Analysis of open source systems with Observatory

Analiza otwartych systemów CRM

There are many tools available online that allow producers, providers, and customers to verify the current security status set for an online system. Although CRM/ERP systems are not usually publicly available, demo versions can be easily accessed. We will try to explain security issues that are significant for every web system, especially for open source projects that can be adjusted to everyone’s individual requirements, including those related to security.

Testing tool

The tool that we are going to use [https://observatory.mozilla.org] verifies the following securities:

  • Content Security Policy
  • Cookies Secure
  • Cross-origin Resource Sharing
  • HTTP Public Key Pinning
  • HTTP Strict Transport Security
  • Redirection
  • Referrer Policy
  • Subresource Integrity
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection

We will not describe the above mentioned securities in this article because there are many articles on the Internet that clearly and transparently discuss them and help to understand their importance. The quote from the authors is worth mentioning here:

„When nine out of 10 websites receive a failing grade, it’s clear that this is a problem for everyone. And by “everyone”, I’m including Mozilla — among our thousands of sites, a great deal of them fail to pass.” Source: Mozilla, news.softpedia, cyberkendra

This means that the problem is common and producers are not keeping up with the development of technology. Everyone should implement appropriate internal policies that are responsible for improving code quality and verifying the compliance with applicable standards. Especially because there are many online tools. Mozilla uses the following rating for particular securities: https://github.com/mozilla/http-observatory/blob/master/httpobs/scanner/grader/grade.py that uses grades from F [the worst] to A+ [the best].

Comparison of open source systems

Below are examples of how open source producers secure their products:

 System name  Grade  Score
YetiForce 4.2  B+ 80
VtigerCRM 7.0.1 F 0
JoForce 7.0 F 0
SuiteCRM 7.9.4 F 0
CoreBOS 7.0 F 0
EPESI 1.8 F 0
oroCRM 2.3 F 0

Some producers solve the problem by appropriate server configuration for the system’s sub domain but this problem still exists because mechanisms and securities should be built into the application. While, from a security perspective, it does not matter on which layer the security will be implemented, from a practical perspective, if there is no security in the application, then it should at least verify whether the server has been properly configured.

From a practical perspective, it is very easy to verify any application by submitting its login page address as well as improve the application, because Mozilla has prepared some practical tips of what one can do to increase the score. Below are examples of screenshots from tests:

YetiForce

SuiteCRM

SugarCRM

coreBOS

Summary

One may think that producers do not know about this type of securities, which significantly hinder a possibility of breaking into the application for some types of vulnerabilities. The truth is that this is ignored and most companies either do not understand the problem or disregard it despite the fact that every security audit should demonstrate:

  • No verification of server configuration.
  • No built-in mechanisms in the application [this is particularly important for open applications that everyone can download and configure].

The latest version of YetiForce received a score of 80 out of 100 points which sets already standards [10 out of 11 tests] according to which software should be created. In the future, we plan to solve the last problem that will allow to pass the 11th test.

Interestingly, some tests are very simple to pass and every producer can accomplish the requirements in a short time, but some others require rebuilding of architecture, so it will comply with the standards.

Keep in mind that this problem does not apply only to open source systems, but also to most commercial systems, including the expensive ones.

  • wtorek, 18 lipiec 2017