Question & Answer
Question
Twenty questions regarding Security Vulnerabilities and Protection within IBM TRIRIGA
Answer
IBM TRIRIGA Platform Development follows the strict rules set within the IBM Secure Engineering Framework (SEF). The full book on the SEF can be found at:
http://www.redbooks.ibm.com/redpieces/abstracts/redp4641.html
Here are answers to 20 specific questions. If there are additional questions or concerns not outlined below, please refer to the link above.
1. Allocation of Resources Without Limits or Throttling: Have Denial of Service (DOS) scenarios been considered or tested?
a. The IBM TRIRIGA Platform has been tested for DOS attacks
2. Missing Encryption of Sensitive Data: Is sensitive personal information stored encrypted?
a. Sensitive data can be configured to be encrypted in the IBM TRIRIGA Platform
3. Unrestricted Upload of File with Dangerous Type: Are only input files with valid Multipurpose Internet Mail Extensions (MIME) types accepted?
a. Files can be configured to be scanned by standard virus and threat protection software in the IBM TRIRIGA Platform
4. URL Redirection to Untrusted Site ('Open Redirect'): Is input validation performed at the server to prevent URL redirection to an invalid site?
a. URLs are validated to prevent unwanted redirection by the IBM TRIRIGA Platform
5. Integer Overflow or Wraparound: Is input validation performed at the server on any numeric input by ensuring that it is within the expected range?
a. The IBM TRIRIGA Platform is protected against Integer overflow/wraparound.
6. Improper Validation of Array Index: When accessing a user-controlled array index is input validation performed at the server to ensure that the ranges are within the target array?
a. Array indexes are validated by the IBM TRIRIGA Platform
7. Incorrect Calculation of Buffer Size: When buffer size calculations are dependent on user input are buffer size ranges checked to be within expected values?
a. IBM TRIRIGA Platform is protected against buffer sizes outside the expected range.
8. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'): When copying user input at the server does the code manage buffer boundaries to avoid buffer overflows?
a. IBM TRIRIGA Platform is protected from Classic buffer overflow
9. Buffer Access with Incorrect Length Value: Does the code manage input length at server to avoid buffer overflows?
a. IBM TRIRIGA Platform properly protects against buffer overflows.
10. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): Is input data sanitized and validated at the server to protect from OS Commanding Attacks?
a. IBM TRIRIGA Platform is protected from OS Command Injection
11. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Is input data sanitized and validated at the server to identify cross-site scripting attacks?
a. IBM TRIRIGA Platform is protected from Cross-site Scripting
12. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Is input data sanitized and validated at the server to identify SQL Injection attacks?
a. IBM TRIRIGA Platform is protected from SQL Injection
13. Cross-Site Request Forgery (CSRF): Is input data validated at the server to identify cross-site request forgery attacks?
a. IBM TRIRIGA Platform is protected from CSRF
14. Improper Check for Unusual or Exceptional Conditions: Does error handling account for exception conditions such that stack trace info is not presented to the user when an unexpected condition occurs or results in an undefined state?
a. IBM TRIRIGA Platform does not display stack traces to the end users.
15. Information Exposure Through an Error Message: Does the application use generic error/warning messages such that sensitive or application specific information is not disclosed?
a. IBM TRIRIGA Platform does not disclose sensitive or specific information in errors or warnings
16. Race Condition: Has code been written and reviewed to ensure race conditions are avoided?
a. IBM TRIRIGA Platform has been reviewed to ensure no race conditions
17. Download of Code Without Integrity Check: Has all vendor or freeware software used by the Application been TSS approved and obtained from a trusted source?
a. IBM TRIRIGA Platform validates and verifies all third-party software via IBM process
18. Use of a Broken or Risky Cryptographic Algorithm: Does the application use AT&T-approved strong cryptographic algorithms?
a. IBM TRIRIGA Platform does not use risky algorithms
19. Reliance on Untrusted Inputs in a Security Decision: Is implicit trust between components avoided wherever possible?
a. IBM TRIRIGA Platform does not rely on untrusted inputs
20. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): Is access blocked to unlinked application content located outside of the domain directory or web root?
a. IBM TRIRIGA Platform is protected against path traversal.
Document Information
Modified date: 15 August 2018
UID: swg21968469