Security

Security is a multifaceted concern. We believe the most reliable and resilient systems are ones with multiple layers of safeguards and redundancy, and we adopt the principles of defensive programming: where we build a barrier, we assume it may one day be broken, so we build another barrier behind it; where we expose a programming interface, we assume it may be misused, so we validate its behaviour.

Of course, the trade-off for redundancy is reduced efficiency, but we believe that, whilst faster hardware may be expensive, reliable and secure code is priceless. Some specific examples of how we secure our systems include:

  • Injection Proof: we use the industry-standard JSF and JPA frameworks to guard against HTML and SQL injection attacks through validated input, parameterized queries and escaped output.
  • Encrypted client side parameters: we do not use HTML hidden fields. Whilst we do use a client-side viewstate for performance reasons, this is encrypted.
  • Cross-Site Scripting Proof: we tag every viewstate with a unique token and validate its value on every POST-back. We further use randomly generated, constantly changing names for all our HTML fields.
  • Cross-Site Request Forgery Proof: in addition to tagging the viewstate, we also ensure our GET requests do not have side effects.
  • Overflow Proof: all our technologies are Java-based to guard against buffer overflows.
  • Obscured IDs: we use UUIDs for all our identifiers. For practical purposes these are unguessable - avoiding the situation where, say, a user who loads a customer record with an ID of 123 might try to load one with an ID of 124.
  • Sanitized error messages: we sanitize all our error messages to prevent information leakage such as database table names.
  • Sanitized HTTP headers: we suppress all HTTP headers (such as Server and X-Powered-By) that can reveal architectural details of a system and give hackers a head start.
  • Role-based authentication: we use the industry-standard JAAS and JSA to restrict access to resources.
  • URL parameter filters: we filter all URL query string parameters against JSA roles.
  • Minimized attack surface: all data going to and from the database passes through a single point: a JSR-compliant business rules engine. This enforces validation and security constraints, such as whether the logged-in user is allowed to load or save a given record.
  • Minimal code: we write as little code as possible and reuse it as much as possible, meaning fewer places for security holes to hide.
  • Automated test scripts: we build automated test scripts for all our applications that aggressively try to hack in and either break the code or gain unauthorised access (and we're good at it too, often finding security holes in other people's code).
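As an added illustration of how the injection, obscured-ID and single-point-of-access measures listed above stack as independent barriers, here is a JPA load routine written for this page (example code, not the company's own; the Customer entity, its ownerName field and the CustomerGateway class are assumed):

```java
import java.security.Principal;
import java.util.UUID;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NoResultException;
import javax.persistence.TypedQuery;

/** Hypothetical entity: a customer record keyed by a UUID, as on the page. */
@Entity
class Customer {
    @Id
    private UUID id;
    private String ownerName; // login name of the user allowed to load this record
    public UUID getId() { return id; }
    public String getOwnerName() { return ownerName; }
}

/** Hypothetical single point through which customer records are loaded. */
public class CustomerGateway {
    /** One exception, one message, for both "no such record" and "not yours". */
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException() { super("record not available"); }
    }

    private final EntityManager em;
    public CustomerGateway(EntityManager em) { this.em = em; }

    /** Loads the record behind a raw request parameter on behalf of the logged-in user. */
    public Customer load(String rawId, Principal user) {
        // Barrier 1: validate input. A malformed id fails here, before any query runs.
        UUID id = UUID.fromString(rawId); // throws IllegalArgumentException if not a UUID

        // Barrier 2: bind the id as a query parameter; it is never concatenated into JPQL.
        TypedQuery<Customer> q = em.createQuery(
            "SELECT c FROM Customer c WHERE c.id = :id", Customer.class);
        q.setParameter("id", id);
        Customer c;
        try {
            c = q.getSingleResult();
        } catch (NoResultException e) {
            throw new AccessDeniedException();
        }

        // Barrier 3: an unguessable id is not an authorization check; enforce ownership.
        if (!c.getOwnerName().equals(user.getName())) {
            throw new AccessDeniedException();
        }
        return c;
    }
}
```

The same generic message for a missing record and a foreign one means the response never confirms whether a guessed UUID exists, which is the sanitized-error-message point in practice.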

In addition, we regularly review and update our code to comply with the findings of industry journals and articles such as the Open Web Application Security Project's Top Ten and Improving Web Application Security: Threats and Countermeasures.