OWASP Top 10 2021

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.8
  • CON.10
  • APP.3.1

Open-Xchange reviews the "OWASP Top 10" list of web application security risks against OX App Suite and uses it as one input for continuous product improvement. While the ranking may not map precisely to the actual risk of operating OX App Suite, it provides awareness of and insight into our efforts across the individual security domains.

Broken Access Control

OX App Suite exposes access to user data via a generic web-services API. Reading data and invoking methods is only possible for successfully authenticated accounts, and every action is checked against access control lists as described in Multi-Tenant Configuration, Permissions and Authorization.

Sensitive functionality is strictly limited by server-side settings and cannot be overridden by changes at the frontend level; every access control check is enforced on the server side. Each request must carry a session identifier and a valid authentication cookie, and the session is bound to the user agent and source IP address it was established from. Only this combination identifies the session and authorizes the requested action.

Cryptographic Failures

OX App Suite uses modern cryptographic mechanisms and allows operators to configure them as required. All relevant Communication Channels can be configured to use TLS, including "internal" traffic. Opportunistic TLS upgrade protocols like STARTTLS are not optimal from a security perspective, because an active attacker on the path can strip the upgrade offer and force a plaintext session unless the client is configured to require TLS; they are nevertheless supported for compatibility with third-party systems. Operators can disable those protocols if needed.

Cryptographic material is not provided by default and must be supplied by the operator. Deprecated functions are not enabled by default and may only be used for compatibility reasons. OX App Suite does not depend on any insecure or outdated cryptography. See Cryptography for more details.

Operators and users are responsible for determining information classification and adequate processing standards. OX App Suite is a tool for data processing and provides technical measures to safeguard sensitive information; it is not opinionated regarding operational data handling processes.

Injection

Processing of external and user-provided data assumes malicious input at all times. While OX App Suite cannot strictly enforce valid content at some interfaces, for example when parsing E-Mail, API requests are checked thoroughly for plausibility and against deny-lists. External data is encoded and sanitized on output, regardless of its origin.

Input that is forwarded to backend systems, like databases or file systems, is normalized, and users cannot specify details like storage location or query content. Prepared statements are used for all database queries that carry externally supplied values, which prevents SQL injection. The same principle, never concatenating raw input into query syntax, is applied to LDAP filters to prevent LDAP injection; prepared statements alone do not cover LDAP, because LDAP filters have no bind-parameter mechanism and require escaping of filter metacharacters instead.
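The two cases above side by side, as an added example that is not OX App Suite code: a string-concatenated SQL query beside its prepared-statement form, run against a constructed in-memory SQLite table, and an LDAP filter builder with and without RFC 4515 escaping of the assertion value. The table, the column names and the hypothetical `uid` filter are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for the illustration; not OX App Suite's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, display_name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice", "s3cr3t-a"), ("bob", "Bob", "s3cr3t-b")],
    )
    return conn


def lookup_vulnerable(conn, login):
    # Vulnerable: the attacker-controlled value becomes part of the SQL text,
    # so quotes, OR clauses and UNION SELECT are interpreted as syntax.
    sql = "SELECT login, display_name FROM users WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, login):
    # Hardened: the value travels as a bound parameter and can only ever be
    # compared as data, never parsed as SQL.
    sql = "SELECT login, display_name FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


# RFC 4515 escaping for a single LDAP assertion value. Each character is
# mapped independently, so a backslash is never escaped twice.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_for_login(login, escape=True):
    # Hypothetical directory lookup by uid, restricted to person entries.
    value = ldap_filter_escape(login) if escape else login
    return "(&(objectClass=person)(uid=%s))" % value


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    exfil = "' UNION SELECT login, secret FROM users--"
    print("vulnerable, tautology :", lookup_vulnerable(db, tautology))  # every row
    print("vulnerable, exfil     :", lookup_vulnerable(db, exfil))      # secrets leak
    print("prepared, tautology   :", lookup_prepared(db, tautology))    # []
    print("ldap raw    :", ldap_filter_for_login("*)(uid=*", escape=False))
    print("ldap escaped:", ldap_filter_for_login("*)(uid=*"))
```

The unescaped LDAP filter `(&(objectClass=person)(uid=*)(uid=*))` matches every person entry, which is the directory equivalent of the SQL tautology; the escaped form `(uid=\2a\29\28uid=\2a)` matches only a uid that literally contains those characters.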

Potentially dangerous and rarely used elements in content, for example external entity references in XML documents, are filtered and restricted before the content is processed. This is especially relevant for OX Documents content, which cannot be trusted but must be evaluated to provide functionality. OX App Suite can perform malware checks when unstructured content is downloaded, for example E-Mail attachments or files from OX Drive.

Insecure Design

Open-Xchange employs threat modelling techniques when introducing significant changes and has implemented a security development lifecycle that covers smaller changes as well. Each team has a "Security Champion" role, filled by a team member with professional knowledge of software security. Security Champions are organized across the organization and exchange their learnings on a daily basis.

The software development process itself follows best practices such as those defined by SLSA, including peer reviews, internal and external penetration testing, fuzzing, static code analysis, software composition analysis and secret scanning of our code base. Best practices for secure software development are documented and advocated by the internal security organization.

Implementation-specific security patterns, like tenant separation, limits on request resource consumption and logging of security-related events, are a foundation of the software design model. Development teams create unit tests and functional tests to detect misbehaviour of the implementation and regressions. Every vulnerability fix is accompanied by mandatory automated test cases that are executed in the CI/CD pipelines.

Security Misconfigurations

Configuration is documented with regard to its impact on secure operations. OX App Suite ships without default credentials, and the relevant configuration settings are documented in this resource. Planning, deployment and maintenance of the production infrastructure are the operator's responsibility. Please refer to our Configuration Portal for details.

Vulnerable and Outdated Components

Open-Xchange continuously monitors its components and provides SBOM resources so that operators can double-check for outdated or potentially vulnerable components. See Secure Coding for more details. All components shipped in the default delivery of currently supported versions of OX App Suite are actively maintained by their vendor or community. Unmaintained components are removed over time and replaced by alternatives. Our Software Security Incident Process ensures that vulnerable third-party components are replaced in our deliveries in due time and that operators are informed proactively about such changes.

Container images are created using a trusted build process, see Container Images for more information. This includes transfer of components over secure connections, screening and vetting during the selection process, and technical and organizational controls that secure the build process itself. Operators can verify the authenticity and integrity of the provided deployment artifacts using their digital signatures.

Identification and Authentication Failures

The general best practice is to offload identification and authentication to specialized systems, like an Identity Provider (IdP) or federated authentication systems using standard protocols like SAML or OpenID Connect. In cases where OX App Suite is used as the authentication endpoint, several security measures are in place to protect the authentication process.

Brute-force attempts are countered by rate limiting and by logging failed authentication attempts by default. Integration with more sophisticated detection mechanisms like OX Abuse Shield is available. Operators should create further alerting based on the log messages issued by OX App Suite, for example in a SIEM.
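An added example of the SIEM-side alerting recommended above; it is not OX App Suite or OX Abuse Shield code. It runs two detections over a handful of constructed log lines: repeated failures for one user from one source (classic brute force) and failures spread across many users from one source (password spraying), each within a sliding time window. The line format, thresholds and addresses are assumptions for this illustration, not OX App Suite's actual log format or defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "login failed/ok user=... ip=..." format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WARN  login failed user=alice ip=203.0.113.7
2024-05-01T10:00:03Z WARN  login failed user=alice ip=203.0.113.7
2024-05-01T10:00:04Z WARN  login failed user=alice ip=203.0.113.7
2024-05-01T10:00:06Z WARN  login failed user=alice ip=203.0.113.7
2024-05-01T10:00:08Z WARN  login failed user=alice ip=203.0.113.7
2024-05-01T10:00:09Z INFO  login ok user=bob ip=198.51.100.2
2024-05-01T10:00:10Z WARN  login failed user=bob ip=198.51.100.9
2024-05-01T10:00:11Z WARN  login failed user=carol ip=198.51.100.9
2024-05-01T10:00:12Z WARN  login failed user=dave ip=198.51.100.9
2024-05-01T10:00:13Z WARN  login failed user=erin ip=198.51.100.9
2024-05-01T10:15:00Z WARN  login failed user=frank ip=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) +\w+ +login (failed|ok) user=(\S+) ip=(\S+)$")


def parse(lines):
    """Yield (timestamp, failed, user, ip) for each line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2) == "failed", m.group(3), m.group(4)


def detect(lines, window=timedelta(minutes=5), max_failures=5, max_users=4):
    """Return a list of (kind, ip, user) alerts; lines must be in time order."""
    failures = defaultdict(deque)     # (ip, user) -> timestamps of recent failures
    users_per_ip = defaultdict(dict)  # ip -> {user: last failure timestamp}
    alerts = []
    for ts, failed, user, ip in parse(lines):
        if not failed:
            continue
        # Brute force: many failures for the same user from the same source.
        q = failures[(ip, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            alerts.append(("bruteforce", ip, user))
            q.clear()  # re-arm: alert again only after another full burst
        # Spray: one source touching many distinct users, few attempts each.
        seen = users_per_ip[ip]
        seen[user] = ts
        for u, last in list(seen.items()):
            if ts - last > window:
                del seen[u]
        if len(seen) >= max_users:
            alerts.append(("spray", ip, None))
            seen.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Rate limiting the live login endpoint is a separate, complementary control inside the application; this script only shows what the operator's alerting side can derive from the failed-login messages once they are shipped to a central log system.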

When the native database password storage is used, user passwords are stored using modern password hashing mechanisms like bcrypt, which make offline brute-force attempts very expensive. The same applies to privileged administrative accounts. OX App Suite does not ship with default credentials, and the operator is responsible for defining and enforcing adequate complexity standards for passwords and machine-to-machine authentication tokens. Multi-Factor Authentication is offered for user account access.

The authentication process is described in more detail at Session Management; it does not reuse authentication tokens and does not expose sensitive information. The "Session Identifier" only identifies an established session; it is not an authentication credential and plays no part in the authentication decision itself. All authentication data is invalidated server-side once a manual or automatic logout has been performed. Client-side data is only used to maintain an existing session, never to make authentication decisions.
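The session binding described under Broken Access Control (session identifier plus cookie secret, user agent and source IP) together with the server-side invalidation on logout described in this paragraph, as one added example. This is illustrative code, not OX App Suite's Session Management implementation; the store layout, the folder ACL and the hashing of the cookie secret at rest are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed folder ACL: folder -> user -> set of permitted actions.
FOLDER_ACL = {
    "team-folder": {"alice": {"read"}, "bob": {"read", "write"}},
}


class SessionStore:
    """Server-side sessions bound to the client they were created for."""

    def __init__(self):
        self._sessions = {}  # session_id -> record

    def create(self, user, user_agent, client_ip):
        # The session id is only an identifier and is sent in the clear;
        # the cookie secret is the actual proof of possession.
        session_id = secrets.token_urlsafe(16)
        cookie_secret = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": user,
            # Store a hash so a leaked session table cannot be replayed.
            "secret_hash": hashlib.sha256(cookie_secret.encode()).digest(),
            "ua": user_agent,
            "ip": client_ip,
        }
        return session_id, cookie_secret

    def authorize(self, session_id, cookie_secret, user_agent, client_ip):
        """Return (user, reason); user is None when the request is rejected."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return None, "unknown session"
        presented = hashlib.sha256(cookie_secret.encode()).digest()
        # Constant-time comparison: the secret must not leak through timing.
        if not hmac.compare_digest(presented, rec["secret_hash"]):
            return None, "cookie mismatch"
        if rec["ua"] != user_agent:
            return None, "user agent mismatch"
        if rec["ip"] != client_ip:
            return None, "source ip mismatch"
        return rec["user"], "ok"

    def logout(self, session_id):
        # Invalidate server-side; a replayed cookie is useless afterwards.
        self._sessions.pop(session_id, None)


def is_permitted(user, action, folder):
    """ACL check performed on the server after the session has been accepted."""
    return action in FOLDER_ACL.get(folder, {}).get(user, set())


if __name__ == "__main__":
    store = SessionStore()
    sid, secret = store.create("alice", "Mozilla/5.0", "192.0.2.10")
    print(store.authorize(sid, secret, "Mozilla/5.0", "192.0.2.10"))   # ('alice', 'ok')
    print(store.authorize(sid, secret, "Mozilla/5.0", "198.51.100.1")) # source ip mismatch
    print(is_permitted("alice", "write", "team-folder"))               # False
    store.logout(sid)
    print(store.authorize(sid, secret, "Mozilla/5.0", "192.0.2.10"))   # unknown session
```

The point of the two-level check is that a stolen cookie alone is not enough: the request must also arrive from the same user agent and source address, and once the server has dropped the session nothing the client still holds can revive it.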

Software and Data Integrity Failures

OX App Suite is provided as container images which are digitally signed and offered over an encrypted and authenticated connection. The signature can be validated with standard tooling like cosign, using a public key provided by Open-Xchange. Operators must make sure that signatures are verified before deployment; we recommend using admission controllers to automate this check so that unsigned or wrongly signed images are rejected by the cluster itself.

The process that builds OX App Suite is highly automated, uses CI/CD patterns and draws on software sources that provide signatures as well. We provide SBOM information so that operators can double-check the content of our deliveries. All code and configuration is stored in access-restricted Git repositories, which ensure the integrity of the stored code. Any change triggers notifications and a mandatory peer-review process; direct commits to production branches are not possible.

Third-party libraries are continuously monitored for known vulnerabilities and potential supply-chain issues using Software Composition Analysis automation. Open-Xchange strongly recommends that operators use TLS exclusively for client and backend connections to ensure data integrity on all levels. See Cryptography for more details.

Security Logging and Monitoring Failures

Security events and logging are provided by OX App Suite through a configurable logging and metrics system; find more details at Error Handling and Monitoring. Operators are responsible for configuring and consuming the produced output according to the indicated log severity and origin, for example authentication logs.

Log and monitoring messages can be sent to a remote endpoint, which avoids the risk of losing or tampering with local log information. The information is provided in near real time, which allows operators to add alerting, automatic error handling or escalations. Given the distributed nature of an OX App Suite deployment, it is critical that the logging and monitoring concept covers all components. Security-relevant log information may also be produced by third-party systems like ingress proxies, admission controllers, identity providers and service-mesh components.

Server-Side Request Forgery (SSRF)

Some features of OX App Suite allow end users to specify external communication endpoints, for example to subscribe to external mail accounts, news feeds and calendars. Since those features are implemented on the server side, they result in server-side requests. Mitigation measures are in place to restrict the destinations of those requests, for example to prevent requests to local resources or non-public networks.

Operators can specify custom deny-lists per feature and should review this configuration. Operators should also limit egress traffic to prevent access to internal systems and apply strict network segmentation. This is not only a measure to reduce the risk of SSRF issues but a general best practice against application vulnerabilities. OX App Suite can route egress traffic over proxies, which can be used to restrict traffic at the protocol and application layer.
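An added example of the destination check such a feature needs before it opens a server-side connection; it is not OX App Suite's implementation. It allow-lists scheme and port, applies an operator deny-list of host suffixes, resolves the host, rejects the target if any resolved address is non-public (loopback, RFC 1918, link-local including the cloud metadata address, IPv4-mapped IPv6, and so on), and returns the vetted address so the caller can connect to that pinned address rather than resolving the name a second time, which closes the DNS rebinding gap between check and use. DNS is replaced by a constructed lookup table so the example runs offline; the hostnames, deny-list entries and port list are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}
# Operator-supplied deny-list of host suffixes (constructed example values).
DENIED_HOST_SUFFIXES = (".internal.example", ".corp.example")

# Constructed stand-in for DNS; a real implementation would use socket.getaddrinfo
# and feed every returned address through the same check.
FAKE_DNS = {
    "feeds.example.net": ["93.184.216.34"],
    "evil.example.net": ["93.184.216.34", "10.0.0.5"],  # mixed public/internal records
    "meta.example.net": ["169.254.169.254"],            # cloud metadata service
    "v6.example.net": ["::ffff:127.0.0.1"],             # IPv4-mapped loopback
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_public_ip(text):
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, private, link-local, shared (100.64/10),
    # reserved and documentation ranges.
    return ip.is_global


def validate_target(url, resolve=fake_resolve):
    """Return (True, pinned_ip) for an acceptable target, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    if host.endswith(DENIED_HOST_SUFFIXES):
        return False, "host on operator deny-list"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    # Reject if ANY record is non-public: an attacker controlling the zone can
    # mix a harmless record with an internal one and hope the client picks the latter.
    for addr in addresses:
        if not is_public_ip(addr):
            return False, "non-public address %s" % addr
    return True, addresses[0]


if __name__ == "__main__":
    for u in ("https://feeds.example.net/rss.xml", "https://evil.example.net/",
              "http://meta.example.net/latest/meta-data/", "http://v6.example.net/",
              "http://127.0.0.1:8080/", "http://[::1]/", "ftp://feeds.example.net/",
              "http://wiki.internal.example/", "https://feeds.example.net:8443/"):
        print(u, "->", validate_target(u))
```

Two caveats the check cannot cover on its own: HTTP redirects must be followed manually and every hop re-validated, since a public host can 302 to an internal one; and the egress restrictions and proxies recommended above remain the backstop for anything the application-level check misses.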