This checklist shows the tasks you need to perform after testing an application which uses GAM, in order to put the application into production.
The goal is to mitigate risks that would compromise the security of the application.
The purpose is always to protect the company's privacy and keep its information secure; how strictly each of the following items is configured depends on the severity and characteristics of the application.
- Set up HTTPS protocol in the Application Server.
This is essential for SD (Smart Devices) applications. For web applications, HTTPS is essential at least on every object where passwords are entered, such as the login and registration panels; serving the whole application over HTTPS is preferable, since otherwise session cookies and tokens still travel in clear text.
The passwords of the GAM repository administrator users have to be changed using the GAM Backend.
- Change "Gamadmin" user password.
This is the password of the administrator of the Repositories.
- Delete all users defined for testing purposes.
- Create new Repository Connections.
By default the GAM Connection User is <version_name>; the connection user password needs to be changed when the application goes into production.
- When the application is deployed to production, the gxmetadata directory (with all its contents) should not be deployed, for security reasons.
That means the "gxmetadata" directory should be removed from the deployment, except for the <main_object>.<platform>.json files and the gxversion.json file. The appid.json file must also be kept if dynamic services URLs are used.
The web server must not serve the connection.gam file, which holds the GAM repository connection data: a request for it should be answered with 403 or 404, never with the file itself.
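The following script is an added example, not GeneXus or GAM code, showing how to apply the two checks above to a deployment: it prunes gxmetadata down to the files the checklist keeps, verifies nothing else remains, and (when a base URL is given) asks the live server for connection.gam and fails unless the answer is 403 or 404. It assumes the deployment root and the main object name are passed as arguments, that the files to keep are `<main_object>.<platform>.json` for any platform plus `gxversion.json` and `appid.json`, and that `curl` is available for the live check.

```shell
#!/bin/sh
# Added example, not GeneXus/GAM code. Assumptions: $1 is the deployment root
# (the directory that contains gxmetadata), $2 is the main object name, so the
# files to keep are $2.<platform>.json, gxversion.json and appid.json.

# Exit 0 when $1 is the name of a file that must survive pruning ($2 = main object).
keep_metadata_file() {
    case "$1" in
        gxversion.json|appid.json) return 0 ;;
        "$2".*.json) return 0 ;;
    esac
    return 1
}

# Remove everything under <root>/gxmetadata except the kept files; prints each removed entry.
prune_gxmetadata() {
    meta_dir="$1/gxmetadata"
    if [ ! -d "$meta_dir" ]; then
        echo "no gxmetadata directory under $1, nothing to prune" >&2
        return 0
    fi
    # The two extra patterns pick up dotfiles (.name and ..name) that a plain * misses.
    for entry in "$meta_dir"/* "$meta_dir"/.[!.]* "$meta_dir"/..?*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        # Subdirectories are never kept, even if their name looks like a kept file.
        if [ -f "$entry" ] && keep_metadata_file "$name" "$2"; then
            continue
        fi
        rm -rf "$entry"
        echo "removed gxmetadata/$name"
    done
}

# Exit 1 (naming the offender) if anything other than the kept files remains.
verify_gxmetadata() {
    meta_dir="$1/gxmetadata"
    [ -d "$meta_dir" ] || return 0
    status=0
    for entry in "$meta_dir"/* "$meta_dir"/.[!.]* "$meta_dir"/..?*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if [ ! -f "$entry" ] || ! keep_metadata_file "$name" "$2"; then
            echo "unexpected gxmetadata entry: $name" >&2
            status=1
        fi
    done
    return $status
}

# Live check (needs the server reachable, so an offline run does not exercise it):
# the web server must not serve connection.gam, i.e. the request gets 403 or 404.
connection_gam_hidden() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/connection.gam")
    case "$code" in
        403|404) return 0 ;;
        *) echo "connection.gam answered HTTP $code at $1" >&2; return 1 ;;
    esac
}

# Usage: sh prune_gxmetadata.sh /path/to/deployment MainObject [https://host/app]
if [ "$#" -ge 2 ]; then
    prune_gxmetadata "$1" "$2"
    verify_gxmetadata "$1" "$2"
    if [ "$#" -ge 3 ]; then
        connection_gam_hidden "$3"
    fi
fi
```

Run it against the deployment package before it is copied to the server, and again with the base URL once the server is up. For the web server rule itself, on Apache httpd 2.4 a `<Files "connection.gam">` block containing `Require all denied` produces the 403 the check expects; other servers have equivalent per-file deny rules.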
- The GAM Backend should be private, so that only Administrator users can execute its web panels.
The web panels of the GAM Web Backoffice already contain the code that enforces this restriction (see: Access restricted to GAM Backend).
If you do not take the distributed GAM Web Backoffice binaries into production but compile the GAM Examples instead, note that the web panels "GAMExampleRecoverPasswordStep1" and "GAMExampleRecoverPasswordStep2" have to be edited as suggested in GAM: A way to solve Forgot Password; they must not go to production as distributed (they are examples consolidated in the GAM_Examples folder).
The same applies to the GAMExampleRegisterUser, GAMExampleUpdateRegisterUser and GAMExampleChangePassword panels.
- In general, actions programmed by GeneXus users are translated into REST web service calls, so the REST services need to be protected just like the SD objects. Search the KB for "Rest Protocol= TRUE" to find all the REST services, and check the Permissions configuration of each of them.
See also, depending on the level of security required:
Security recommendations for Smart Devices Applications
OWASP Top 10 Security Risks
OWASP 2013 Top 10 in GeneXus Applications
GAM applications deployment
GAM Deploy Tool