Security Vulnerabilities Expected to Grow in 2018

February 09, 2018 Application Development, OpenEdge

The need to protect your Progress OpenEdge application and data from attack has never been more urgent. Take a proactive stance when it comes to data security.

As a year-end wrap-up blog on CNN Tech reminded us, 2017 was certainly the year of the big hack. Who doesn’t remember the fallout from the July Equifax hack that stole the personal data of 143 million people? According to that CNN Tech post, it’s considered one of the worst hacks of all time, not only because of its size, but because of the level of sensitive information exposed, including social security numbers.

As it becomes easier and easier to create sophisticated ways to spread malware or ransomware or steal data, companies are going to have to up their game and do things like patch security flaws in a timely manner. As Mark Nunnikhoven, vice president of cloud research at the security company Trend Micro, said, “As we do more and more of our business online, and as criminals realize the value of the data that organizations are protecting, we're seeing more big-name breaches, more high-profile breaches.”

Nunnikhoven also predicts that more “brick and mortar” types of industries like manufacturing will become increasingly vulnerable to attack as the IoT increases exposure and vulnerabilities. “They face the same cybersecurity challenges that our laptops and our phones do, but they're attached to real things in the real world," he said. "If someone hacks my laptop, my data is at risk. But if someone hacks a robotic manufacturing arm, that entire manufacturing line is at risk.”

Get Your Security Health Check

There are a number of things you can do to protect your OpenEdge applications. In fact, one of our customers, a provider of consumer education services, contacted Progress Professional Services to take a look at their OpenEdge environment and perform a Security Health Check. The company was certain there were no vulnerabilities, but wanted recommendations as they had recently implemented Transparent Data Encryption on a test environment and moved that to production. One of Progress' senior cyber assurance and security experts in OpenEdge partnered with the company and almost immediately—within hours—gained access to customer tables, exposing personal and private information.

During this engagement, the team also reviewed coding best practices with the customer. Another vulnerability was found that enabled complete access to the web server, the codebase and the database and its data. This exposure was blocked on the production system during the engagement. It is important to note that the focus of this engagement was specifically on the OpenEdge application and environment.

With security vulnerabilities likely to increase across a wider spectrum of industries, the Progress OpenEdge Security Health Check is a fast and efficient way to gain insight into your system and take proactive action. This services engagement will enable you to assess and document the current state of your OpenEdge application, and then implement any recommended improvements to minimize identified security vulnerabilities.

The Health Check is conducted in two phases, Discovery and Implementation.

Discovery Phase

The primary purpose of the Discovery phase is to review the state of your current security strategy within your OpenEdge application. The team will assess user authentication, encryption practices, network security and SaaS and/or cloud implementations. Once this task is complete, they will conduct an online meeting to review the results and discuss requirements and options for implementation. Then they will create a project plan and customized statement of work tailored specifically to your needs based on what was identified during the survey, including support for a QA rollout, UAT support and go-live support, if desired. You can also discuss an education program suited to your requirements. 

Implementation Phase

Because every environment is different, implementation will be customized for you.

The Implementation phase can cover a wide range of topics, including:

  • Client-Principal Object
  • User Credential Storage
  • Single Sign On
  • Configuration of Security Domains
  • Progress OpenEdge Authentication Gateway
  • OpenEdge Realm
  • Third Party Authentication
  • Spring Security Setup
  • Enable TLS
  • Upgrade Certifications
  • Web Server configuration to work with your OpenEdge application

The Client-Principal Object (or “CPO”) is an integral security feature that should be implemented within your OpenEdge application. The CPO is a prerequisite for implementing other security features, including the OpenEdge Authentication Gateway. If you are not currently using the CPO, the team will, during the engagement, identify patterns and a process for implementing the CPO across your entire application. Note that the OpenEdge Authentication Gateway requires OpenEdge 11.7 and the Progress OpenEdge Application Server.
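As an added illustration (not code from the post or from Progress Professional Services) of what a CPO looks like in ABL: the snippet below registers a security domain, builds a Client-Principal for an already-authenticated user, seals it and installs it as the session identity. The domain name, user name and access code are constructed placeholders, and the attribute and method names reflect my understanding of the ABL CLIENT-PRINCIPAL and SECURITY-POLICY handles, so check them against the OpenEdge documentation for your release.

```abl
/* Added example, not from the original post. Placeholders below are constructed. */
DEFINE VARIABLE hCP         AS HANDLE    NO-UNDO.
DEFINE VARIABLE cDomain     AS CHARACTER NO-UNDO INITIAL "acme".
DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "replace-with-domain-access-code".

/* Register the domain once at startup from trusted code, then lock the
   registry so application code cannot add or alter domains afterwards. */
SECURITY-POLICY:REGISTER-DOMAIN(cDomain, cAccessCode, "_oeusertable").
SECURITY-POLICY:LOCK-REGISTRATION().

/* After the user has been authenticated, create the CPO that carries
   that identity: qualified user id, session id (unknown lets the AVM
   assign one) and an expiration so a leaked token has limited life. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("jdoe@" + cDomain, ?, ADD-INTERVAL(NOW, 8, "hours")).
hCP:ROLES = "clerk".

/* SEAL binds the CPO's fields to the domain access code; once sealed the
   fields are read-only, so a modified token will no longer validate. */
IF NOT hCP:SEAL(cAccessCode) THEN DO:
    MESSAGE "Could not seal Client-Principal for" hCP:QUALIFIED-USER-ID
        VIEW-AS ALERT-BOX ERROR.
    RETURN.
END.

/* SET-CLIENT verifies the seal against the registered domain and, only
   if it verifies, makes this the session's user identity. */
IF NOT SECURITY-POLICY:SET-CLIENT(hCP) THEN DO:
    MESSAGE "Client-Principal rejected for domain" cDomain
        VIEW-AS ALERT-BOX ERROR.
    RETURN.
END.

MESSAGE "Session identity:" hCP:QUALIFIED-USER-ID
        "login state:" hCP:LOGIN-STATE VIEW-AS ALERT-BOX.

/* On logout, invalidate the token rather than simply discarding it. */
hCP:LOGOUT().
DELETE OBJECT hCP.
```

The same sealed CPO is what the OpenEdge Authentication Gateway and the AppServer exchange to propagate identity, which is why the post calls the CPO a prerequisite.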

Resolve to Be Proactive on Security

The combination of more sophisticated hackers and technologies like IoT that can expose the enterprise to increased risk means that a sound resolution for 2018 is to make it a priority to become proactive about security threats. As Trend Micro’s Nunnikhoven concludes, “The number of high-profile international breaches has been a wake-up call this year to businesses that security is a top-level item. It affects the bottom line.”

Don’t wait; schedule a Security Health Check today.

Barbara Ware

Barbara Ware is Sr. Product Marketing Manager, responsible for positioning and messaging OpenEdge and OpenEdge Professional Services. She has 19+ years of experience in technology marketing leadership, strategy, content, communications and lead generation activities. You can find her on LinkedIn or on Twitter at @barbara_ware.