Security of Ampersand generated software
Even though Ampersand was designed for prototyping, we are taking applications such as RAP2 and RAP3 to production. As the development of Ampersand is going in the direction of production software, we must be prepared for questions. Currently, I can hardly answer any questions about security. This page is for the purpose to discuss security questions, such that we are at least on the same ground wrt security. If any changes to Ampersand emerge from that, we should create separate issues for them. Here is a list of questions.
How is access control arranged in an Ampersand application? Answer: This can be arranged by using the SIAM modules, which provide role-based access controls, login possibilities and password security.
How does an Ampersand application log critical activities, and transactions that deal with sensitive data? Answer: The runtime system used the Monolog-framework to support all runtime logging. It allows selective logging of precisely the right actions, at the control of the designer.
Encryption of data
How does Ampersand encrypt data? Answer: It doesn't. All data is stored as-is in the database.
Access control for specific purposes
How does an Ampersand application control access for purposes that are known only to the Ampersand application designer? Answer: The designer can use the ROLE mechanism to provide different interfaces to different roles. Also, the designer can model these purposes in the Ampersand-script and take it from there. In the latter case, every possible access control scheme can be built.
How does an Ampersand application prevent injection flaws, by which hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization? Answer: Currently, the Ampersand application is not secured against injection flaws.
Broken Authentication and Session Management
How can we know that application functions related to authentication and session management are implemented correctly? Is there a chance that attackers can compromise passwords, keys, or session tokens, or exploit other implementation flaws to assume other users’ identities? Answer: The authentication and session management are described in the SIAM-module in Ampersand itself. So we have a mathematical handle on this, which gives more certainty than hand-crafted code. We have no security assessment on the SIAM-code for this risk. Of course, when this is embedded in for example a SSO-service, we would have to look for specific risks incurred by that. At the moment I have no idea how good or bad an Ampersand-application will do on this risk.
Can an attacker execute scripts in the browser in which the Ampersand-session is running, and hijack user sessions, deface web sites, or redirect the user to malicious sites? Answer: There are currently no protections against Cross-Site Scripting.
Insecure Direct Object References
Can an attacker get hold of a reference to an internal implementation object, such as a file, directory, or database key? Answer: The Ampersand language offers facilities to hide direct object references from the user. This is not the case in the API. A user with API-access can find direct object references.
How do we know that a secure configuration is defined and deployed, and that security settings are defined, implemented and maintained? Answer: The security configuration concerns more than the Ampersand-application alone. It touches on frameworks, application server, web server, database server and platform, and all components in the landscape in which it performs its duty. The Ampersand-configuration items are described in the architecture. Their parameters have been set to defaults that are "generally secure" without jeopardizing their functioning. Hardening of the database is left to the person who installs the Ampersand-application.
Sensitive Data Exposure
Does Ampersand have extra protection for sensitive data, such as credit cards, tax IDs, and authentication credentials? Answer: No.
Missing Function Level Access Control
Does an Ampersand application re-verify access rights in every API-call? Answer: No
Cross-Site Request Forgery (CSRF)
Suppose the browser has been taken over maliciously. Can an Ampersand application be tempted to send a forged HTTP-request, including the session cookie and any other automatically included authentication information? Answer: We don't know
Using Known Vulnerable Components
How well are libraries, frameworks, and other software modules protected? Are their privileges restrained? How? Answer: We don't know
Unvalidated Redirects and Forwards
Is it conceivable that an Ampersand application forwards its user to other pages and websites?
Answer: The Ampersand-programmer uses the (technical) data type
URL for hyperlinking the user to other sites. She must ensure the trustworthiness of the URL's used in order to build a trustworthy web-application.