Detecting Security Vulnerabilities in PowerBuilder Code

The increasing number of cyberattacks has made application security a critical issue.
To ensure application security, it is essential to regularly scan the code to detect vulnerabilities that could be exploited to steal data or hijack the application's functionalities.

Visual Expert is the first tool to scan PowerBuilder code and detect security vulnerabilities.

Which Code Inspection Rules does VE follow for Security Scanning?

VE comes with 300+ pre-defined code inspection rules. To list some:

  • Always use AES encryption algorithm in a secure mode
    AES is a block cipher; how it handles data longer than one block is decided by the mode of operation (ECB, CBC, CFB…), and the modes are not equally safe. ECB encrypts identical plaintext blocks to identical ciphertext blocks, so it leaks patterns in the data and should never be used; CBC and CFB are acceptable only with an unpredictable IV generated fresh for every message.
    If you are using AES in your PowerBuilder code, your calls should use one of the secure modes.
    Visual Expert will scan your application, find calls that use a less secure mode and highlight them in your code.
  • Never use Console logging in production
    Console logging is a convenient way to trace what the code is doing and to report problems during development. It should be disabled in production, as it can expose sensitive data and reveal information about the inner workings of your application. Visual Expert will track such calls in your PowerBuilder code, to help you disable them before going live.
  • Never use CoSetProxyBlanket or CoInitializeSecurity
    The Windows COM subroutines CoSetProxyBlanket, CoInitializeSecurity and CoInitializeSecurityAlias set the authentication and impersonation levels used for COM calls. Declared as external functions in PowerBuilder and called with weak levels, they lower the security of every COM interaction the process makes. Visual Expert will find such calls in PowerBuilder code to help remove them.
  • Encryption keys should be long enough
    To resist brute force attacks, cryptographic keys must have a size adequate for their algorithm (for example, at least 128 bits for symmetric ciphers such as AES, and at least 2048 bits for RSA). Visual Expert will tell you if keys that are too short are used in your PowerBuilder code.
  • Database queries should not be vulnerable to injection attacks
    Code injection is an attack in which malicious input is interpreted or executed by the application as code. In particular, SQL injection lets an attacker run operations of their own in your database (access to sensitive data, server takeover or shutdown…).
    By nature, PowerBuilder applications are database-intensive and mission critical.
    They handle large volumes of important data, which makes them prime targets for attackers.

    For instance, Visual Expert will search for SQL statements built by string concatenation from values that are not properly validated or escaped. Such queries are the classic entry point for SQL injection; the fix is to pass values as host variables (:ls_name) or DataWindow retrieval arguments, so the driver binds them instead of splicing them into the SQL text. Identifying and refactoring such queries will strengthen your database protection.

    Learn more about How to Protect PowerBuilder Apps against Code Injection Attacks.
  • DES (Data Encryption Standard) or 3DES should not be used
    The Data Encryption Standard (DES) is a symmetric-key block cipher for encrypting digital data.
    Its short key length of 56 bits makes it brute-forceable with modern hardware, and Triple DES (3DES) keeps its 64-bit block size, which exposes it to birthday attacks on large volumes of data. Neither should be used anymore.
    Visual Expert will find all DES and 3DES calls in your PowerBuilder code, so you can replace them.
  • Encryption algorithms must be used with the appropriate secure mode and padding scheme.
    When securing your code with encryption algorithms, operation modes and padding schemes must match the algorithm (for example, a block cipher in CBC mode needs a padding scheme such as PKCS#7 and a fresh IV for every message). Depending on the encryption algorithm used, Visual Expert will determine the proper padding and mode values, and verify that they are correctly used in your PowerBuilder code.
  • Generic exceptions should not be ignored
    In terms of exception handling, CATCH blocks should always handle the exception they catch. An empty CATCH silently swallows the error, so the application keeps running in an unknown state and the failure leaves no trace. Visual Expert identifies empty catch blocks, so you can secure your code with meaningful exception handling.
  • IP addresses should not be Hardcoded
    Hardcoding sensitive information like IP addresses, encryption keys or pass codes may expose them to attackers. If someone can access your runtime files, they may decompile them and expose this information. Leaking information protected by official regulations like GDPR, SOX or HIPAA can lead to major legal consequences.
    Visual Expert will search for any hardcoded IP address, so you can remove this security breach.
  • User IDs and Passwords should not be Hardcoded
    As with IP addresses and encryption keys, hardcoding usernames or passwords (for example in the LogId and LogPass properties of a transaction object) exposes them to anyone who can obtain the executable files and decompile them. Leaking data protected by official regulations like GDPR, SOX or HIPAA can generate severe legal consequences.

    Visual Expert will search for hardcoded user IDs and passwords, to let you remove these security breaches.
  • User input should not allow path injection or path traversal attacks
    Data entered by users, such as URL parameters, form fields or cookies, should be considered untrusted. If your code dynamically builds a file system path from this data, an attacker can inject sequences such as '../' and change the originally intended path.

    These attacks are called "path traversal" or "directory traversal". They allow the attacker to reach directories outside the intended one, to read, modify or delete sensitive data or, in some cases, execute operating system commands.

    Visual Expert will identify the code introducing such vulnerabilities to let you sanitize it. A possible defense consists in canonicalizing the resulting path and checking that it still lies under the intended base directory, or in defining a whitelist of authorized file names or characters.
  • OS commands should not allow injection attacks
    If your code executes operating system commands (for example through Run) based on user input, it must not let that input become part of the command line unchecked. Otherwise, an attacker could append commands of their own to perform illegal operations and compromise your system.

    Visual Expert will detect these flaws in your PowerBuilder code, so you can fix them. For example, you can define a whitelist of safe commands and reject or escape shell meta-characters in the arguments.
  • Regular expressions should not allow Denial of Service attacks
    It is strongly discouraged to build regular expressions from user data, because it can lead to regular expression denial of service (ReDoS). This type of attack exploits the fact that specific patterns and inputs make the regex engine backtrack for a very long time, drastically slowing down the evaluation. An attacker can induce this situation whenever a program applies a regular expression to data he controls, blocking it for a very long time (hence the denial of service).

    Visual Expert pin-points such calls in your PowerBuilder code, allowing you to remove them or sanitize the input by removing or escaping regex meta-characters.
  • Cryptographic Hash Functions should not use SHA-1 or Message-Digest Algorithms
    SHA-1 and the Message-Digest algorithms MD2, MD4, MD5 and MD6 are no longer considered secure: practical collision attacks exist against MD5 and SHA-1, which defeats their use for integrity checks and signatures. Visual Expert will check if such algorithms are used in your PowerBuilder code and locate the corresponding calls, to help you update them with more secure ones such as SHA-256.
  • SOAP and INET objects should not be used
    The SOAP and INET PowerBuilder objects do not support TLS 1.2, which leaves their connections exposed to attacks against older SSL/TLS versions.
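
All of the rules above are pattern detections over PowerScript source. As an added example (not Visual Expert's own code, and far simpler than a real scanner, which resolves objects, PBL structure and data flow), here is a small Python scanner that implements a line-level version of most of them and runs it over a constructed PowerScript sample that puts each vulnerable pattern next to an acceptable one. The CrypterObject enum names used in the sample (OperationDES!, OperationModeECB!, MD5!, SHA256!) are assumed from the PowerBuilder 2017+ documentation and should be adjusted to the names your PowerBuilder version uses.

```python
# Added example, not Visual Expert's code: a line-by-line text matcher for the
# patterns the rules above describe.  A real scanner resolves objects and data
# flow; treat every hit here as a lead to review, not a confirmed vulnerability.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int   # 1-based line number in the scanned source
    text: str   # the offending line, stripped

# Single-line rules, one regex each, applied to every non-comment line.
LINE_RULES = [
    ("weak-hash",        re.compile(r"\b(MD2|MD4|MD5|SHA1)!")),
    ("weak-cipher",      re.compile(r"\bOperation(DES|TripleDES)!")),
    ("ecb-mode",         re.compile(r"\bOperationModeECB!")),
    ("hardcoded-ip",     re.compile(r'"(?:\d{1,3}\.){3}\d{1,3}"')),
    ("hardcoded-cred",   re.compile(r'\b(logpass|logid|password|pwd|userid)\s*=\s*"[^"]+"', re.I)),
    ("com-security",     re.compile(r"\bCo(InitializeSecurity|InitializeSecurityAlias|SetProxyBlanket)\b")),
    ("os-cmd-injection", re.compile(r"\bRun\s*\(.*\+")),   # Run() with a concatenated command line
    ("soap-inet",        re.compile(r"^\s*(soapconnection|inet)\s+[A-Za-z_]\w*\s*$", re.I)),
]
# SQL injection: a string literal containing SQL, joined with '+' to a non-literal on the same line.
SQL_LITERAL = re.compile(r'"[^"]*\b(select|insert|update|delete|where|from)\b[^"]*"', re.I)
CONCAT = re.compile(r'"\s*\+\s*[A-Za-z_]|[\w\])]\s*\+\s*"')

CATCH_OPEN = re.compile(r"^\s*CATCH\s*\(", re.I)
CATCH_END = re.compile(r"^\s*(CATCH\b|FINALLY\b|END\s+TRY\b)", re.I)
COMMENT_OR_BLANK = re.compile(r"^\s*(//.*)?$")

def empty_catch_blocks(lines):
    """Yield 1-based line numbers of CATCH clauses whose body is empty or comment-only."""
    for i, line in enumerate(lines):
        if not CATCH_OPEN.match(line):
            continue
        j = i + 1
        while j < len(lines) and not CATCH_END.match(lines[j]):
            if not COMMENT_OR_BLANK.match(lines[j]):
                break          # a real statement inside the CATCH: not empty
            j += 1
        else:
            yield i + 1

def scan(source: str) -> list[Finding]:
    """Run every rule over a PowerScript source and return findings in line order."""
    lines = source.splitlines()
    findings = []
    for n, line in enumerate(lines, start=1):
        if COMMENT_OR_BLANK.match(line):
            continue
        for rule, rx in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(rule, n, line.strip()))
        if SQL_LITERAL.search(line) and CONCAT.search(line):
            findings.append(Finding("sql-injection", n, line.strip()))
    for n in empty_catch_blocks(lines):
        findings.append(Finding("empty-catch", n, lines[n - 1].strip()))
    return sorted(findings, key=lambda f: (f.line, f.rule))

# Constructed PowerScript sample (not real application code); the CrypterObject
# enum names are assumed from the PowerBuilder 2017+ docs, adjust to your version.
SAMPLE = r"""
SQLCA.ServerName = "192.168.10.25"
SQLCA.LogId = "sa"
SQLCA.LogPass = "P@ssw0rd"
CONNECT USING SQLCA;

// unsafe: SQL text built by concatenating user input, then executed
ls_sql = "SELECT id FROM customers WHERE name = '" + sle_name.text + "'"
EXECUTE IMMEDIATE :ls_sql USING SQLCA;

// safe: host variable, the database driver binds the value
SELECT id INTO :ll_id FROM customers WHERE name = :ls_name USING SQLCA;

// weak: DES in ECB mode and an MD5 digest
lblob_out = lnv_crypt.SymmetricEncrypt(OperationDES!, lblob_in, lblob_key, OperationModeECB!, lblob_iv)
lblob_digest = lnv_crypt.Hash(MD5!, lblob_in)

// acceptable: AES in CBC mode with a fresh IV and a SHA-256 digest
lblob_out = lnv_crypt.SymmetricEncrypt(OperationAES!, lblob_in, lblob_key, OperationModeCBC!, lblob_iv)
lblob_digest = lnv_crypt.Hash(SHA256!, lblob_in)

// OS command line built from user input
Run("cmd /c copy " + sle_file.text + " D:\export")

// generic exception swallowed by an empty CATCH
TRY
    ll_value = Integer(ls_input)
CATCH (RuntimeError lre)
END TRY

// objects without TLS 1.2 support
SoapConnection lso_conn
inet iinet_base
""".strip("\n")
```

Calling scan(SAMPLE) reports the hardcoded IP and credentials, the concatenated SQL (but not the host-variable query), DES and ECB, MD5, the Run() built from user input, the empty CATCH and the SoapConnection/inet declarations. Its blind spots are exactly why the rules above need a real analyzer rather than a text matcher: a query concatenated across several lines or assembled in a variable before EXECUTE IMMEDIATE, or a password built from two halves, is invisible to a line-local check.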