Security cockpit

The security cockpit is located in the administration area of the BPC. It gives you an overview of the status of the application from an IT security perspective. The BPC has several security checks, which are carried out periodically or whenever the configuration changes. The results of these checks are summarized in an overall rating. In addition, the latest results of the individual security tests are displayed, and a monitor is available that shows all saved test results.

(Screenshot: security dashboard)

In addition, a plugin is available that provides a quick overview of the status outside the administration page as well.

Evaluating IT security is a complex topic and should always be carried out additionally by appropriate experts. The security tests do not provide a conclusive evaluation of IT security.

Their aim is to highlight insecure configurations and system conditions.

Overall rating

The overall rating is an indicator of the overall status of the system. It is calculated from the points achieved across all security tests that count towards the rating: 100% is achieved when every test has been completed with full score.

Security tests

In the BPC, individual aspects of the application are checked and evaluated by various tests. Each test has a defined maximum number of points. In most cases this maximum is 1, because a test usually covers a single aspect.

In addition, the test results contain details about the shortcomings that were found.

Monitor

This monitor shows the current and past results of the security tests. It is created automatically by the BPC and can also be found in the list of available monitors.

(Screenshot: security check results monitor)

Exclude tests from the overall rating

Security tests can be excluded from the overall rating. This should only be done deliberately, in individual cases, when the aspect covered by the test is protected by other measures.

A test is excluded from the overall rating via the file KARAF/etc/de.virtimo.bpc.core.security.checks.cfg. To do this, add an entry of the form TEST_ID.ignoreInReport=true, where TEST_ID is the identifier shown in parentheses in the list of security checks below (for example IpPinningCheck.ignoreInReport=true).

Excluded tests are no longer displayed in the list of security tests and are not taken into account in the overall rating. They are still executed, however, and their results remain visible in the monitor.

Example KARAF/etc/de.virtimo.bpc.core.security.checks.cfg
# General Security Check Settings
deleteCheckResultsOlderThan=10 days ago

# Check Report Settings
IpPinningCheck.ignoreInReport=false
TlsCheck.ignoreInReport=false
HttpsCheck.ignoreInReport=false
BpcBaseUrlHttpsCheck.ignoreInReport=false
BackendConnectionHttpProxyCheck.ignoreInReport=false

# TlsCheck Configuration
mozillaTlsRecommendationType=intermediate
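The following script is an added example and not part of the BPC or its documentation. It shows how the overall rating above and the ignoreInReport mechanism fit together: the .cfg file is parsed, tests marked with TEST_ID.ignoreInReport=true drop out of the rating and the displayed list, but stay in the monitor because they are still executed. The rating formula (points achieved divided by the maximum points of the tests that count) is inferred from the description on this page and is an assumption, not a documented BPC formula; the configuration file and the check results are constructed sample data.

```python
"""Added example (not BPC code): compute an overall rating from security-check
results while honouring TEST_ID.ignoreInReport=true entries of
de.virtimo.bpc.core.security.checks.cfg.

Assumption (labelled): the formula, achieved points divided by the maximum
points of the tests that count, is inferred from the page's description and is
not documented as the BPC's exact formula. All input data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of KARAF/etc/de.virtimo.bpc.core.security.checks.cfg with
# one test deliberately excluded from the report.
SAMPLE_CFG = """\
# General Security Check Settings
deleteCheckResultsOlderThan=10 days ago

# Check Report Settings
IpPinningCheck.ignoreInReport=true
TlsCheck.ignoreInReport=false

# TlsCheck Configuration
mozillaTlsRecommendationType=intermediate
"""


@dataclass(frozen=True)
class CheckResult:
    test_id: str   # identifier from the list of security checks
    achieved: int  # points the test awarded
    maximum: int   # points achievable (usually 1)


# Constructed sample results of one check run.
SAMPLE_RESULTS = [
    CheckResult("TlsCheck", 1, 1),
    CheckResult("IpPinningCheck", 0, 1),
    CheckResult("HttpsCheck", 1, 1),
    CheckResult("BpcBaseUrlHttpsCheck", 0, 1),
    CheckResult("BackendConnectionHttpProxyCheck", 1, 1),
]


def parse_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; comment and blank lines are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def excluded_tests(props: dict[str, str]) -> set[str]:
    """Test identifiers whose <TEST_ID>.ignoreInReport property is true."""
    suffix = ".ignoreInReport"
    return {
        key[: -len(suffix)]
        for key, value in props.items()
        if key.endswith(suffix) and value.lower() == "true"
    }


def overall_rating(results: list[CheckResult], excluded: set[str]) -> float:
    """Percentage of achievable points reached by the tests that count."""
    counted = [r for r in results if r.test_id not in excluded]
    max_points = sum(r.maximum for r in counted)
    if max_points == 0:
        return 0.0  # edge case: every test excluded, nothing left to rate
    return 100.0 * sum(r.achieved for r in counted) / max_points


def report(results: list[CheckResult], cfg_text: str) -> dict:
    """What the cockpit shows: rating and test list without excluded tests,
    monitor with every executed test (excluded tests are still run)."""
    excluded = excluded_tests(parse_cfg(cfg_text))
    return {
        "rating": overall_rating(results, excluded),
        "listed": [r.test_id for r in results if r.test_id not in excluded],
        "monitor": [r.test_id for r in results],
        "excluded": sorted(excluded),
    }


if __name__ == "__main__":
    print(report(SAMPLE_RESULTS, SAMPLE_CFG))
```

With the constructed data the rating rises from 60% to 75% once IpPinningCheck is excluded, which is exactly why exclusions should be rare and documented: the failing check has not gone away, it has only left the headline number.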

List of security checks

All security checks of the BPC are described in the following table. A more detailed description, and instructions on how to make the system more secure with regard to each test, can be found on the corresponding page of the check.

Each entry gives the name of the check with its identifier in parentheses, followed by its description.

TLS check (TlsCheck)

Checks whether only algorithms that are considered secure are permitted in the Java security configuration for TLS. The check is based on Mozilla’s recommendations.

IP pinning check (IpPinningCheck)

Checks whether IP pinning is activated.

HTTPS check (HttpsCheck)

Checks whether the BPC can only be accessed via HTTPS.

BPC base URL HTTPS check (BpcBaseUrlHttpsCheck)

Checks whether the configured BPC base URL uses HTTPS rather than HTTP. This is an indicator that access from outside is encrypted as well.

HTTP proxy check (BackendConnectionHttpProxyCheck)

Checks whether the existing backend connections of type http_proxy are configured securely: TLS with certificate verification must be used, and basic authentication must not be configured over an unencrypted connection.
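As an added example for the TLS check (TlsCheck) listed above, the following script is not the BPC's own implementation and is not part of this documentation. It reads the jdk.tls.disabledAlgorithms property from a java.security file, folding the backslash line continuations the JDK uses, and reports which entries are still missing compared with a profile modelled on Mozilla's "intermediate" recommendation (the value of mozillaTlsRecommendationType in the configuration example). The REQUIRED_DISABLED set is this example's own mapping of that profile onto Java's syntax (TLS 1.2 and up, no RC4/DES/3DES, DH parameters of at least 2048 bits) and is an assumption; the exact list the BPC evaluates is not given on this page. Both java.security excerpts are constructed.

```python
"""Added example (not the BPC's TlsCheck): read jdk.tls.disabledAlgorithms
from a java.security file and report which entries a profile modelled on
Mozilla's "intermediate" recommendation still expects to be disabled.

Assumption (labelled): REQUIRED_DISABLED is this example's mapping of the
Mozilla intermediate profile (TLS 1.2 and up, no RC4/DES/3DES, DH parameters
of at least 2048 bits) onto Java's disabledAlgorithms syntax; the exact list
the BPC evaluates is not given on this page. Both inputs are constructed.
"""
from __future__ import annotations

import re

REQUIRED_DISABLED = {
    "SSLv3", "TLSv1", "TLSv1.1",   # protocol versions below TLS 1.2
    "RC4", "DES", "3DES_EDE_CBC",  # legacy ciphers
    "MD5withRSA", "anon", "NULL",  # weak signature, unauthenticated and null suites
    "DH keySize < 2048",           # finite-field DH parameters smaller than 2048 bits
}

# Constructed: an older JDK-style default that still allows TLS 1.0/1.1 and 1024-bit DH.
WEAK_JAVA_SECURITY = """\
# constructed sample java.security excerpt
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Constructed: the same property after hardening.
HARDENED_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

KEYSIZE_RE = re.compile(r"^(\w+)\s+keySize\s*<\s*(\d+)$")


def java_security_property(text: str, name: str) -> str | None:
    """Value of property `name`, folding the backslash line continuations
    the JDK uses for its long algorithm lists."""
    folded = re.sub(r"\\\r?\n[ \t]*", "", text)
    for raw in folded.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def disabled_algorithms(text: str) -> set[str]:
    """Entries of jdk.tls.disabledAlgorithms, whitespace-normalised."""
    value = java_security_property(text, "jdk.tls.disabledAlgorithms")
    if value is None:
        return set()
    return {re.sub(r"\s+", " ", e.strip()) for e in value.split(",") if e.strip()}


def missing_entries(configured: set[str], required: set[str] = REQUIRED_DISABLED) -> set[str]:
    """Required entries not satisfied by the configured set.
    A 'keySize <' constraint is satisfied when the configured threshold is at
    least as large as the required one ('< 1024' does not satisfy '< 2048')."""
    thresholds: dict[str, int] = {}
    plain: set[str] = set()
    for entry in configured:
        m = KEYSIZE_RE.match(entry)
        if m:
            alg, size = m.group(1), int(m.group(2))
            thresholds[alg] = max(thresholds.get(alg, 0), size)
        else:
            plain.add(entry)
    missing: set[str] = set()
    for req in required:
        m = KEYSIZE_RE.match(req)
        if m:
            if thresholds.get(m.group(1), 0) < int(m.group(2)):
                missing.add(req)
        elif req not in plain:
            missing.add(req)
    return missing


if __name__ == "__main__":
    for label, text in (("weak", WEAK_JAVA_SECURITY), ("hardened", HARDENED_JAVA_SECURITY)):
        print(label, sorted(missing_entries(disabled_algorithms(text))))
```

The weak excerpt is reported as missing TLSv1, TLSv1.1 and the 2048-bit DH threshold; the hardened one passes. Note that an absent jdk.tls.disabledAlgorithms property counts as nothing disabled, so every required entry is reported rather than the check silently passing.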