Every now and then I see someone ask how they can be sure that the applications available on the SDL OpenExchange are safe to use. This is a very valid question, and I read in a whitepaper from Adobe, where they quoted a PwC survey carried out in 2013, that nearly 30% of respondents from 123 countries claimed financial losses due to a software-related security incident.
Controlling the security of our own applications, and ensuring we have proper controls in place is one thing… but how do we make sure that applications that have been developed by others, for installation and use with our products via the OpenExchange, are similarly controlled?
This brief article is intended to shed a little light on the process we go through, and also to show you what you can do to make sure that the applications you take from us are the same as the ones we have checked.
Viruses or malware
When we receive the application or plugin from a developer the first thing we do is run a check for viruses or malware. To do this we use Symantec Endpoint Protection and we scan both the memory and the installer.
Network activity or disk/registry access
The next thing we do is check to ensure there is no unexpected network activity, nor any unexpected access to the file system or registry. To do this, before starting the installation the following monitoring tools are started:
- Fiddler2 – monitoring HTTP traffic
- Process Monitor (Sysinternals) – for monitoring access to the disk and registry
- TCPView – for monitoring all network traffic
Whilst these OpenExchange applications are not ours, and it is entirely up to the developer what functionality they wish to provide, we do install and test the applications so we can see how well they perform in relation to our products. Sometimes we can offer advice based on our own experience where appropriate… but mostly we just want to make sure that the application works and does what it says on the tin!
Signing and Checksum
When a Studio plugin is developed and installed Studio will display a message similar to this:
This is not an error, but it is an important message to pay attention to. The signing process we go through adds a digital fingerprint to the plugin so that Studio can verify it has been checked by SDL. If this message comes up, Studio is giving you a chance to abort the loading of this plugin before it can potentially harm your system in some way. Getting this message does not necessarily mean that harm is intended (in this case it’s a Beta version of the ApSIC Xbench plugin)… but it does mean that SDL have not signed the application. So all plugins generate this message before they are released through the OpenExchange, or before they are signed and are used only by the developer (not all applications are developed for the OpenExchange!).
We also use a SHA (Secure Hash Algorithm) that was designed by the US National Security Agency (if I’m allowed to mention these guys ;-)). This is basically a hexadecimal number that we create based on the downloadable file for the application. We publish this number against the applications on the OpenExchange like this:
This number is also known as a CRC (Cyclic Redundancy Check) checksum and you can see the example 40 character code above. This is actually the checksum for the Author-it filetype you can download from here: Author-It XML File Type
How is this useful for you? Well, there is another application on the OpenExchange called the SDL OpenX Hash Generator, downloadable through this link: SDL OpenX Hash Generator. All you do is install this application, run it and then drag and drop the downloaded file you get from the SDL OpenExchange, or the developer's website, into its interface. This generates the hash like this:
If these are different then it may be possible that someone has tampered with the file you are about to install, and you now have the opportunity to double check that it’s not just an oversight where the installer may have been updated perhaps, but not the checksum. If they are the same, as they are in this case, then you can safely install the application.
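To show what the Hash Generator is doing behind its drag-and-drop interface, here is an added example (not part of the original post, and not the OpenExchange tool's own code) that computes the hash of a downloaded file and compares it with the published value. It goes slightly beyond the 40-character case above: it infers the algorithm from the length of the published digest (40 hex characters is SHA-1, 64 is SHA-256, and so on), tolerates the spaces and upper-case letters you get when copying a checksum from a web page, and uses a constant-time comparison. The `make_sample_file` helper and the file contents it writes are constructed for the demonstration; `_DIGEST_LENGTHS` is this example's own lookup table.

```python
import hashlib
import hmac
import tempfile

# Digest length in hex characters -> hashlib algorithm name (this example's own table).
_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalise_digest(published: str) -> str:
    """Strip whitespace and lower-case a checksum copied from a web page."""
    return "".join(published.split()).lower()


def algorithm_for(published: str) -> str:
    """Infer the hash algorithm from the length of the published digest."""
    cleaned = normalise_digest(published)
    if any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("published digest is not hexadecimal")
    try:
        return _DIGEST_LENGTHS[len(cleaned)]
    except KeyError:
        raise ValueError(f"unrecognised digest length: {len(cleaned)} hex characters")


def hash_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str):
    """Return (matches, algorithm, actual_digest) for a downloaded file.

    matches is True only if the file's digest equals the published one;
    hmac.compare_digest avoids leaking where the two strings first differ.
    """
    algorithm = algorithm_for(published)
    actual = hash_file(path, algorithm)
    expected = normalise_digest(published)
    return hmac.compare_digest(actual, expected), algorithm, actual


def make_sample_file(data: bytes) -> str:
    """Write constructed bytes to a temporary file standing in for a download."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        return tmp.name


if __name__ == "__main__":
    # Constructed stand-in for an installer; its SHA-1 is the well-known digest of b"abc".
    installer = make_sample_file(b"abc")
    published_sha1 = "A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D"
    ok, algo, actual = verify_download(installer, published_sha1)
    print(f"{algo}: {actual} -> {'OK, safe to install' if ok else 'MISMATCH, do not install'}")
```

The 40 hex characters on the OpenExchange page are a 160-bit SHA-1 digest; a CRC is a much shorter, non-cryptographic checksum designed to catch accidental corruption rather than deliberate tampering, which is why a cryptographic hash is the right thing to publish. On Windows you can get the same digest without installing anything, using the built-in `certutil -hashfile <file> SHA1` command or `Get-FileHash -Algorithm SHA1 <file>` in PowerShell, and compare it with the published value yourself.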
So, if you are using applications from the SDL OpenExchange, and it’s a good bet you are, then perhaps think about downloading this little OpenX Hash Generator and giving yourself some peace of mind that you have done everything you can do to ensure the security of your computer system.