. Manual testing includes validation of all issue types covered under the automated scan as well as checks for problems not typically found by automated scanners such as authentication, authorization, and business logic flaws.

The objective of this assessment is to assess the overall security posture of the application from a black-box perspective. This includes determining the application's ability to resist common attack patterns and identifying vulnerable areas in the internal or external interfaces that may be exploited by a malicious user.

During the assessment, following tests are conducted on Adeptia Connect:

  • Infrastructure Security
  • Application Security
  • Data Security

The severity assigned to each vulnerability was calculated using the NIST 800-30 r1 standard. This standard determines the risk posed by the application based on the likelihood an attacker exploits the vulnerability and the impact that it has on the business.

Likelihood

The difficulty of exploiting the described security vulnerability includes required skill level and the amount of access necessary to visit the element susceptible to the vulnerability. The difficulty is rated with the following values:

  • Critical: An attacker is almost certain to initiate the threat event.
  • High: An untrained user could exploit the vulnerability or the vulnerability is very obvious and easily accessible.
  • Medium: The vulnerability requires some hacking knowledge or access is restricted in some way.
  • Low: Exploiting the vulnerability requires application access, significant time, resource or a specialized skillset.
  • Minimal: Adversaries are highly unlikely to leverage the vulnerability.

Impact

The impact the vulnerability would have on the organization if it is exploited successfully is rated with the following values:

  • Critical: The issue causes multiple severe or catastrophic effects on the organizational operations, organizational assets or other organizations.
  • High: Exploitation produces severe degradation in mission capability to the point that the organization is not able to perform primary functions or results in damage to organizational assets.
  • Medium: Threat events trigger degradation in mission capability to an extent the application is able to perform its primary functions, but their effectiveness is reduced and there may be a damage to the organizational assets.
  • Low: Successful exploitation has limited degradation in mission capability; the organization is able to perform its primary functions, but their effectiveness is noticeably reduced and may result in minor damage to the organizational assets.
  • Minimal: The threat is non-existent or has a negligible adverse effect on the organizational operations or organizational assets.

Infrastructure Security

Adeptia Connect Connectors use certificates in order to ensure security while transmitting data across a communication protocol. For DMZ deployment the product is protected by TLS using protocols such as FTPS, SFTP, HTTPS, and many others that require the use of certificates in order to encrypt the data and to verify the digital signature of the application sending the data. The Certificate Component can use an existing key obtained from a certificate authority such as VeriSign or a key generated by Adeptia.

 

Secured On-Premise Installation in DMZ Environment


Application Security

Secured Connectors

Adeptia engaged with 3rd party Application Security vendor to perform security scan on the Adeptia Connect Web Application. The Adeptia Connect application connectors are also independently tested and verified by following companies:

  • Cigital Inc.
  • Intuit Inc.
  • Salesforce Inc.
  • Amazon AWS
  • SAP
  • BigCommerce
  • BambooHR

Certain Adeptia Connect Connectors use certificates in order to ensure security when transmitting data across a communication protocol. Connectors such as FTPS, SFTP, HTTPS, and many others requires the use of certificates in order to encrypt data and channels and to verify the digital signature of the application sending the data. The Certificate Component can use an existing key obtained from a certificate authority such as VeriSign or a key generated by Adeptia.

Logical separation of Objects

Adeptia Connect follows these guidelines to logically separate objects.

  • One company's objects cannot be accessed by any other company
  • Every object tagged with Company ID
    • Data store schema design
  • Code/logic enforces access by Company ID
  • Encrypted Databases and Storage

User Authentication

Adeptia Connect follows these guidelines to provide secure authentication for user access.

  • Users are added through invitation only
  • User monitoring by the admin
  • Strict Password policies
  • Strong password enforced
  • Password retries are limited
  • Password expiry option available
  • Users can be deactivated before deleting
  • Separate environments for separate departments to segment users

Role-Based Security

Adeptia Connect follows these guidelines to provide Role-Based Security.

  •  Admin – IT Users
  •  Manage access
  •  Monitor User activity
  •  User Control
  •  Governance
  • Admin can give access to business users
  • Admin controls what connectors are available 
  • Admin has complete authority to revoke access

Authorized Access

Adeptia Connect follows these guidelines for User Authorization.

  Access to templates and transactions is only allowed to authorized customers or partners.

