Security Attacks in Appian
sachitanands1
over 8 years ago
Are Appian Applications vulnerable to SQL Injection and Cross site scripting attacks? Yes/No why?
OriginalPostID-263116
Top Replies
Parmida Borhani
over 7 years ago
in reply to garym
+2
verified
Appian Employee
SQL injection protection is more about how you interact with the database than with how you collect data in a form. Whenever you interact with a database using Appian's out-of-the-box database functionality…
chetany
A Score Level 1
over 8 years ago
Appian collaborates with a third party for penetration and vulnerability testing. Check this link:
forum.appian.com/.../Appian_Cloud_FAQ.html
Companies using Appian can still carry out penetration testing on their own, but they need to notify Appian - if they are doing it on Appian cloud env.
Also, Appian uses SAIL - data submitted on SAIL forms is sent/received in encrypted format to some extent. There are extensive checks that happen at the server side.
Also, I think "Cross site scripting" is not likely - because Appian does not allow JavaScript/Ajax for creating UI. Such kind of attacks are more likely when the UI is being developed in JS/Ajax.
There is one place where JS/Ajax gets used - in Embedded SAIL. However, that too is unlikely - because the admin needs to allow IP addresses/hosts for CORS in Appian's "Allowed CORS hosts" in the admin console.
So, overall I think such attacks are very unlikely with Appian.
sachitanands1
over 8 years ago
Thanks Chetan...that was really helpful!!!!!
chetany
A Score Level 1
over 8 years ago
Welcome.
nathan.schmitz
Certified Associate Developer
over 8 years ago
I echo the above but would add that it is certainly possible to enable SQL injection using some of the plugins and undocumented expressions in Appian.
garym
over 7 years ago
in reply to nathan.schmitz
Hi,
Is it possible for SQL injection just on a text box? If so, should we be putting in validations on these text boxes to look for certain strings?
hiteshd
Certified Lead Developer
over 7 years ago
Can document uploads like Excel, which can contain macros, make it vulnerable? Are the default checks sufficient enough?
Thanks.
Hitesh
andriyr
over 7 years ago
in reply to garym
My understanding is that Appian protects against SQL injection on text boxes under the hood to prevent that kind of thing.
garym
over 7 years ago
in reply to andriyr
@andriyr - Do you have any documentation that says that Appian protects against SQL injection?
Omesh Agam
Appian Employee
over 7 years ago
Appian's security testing includes inspection to discern how user inputs affected application behavior. For example, malicious inputs are provided to attempt to exploit cross-site scripting, metacharacter injection, SQL injection vulnerabilities, etc. Testing is conducted with the application's threat model and technology in mind.
garym
over 7 years ago
in reply to Omesh Agam
@Omesh - Thanks, is it safe to say that as a cloud customer, we get the protection as a value added service? I just don't want our developers having to put extra validations in forms looking for certain strings that are considered SQL injections.
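The point the thread circles around (string-matching validations on a text box versus how the query itself is built) as an added illustration that is not Appian code and not from any of the posters: a Python/sqlite3 script, assumed here as a stand-in for any SQL backend, that runs a legitimate name containing an apostrophe through a hypothetical blocklist validator, a concatenated query and a parameterized query.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample table; not real customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer (name, email) VALUES (?, ?)", [
        ("Alice Smith", "alice@example.com"),
        ("Conor O'Brien", "conor@example.com"),
    ])
    return conn

# Hypothetical form-level check of the kind garym asks about: reject input that
# contains SQL-looking characters. It is not an Appian feature.
BLOCKLIST = ("'", ";", "--", "/*")

def validate_text_box(value):
    """True if the text box value contains none of the blocklisted strings."""
    return not any(token in value for token in BLOCKLIST)

def lookup_concatenated(conn, name):
    """Query assembled by string concatenation: the text box value becomes SQL text."""
    sql = "SELECT email FROM customer WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM customer WHERE name = ?", (name,))
    return [row[0] for row in rows]

def demo(name):
    """Run one text box value through all three approaches and report each outcome."""
    conn = make_db()
    result = {"passes_blocklist": validate_text_box(name)}
    try:
        result["concatenated"] = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        # The apostrophe in a legitimate name breaks the hand-built statement;
        # this is the same parsing behaviour that injection relies on.
        result["concatenated"] = "error: " + type(exc).__name__
    result["parameterized"] = lookup_parameterized(conn, name)
    return result

if __name__ == "__main__":
    for value in ("Alice Smith", "Conor O'Brien"):
        print(value, demo(value))
```

The blocklist turns away a real customer while the concatenated query fails on the same input; only the parameterized query is both correct and safe, which is why the defence belongs at the database-access layer rather than in form validations.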