Many companies may feel that information security is far from their own. However, a series of recent security incidents tell us that enterprise information security is far from simple, and even severely exceeds our imagination!

@The Paper:

At the beginning of August, Tencent’s cloud server hard disk failure caused all the data of “Front Edge CNC” company to be lost. Including the accurate registration of users and content data accumulated by long-term promotion and diversion, “Frontier Technology” claimed RMB 11.01 million from Tencent Cloud.

@Sohu science and technology:

On August 28th, the news of the suspected leaks in the 240 million hotels opened by China Lodging Group was rumored on major websites and social media. Affected by the disclosure of personal information, China Lodging Group continued to fall after the US stock market opened, closing down 4.36%.

@Sina Microblog:

On September 19, an engineer from the SF Science and Technology Data Center accidentally deleted the production database. In the case where the selected content is not seen, the deletion is performed by delete. At the same time, the pop-up prompt is ignored and the carriage return is made, causing the RUSS library to be deleted. Eventually, the operation monitoring and control system was faulty. The system’s temporary vehicle departure function could not be used for nearly 10 hours, which had a serious negative impact on business operations.

And when you read this article, two more companies around the world collapsed because of information security issues, and 11 companies caused more than 8 million direct economic losses due to information security issues.

More and more enterprises have realized that data is the oil of the 21st century, the core secret and competitiveness of enterprises, and the security of protecting data has become a link that enterprises have to pay attention to.

As a big data BI vendor with thousands of customer companies, Fanruan is playing an increasingly important role in customer data management. We know how important it is to protect our customers’ data assets.

On the one hand, the external security situation is getting more and more serious, we must upgrade our security level; on the other hand, many of our customers, especially the banking, finance, securities, Internet and military industries, also come up with the development of the business. A higher security requirement.

Therefore, in the design and development of FineReport 10.0, we made “safety” and set safety as one of the key tasks of FineReport.

The newly updated FineReport 10.0 improves the security of the application from both the patching vulnerability and the active defense. The following is a specific solution.

Application security

FineReport 10.0 will use a more secure encryption method, replace the cookie with a token, and fix a series of known vulnerabilities to deal with common threats. Added a series of security protection features such as cookie enhancement, file upload verification, Security Headers and access control.

1.encryption algorithm improvement

All places where encrypted information storage is needed, completely abandon the built-in set of proprietary algorithms we have written ourselves, and use the time-tested, industry-recognized RSA+SHA256 encryption.

2. file upload verification

Filling in the uploaded file will perform a binary header check to prevent the risk file from being spoofed by changing the suffix. At the same time, the background image of the platform appearance configuration adds a binary header check, and it is forbidden to upload a picture exceeding 20M to prevent the program from hanging.

3. Web application protection

Increase SQL anti-injection function, XSS cross-site attack protection function, SessionID encryption to prevent traversal function, increase security headers attribute, use token instead of cookie, prevent CSRF cross-site request forgery.

4. bug repair

Fix all existing cve scanning vulnerabilities and continuously update security patches regularly to ensure system security.

Account security

FineReport 10.0 provides more account security measures, and provides more detailed audit logs, records all access to resources under the account, facilitates security analysis, and meets customer audit requirements.

1.Single sign-on

After opening, the same account is not allowed to log in at the same time, preventing the account from being stolen by others.

2. Last landing prompt

Displays the location information of the last login to help the user determine whether the account is abnormal.

3. Access control

Provide access frequency limit function to limit the number of accesses in a certain period of time. If it exceeds, it will be blacklisted, alleviating abnormal access, crawler crawling and cc attack.

4. Log audit

Record access to resources under the account, including operator, operation time, ip address, resource object, operation name and operation status, facilitate security analysis, and meet customer audit requirements.

5. Login anti-brute force crack

It can be set to verify the user’s login, including SMS verification, email verification and slider verification. It can be used in combination to prevent the machine from logging in and others stealing passwords. Continuous login failure locks the account or ip, and can be unlocked by the administrator to unlock or self-verify the reset password to prevent tampering with the brute force password.