  Admin can track all those who are authorized.

  Admin has the ability to grant and revoke access.

Data Security 

It is important to note that at no point during the Connection configuration or run-time process does Adeptia Connect store the data. Adeptia Connect is engineered to optimize interoperability of applications and facilitate your integration processes without saving your data in our data center, unless specifically configured to do so.

There is no data stored on Adeptia and the local copy of the data is deleted automatically when the data transfer is completed. Even when a temporary local copy of business data is stored on the hard drive, Adeptia supports encryption-at-rest to ensure that data is encrypted.

Data Encryption

Encryption is the process of encoding the data in such a way that it can be read only by the authorized users. The purpose of encryption is to prevent third parties from recovering the original data. In an encryption process, the data (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the data is to be encoded. An adversary may be able to see the ciphertext but should not be able to decode the original data. An authorized party, however, is able to decode the ciphertext using a decryption algorithm which usually requires a secret decryption key. The adversaries do not have an access to this key. An encryption process usually needs a key-generation algorithm to randomly produce keys.

Adeptia enables you to apply encryption and decryption to the source and target files being transported via Adeptia Server. You can encrypt the source file to be sent and in a similar way, you can decrypt an encrypted file received via Adeptia Server. To know more in detail about how Adeptia handles Data Encryption, visit our Data Encryption at Rest help page.

Protection Against Attacks 

Adeptia has implemented the following techniques to prevent attackers to exploit the vulnerabilities in the Adeptia Connect application.

  • OWASP Top 10 vulnerabilities
    1. Web Application Vulnerabilities
    2. Operator-sided Data Leakage
    3. Insufficient Data Breach Response
    4. Insufficient Deletion of personal data
    5. Non-transparent Policies, terms and Conditions
    6. Collection of data not required for the primary purpose
    7. Sharing of data with third party
    8. Outdated personal data
    9. Missing or insufficient session expiration
    10. Insecure Data Transfer
  • Distributed Denial of Service (DDoS) Mitigation

Findings

Findings

Description

Verified

File Upload Restrictions

Adeptia prevent users from uploading files without proper validation. 
Likelihood & Impact: Minimal

Account Lockout Policy

Adeptia enforces an account lockout policy by suspending a user account after a certain number of failed authentication attempts. 
Likelihood & Impact: Minimal

Server-side validation

Adeptia uses server-side validation for any client side input to prevent attackers from accessing the application via proxy. 
Likelihood & Impact: Minimal

Query String Parameter in SSL Request

Adeptia does not allow sensitive data to be passed between the client and server in the URL query string. Parameters are passed via POST operation. 
Likelihood & Impact: Minimal

Password Policy

Adeptia follows a strong password complexity policy. This policy combines rules to prevent easily guessable password from being used while also ensuring that passwords contain sufficient entropy. 
Likelihood & Impact: Minimal

Secure Cookie Attribute

Adeptia sets 'Secure' attribute on all cookies that contain sensitive values such as Session IDs. 
Likelihood & Impact: Minimal

NPI Data Security

Adeptia masks or obfuscates Non-public personal information (NPI) when this data is entered into the application and when it is displayed back to the user. 
Likelihood & Impact: Minimal

Cacheable SSP Pages

Adeptia uses Cache-Control directives to set the cache behavior on all pages. 
Likelihood & Impact: Minimal

Verbose Server Banner

Adeptia does not provide verbose server information from all HTTP responses 
Likelihood & Impact: Minimal

OWASP Top 10 Privacy Risk Test

Adeptia complies with OWASP Top 10 security risks and supports countermeasures to mitigate these risks. 
Likelihood & Impact: Minimal

Summary

Adeptia takes security very seriously and has gone to great lengths to ensure the integrity of customer data. 

  The application is architected to not to save a local copy of the customer data. If data does not exist, it cannot be compromised

  Customers may select to utilize dedicated servers for processing of their data, this ensures their data is at no time in the multi-tenant environment

  All web access to Adeptia Connect is through secure HTTPS connections

  All access to sources and targets is thru secure TLS connections

  Adeptia Connect is architected to prevent attacks such as SQL injection, cross-site scripting, OWASP Top 10 risks, and many others.

You may be interested in...
What's new
Best practices
Training guides
Frequently asked questions
Adeptia Connect APIs
Adeptia security report