Intuit Partner Platform: What should I expect during my federated application security review?

Overview

When you publish your federated IPP application, it has to pass a technical check. Intuit works with a 3rd-party security vendor to make sure your application isn't doing "bad things" to Intuit's platform or its customers' data.

The 3rd-party vendor runs an automated vulnerability scanner (IBM Rational AppScan, http://www-142.ibm.com/software/products/us/en/subcategory/rational/SWI50) against your server, checking for thousands of known vulnerability patterns. It submits every form it finds, logs in to your application and crawls it, sends malformed data through URL parameters, probes for commonly exposed URLs, and so on.

In addition to the automated scan, you'll be asked to submit your source code for review. An actual person reads your code (especially your SAML gateway) looking for anything wrong with it.

Things They Check

General Requirements

Code Review

Intuit will ask you to submit your code to them (or directly to the 3rd-party security company they use). They'll want any code which:

  • Deals with SAML
  • Deals with OAuth (if applicable, not all apps will use OAuth)
  • Touches any IPP APIs
  • Touches any IDS APIs

Commonly Vulnerable URLs

The automated scanning tool probes for well-known paths (admin consoles, leftover test scripts, default installs) which may expose sensitive data or functionality. Things like:

  • /phpMyAdmin/
  • /cgi-bin/test.cgi

XSS Attacks

  • Any input you accept from the user (via GET, POST, COOKIE, HTTP headers, or otherwise) must be treated as untrusted and checked for payloads like:
"><script>alert('Do something bad!');</script>

Input Filters

Make sure user input is valid before you use it. If a field should be an integer, check that it's an integer; if it should be a float, check that it's a float; if it should be one of a fixed set of values (a sort column, a status code), check it against that list and reject anything else.

Output Filters

  • Any output you display that came from user input (or from any data you don't control) should be run through an HTML entity filter that converts characters like < and > to &lt; and &gt; (and " to &quot; inside attributes).
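The two points above (validate on the way in, entity-encode on the way out) as one worked example in Python. This is an added illustration, not code from this page or from Intuit; the function names (parse_int, parse_float, parse_choice, escape_for_html, render_greeting) and the greeting page it renders are assumptions made for the example.

```python
"""Strict input validation plus HTML output encoding (added example)."""
import html
import math
import re
from typing import Iterable, Optional

# Python's own int()/float() are too permissive for form fields:
# int("1_000") and float("nan") both succeed. Use strict patterns instead.
_INT_RE = re.compile(r"^[+-]?\d+$")
_FLOAT_RE = re.compile(r"^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$")


def parse_int(raw, lo: Optional[int] = None, hi: Optional[int] = None) -> Optional[int]:
    """Return raw as an int only if it is strictly an integer within [lo, hi]."""
    if not isinstance(raw, str) or not _INT_RE.match(raw.strip()):
        return None
    value = int(raw.strip())
    if (lo is not None and value < lo) or (hi is not None and value > hi):
        return None
    return value


def parse_float(raw) -> Optional[float]:
    """Return raw as a finite float; rejects 'nan', 'inf' and overflow like '1e400'."""
    if not isinstance(raw, str) or not _FLOAT_RE.match(raw.strip()):
        return None
    value = float(raw.strip())
    return value if math.isfinite(value) else None


def parse_choice(raw, allowed: Iterable[str]) -> Optional[str]:
    """Allow-list check for enumerated fields such as a sort column."""
    return raw if isinstance(raw, str) and raw in set(allowed) else None


def escape_for_html(value) -> str:
    """Entity-encode a value for an HTML text node or a quoted attribute."""
    return html.escape(str(value), quote=True)


def render_greeting(name_raw, age_raw, sort_raw) -> str:
    """Build a response fragment: typed fields are validated, everything is
    encoded on output, and the URL parameter comes from an allow-list."""
    age = parse_int(age_raw, lo=0, hi=150)
    sort = parse_choice(sort_raw, {"name", "date"}) or "name"   # safe default
    age_text = str(age) if age is not None else "unknown"
    return (
        f"<p>Hello, {escape_for_html(name_raw)} (age {age_text}).</p>"
        f'<a href="/list?sort={escape_for_html(sort)}">sorted by {escape_for_html(sort)}</a>'
    )
```

Note that entity encoding is the right filter for HTML text and quoted attributes; for a value that lands inside a URL, a script block, or a CSS rule, encoding alone is not enough, which is why the example allow-lists the sort parameter before it goes into the href.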

HTML Forms

Unique tokens or "nonce"

Any HTML form you display should embed a one-time token generated by the server. The token should be tied to that specific user (or session), and on form submission you must check that it is valid, has not been used before, and belongs to the user submitting the form. Invalidate the token after a reasonable time (a few hours) or as soon as it has been used. More details here:
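A concrete way to build such a token, as an added example (not code from this page or from Intuit): an HMAC over the user id, the issue time and a random nonce under a server-side secret, so it can neither be forged nor transplanted to another user, with expiry taken from the timestamp and single use enforced by remembering accepted tokens. The names (issue_token, verify_token, render_form, handle_submission), the two-hour TTL, the /update form and the in-memory spent-token dict are assumptions for the example; a real deployment would keep that dict in the session store or a shared cache.

```python
"""Per-user, one-time, expiring form tokens (added example)."""
import hashlib
import hmac
import html
import secrets
import time
from typing import Dict, Optional

# Assumption: one secret per deployment, generated at startup or loaded from config.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 2 * 60 * 60          # "a reasonable time": two hours

# Tokens already accepted, token string -> issue time (assumption: in-memory store).
_spent_tokens: Dict[str, int] = {}


def _sign(user_id: str, issued_at: int, nonce: str) -> str:
    msg = f"{user_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[int] = None) -> str:
    """Create a fresh token bound to user_id. `now` is injectable for testing."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return f"{issued_at}.{nonce}.{_sign(user_id, issued_at, nonce)}"


def verify_token(token, user_id: str, now: Optional[int] = None) -> bool:
    """Accept the token exactly once, only for user_id, only within the TTL.
    Nothing is marked as spent unless every check passes."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, nonce, sig = token.split(".")
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False                     # malformed or missing token
    # Constant-time compare: a tampered signature or another user's token fails here.
    if not hmac.compare_digest(sig, _sign(user_id, issued_at, nonce)):
        return False
    # Expired, or "issued in the future", is rejected.
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    # Drop spent tokens that could no longer validate anyway, so the store stays bounded.
    for old in [t for t, ts in _spent_tokens.items() if now - ts > TOKEN_TTL_SECONDS]:
        del _spent_tokens[old]
    if token in _spent_tokens:
        return False                     # replay of an already-used token
    _spent_tokens[token] = issued_at
    return True


def render_form(user_id: str) -> str:
    """Embed the token as a hidden field; the session identifies the user server-side."""
    token = html.escape(issue_token(user_id), quote=True)
    return ('<form method="POST" action="/update">'
            f'<input type="hidden" name="form_token" value="{token}">'
            '<input type="text" name="company"><input type="submit"></form>')


def handle_submission(form: dict, session_user_id: str) -> str:
    """Reject the POST unless the token validates for the logged-in user."""
    if not verify_token(form.get("form_token", ""), session_user_id):
        return "403 invalid or reused form token"
    return "200 ok"
```

The user id in the MAC must come from the server-side session, never from the form itself; otherwise an attacker could submit a token issued to their own account together with the victim's id.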

Server Configuration

  • Turn your server signature *off*. In Apache, you can do this:
ServerSignature Off
ServerTokens Prod
  • Disable TRACE/TRACK support. In Apache, you can do this:
TraceEnable off
  • Disable LOW/MEDIUM strength SSL ciphers and old protocols. In Apache, you can do this:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +SSLv3 +TLSv1
    Note that these two lines date from 2013 and still allow SSLv3 and RC4. Both have since been shown to be insecure (POODLE against SSLv3, keystream biases in RC4), so on a current server disable them as well, along with TLS 1.0 and 1.1, rather than copying the directives verbatim.
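For comparison, the same three bullets written for a current Apache 2.4 with mod_ssl. This is an added example, not part of Intuit's checklist; it assumes mod_ssl is loaded and that you can afford to drop clients that only speak TLS 1.0/1.1.

```apache
# Hide version details in headers and error pages, and disable TRACE (as above).
ServerSignature Off
ServerTokens Prod
TraceEnable off

# 2013-era setting from the checklist, shown here only for comparison:
# it still permits SSLv3 and RC4.
#   SSLProtocol -ALL +SSLv3 +TLSv1
#   SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT

# Corrected: TLS 1.2 and newer only; no anonymous, RC4, MD5 or 3DES suites;
# the server's preference order wins over the client's.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
```

After a restart, confirm the result from outside the way the scanner will, for example with `nmap --script ssl-enum-ciphers -p 443 yourhost`, which lists every protocol version and cipher the server still negotiates.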
quickbooks_ipp_techcheck.txt · Last modified: 2013/01/21 12:44 (external edit)