Mashup Security Issue: Storing Username and Password in the HTML
We have a project where there are concerns about Mashup security. The comment came as:
Security issue as mashup user and password are stored on the page.
How do we address and communicate this issue? My expectation is we don't do this in production environment but this is just an uneducated assumption.
Have you came across similar situation? What did you do?
Thanks a lot for your help in advance.
Accepted Solution
Pegasystems Inc.
US
Hi Jiri,
To further expand on Matt's remark, Pega Web Mashup has several capabilities designed to facilitate development, testing and debugging of complex mashup implementations. Allowing the use of stored credentials on a page is one of those. In addition, the Pega Gadget Manager is provided to allow developers to easily create gadgets; this UI tool is part of the Pega Gateway. While these Pega Web Mashup capabilities provide developers with some great tools they should never be used/deployed in production environments.
Lastly, it is a best practice to use token-based authentication for seamless or single sign-on for your website that embeds Pega gadgets.
See the PDN for more information about authentication with Pega Web Mashup.
I hope you find this information useful and thank you for your post!
Regards,
David
Updated: 26 Aug 2015 9:15 EDT
Pegasystems Inc.
US
Jiri,
You are absolutely correct about that. The security team just did an assessment of Pega Web Mashup and found the issue. It is my understanding that this only occurs when we are doing configuration tasks during development and should not be seen in production.
If you find issues in any Pega Application, I would urge you to contact the SpyVsSpy team.
Matt
Accepted Solution
Pegasystems Inc.
US
Hi Jiri,
To further expand on Matt's remark, Pega Web Mashup has several capabilities designed to facilitate development, testing and debugging of complex mashup implementations. Allowing the use of stored credentials on a page is one of those. In addition, the Pega Gadget Manager is provided to allow developers to easily create gadgets; this UI tool is part of the Pega Gateway. While these Pega Web Mashup capabilities provide developers with some great tools they should never be used/deployed in production environments.
Lastly, it is a best practice to use token-based authentication for seamless or single sign-on for your website that embeds Pega gadgets.
See the PDN for more information about authentication with Pega Web Mashup.
I hope you find this information useful and thank you for your post!
Regards,
David
Pegasystems Inc.
GB
Hi David, Hi Matthew,
thanks both for your comment. We are happy to read this and it will definitely help to address concerns customer has.
Thanks again
Jiri