Security Considerations

Various security features and options ensure the overall security of SmartBear License Management.

General

  • Development and Production: SmartBear follows industry best practice for development and production security:

    • uses industry-leading third parties for static and dynamic code analysis and software composition analysis (SCA)

    • takes a proactive approach to common vulnerabilities and exposures (CVEs)

On-Premise

  • On-Premise License Server is powered by Apache Tomcat.

  • Built-in Administrator Account: Each On-Premise License Server instance has a built-in administrator account, called system_admin. During the first installation, you will be prompted to set up a password.

  • File System Security: Several sensitive items are stored on the local On-Premise server in an in-memory database, including:

    • database credentials

    • LDAP credentials (if used)

    • file contents

    It is important to maintain the system security of the server's operating system in order to avoid compromising this information. We recommend that you follow the guidance from the vendor of your operating system.

  • HTTP Transport Security: By default, On-Premise License Server operates over regular HTTP, meaning all communication between clients and servers is unencrypted on the wire. This may expose the following to network sniffing tools:

    • license requests

    • file contents

    • authentication credentials (usernames and passwords)

    To avoid this, administrators should configure the server to use secure HTTP (HTTPS; see Configure On-Premise License Manager for set-up guidance).

  • Cookies and User Session Information Storage: Note the following security considerations regarding session cookies in the On-Premise License Server:

    • When "Access for Everyone" is enabled, floating license users do not need to log in, and no cookies are stored

    • When "Access for Everyone" is not enabled, an unencoded cookie named appToken is created; it expires after one day

    • The HttpOnly attribute and the Secure flag are not set on this cookie, so that the License Server page works over both HTTP and HTTPS. See Configure On-Premise License Manager for set-up guidance.
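    An audit check for the two On-Premise points above (plain-HTTP transport, and the appToken cookie being issued without HttpOnly and Secure), added here as an example; it is not part of SmartBear's product or documentation. The host names, cookie values and finding codes are constructed for the example.

```python
"""Audit a License Server response for plain-HTTP transport and for the
appToken session cookie lacking HttpOnly / Secure. Sample input is constructed."""
from urllib.parse import urlparse

# Finding codes returned by the audit, with a reader-facing description of each.
DESCRIPTIONS = {
    "plain-http": "server reached over HTTP: license requests, file contents and credentials are unencrypted on the wire",
    "no-session-cookie": "no appToken cookie in the response (Access for Everyone may be enabled)",
    "no-httponly": "appToken lacks HttpOnly: page scripts can read the session token",
    "no-secure": "appToken lacks Secure: the browser will also send it over plain HTTP",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; value-less attributes such as HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_license_server(base_url, set_cookie_headers, session_cookie="appToken"):
    """Return the list of finding codes for one response.
    base_url is the URL the response came from; set_cookie_headers holds the raw
    Set-Cookie header values, one list entry per header."""
    findings = []
    if urlparse(base_url).scheme.lower() != "https":
        findings.append("plain-http")
    cookies = {name: attrs for name, _, attrs in map(parse_set_cookie, set_cookie_headers)}
    if session_cookie not in cookies:
        findings.append("no-session-cookie")
        return findings
    attrs = cookies[session_cookie]
    if attrs.get("httponly") is not True:
        findings.append("no-httponly")
    if attrs.get("secure") is not True:
        findings.append("no-secure")
    return findings


if __name__ == "__main__":
    # Constructed samples: the default configuration and a hardened HTTPS deployment.
    default_headers = ["appToken=c0ffee1234; Path=/; Max-Age=86400"]
    hardened_headers = ["appToken=c0ffee1234; Path=/; Max-Age=86400; Secure; HttpOnly"]
    for url, headers in [("http://license.example.internal:8080/", default_headers),
                         ("https://license.example.internal/", hardened_headers)]:
        for code in audit_license_server(url, headers):
            print(f"{url}: {DESCRIPTIONS[code]}")
```

    Run it against the Set-Cookie headers captured from your own server after enabling HTTPS to confirm the cookie attributes match the transport you expect.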

SaaS

  • Data security: Data encryption is as follows:

    • All data sent to our SaaS platform is encrypted at rest

    • All transmitted data communication is encrypted over the wire
