More in this section

Forums / Developing with Sitefinity / PCI Security requirements

PCI Security requirements

4 posts, 0 answered
  1. Adam @Habanero
    Adam @Habanero avatar
    45 posts
    Registered:
    22 Jun 2012
    28 May 2008
    Link to this post
    Hi There

    We have a need from a client to ensure that all sofware we are integrating is PCI (Payment Card Industry) compliant.

    Their requirements for Web apps are as follows:

    Develop all web applications based on secure coding guidelines such as the Open Web

    Application Security Project guidelines. Review custom application code to identify coding

    vulnerabilities. Cover prevention of common coding vulnerabilities in software development

    processes, to include the following:

    6.5.1 Unvalidated input

    6.5.2 Broken access control (for example, malicious use of user IDs)

    6.5.3 Broken authentication and session management (use of account credentials and session

    cookies)

    6.5.4 Cross-site scripting (XSS) attacks

    6.5.5 Buffer overflows

    6.5.6 Injection flaws (for example, structured query language (SQL) injection)

    6.5.7 Improper error handling

    6.5.8 Insecure storage

    6.5.9 Denial of service

    6.5.10 Insecure configuration management



    Is it possible to get a confirmation on wheaterh sitefinity is safe against the above?

    Thanks!
  2. Kalina
    Kalina avatar
    176 posts
    Registered:
    27 Oct 2016
    05 Jun 2008
    Link to this post
    Hi Adam,

    The cited common coding vulnerabilities are covered by the  .NET Framework Standards which Sitefinity follows closely.

    I hope that answers your question.

    Sincerely yours,
    Kalina
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  3. SelAromDotNet
    SelAromDotNet avatar
    912 posts
    Registered:
    18 Jul 2012
    11 Aug 2008
    Link to this post
    I'm glad to hear that sitefinity is following best practices, I would just like some reassurance. Our site has been subject to several injection attack attempts. our error log shows that the news page has been requested with injection query strings attached with malicious code. the response has been "invalid content id" but I'd like to make sure that sitefinity is not in any way accepting this code, because it doesn't throw an argument error, rather an invalid id error, which doesn't necessarily mean that it didn't execute the malicious code!

    on all my custom modules, there are of course checks in place to filter malicious input, and I'm sure sitefinity would never overlook such a basic need, but I'd like to learn more about what is in place, especially since the news page always goes straight to an error state instead of showing some kind of error message. it would be great to mimic the "emptydatatemplate" of the gridview on the news and show a customizeable error message when news is not found or an error was encountered.
  4. Georgi
    Georgi avatar
    3583 posts
    Registered:
    28 Oct 2016
    11 Aug 2008
    Link to this post
    Hello SelArom,

    No one has reported anything similar so far. We would be glad to see your log file and the mentioned queries. Could you please open a support thread with the sitefinity.log file attached?

    Some more information on our protection and the SQL injection attacks:

    First, we don't have any in-line SQL code in our classes. Sitefinity uses either stored procedures or parameterized SQL queries depending on the database and the particular use-case. This approach makes it impossible to inject malicious SQL statements at run time.

    The input variables are filtered by the objects that use the ORM, then by the ORM Data Layer itself. In addition, we use both Client and Server Side Validators in the forms where the user could submit content. We also use the ASP.NET protection techniques, such as Event Validation and Sensative Characters detection on postbacks.

    Sincerely yours,
    Georgi
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
Register for webinar
4 posts, 0 answered