Security hardening
Overview
When you have an application in a production environment, it is important to consider best practices that provide an adequate level of security.
Such best practices include the configuration recommendations issued by the application vendor, but you should also adopt practices that suit your own infrastructure setup and that apply across your whole company.
We recommend that you commit to, and enforce compliance with, the guidelines and procedures set by your information security policies and standards. This way, aspects such as control, monitoring, and auditing become part of the definition of what constitutes application security.
Bizagi deploys a Work Portal for end users as a web application. Therefore, we recommend implementing the necessary application hardening measures in every project, to mitigate the risks and vulnerabilities to which web applications are exposed.
Hardening
Follow the detailed hardening procedures described in the links below. They are grouped as mandatory and recommended.
Mandatory Hardening
• Configure a secure SSL/TLS cipher suite
• Authorization and authentication
• Encrypting information using HTTPS
• Filtering unauthorized requests
• Configure SQL Server Transparent Data Encryption (TDE)
Recommended Hardening
• Include additional protection in Bizagi Web Services
• Delete unused folders in the production environment
• Rewrite values in server variables
• Customize the user's preferences form
• Database attribute encryption
Important
For Bizagi, security is an aspect of critical importance.
Therefore, Bizagi periodically releases new versions which feature improvements and fixes for issues detected in previous versions.
Fixes for those detected issues may include specific solutions for security vulnerabilities.
We strongly recommend periodically upgrading your solution to Bizagi's newest release, always following the usual guidelines for an upgrade procedure, such as:
• Plan, coordinate, and test all upgrades appropriately.
• Rely on your different environments (development, testing, pre-production when applicable, and production).
• Take proper contingency measures (e.g. backups) before starting the upgrade.
• Evaluate customizations and additional security configurations such as the ones listed above, so that stakeholders are aware that reconfiguring certain features after the upgrade is part of the plan.
When you have customizations or have applied hardening measures such as the ones above, follow one of two alternatives when carrying out a version upgrade:
1. If upgrading through the Bizagi Management Console, reconfigure and verify that such measures are still applied after the upgrade (we recommend backing up customizations before starting the upgrade). An upgrade done through the Management Console does not check whether you have made modifications to the original files and file structure.
2. You may upgrade through a manual procedure, without using the Bizagi Management Console. If you do, consider all the relevant components and files that you need to replace manually for the Work Portal and Scheduler, while avoiding overwriting your configured customizations or the already applied hardening measures.
For highly critical security issues, Bizagi may issue hot fixes and recommend that you apply them without waiting for a newer version.
Considerations regarding the platform
Always review and apply the recommendations issued by Microsoft, the vendor of the base platform on which Bizagi runs in .NET environments.
Consider the bulletins and notifications about fixes and patches that Microsoft announces for your Windows OS or IIS.
Remember to carry out proper tests after applying fixes and patches, to verify that they do not affect your Bizagi project.