Xojo: Operation Lockdown

It’s always nice when a client gets to talk in the keynote address at Real World (now Xojo Developer Conference).  Brent Huston, CEO of Microsolved, was invited to speak during the Xojo keynote address last week.  Brent talked about the Operation Lockdown that his company, Real Software (Xojo, Inc.) and BKeeney Software are participating in.

Brent has been using Real Studio desktop applications for some of his security apps for a number of years with great success.  He’s now interested in Web Edition and wanted to see where the vulnerabilities were in the framework and what we could do to fix them.

We (BKeeney Software) came up with a simple Web Edition app that mimics what a typical web app would have in it (login page, admin-only pages, user pages, etc.) and hardened it to the best of our ability.  Brent’s team then took the standalone web app and used their hundreds of hacking and infiltration tools to see if it would fail.  They also attempted manual penetration testing of the web app.

I’d love to say they found nothing but that’s not the case.  They found a few critical, a few minor, and a few false positive issues.  The good thing is that the critical issues have already been taken care of by Real Software and will be in Xojo Release 1.  Some of the minor issues and other requirements will be added later, according to Xojo, Inc.

The very good news is that the Web Edition framework is pretty stable.  The Session management, according to Brent, is very robust against all known forms of attack.  Using some very simple coding techniques Web Edition web apps proved to be immune to SQL injection attacks and other common vulnerabilities.

Brent recommended that when Xojo R1 is released all Web Edition developers re-release their web apps compiled with it since a number of items his team found are fixed in the upcoming version.

During a Friday session Brent shared, with a packed room, how bad guys (and certain nation states) view your web applications and data.  It was very, very scary stuff and I think everyone walked out of the room wondering not IF our personal/business data has been hacked but how long ago it was compromised.  Scary stuff.

Lots of things to think about, but it was encouraging to hear that Web Edition was pretty secure.  Perhaps what’s even better is that I overheard a Xojo engineer saying something to the effect of, “That will be changed for R1 to prevent THAT issue from happening,” in reference to a “man in browser” vulnerability.  It’s nice to know they’re taking security seriously in Web Edition (though the irony of their website getting hacked did not go unnoticed by conference attendees).

4 thoughts on “Xojo: Operation Lockdown”

  1. It’s good to have a security proof framework for web development. By the way, what are those coding techniques? Also how about a feature request to have the analyzer complain about building SQL statements without prepared statement?

    • The big one is using PrepareStatements on all database activity. The other one that I’d recommend is not showing end users any sort of error details – especially no SQL errors as that will tell them exactly what’s going on.

      Limit the number of failed login attempts. Limit the number of sessions a particular IP address can have.
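The two coding techniques named in the reply above, shown side by side as an added example (not code from the post, from BKeeney Software or from Xojo): the unsafe form builds the SQL text by string concatenation, while the hardened form binds the user-supplied value through a prepared statement and keeps database error details out of the response. It assumes the Real Studio / Xojo SQLiteDatabase and SQLitePreparedStatement classes of that era and a hypothetical `users` table with `id` and `username` columns.

```xojo
' Unsafe form: the user-supplied name is spliced into the SQL text, so a
' single quote in the input changes the meaning of the query.
Function FindUserUnsafe(db As SQLiteDatabase, username As String) As RecordSet
  Dim sql As String = "SELECT id, username FROM users WHERE username = '" + username + "'"
  Return db.SQLSelect(sql)
End Function

' Hardened form: the value travels as a bound parameter, never as SQL text.
' Assumes a users(id, username) table; the cast to SQLitePreparedStatement
' follows the Real Studio / early Xojo API, where Prepare returns the base class.
Function FindUserSafe(db As SQLiteDatabase, username As String) As RecordSet
  Dim ps As SQLitePreparedStatement = _
    SQLitePreparedStatement(db.Prepare("SELECT id, username FROM users WHERE username = ?"))
  ps.BindType(0, SQLitePreparedStatement.SQLITE_TEXT)
  ps.Bind(0, username)

  Dim rs As RecordSet = ps.SQLSelect
  If db.Error Then
    ' Keep the real error server side (debug log) and return nothing to the
    ' caller; the page then shows only a generic "could not sign in" message.
    System.DebugLog("users lookup failed, code " + Str(db.ErrorCode) + ": " + db.ErrorMessage)
    Return Nil
  End If
  Return rs
End Function
```

In the web page's login action, treat a Nil result exactly like a wrong password so the user sees the same generic message whether the name was missing, the password was wrong, or the query failed.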

  2. Thanks Bob for the good little write-up, reassuring to know security is getting more importance and resulting in improvements to the framework. As CS alludes, would be good for xojo in consultation with experts to provide some guidelines, or at least raise awareness of OWASP.

  3. Hi, are there any other security tips? Prepared statements and login attempts are quite standard practice on any software (web or not), but is there anything else?

    I’ve been for a while evaluating converting my server side + web interface from PHP, java etc to realbasic and I’m almost done with the evaluation BUT, I read a few times it’s just “plain” not stable, either standalone or cgi. I mean, my web applications get about 1k people simultaneously, are there performance limitations? (does the cgi or standalone crash for no reason?)
