The basis for the application security of Evention® is the OWASP Application Security Verification Standard (ASVS). OWASP is an independent, worldwide community with the goal of supporting the operation of secure web applications and providing corresponding instruments free of charge.

The OWASP Application Security Verification Standard forms the framework for the Evention® Web Security Package (hereinafter referred to as E-WSP), which contains the following 10 security measures:

1. SQL injection avoidance
E-WSP eliminates injection vulnerabilities, such as SQL, OS or LDAP injection, so that untrustworthy data cannot be processed by the interpreter as part of a command or query. This prevents a potential attacker from manipulating input data in such a way that it can execute unauthorized commands or access data without authorization.

2. Prevention of authentication errors
E-WSP prevents the incorrect implementation of application functions related to authentication and session management. This prevents potential attackers from compromising passwords or session tokens, or from exploiting the corresponding vulnerabilities, to temporarily or permanently assume the identity of other users.

3. Prevention of loss of sensitive data
E-WSP protects all sensitive data, such as guest data (personal information) or event data (company-related information), with comprehensive security measures, such as encryption of stored data or encrypted data transmission. This prevents attackers from reading or modifying data.

4. Protection from XML External Entities (XXE)
The securely configured XML processor of Evention® excludes references to external entities within all XML documents. This means that external entities cannot be abused, via URI file handlers, to disclose internal files or file shares, or to perform internal port scans, remote code execution, or denial-of-service attacks.

5. Prevention of errors in the access control
E-WSP guarantees that all access rights for authenticated users are implemented correctly and consistently. This prevents potential attackers from exploiting vulnerabilities to access functions or data for which they do not have access authorization. Access to accounts of other users as well as to confidential data, or the manipulation of user data, access rights etc., is generally excluded.

6. Avoidance of safety-relevant misconfigurations
E-WSP prevents misconfigurations of security settings, such as insecure default configurations, incomplete or ad-hoc configurations, unprotected cloud storage, misconfigured HTTP headers, and error output containing confidential data. All operating systems, frameworks, libraries and applications are securely configured and kept up to date by permanent security patches.

7. Protection against Cross-Site Scripting (XSS)
E-WSP prevents Evention® from receiving untrusted data and sending it to the web browser without validation or recoding. Furthermore, HTML or JavaScript code cannot be generated on the basis of user input. This prevents potential attackers from executing script code in the user's browser and thus taking over user sessions, modifying page content or redirecting the user to malicious pages.

8. Prevention of unsafe deserialization
E-WSP ensures secure, sufficiently audited deserializations to block remote code execution vulnerabilities. All attack patterns such as replay attacks, injections and obtaining extended access rights are excluded.

9. No use of components with known vulnerabilities
Evention® uses only secure components, libraries and frameworks. This prevents the implemented protective measures of the core application from being undermined and attacks from being carried out through the back door.

10. Avoiding insufficient logging & monitoring
E-WSP protects against continuous or repeated attacks by sufficient logging and monitoring. Many studies show that the time taken to detect an attack is approximately 200 days and that attacks are typically detected by third parties rather than by internal monitoring and control measures.
