
Security overview for Jitterbit App Builder

Overview

App Builder promotes the rapid development of secure applications along with their ability to be quickly deployed in a secure environment. Native security features and configuration options available within the App Builder platform enable developers to configure and secure their applications.

App Builder supports the following security options:

HTTPS

App Builder mandates HTTPS. When HTTPS is enabled, cookies are set with the Secure flag, which prevents the browser from transmitting the cookie over an insecure (HTTP) channel. Cookies are also set with the HttpOnly flag by default; HttpOnly keeps client-side script from reading the cookie, which mitigates cookie theft through Cross-Site Scripting (XSS).

Single sign-on (SSO) provider

App Builder recommends delegating authentication to a Single Sign-On (SSO) provider. App Builder supports several industry standards, including SAML SSO and WS-Federation; these use the PKCS #1 digital signature specification with SHA-256 digests.

Claims-based authentication

User authentication providers pass claims into App Builder, and security administrators map those claims to user attributes, including group membership. Documentation:

Local authentication and password configuration

App Builder also supports a local, password-based authentication mechanism. Password storage is documented on the following page:

In short, passwords are stored using the PBKDF2 key derivation function with the SHA-256 hash algorithm, a derived key length of 16 bytes, a salt length of 16 bytes, and 10,000 iterations.

The Local Authentication provider supports the following security features:

Security tokens and data encryption

App Builder encrypts and validates security tokens, such as session cookies, and also encrypts server and security-provider credentials (passwords). Encryption provides confidentiality; validation provides authenticity and integrity (tamper detection). App Builder encrypts data with AES-256 in CBC block cipher mode with PKCS #7 padding, and ensures the integrity of the encrypted data with HMAC-SHA256.

The same encryption and validation can be used to protect application-level data at rest.

App Builder supports encryption of data at rest through the database vendor's native implementation of Transparent Data Encryption (TDE).

App Builder now uses FIPS-validated cryptographic implementations and algorithms.

Sessions

App Builder provides configurable session storage policies. By default, App Builder persists session information to the database. Administrators can view sessions and forcibly sign out user sessions. Tracking sessions server-side guards against certain attacks, such as cookie replay.

Role-based security

Access to data can be controlled using role-based security. A user's group membership determines the user's roles, and the user's roles determine the user's permissions on business data. Groups organize users; roles organize permissions.

In App Builder, realms allow administrators to delegate administrative tasks such as user provisioning and group membership; these operations are constrained to the realm.
