Xojo Saves the Day!

BKeeney's website was hacked and went down, except the part that was built using Xojo!

Xojo, Inc. prides itself on the revolutionary new visual way to make web apps with Xojo, but has also demonstrated strong security for web apps. Targeted attacks and data theft are changing web security. According to a study from HP’s Application Security Center, roughly seven out of ten web apps have at least one SQL injection flaw that is just waiting to be discovered by a hacker.

Bob Keeney, a longtime Xojo developer and CEO of BKeeney Software, a consulting, training and custom software development company, was recently the victim of a website hack. It unfortunately brought down his entire website, except the section he had created as a web application using Xojo.

Bob’s website was using an older version of the popular CMS Joomla. When he first started offering Xojo video training, he was relying upon several Joomla components that would stop working if he updated to a newer version. A little more than a year ago, Bob converted the Xojo training section of the website to a Xojo web app.

"We were down for about 24 hours after the hack, as we had to spend some time formatting new webpages, rearranging links and uploading it to get the site back up and running," detailed Keeney. "We believe the hacker was able to upload a PHP file through a flaw in Joomla, which executed a variety of commands that rewrote many of the PHP files, so it could execute arbitrary commands and reinfect itself again if we didn’t eradicate all of the infected files."

“Our main website would not load and it also took down our bug tracking system, which also uses PHP,” continued Keeney. “Our Xojo video training app functioned perfectly, however. In fact, we even had several people sign up for subscriptions and many were watching videos even though the rest of the website was down.”

“We take web security very seriously in the Xojo web application framework,” commented Geoff Perlman, Xojo, Inc. Founder and CEO. “Because web apps are accessible to any number of online users, the security of web apps is paramount.”

“Most traditional web development languages are interpreted, meaning your web app is a set of files on a server,” continued Perlman. “If someone gains access to that server, they gain access to your source code. Xojo compiles your web project to binary code so your source code is not stored on the server. In order for someone to alter your application they would have to be very familiar with x86 assembly code and be willing to spend an extremely long time tracing through that code. This is, at the least, an order of magnitude far more difficult than hacking any other web technology source code.”

The Open Web Application Security Project (OWASP) provides information on web application security and recently posted a list of the top 10 web application security issues. Though a few of these issues require the developer to be more diligent, most cannot be used to hack into a web application created with Xojo.

SQL injection attacks and cross-site scripting remain the most common forms of web app hack attempts. Xojo provides developers with prepared statement support for database access. The query text is sent to the database server with placeholders, and the values to be used in the query are sent separately as bound parameters, so the server treats them strictly as data and they cannot be interpreted as SQL. Web applications created with Xojo can’t be hacked with cross-site scripting because all data sent to the browser is automatically escaped. As a result, the user cannot inject HTML into a page. Also, because the developer doesn't work in HTML or JavaScript, there's no way for the developer to accidentally create this security breach.
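The difference between a string-built query and a prepared statement, as an added Xojo example that is not code from the article or from BKeeney Software. It assumes an already-connected SQLiteDatabase named `db` with a table `users(name TEXT, email TEXT)`; the user input is a constructed sample.

```xojo
' Added example, not from the original article. Assumes an SQLiteDatabase "db"
' that is already connected and has a table users(name TEXT, email TEXT).

Function LookupUserUnsafe(db As SQLiteDatabase, name As String) As RecordSet
  ' Query text and user data are concatenated into one string, so the
  ' database cannot tell where the SQL ends and the value begins. A name
  ' such as O'Brien already breaks the statement; crafted input can change
  ' what the statement does.
  Return db.SQLSelect("SELECT name, email FROM users WHERE name = '" + name + "'")
End Function

Function LookupUserSafe(db As SQLiteDatabase, name As String) As RecordSet
  ' The query text is fixed and contains only a placeholder. The value is
  ' bound separately and travels to the server as data, never as SQL.
  Dim ps As SQLitePreparedStatement = db.Prepare("SELECT name, email FROM users WHERE name = ?")
  ps.BindType(0, SQLitePreparedStatement.SQLITE_TEXT)
  ps.Bind(0, name)
  Return ps.SQLSelect
End Function

' Constructed sample input that contains a quote character.
Dim sample As String = "O'Brien"

Dim rs As RecordSet = LookupUserUnsafe(db, sample)
If db.Error Then
  ' The quote closed the string literal early: the server reports a syntax error.
  System.DebugLog("Unsafe query failed: " + db.ErrorMessage)
End If

rs = LookupUserSafe(db, sample)
If rs <> Nil Then
  While Not rs.EOF
    ' Finds the row for O'Brien regardless of which characters the name holds.
    System.DebugLog("Found: " + rs.Field("email").StringValue)
    rs.MoveNext
  Wend
End If
```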

Using Xojo to make web apps is unique in that you do not need to know numerous web technologies, like HTML, CSS, JavaScript, AJAX, PHP or Java. Instead, Xojo provides a completely visual, drag-and-drop interface builder that saves hours of time compared to coding HTML and CSS by hand. Its high-level, object-oriented language allows you to focus on your application’s logic using a single language.

BKeeney’s website receives several thousand website visits per month. In the year that the training area has been running it has served up over 3,100 hours of streaming video to about 800 Xojo users.