Security Attacks in Appian

Are Appian applications vulnerable to SQL injection and cross-site scripting attacks? Yes/No, and why?

  • Appian's security testing includes inspection to discern how user inputs affected application behavior. For example, malicious inputs are provided to attempt to exploit cross-site scripting, metacharacter injection, SQL injection vulnerabilities, etc. Testing is conducted with the application's threat model and technology in mind.
  • @Omesh - Thanks, is it safe to say that as a cloud customer, we get the protection as a value added service? I just don't want our developers having to put extra validations in forms looking for certain strings that are considered SQL injections.
  • 0
    Appian Employee
    in reply to garym
    Even though Appian works with a third-party to perform penetration testing as part of its development cycle, it is recommended for customers to perform penetration testing specifically tailored to their applications.

    Appian requires customers to notify us about their penetration testing. Customers must provide the start time of the test, the duration as well as the source IP addresses. This is important to prevent Appian or its hosting service providers from blacklisting those IP addresses.
  • OK but in general, is Appian providing security such as application firewalls to help prevent against SQL injections?
  • SQL injection protection is more about how you interact with the database than with how you collect data in a form. Whenever you interact with a database using Appian's out-of-the-box database functionality (like a!queryEntity(), query rules, the Write to Data Store smart service, etc.), Appian uses prepared statements and parameterized queries when it actually talks to the database. This is the standard way to protect against SQL injection and is recommended by OWASP: www.owasp.org/.../SQL_Injection_Prevention_Cheat_Sheet.

    Long story short, if the way you interact with the database is solely through out-of-the-box functionality then you don't need to worry about adding input validation to all of your forms as the platform will handle the SQL injection protection for you.

    If you're passing the user-entered data through a plug-in or over a web service or through some other mechanism that does not use Appian's out-of-the-box database interactions, SQL injection might be a concern depending on how that plug-in or service is implemented.
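The distinction the reply above draws, shown as an added example that is not code from the thread or from Appian: an in-memory SQLite table stands in for the business database, a query built by string concatenation plays the role of a hand-written plug-in or web service, and a parameterized query plays the role of what the platform's out-of-the-box query functions do when they reach the database. It also shows why the form-level "look for certain strings" validation asked about earlier is not a substitute: a keyword blocklist is bypassed with SQL comments, while the parameterized version is unaffected. The table, rows, payloads and function names are all constructed for the illustration. Appian plug-ins are written in Java; the equivalent choice there is java.sql.PreparedStatement with bound parameters rather than Statement with a concatenated string.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a customer's business database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "alice", "finance"), (2, "bob", "hr"), (3, "carol", "finance")],
    )
    conn.commit()
    return conn


def find_by_dept_vulnerable(conn, dept):
    """How a custom plug-in or service gets injected: the user's text is
    concatenated into the statement, so it becomes part of the SQL grammar."""
    sql = "SELECT name FROM employees WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_dept_safe(conn, dept):
    """Parameterized query: the statement text is fixed and the value travels
    separately as a bound parameter, so it can only ever be compared as data."""
    sql = "SELECT name FROM employees WHERE dept = ?"
    return [row[0] for row in conn.execute(sql, (dept,))]


def looks_like_injection(value):
    """The kind of keyword blocklist a form validation might try. Included only
    to show that it is not a defence; it is trivially bypassed below."""
    upper = value.upper()
    return " OR " in upper or " AND " in upper or "--" in upper or ";" in upper


# Classic tautology payload (constructed): closes the quoted literal and
# appends an always-true condition.
PAYLOAD = "' OR '1'='1"

# Same payload with SQL comments in place of spaces (constructed). SQLite, like
# most engines, treats /* */ as whitespace, so the query still parses as
# '' OR '1'='1' while the blocklist above sees no " OR " token.
BYPASS = "'/**/OR/**/'1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("normal lookup      :", find_by_dept_safe(conn, "hr"))
    print("vulnerable + payload:", find_by_dept_vulnerable(conn, PAYLOAD))
    print("safe + payload      :", find_by_dept_safe(conn, PAYLOAD))
    print("blocklist catches payload:", looks_like_injection(PAYLOAD))
    print("blocklist catches bypass :", looks_like_injection(BYPASS))
    print("vulnerable + bypass :", find_by_dept_vulnerable(conn, BYPASS))
    print("safe + bypass       :", find_by_dept_safe(conn, BYPASS))
```

Run as-is, the concatenated query returns every employee for both payloads, the keyword check passes the comment-obfuscated payload straight through, and the parameterized query returns nothing in both cases because no department is literally named `' OR '1'='1`. That is the reason the reply puts the responsibility on how the plug-in or service talks to the database rather than on the form that collected the text.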