Application Security


Because web apps are accessible to any number of online users, the security of web apps is paramount. SmoothPay's web apps are serious about security.

goPayroll and our other products are web applications developed and supported by SmoothPay Limited using a development platform called Xojo.

Most traditional web development languages are interpreted, meaning the web app is a set of files on a server. If someone gains access to that server, they gain access to the source code. Xojo web apps are compiled to binary code so that source code is not stored on the server. In order for someone to alter such a web app they would have to be very familiar with x86 assembly code and be willing to spend a lot of time tracing through that code. This is, at the least, an order of magnitude far more difficult than hacking HTML, JavaScript, CSS, AJAX, and PHP or Java source code.

The Open Web Application Security Project (OWASP) provides information on web app security and posts a list of the top 10 web app security issues. While a few of these issues require the developer to be more diligent, most cannot be used to hack into a web app created with Xojo.

Hack Protection Comment text text text text text text text text
SQL Injection Attacks Xojo provides developers with prepared statement support for database access. This takes the values to be used in a query and sends them separately to the database server so that it can determine if the values are valid or contain SQL. All user-initiated updates use prepared statements text text text text text text text text
Cross-Site Scripting Xojo web apps can’t be used for this purpose because all data sent to the browser is automatically escaped. As a result, the user cannot inject HTML into a page. Also, because the developer doesn’t work in HTML or JavaScript, there’s no way for the developer to accidentally create this security breach. text text text text text text text text
Broken Authentication/Broken Access Control Xojo does not have authentication routines to compromise and session tokens are automatically protected from theft. User authentication utilises hashed values over an encrypted connection. Users are admonished to not share credentials and reset their credentials or request the HelpDesk to do so if they think they have been compromised. text text text text text text text text
Insecure Direct Object References Xojo does not allow direct object references in this manner so it would be impossible for such a security hole to be created. text text text text text text text text
Cross-Site Request Forgery When the user logs into a web site (such as a banking site) and then leaves by navigating to a page of another site without first logging out, the original site will still see the user is logged in until their session times out. text text text text text text text text
Security Misconfiguration This involves the developer making sure they have good passwords for their server, not exposing data that does not need to be exposed, etc. Access to the server is highly restricted to a single account from a known IP-address pool using Public Key Authentication. text text text text text text text text
Insecure Cryptographic Storage/Sensitive Data Exposure Databases, the data they contain and even the file system on which such data resides can be encrypted at rest. Encryption at rest is possible but not implemented. Server access is highly restricted. Users have the ability to download an entire copy of their own database. All data is encrypted in transit between the server and browser. text text text text text text text text
Failure to Restrict URL Access Because Xojo web apps create the HTML page on the fly, there’s no way for a hacker to access any page except the one that is currently in their browser. However, if the developer chooses to support bookmarking, they would need to make sure they authenticate the user before taking the user to the requested page. Bookmarking is not available text text text text text text text text
Insufficient Transport Layer Protection Web Servers provide SSL support which is the appropriate place to handle this issue. SmoothPay applies strict security measures ensuring only modern browsers supporting modern cryptographic standards can access our web applications text text text text text text text text
Unvalidated Redirects and Forwards There is nothing any development tool can do to prevent this. It’s up to the developer to make sure their app doesn't depend on untrusted data when redirecting or forwarding the user to another site. Applications may rely on external sites for resources and references and are vetted for production use. text text text text text text text text
Insufficient Logging and Monitoring Developers are responsible for providing sufficient log information to identify malicious actions (e.g. repeated attempts to login from the same IP-Address using invalid credentials) and to follow user actions throughout use of the application. SmoothPay logs and monitors these types of interactions text text text text text text text text
Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. All developers are to some extent dependent on the suppliers of their toolset and third-party component suppliers to maintain up-to-date libraries. We maintain all such modules at the latest available release. text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
text text text text text text text text text text text
Go here to read a full description of each of these types of hacks.