Mitratech Success Center


Screen Designer Connection and Security Architecture

Problem

What is the Connection and Security Architecture of Screen Designer?  More specifically, what are the answers to the following questions:

1.  What data attributes will be used/shared by the tool when connecting to Mitratech's server? Based on the data attributes, what is the sensitivity of the data exchanged/processed by the tool?

2.  What is the encryption mechanism in transit?

3.  Does the tool perform contextual output encoding?

4.  What input validation mechanism is used?

5.  What protocol is used for connection and data exchange between Screen Designer and the server?

6.  Is HTML formatting required when displaying user input?

7.  Using SAML authentication, how are developers differentiated from regular users trying to access Mitratech's web portal? Are there LDAP groups in place?

8.  What is the worst-case scenario if the service/system is compromised?

Resolution

The answers to the questions are below:


1.  Screen Designer pulls the screen information and allows the user to edit it locally. Only design elements for screens are propagated. No other data is transmitted.

2.  The tool accesses an HTTPS endpoint, so all communication is encrypted.

3.  Yes, UTF-8.

4.  If IP Filtering is enabled by default, the IP Filtering validation rules will apply.

5.  HTTPS is used.

6.  There is an HTML component; however, most text is added via message keys, which do not require HTML.

7.  Screen Designer only supports basic authentication. SAML is not supported.

8.  Screen display issues will occur.  Matter Management data the user entered will not be accessible.  Only custom screen information would be available.

 

Reference

Case # 2021-0218-735857