6. Strong password strategy

By adding five password strength limit options, the administrator can set the password complexity limit. If the password does not meet the strength limit during login, you need to change the password before you can log in to the platform. Provide the option to change the password periodically, prompt the customer to change the password when the specified time, and the old and new passwords are not allowed to be the same. You can open the password verification method, you need to verify by SMS/email to change the password.

Data security

FineReport 10.0 provides complete permission control, multiple authentication methods, and avoids the need for horizontal and vertical overrides. At the same time, the password information is uniformly encrypted and stored. Finally, provide a more customized watermarking feature that reduces the risk of data breaches.

1.Authority  control

Provide complete permission control, provide multiple authorization verification methods, open the role permission control, no matter from the platform or through the url, unauthorized users can not access the corresponding report, and avoid the level of excessive and vertical override.

2. Storage encryption

The password information is uniformly encrypted and stored.

3. Secure watermark

Reports can be watermarked and not obscured by backgrounds, reducing the risk of data leakage.

Operation and maintenance safety

FineReport 10.0 provides regular system backups to ensure that the system can be recovered after being maliciously altered. At the same time, when the administrator account operates on the user or changes the system settings, there will be a log save operation record.

1. Operational audit

When the administrator account operates on the user or changes the system settings, there will be a record of the log save operation, including the operator, operation time, source IP address, resource object, operation name, and operation status. Customers can implement security analysis, resource change tracking, and compliance auditing.

2. Backup recovery

Provide regular system backups to ensure that the system can be recovered after being maliciously altered.

Mobile APP security

Fanruan Mobile APP (FineMobile) has also been strengthened in data security, from the aspects of identity security, data security, network communication security, client operation security, mobile app security hardening, security auditing and other six aspects.

1.Identity security

The Fanruan mobile app can uniquely identify and authenticate the logged-in user, and provide a corresponding security protection policy for the common attack methods of the terminal. It includes login verification of dynamic SMS verification code, authorization binding for devices that log in to the account, and gesture password to enhance identity authentication.

2. Data security

Fanruan Mobile APP’s resource and data authorization system inherits from the PC side, and its capabilities and security protection standards are consistent (such as watermarks). In addition, Fanruan products can be licensed separately for mobile and PC at the platform directory level.

3. Network communication security

The Fanruan Mobile App supports the HTTPS protocol, communicates over HTTPS, and encrypts packets using SSL/TLS to prevent access to website accounts and private information.

Supports VPN to establish a trusted and secure connection with the intranet of the enterprise, and solves the security problems of the terminal, access, and link in the remote access process of the user. The Fanruan Mobile App embeds a deep convincing VPN and also supports integration with other vendors’ clients. Support proxy server configuration to achieve mobile external network access, and achieve internal and external network isolation scenarios.

4. Mobile running security

To ensure the security of the client operation, the core is the hijacking protection of the Activity. If the APP finds that the login page activity is hijacked, a prompt will pop up to prevent the malicious attacker from replacing the fake malicious activity interface for attack and illegal use.

At the same time, the user behavior can be logged, and the analysis can be performed based on the recorded data to generate an audit report.

At last

At present, the customers who have upgraded the FineReport10.0 version have already experienced the new version of the security protection function. Most of the customers, especially the financial and Internet customers, have high security requirements, indicating that the security level of the new version has greatly improved. The security features they want are basically included, and they are more secure to use.

At the same time, Fanruan will also release a security white paper on cooperation with 360 in the upcoming “Fanruan 2018 New Product Launch Conference”. In the context of data becoming more and more a core resource of the enterprise, Fanruan is willing to use its own strength to contribute to the information security of the enterprise.

Get the FineReport 10.0 security solution for free

[AuthorRecommendedPosts post-id="4858"]