Security Attacks in Appian
sachitanands1
over 8 years ago
Are Appian applications vulnerable to SQL injection and cross-site scripting attacks? Yes/No, and why?
OriginalPostID-263116
0
Omesh Agam
Appian Employee
over 7 years ago
Appian's security testing includes inspection to discern how user inputs affect application behavior. For example, malicious inputs are provided to attempt to exploit cross-site scripting, metacharacter injection, SQL injection vulnerabilities, etc. Testing is conducted with the application's threat model and technology in mind.
0
garym
over 7 years ago
in reply to
Omesh Agam
@Omesh - Thanks, is it safe to say that as a cloud customer, we get the protection as a value added service? I just don't want our developers having to put extra validations in forms looking for certain strings that are considered SQL injections.
0
Omesh Agam
Appian Employee
over 7 years ago
in reply to
garym
Even though Appian works with a third party to perform penetration testing as part of its development cycle, it is recommended that customers perform penetration testing specifically tailored to their applications.
Appian requires customers to notify us about their penetration testing. Customers must provide the start time of the test, the duration as well as the source IP addresses. This is important to prevent Appian or its hosting service providers from blacklisting those IP addresses.
0
garym
over 7 years ago
in reply to
Omesh Agam
OK but in general, is Appian providing security such as application firewalls to help prevent against SQL injections?
+3
Parmida Borhani
Appian Employee
over 7 years ago
in reply to
garym
SQL injection protection is more about how you interact with the database than about how you collect data in a form. Whenever you interact with a database using Appian's out-of-the-box database functionality (like a!queryEntity(), query rules, the Write to Data Store smart service, etc.), Appian uses prepared statements and parameterized queries when it actually talks to the database. This is the standard way to protect against SQL injection and is recommended by OWASP: www.owasp.org/.../SQL_Injection_Prevention_Cheat_Sheet.
Long story short, if the way you interact with the database is solely through out-of-the-box functionality, then you don't need to worry about adding input validation to all of your forms, as the platform will handle the SQL injection protection for you.
If you're passing the user-entered data through a plug-in or over a web service or through some other mechanism that does not use Appian's out-of-the-box database interactions, SQL injection might be a concern depending on how that plug-in or service is implemented.
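The distinction in the answer above (a fixed statement with bound parameters versus user text pasted into the SQL) is easy to see with a small self-contained demonstration. This is an added example, not Appian code or its plug-in API: it uses Python's sqlite3 module against a constructed in-memory `ticket` table to show why form-level string validation is the wrong layer and parameterization is the right one.

```python
import sqlite3

# Constructed sample rows standing in for a data store entity (not real data).
SAMPLE_ROWS = [
    (1, "alice", "open"),
    (2, "bob", "closed"),
    (3, "carol", "open"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER, owner TEXT, status TEXT)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, owner):
    """Vulnerable pattern: the form value becomes part of the SQL text, so the
    database parses whatever the user typed as SQL. Returns None when the
    input merely breaks the statement (an apostrophe in a legitimate name)."""
    sql = "SELECT id FROM ticket WHERE owner = '" + owner + "' ORDER BY id"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_parameterized(conn, owner):
    """Safe pattern (what a prepared statement does): the SQL text is fixed and
    the value is bound separately, so it is only ever compared, never parsed."""
    sql = "SELECT id FROM ticket WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run the same user-supplied value through both patterns and return
    (concatenated_result, parameterized_result) for side-by-side comparison."""
    conn = make_db()
    try:
        return lookup_concatenated(conn, owner), lookup_parameterized(conn, owner)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR 'a'='a"):
        print(repr(value), "->", compare(value))
```

Note that the parameterized lookup returns the correct, empty result for both the apostrophe case and the tautology case with no input filtering at all, which is exactly why out-of-the-box queries need no per-form blacklist.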
0
garym
over 7 years ago
in reply to
Parmida Borhani
@Parmida - Thanks, that was very informative and helpful.