Encryption protects sensitive data, whether stored or in transit, from being read by third parties. Yet the most common encryption flaw in software is simply not encrypting sensitive data at all.
Attackers usually do not try to break the encryption itself; they break something around it. Typical attack vectors are stealing the data while it is still in plain text, mounting a Man-in-the-Middle (MITM) attack on an unprotected channel, or stealing the keys.
The following example illustrates how a MITM attack can be used to eavesdrop on the communication between two computers and then impersonate a legitimate user with their stolen session (in the diagram, green arrows represent secure connections and red arrows represent plain text connections):
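The session theft above only works because the session cookie crosses a plain text link. As an added example (not from the original page and not OutSystems code), the Go program below parses two constructed HTTP responses and reports the gaps that make a session replayable: no Strict-Transport-Security header, which lets the browser follow an http:// link and send the cookie in clear, and a cookie without the Secure flag. It also flags cookies without HttpOnly, which the page does not mention, and uses a one-year max-age floor as an assumed threshold; the cookie name and responses are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Constructed sample responses (not captured from a real server). The first is
// what a plaintext-only deployment returns; the second applies the hardening the
// page recommends: HSTS plus a Secure (and HttpOnly) session cookie.
const plaintextResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html\r\n" +
	"Set-Cookie: session=2f9a1c; Path=/\r\n" +
	"Content-Length: 0\r\n\r\n"

const hardenedResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html\r\n" +
	"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n" +
	"Set-Cookie: session=2f9a1c; Path=/; Secure; HttpOnly\r\n" +
	"Content-Length: 0\r\n\r\n"

// minHSTSAge is one year in seconds, an assumed floor for treating HSTS as enforced.
const minHSTSAge = 31536000

// Finding is one deviation from the transport-hardening recommendations.
type Finding struct {
	Check  string // "hsts" or "cookie"
	Detail string
}

// hstsMaxAge extracts max-age from a Strict-Transport-Security value; -1 if absent or malformed.
func hstsMaxAge(value string) int {
	for _, directive := range strings.Split(value, ";") {
		directive = strings.ToLower(strings.TrimSpace(directive))
		if strings.HasPrefix(directive, "max-age=") {
			n, err := strconv.Atoi(strings.TrimPrefix(directive, "max-age="))
			if err != nil {
				return -1
			}
			return n
		}
	}
	return -1
}

// AuditTransport parses a raw HTTP response and reports what an on-path attacker
// could exploit: missing or short-lived HSTS (the browser may still talk plain HTTP,
// exposing the cookie) and cookies that lack the Secure or HttpOnly attributes.
func AuditTransport(raw string) ([]Finding, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var findings []Finding
	hsts := resp.Header.Get("Strict-Transport-Security")
	switch {
	case hsts == "":
		findings = append(findings, Finding{"hsts", "Strict-Transport-Security header missing"})
	case hstsMaxAge(hsts) < minHSTSAge:
		findings = append(findings, Finding{"hsts", "max-age below one year: " + hsts})
	}
	for _, c := range resp.Cookies() {
		if !c.Secure {
			findings = append(findings, Finding{"cookie", fmt.Sprintf("%q lacks Secure; it is sent over plain HTTP", c.Name)})
		}
		if !c.HttpOnly {
			findings = append(findings, Finding{"cookie", fmt.Sprintf("%q lacks HttpOnly; readable by injected script", c.Name)})
		}
	}
	return findings, nil
}

func main() {
	for name, raw := range map[string]string{"plaintext": plaintextResponse, "hardened": hardenedResponse} {
		findings, err := AuditTransport(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s\n", f.Check, f.Detail)
		}
	}
}
```

Run the same check against a real response captured with a proxy or `curl -i`; the plaintext sample yields three findings, the hardened one none.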
How to do it with OutSystems Platform
OutSystems encrypts all stored data of Cloud customers automatically. For customers with on-premises environments, the recommended strategy is to encrypt every channel and every piece of sensitive data. To do so with OutSystems Platform, follow these recommendations for each scenario:
| Scenario | Technology | Recommendations |
| --- | --- | --- |
| Secure apps' communications | HTTPS, SSL/TLS | Set the HTTP Security property to SSL in Web Flows and Web Services (requires an SSL certificate). Use only trusted SSL certificates. |
| Protect how cookies are transmitted | HTTPS, HSTS | Enable secure cookies in your applications/server, so the browser never sends them over plain HTTP. Enable HSTS headers, which force the browser to use HTTPS (see Enforce HTTPS Security). |
| Encrypt data (stored or in transit) | AES-128, AES-256 | Use the CryptoAPI component to encrypt your data. Use a Key Management System, so that keys are stored separately from the data they protect. Use the OutSystems Platform built-in SHA-512 algorithm for hashing; hashing is one-way, so use it for integrity checks and values you never need to read back, not as a substitute for encryption. |
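An added example, written in Go rather than with the OutSystems CryptoAPI component, of the last row's recommendations working together: AES-256 in GCM mode, the key loaded from outside the data store (the APP_DATA_KEY environment variable is an assumed stand-in for a key management system), and authentication so that a tampered ciphertext, or one copied into another record, fails to decrypt instead of yielding garbage. The secret value and record ID are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"os"
)

const keySize = 32 // 32 bytes = AES-256

// NewKey generates a random AES-256 key. In production this happens once,
// inside the key management system; the key never sits next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// LoadKey reads the key from the APP_DATA_KEY environment variable (name assumed
// for this example; a KMS client would take its place). Keeping the key out of
// the database means a dump of the table alone does not expose the plaintext.
func LoadKey() ([]byte, error) {
	raw := os.Getenv("APP_DATA_KEY")
	if raw == "" {
		return nil, errors.New("APP_DATA_KEY is not set")
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil || len(key) != keySize {
		return nil, errors.New("APP_DATA_KEY must be a base64-encoded 32-byte key")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag
// as one blob for storage. context (e.g. the record ID) is authenticated but not
// encrypted, so a ciphertext copied into another record will not decrypt there.
func Encrypt(key, plaintext, context []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// Decrypt reverses Encrypt. Any change to the blob, the key or the context makes
// the GCM tag check fail, so tampering is reported rather than silently accepted.
func Decrypt(key, blob, context []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, context)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong context or tampered data")
	}
	return plaintext, nil
}

func main() {
	key, _ := NewKey()
	os.Setenv("APP_DATA_KEY", base64.StdEncoding.EncodeToString(key)) // stand-in for a KMS
	key, _ = LoadKey()

	secret, context := []byte("4111 1111 1111 1111"), []byte("customer:42") // constructed
	blob, _ := Encrypt(key, secret, context)
	plain, _ := Decrypt(key, blob, context)
	fmt.Println("decrypted:", string(plain))

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Decrypt(key, tampered, context)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because each call draws a fresh nonce, encrypting the same value twice produces different blobs, so equality of ciphertexts reveals nothing about equality of plaintexts; if you need to look records up by the protected field, keep a separate keyed hash for that purpose rather than a deterministic encryption.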