Going into production: checklist for Applications using GAM

This checklist shows the tasks you need to perform after testing an application which uses GAM, in order to put the application into production. ()

The idea is to mitigate risks which compromise the security of the application. 

Pursuing the purpose of protecting the privacy of the company and keep the information secure, the decision on how to configure the following items depend on the severity and characteristics of the application.

  • Set up HTTPS protocol in the Application Server.

This is essential in case of SD Applications. In case of WEB Applications it´s essential to have HTTPS at least in all objects where passwords are entered, like the login and registration panels.

The password of administrator users of GAM repository have to be changed using GAM Backend.

  • Change "Gamadmin" user password.

This is the password of the administrator of the Repositories.

By default the GAM Connection User is <version_name>, the connection user password needs to be changed when the application is going into production.

  • In production time, when the application is deployed, the file gxmetadata (with all its contents) should not be deployed for security.

That means that the "gxmetadata" folder should be deleted from the deployment (except the files <main_object>.<plataform>.json).

The web server should not serve the connection.gam file.

  • The GAM Backend should be private, so as only Administrator users can execute these web panels.

The web panels of the Backend have the code to keep this privacy (see: Access restricted to GAM Backend). You should take into consideration to check Require Access Permissions Application Property of the Application.

The web panels "GAMExampleRecoverPasswordStep1" and "GAMExampleRecoverPasswordStep2" have to be edited and changed as suggested in GAM: A way to solve Forgot Password, they should not be left as they are distributed (they are examples consolidated in GAM_Examples folder).

Actions programmed by GeneXus users are translated into REST Web Services calls in general. So REST services need to be protected as well as SD objects. Make a search in the KB by "Rest Protocol= TRUE", so you can easily find all the REST services and check the Permissions configuration for each of them.

Depending on the security needed:

  • In case of SD Applications, take into consideration setting Single User Access property.

See Also

Security recommendations for Smart Devices Applications
OWASP Top 10 Security Risks
OWASP 2013 Top 10 in GeneXus Applications
GAM applications deployment
GAM Deploy Tool