SCN # | SCN-00000010 |
Title of SCN | Explaining Web Service Architecture Change |
TRAC # | |
Effective Version | 9.0.0 |
Products Affected | Web Service |
Reason for Change (Summary) | To better address the root of customer questions about Web Service security without creating more confusion. |
Change
Engineering has requested that Support Technicians refrain from explaining the new Web Service as “having a ‘Go’ Web Front End”. Rather, let the customer know that the new Web Server is “Custom”, or “written in-house”. By comparison, it’s unnecessary to offer that ESM is primarily written in Python, or that the Client uses C++ and wxWidgets. For detailed information on why this is necessary, and what customers are really asking, see below.
Additional Documentation
https://trac.exacq.com/DVR/wiki/WebServiceRearch
https://tycosecurityproducts.com/CyberProtection/CyberProtection.aspx
https://www.johnsoncontrols.com/buildings/specialty-pages/product-security
KB 47080 – Configuring Nginx or Apache as web service gateway
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
Other Information
Customers who have been receiving security compliance scans are accustomed to needing to update their Web Service to get the latest security fixes. Since version 2.4.0, the exacqVision Web Service has used the open-source Apache HTTP Server. Apache is widely used around the world, and is (along with every other major Web Server) a common target of malicious attack. This necessitated a process of “ever-updating” to make sure the customer is not vulnerable to the latest threats.
Beginning in Web Service version 9.0, the Apache HTTP Server was removed in favor of a custom, in-house built Web Server. This was not simply to achieve “security through obscurity”; rather, we now have much more control over what changes are made to our Web Server, as well as the ability to optimize its functionality for our product. This has led to great gains in the speed of Web Service functions.
Customers are now asking what the new Web Server is and what implications this change has for the security of the Web Service. In trying to explain the change, many Support Technicians are in the habit of describing the new Web Service as “having a ‘Go’ Web Front End”. This is because the new Web Server is written in the Go Programming Language. However, it’s unnecessary to offer what language the software is written in. Engineering has requested that we refrain from offering that it’s written in “Go”, since this will inevitably lead to further unneeded questions.
What customers are really asking is: “What effect does this change have on maintaining a secure Web Service?” The answer is: “It depends.”
Normally, customers’ concerns regarding Web Service security are raised by a PCI Compliance Scan as required by the ‘Payment Card Industry Data Security Standard’. Since Apache versions are closely monitored in these scans, and the exacqVision Web Service required user interaction to update the embedded Apache, our software commonly showed as problematic on these scans. Since all PCI scans are different, customers should re-run these scans after updating to 9.0 to see if they still show vulnerabilities. If any are found, customers are encouraged to set up their own web service gateway and enforce custom security policies according to their company’s requirements. Instructions can be found in KB 47080. Customization of the exacqVision Web Server security policies will be limited, but not impossible. If many customers are reporting the same issue, this will need to be escalated to the Engineering team for consideration.