Data Encryption and Security
One of the keys to data protection is accounting for the possible states in which your data may occur, and what controls are available for that state:
- Data in transit. When data is being transferred between components, locations or programs, such as over the network, across a service bus, or during an input/output process, it is considered to be in transit.
- Data at rest. This includes all information storage objects, containers, and types that exist statically on physical media, be it magnetic or optical disk.
Data in transit is encrypted using industry-standard TLS (minimum version 1.2).
Data at rest is encrypted using the AES-256 encryption algorithm.
To establish identity and trust between the FintechOS web-based platform and the web browser, the connection is secured via SSL certificates.
The SSL-secured communication between FintechOS and the client is done using the symmetric encryption keys that are established during the authentication process.
The data model and all scripts defined within FintechOS can be exposed through REST APIs to enable integration with third-party systems and solutions. FintechOS APIs are secured through OAuth 2.0 and follow the OWASP security standards.
You can encrypt the data at rest using security best practices provided by the infrastructure provider of choice where you install and deploy FintechOS (Microsoft Azure, AWS, IBM Cloud, other).
XSS Prevention
To prevent Cross-Site Scripting (XSS) and keep FintechOS users safe, all user input data is sanitized by default, except for the following attributes: JavaScript, HTML and XML.
In FintechOS, the XSS prevention secures your web apps by escaping user input of type JavaScript, HTML and XML. It censors the data received by the web pages so that the following characters are not rendered: "<", "</", ">", "<" and ">" (e.g., <text, </text, <text or >text).
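The following added example is not FintechOS code and does not reproduce its sanitizer, which is not shown on this page; it illustrates the escaping the paragraph describes with a standalone JavaScript escaper: user input containing "<", "</" or ">" is converted to HTML entities before it is placed in a page, so the browser renders it as text instead of markup. The check function and the page template are this example's own assumptions.

```javascript
// Added example (not FintechOS code): escaping user input before rendering so that
// the sequences listed on the page ("<", "</", ">") cannot become markup.
// The escaper, the check and the template below are this example's own.

// Entity replacements for the characters that can break out of text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every metacharacter in a user-supplied value. '&' is escaped first (by being
// in the same single pass) so an already-escaped value is not double-interpreted.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Detection check: true if a value still contains "<", "</" or ">" as raw characters,
// i.e. it has not been escaped and must not be rendered as-is.
function containsDisallowed(value) {
  return /<\/?|>/.test(String(value));
}

// A constructed template that concatenates a display name into a page fragment.
// renderUnsafe shows what a naive template does; renderSafe applies the escaper.
function renderUnsafe(displayName) {
  return '<div class="name">' + displayName + '</div>';
}
function renderSafe(displayName) {
  return '<div class="name">' + escapeHtml(displayName) + '</div>';
}

// Extract the content between the template's own tags so a caller can verify that the
// user-controlled part contains no raw markup characters.
function userPart(renderedHtml) {
  const match = /^<div class="name">([\s\S]*)<\/div>$/.exec(renderedHtml);
  return match ? match[1] : null;
}

// Constructed input: a display name that is really a markup injection attempt.
const sampleName = '<img src=x onerror="alert(1)">Alice';
console.log('unsafe :', renderUnsafe(sampleName));
console.log('safe   :', renderSafe(sampleName));
console.log('raw markup left in user part:', containsDisallowed(userPart(renderSafe(sampleName))));
```

Escaping at output time, as here, keeps the stored value intact and neutralises it only where it is rendered; the containsDisallowed check is the kind of assertion a template test can run over rendered fragments to confirm the escaping was applied.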
XSS prevention when upgrading to FintechOS 20.1
When upgrading FintechOS to version 20.1, you should set request validation to the latest version; otherwise you will be vulnerable to cross-site scripting attacks. To do so, open the web.config file and set the request validation mode to 4.5:
<httpRuntime targetFramework="4.6.2" requestValidationMode="4.5" ... />