Security is a growing concern while building public-facing digital services. The security-related costs of creating and maintaining digital services often represents a significant fraction of the total development cost. Improper testing of digital services may cause very expensive security breaches and strongly affect the organization reputation. While coding an application, especially when using a custom coding approach, a small change in an application may easily introduce vulnerabilities requiring costly extensive vulnerability testing each time.

Fortunately, a Rapid Application Development tool like SmartGuide^® can strongly reduce the burden of building and maintaining secure applications by implementing out-of-the-box security features in their core engine and by reducing potentially dangerous custom coding. SmartGuide^® 7.5 has gone one step further by implementing a set of features to easily ensure OWASP compliance of your digital services without requiring advanced expertise in security.

What is SmartGuide^®?

SmartGuide^® is a leading secure Web, Mobile and digital service Solution Development. SmartGuide^® enables organizations to easily create, deploy and manage intelligent and personalized user-centric applications. It provides organizations with the agility to quickly deliver efficient Web and Mobile services to all their stakeholders while unleashing the full value of corporate IT assets.

New Security-Related Features in SmartGuide^® 7.5

This new version is focused on making your applications secure out of the box.  Our team basically reviewed the top security vulnerabilities typically found in web applications and ensured that each was covered by native functionalities in SmartGuide^®.

Cross Site Request Forgery Prevention

SmartGuide^® 7.5 integrates features to prevent CSRF native support for CSRF (cross site request forgery) through a new Security tab for your Smartlets. Each web interaction is secured through the exchange of tokens. Tokens are unique to each session preventing session fixation vulnerability. When malicious CSRF requests are detected, default or custom actions can be configured directly from the SmartGuide^® Designer Security tab

Ensure Safe Content

A new validation type, called safe content validation, has also been added to text type fields. The safe content validation prevents typical code injection attacks that can often result in loss of information or breaches of confidential content.

Not only SmartGuide^® provides out-of-the-box an algorithm to validate the content, but a plug-in mechanism allows each organization to customize the strength of the validation according to their internal security rules.

This validation is enabled by default on newly created fields. You can specify a personalized error message or just use the default message specified on the Security tab.

Validation of values for select fields can also now be verified to ensure the values received by the application are part of the allowed set of values for this field. This also provides additional code injection prevention feature. Also, validations can now be set when adding/editing/removing instances in a repeat group.  So, you can associate a service with the add instance action for example, and then validate the return from the service to decide whether the new instance is valid or not.

Secure Variables

Another significant security enhancement comes in the form of variables.  You no longer need to create and manipulate hidden fields just to hold transient information used by your services for example, or to toggle field/group visibility.  A new Variables tab is provided where you can define your variables,

The variables are accessible everywhere in SmartGuide^®, in calculations, assignation of values, mappings, etc. 

Since variables are not exposed in the theme this greatly reduces the risk of rendering sensitive information in the client browser like a hidden field could.

Diagnostics

Diagnostics are an integral part of securing applications. Without appropriate diagnostics and logging tools, malicious attack attempts cannot be understood or even detected. Diagnostics logging has been significantly improved in SmartGuide^® 7.5 to increase information logging and log format. It is now easier to track information by user sessions or import logs into other logs analysis tools. Finally, a new Diagnostics tab was added at the Smartlet level to allow the definition of custom logging properties,

These properties will appear on each log line in your logfiles, making it easier to trace all actions performed by your users or debug issues in development environments.

Other Improvements 

Dynamic value editor

The dynamic value editor now provides access directly to the runtime environment allowing;

• Reading and writing session variables directly or using an existing field,
• Fetching parameters from the URL,
• Obtaining configuration parameters from the web.xml/web.config files, etc.
• Cookie reading and setting

This makes it much easier to fetch parameters for example, like the ones returned by a payment gateway to your Smartlet with transaction results.

Advanced Grid / Table support

A set of new features has been added to SmartGuide Repeat group for an improved grid and table support:

• On-Demand Large Dataset Support: the most important improvement is the ability to populate a repeat group on demand.  This is especially important when you have a large dataset to present (like hundreds of thousands of rows).  By invoking a service on repeat group render you can populate the group page by page and return only the necessary rows to the client.
• Repeats can now have a checkbox or radio button displayed next to each row, allowing single or multiple selections. SmartGuide’s API has been extended to get the selected rows, the number of rows, etc. A useful improvement was also added to repeat groups which now remain in table mode even when fields are on more than one row, when such fields are hidden.

Advanced Services Features

Services are core component in SmartGuide application as they allow the intereactions with the back-office mission systems. The current version enables a new set of features while creating services within SmartGuide:

• Targeted auto-mapping and auto-creation of fields:
  When creating a connection to a service, the auto-create option allows specifying the page where fields should be created.  Also, the auto-map fields option allows specifying a page or a group where the fields should be mapped.
• Conditional actions based on Service Response:
  SmartGuide now support creating actions that are only executed depending on the outcome of other previous service calls directly. Service call errors are now also available such that your actions can be based on whether or not an error occurred in a previous service call.
• Extended attributes mapping for services:
  Input and output mappings now include the ability to specify which field attribute to set or get. So, it’s now possible to populate a dropdown with option labels and values being mapped to different service outputs. You can also assign values to a data attribute of a field and even set the label of a field from a service return.

Other Improvements

Flexibility has been added to a number of existing functionalities.

For example, the Go to Smartlet action can now take a dynamic value instead of a static value determined at Design time.

Page validation messages are also now dynamic, allowing you to compose messages and making use of service returns for example.

And finally, visibility conditions can now be set on the summary Modify button.  This makes it easier to design review type application where the buttons should not be exposed depending on the role of the currently logged on user.

Out-of-the-box Default Materialize Theme

The materialize flavored theme is also now available in the .Net version of SmartGuide^®.

Yet some more minor Improvements

Flexibility has been added to a number of existing functionalities:

• Enhanced Go to Smartlet action: Goto Smartlet action can now make use of dynamic value instead of a static value determined at Design time.
• Dynamic message on page validation: page validation messages accept dynamic content, allowing you to compose messages and making use of service returns for example.
• Summary Review Button Visibility: Visibility conditions can now be set on the summary Modify button.  This makes it easier to design review type applications where the buttons should not be exposed depending on the role of the currently logged on user.

Try it out now!

What better way to learn all about this latest release than trying it out for yourself? If you’re an existing SmartGuide^® user, please contact your Alphinat representative. If you’re new to SmartGuide^®, you can request a free trial here.

In either case, we hope you enjoy using version 7.5 as much as we enjoyed building it! And as always, please let us know what you think so we can keep making SmartGuide^® better with each release. Thank you for your continued support!