Most security issues arise from access to the data, and that means the database is the primary concern for security.

Having a secure password policy on your application will prevent most issues, but you can never prevent a disgruntled employee from access data with malicious intent. What you CAN do is to track all user id/login activity, and follow basic security principles:
- remove the logon when a employee leaves
- change pwd every X number of days, usually 90
- require decent pwds with a minimally complex structure


JM2¢W,

Olan

Hi Olan,

thanks for your response, it gives me some ideas ,however we still need to do entire audit of codes. so still looking for a tool that will allow scanning of PowerBuilder application code!

thanks,

Ajay

Hi Ajay, I'm not aware of any free tools that does this kind of scan for PowerScript.

Another issue to watch for is use of InfoMaker or other query tools.

What you can do is make all tables select only and then at application startup it would somehow gain full update access. The exact method would depend on your database. Tables with sensitive data could have default access be none with with a view that returns only the non-sensitive columns.

Hi Ajay;

  Most people don't know this but, yes you can scan PB Apps for security vulnerabilities. This requires the PB developers to think C/C++. So let's answer your question in  parts....

A) Security Vulnerabilities Scanning Software.

    There are lots of products out there that can do this. Check out the following open source products.

B) One good free C/C++ tool is FlawFinder as one example. It's "open source" BTW.

C) Any PB App can be compiled into Machine Code. Which in PB's case is C++. Not only can products like FlawFinder scan Apps resulting  machine code EXE, you can also capture the generated C++ source code from the actual PB IDE compilation. The generated C++ source is in essence a 100% reflection of the original PowerScript. So any vulnerabilities found in the C++ source can be directly traced back to your Apps PowerScript coding.

HTH

Regards ... Chris

Thanks Chris, our feedback is very helpful!

Thanks everyone for your feedback. It is much appreciated!

Hi Jeff;

   The C++ code can be retrieved as follows:

1) Create a Machine Code compile "Project" object.

2) Run the MS project to create a C++ EXE and/or DLL's

3) The IDE will write the C++ code to your MS-Windows default TEMP folder as XXXXX.C named files.

4) If you open an XXXX.C file, you will see the PB object class that it represents.

For example:

HTH

Regards ... Chris

Hi everyone,

For information, we just added a new set of features in Visual Expert, to Audit PowerScript based applications.

This will scan code for security vulnerabilities, maintainability issues and bugs.

It will also cover Oracle and SQL Server code.

You can read more in this announcement,

and subscribe to the beta program - the beta version will be available in a few days.

Regards,

Christophe