SecureAEM is the successor of SecureCQ, developed at Cognifide by Tomasz Rękawek in 2013. The application, awarded in the Small Applications, Great Ideas contest organized by Adobe, is a scanner that tests for typical AEM security vulnerabilities that can be exploited by malicious users. In this article you will find out about the tool: how it can help secure your AEM instances, how it works and our latest findings when we tested it with AEM 6.5.
AEM, as a host of default configuration, provides potential attackers with the potential to get access to the platform. To prevent information disclosure and protect your system against cross-site request forgery or DoS attacks, SecureAEM checks if:
- default credentials have been changed,
- the admin console has been disabled,
- access to sensitive information stored in various files has been disabled,
- access to several resources and servlets has been externally restricted.
The tool can be installed and run as an AEM package from the AEM Tools page or compiled in a standalone mode and used from the CLI without any additional dependencies. It tests a set of rules that represent a security misconfiguration that AEM Administrators tend to forget about, leaving them open as when instances are accessible locally only. As an output it generates a detailed report for the AEM installation (inc. author, publish and dispatcher).
Last month we tested SecureAEM against AEM 6.5 SP1. The application needs no upgrading to work with the newest version of AEM. However, there are still a few issues worth addressing and we are planning to do that this year to make the tool even better. But you can write your own tests that may check vulnerabilities that have not been addressed yet.
SecureAEM has been instrumental in many projects that Cognifide has developed for clients over the last 7 years. Setting standards of security, it solves a lot of problems when launched before the application goes live. What is worth noting is that it works with AEM 6.5. To find out more visit: https://github.com/Cognifide/SecureAEM.