It’s always nice when a client gets to talk in the keynote address at Real World (now Xojo Developer Conference). Brent Huston, CEO of Microsolved, was invited to speak during the Xojo keynote address last week. Brent talked about Operation Lockdown, which his company, Real Software (Xojo, Inc.), and BKeeney Software are participating in.
Brent has been using Real Studio desktop applications for some of his security apps for a number of years with great success. He’s now interested in Web Edition and wanted to see where the vulnerabilities were in the framework and what we could do to fix them.
We (BKeeney Software) came up with a simple Web Edition app that mimics what a typical web app would have in it (login page, admin-only pages, user pages, etc.) and hardened it to the best of our ability. Brent’s team then took the standalone web app and used their hundreds of hacking and infiltration tools to see if it would fail. They also attempted manual penetration testing of the web app.
I’d love to say they found nothing but that’s not the case. They found a few critical, a few minor, and a few false positive issues. The good thing is that the critical issues have already been taken care of by Real Software and will be in Xojo Release 1. Some of the minor issues and other requirements will be added later, according to Xojo, Inc.
The very good news is that the Web Edition framework is pretty stable. The session management, according to Brent, is very robust against all known forms of attack. Using some very simple coding techniques, Web Edition web apps proved to be immune to SQL injection attacks and other common vulnerabilities.
Brent recommended that when Xojo R1 is released, all Web Edition developers re-release their web apps compiled with it, since a number of items his team found are fixed in the upcoming version.
During a Friday session Brent shared, with a packed room, how bad guys (and certain nation states) view your web applications and data. It was very, very scary stuff and I think everyone walked out of the room wondering not IF our personal/business data has been hacked but how long ago it was compromised. Scary stuff.
Lots of things to think about, but it was encouraging to hear that Web Edition was pretty secure. Perhaps what’s even better is that I overheard a Xojo engineer saying something to the effect of, “That will be changed for R1 to prevent THAT issue from happening,” in reference to a “man in browser” vulnerability. It’s nice to know they’re taking security seriously in Web Edition (though the irony of their website getting hacked did not go unnoticed by conference attendees).