Encryption protects sensitive data, whether stored or in transit, from being read by third parties. Yet the most common flaw in software is simply not encrypting sensitive data at all.
Attackers usually don't try to break the encryption itself; they break something around it. Typical attack vectors are stealing data while it is still in plain text, mounting Man-in-the-Middle (MITM) attacks, or stealing the keys.
The following example illustrates how a MITM attack can be used to eavesdrop on the communication between two computers and impersonate a legitimate user after stealing their session (green arrows represent secure connections, red arrows represent plain-text connections):
How to do it with OutSystems
OutSystems automatically encrypts all stored data for Cloud customers. For customers with on-premises environments, the recommended strategy is to encrypt all channels and all sensitive data. To do so with the OutSystems Platform, follow these recommendations for each scenario:
| Goal | Mechanism | Recommendation |
|---|---|---|
| Secure apps' communications | HTTPS, SSL/TLS | Use HTTP Security SSL in Web Flows and Web Services (requires an SSL certificate). Use only trusted SSL certificates. |
| Protect how cookies are transmitted | HTTPS, HSTS | Enable secure cookies in your applications/server. Enable HSTS headers (forced HTTPS at the client side; see Enforce HTTPS Security). |
| Encrypt data (stored or in transit) | AES-128, AES-256 | OutSystems hashes the passwords of built-in end users and IT users with a salted SHA512 algorithm. Use the CryptoAPI component to encrypt your data. Use a Key Management System. Use the OutSystems Platform built-in SHA512 algorithms for hashing. |
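The cookie and HSTS recommendations above can be verified from what the server actually sends back. The following Python script is an added example, not OutSystems code and not tied to the Enforce HTTPS Security setting: it parses a raw HTTP response head and reports a missing or weak Strict-Transport-Security header and any Set-Cookie that lacks the Secure or HttpOnly flag. The two sample responses, the one-year max-age threshold and the HttpOnly requirement are assumptions of the example.

```python
"""Audit an HTTP response head for transport protections: an HSTS header with a
sane max-age, and Secure/HttpOnly flags on every Set-Cookie.
Added example (not OutSystems code); the responses below are constructed samples."""

# One year is the usual baseline for HSTS max-age (assumed threshold, not from the page).
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw):
    """Return (lower-cased name, value) pairs from a raw response head; status line dropped."""
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the head; anything after it is the body
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def _directives(value):
    """Split 'a=1; b; c=x' into {'a': '1', 'b': '', 'c': 'x'} with lower-cased keys."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def check_hsts(headers):
    """Findings for the Strict-Transport-Security header (empty list means OK)."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["HSTS header missing: the browser will still follow plain-HTTP links"]
    findings = []
    d = _directives(values[0])
    age = d.get("max-age")
    if age is None or not age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(age) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age %s is below %d seconds" % (age, MIN_HSTS_MAX_AGE))
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains: subdomains stay reachable over HTTP")
    return findings


def check_cookies(headers):
    """Findings for every Set-Cookie header: each must carry Secure and HttpOnly."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = _directives(";".join(v.split(";")[1:]))  # attributes after the name=value pair
        if "secure" not in attrs:
            findings.append("cookie %r lacks Secure: it would be sent over plain HTTP" % name)
        if "httponly" not in attrs:
            findings.append("cookie %r lacks HttpOnly: readable by page scripts" % name)
    return findings


def audit(raw):
    """All findings for one raw response head, HSTS first, then cookies."""
    headers = parse_headers(raw)
    return check_hsts(headers) + check_cookies(headers)


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```

Run against the weak sample it reports four findings (no HSTS, the session cookie missing both flags, the prefs cookie missing Secure); the hardened sample produces none. The same functions can be fed the head of a real response captured with a browser's developer tools or `curl -I`.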
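The last row mentions salted SHA512 hashing for built-in user passwords. As an added example (not OutSystems' implementation; the record format, the 16-byte salt and the PBKDF2 iteration count are assumptions), here is what that pattern looks like with a per-user random salt and constant-time verification, plus an iterated PBKDF2-HMAC-SHA512 variant that is the stronger choice when an application manages credentials of its own rather than relying on the platform's built-in hashing.

```python
"""Salted SHA-512 password hashing with a random per-user salt and constant-time
verification, plus an iterated PBKDF2-HMAC-SHA512 variant.
Added example, not OutSystems' own implementation; record formats are assumptions."""
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16  # 128-bit random salt per user (assumed size)
PBKDF2_ITERATIONS = 210_000  # assumed default; tune to your hardware budget


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None):
    """Return 'sha512$<b64 salt>$<b64 digest>' for the given password.

    A fresh random salt is drawn on every call unless one is supplied, so two users
    with the same password get different records and a precomputed table of
    SHA-512(password) values is useless against the stored records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return "sha512$%s$%s" % (_b64(salt), _b64(digest))


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed record (binascii.Error is a ValueError): reject
        return False
    if algo != "sha512" or len(expected) != hashlib.sha512().digest_size:
        return False
    actual = hashlib.sha512(salt + password.encode("utf-8")).digest()
    # compare_digest avoids the early-exit timing leak of a plain '==' on bytes.
    return hmac.compare_digest(actual, expected)


def hash_password_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Iterated variant: same salt idea, but deliberately slow, so offline guessing
    against a leaked record costs the attacker 'iterations' hashes per guess."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha512$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify_pbkdf2(password, record):
    """Verify a record produced by hash_password_pbkdf2; the iteration count is
    read from the record so it can be raised later without invalidating old ones."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False
    if algo != "pbkdf2-sha512" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    print("same password, new salt differs:", hash_password("x") != hash_password("x"))
```

Note that the salt is stored beside the digest in the clear: its job is to make each record unique, not to be secret. What must stay secret is the password itself, and what must be enforced is the constant-time comparison, which is why both verifiers go through `hmac.compare_digest` rather than `==`.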