Is SharePoint 2013 secure?

  • Question

  • Hi,

      As we all know, SP 2013 supports the app model, which is client based. I have a requirement to implement some apps for my client, who is from the banking domain. This model supports the REST API and can hack the list or whatever on the web. I found a link where, using Fiddler, they create a list and items etc. Using Fiddler and request headers, we can do the operation, right? In that case, anyone inside the bank (any customer) can hack the portal, right? Please advise how to secure...

    Balaji -Please click mark as answer if my reply solves your problem.

    Saturday, May 16, 2015 10:28 AM


  • It is only as secure as you implement it. You can make it very secure or you can literally leave security holes everywhere - it depends on you more than it depends on the platform.

    To make it secure, the entire team needs to understand how the security model works.

    - SharePoint-hosted apps run in the context of the user, so you can do whatever the user can.

    - Provider-hosted apps perform OAuth-based authentication patterns with tokens. These apps are as secure as any OAuth 2 based application. Not more, not less. The OAuth protocol has a lot written about how to secure it and how secure it is in the specification. Every developer has to read it at least once per year.

    Attacks in this space come from bad JavaScript. Because JavaScript is in the picture, you are exposed to every rule about security in JavaScript. If you have a snippet, you can execute it within the context of the user, but that is the case with every JavaScript application in the world with the current state of JS and browsers.

    And next is Fiddler - one of the greatest tools ever. You can simulate OAuth message patterns and log in with whatever the server lets you log in with and access whatever the authorization framework lets you access. But you can do that with JavaScript, with .net and with everything else that could send packets over HTTP.

    We run a significant amount of SharePoint apps in banking, both on-prem and O365, we consult on security and get penetration testers involved. With the right set of planning everything can be as secure as the client needs it to be.

    Independent SharePoint Consultant. Feel free to contact me. Blog: Twitter: @RadiAtanassov

    • Marked as answer by Rebecca Tu Wednesday, May 27, 2015 9:34 AM
    Sunday, May 17, 2015 6:16 AM
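As an added illustration of the answer's point that a provider-hosted app is exactly as secure as its OAuth token handling (this is example code, not code from the thread or from SharePoint's own TokenHelper), the check such an app should run on every incoming context token before trusting it, with constructed secret, realm, client id and host values. It assumes the raw secret string is the HMAC key; SharePoint's TokenHelper base64-decodes the registered client secret first, so adapt that line for a real deployment.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values for this example (not real SharePoint identifiers).
CLIENT_SECRET = "example-client-secret"                 # secret registered for the app
REALM = "11111111-2222-3333-4444-555555555555"          # tenant realm (constructed)
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # app client id (constructed)
HOST = "app.example.com"                                # provider-hosted app's host name
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"  # ACS issuer principal id

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_context_token(token, now=None):
    """Return the claims if the token is signed with our secret, issued by ACS for
    this realm, addressed to this app and host, and inside its validity window;
    raise ValueError otherwise. Anything replayed, tampered or minted for a
    different app fails one of these checks, whatever HTTP client sent it."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # refuse 'none' and any other algorithm
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{REALM}":
        raise ValueError("wrong issuer")
    if claims.get("aud") != f"{CLIENT_ID}/{HOST}@{REALM}":
        raise ValueError("wrong audience")      # token issued for another app or host
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims

def make_token(claims, secret=CLIENT_SECRET):
    """Build a token the way the issuer would; used here only to construct input."""
    h = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```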