Security scan checklist
After the IBM TRIRIGA Application Platform installation is complete, if you prefer to perform a security scan, you can verify that your installation is running without security vulnerabilities by using scanning software to perform any security scans. This security scan checklist is not intended to replace your company testing and security procedures.
Item | Description |
---|---|
1. Applying latest fix pack |
Make sure to apply the latest IBM TRIRIGA Application Platform Fix Pack for your Version and Release (following the IBM® numbering standard of V.R.F). If necessary, search Fix Central for the latest available Fix Pack, and apply that Fix Pack before continuing. For example, if Fix Pack 4.0.1 is the latest available Fix Pack for Version 4.0, then apply that Fix Pack before continuing. Note: All fixes are done on the latest Fix Pack for the latest Release of a Version.
Note: Starting with 11.0 / 4.0, V.R.F refers to the Version, Release, and Fix Pack number of a
release. For example, Fix Pack 4.0.1. Before 11.0 / 4.0, V.R.M.F referred to the Version, Release,
Modification (Mod), and Fix Pack number of a release. For example, Fix Pack 10.6.1.1 or
3.6.1.1.
|
2. Upgrading to latest release |
For IBM TRIRIGA Application Platform 3.4.2 and older, plan a platform upgrade to the latest release as soon as possible. If you must remain on IBM TRIRIGA Application Platform 3.4.2, then Production mode must be enabled (set to Y) so that ProductionMode=Y in TRIRIGAWEB.properties. This setting will prevent stack traces from being shown to the end user. |
3. Configuring SSL |
A web server with Secure Sockets Layer (SSL) should be configured, and HTTP Secure (https) must be used with IBM HTTP Server (IHS), Apache HTTP Server, or Microsoft Internet Information Services (IIS). Some scanning software will flag http (not secure) as a vulnerability. The SSL layer should also be configured with strong encryption. Some scanning software will flag 128-bit encryption as a vulnerability. This encryption is a function of the web server layer, not central to the IBM TRIRIGA product. |
4. Configuring SSO |
A web server with Single Sign-On (SSO) should be configured in front of IBM TRIRIGA, so that company-wide password policies can be followed. Make sure that the SSO solution strips the headers (from the browser) that are used in the SSO process. For example, with Apache HTTP
Server,
research the module |
5. Restricting application server ports |
The default application server ports should be protected by a firewall. Make sure to disable direct access to the IBM TRIRIGA-related application server that is running Single Sign-On (SSO). No scans should be performed directly on the application server ports, since those ports are restricted to Administrators and/or the web server only. |
6. Disabling admin consoles |
Make sure to disable any web-based administration consoles (or admin consoles) on the web server and application server. |
7. Verifying scan results |
Make sure that the scan results are verifiable, reproducible, and make sense. For example, if the scan results show an Apache Struts vulnerability, consider that IBM TRIRIGA does not use Struts. So, all of the results should be suspect, because the scan flagged a package that was not used. Similarly, if the scan results show a Cross-Site Scripting (XSS) vulnerability, replicate the vulnerability by hand. If you cannot replicate the result by hand, then it is likely a false positive. |
8. Encrypting passwords |
Encrypt any plain-text passwords. You should encrypt your database password in the server.xml file. To set the value of the password to an encrypted value, see the WebSphere Application Server Liberty usage of securityUtility. |
9. Setting account lockout |
Set the IBM TRIRIGA account lockout options. Depending on your company requirements, you can update TRIRIGAWEB.properties to set UNSUCCESSFUL_LOGIN_ATTEMPT=X where X is the number of incorrect login attempts that are allowed before the account is disabled. |
10. Adding HTTP response headers |
Some scanning software will flag any missing security-based HTTP response headers as a vulnerability. But these headers are somewhat arbitrary and the requirements change from scanning software to scanning software.
|
11. Setting JSESSIONID cookie flags |
Some scanning software will flag any missing
|
12. Comparing scanning methodologies |
Methodologies for vulnerability scanning include static source scans and dynamic web scans as follows.
For more information about known vulnerabilities or vulnerability management, see IBM Product Security Central or IBM Security Vulnerability Management. |
13. Submitting a Support ticket |
If all of these prerequisites are followed and a vulnerability still appears in the scan, Support tickets can be opened with the IBM Support team. If you are entitled to IBM Support, follow the same process that you would normally use for any Support ticket. Note: IBM Support will not review a generic Problem Management Report (PMR) that is opened to review
a vulnerability scan. The triage must happen before the PMR is opened, and an actual use case that
proves the exploit must be opened. Scanning tools are intended as a starting point to look further
into potential problems. Not every flagged item in a scanning report is necessarily a vulnerability
in the application.
Important: A penetration test should be conducted according to the scanning results.
Before submitting a Support ticket, each flagged item must be proven to be exploitable within the
context of the application.
For more information about known vulnerabilities or vulnerability management, see IBM Product Security Central or IBM Security Vulnerability Management. |