kdb Insights Enterprise
The Data Timehouse
kdb+ Time Series Database
PyKX Python Interoperability
Services & Support
Industry & IoT
Energy & Utilities
Healthcare & Life Sciences
KX University Partnerships
Partner with Us
Become a Partner
Find a Partner
Connect with Us
by Brighde Mulholland
All good developers involved with production systems know the criticality of building secure and fit-for-purpose releases. Security configuration isn’t always the most exciting or glamourous aspect of a developer’s workload, but as recent high-profile data breaches show, it may even be the most important part of the jobT.
In this blog I will detail five easy, out-of-the-box configurations that will ensure the security of your application specific instance of the KX platform. They will address the following security configuration options, which should be set to the OWASP (Open Web Application Security Project) recommendations:
The majority of these changes require ‘DELTADASHBOARD_PASSWORD_POLICY=yes’ in the delta.profile, so it would be best to confirm this before you begin.
The first configuration is restricting the session timeout of the KX Platform. OWASP recommends an idle timeout range of 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.
The file upload functionality available via Dashboards for KX can be integrated with clamAV to allow configurable support for virus scanning all files uploaded to the platform environment.
IP restrictions can be added on a user group basis in Control. This will prevent users in this group from accessing the Platform UI’s unless they are connecting from a whitelisted IP. This is useful if you have a requirement to prevent certain user’s access if they aren’t on the network.
Following these changes users attempting access from an unapproved IP will get an “Invalid IP” error on attempted login.
Environments that use netscalers, may need to enable passthrough mode (on the netscaler) to allow the end users IP through to the platform for authentication.
Another form of access restriction can be implemented by allowing a user group access to specified urls only. This is extremely useful for allowing a certain user group access to Dashboards in viewer rather than edit mode (where queries and dashboards could be modified).
This quick implementation is even faster if you’ve already added IP restrictions and is recommended in the OWASP Top Ten.
The KX Platform also offers the functionality to enforce a password policy on a user group basis. This is especially useful when using the “forgot password” functionality introduced in release 4.0.0. Enforcing a strong password policy can help in blocking brute force attacks.
So, there you have it, 5 simple suggestions to enforce the security of your application specific KX platform install.
To learn more about KX solution please click on the links below.