3 Replies Latest reply on Jun 2, 2016 7:43 AM by baronzemm

    Struggling with understanding and explaining Jive app security / architecture


      Ryan Rutan et al


      We have started developing several POC apps inside of RBC.

      We need to provide a clearer description of how apps work to our security and architecture teams.


I did talk to some folks at JiveWorld and had some information filled in, but I was also met by several puzzled looks...


      A simple example might illustrate some points.


We built some HTML widget + JavaScript based "apps" that are executed through group overview pages in order to do bulk tagging, moving, etc. of documents.


      In converting those to Jive apps we will be asked to do a security and architecture review. Mostly because it has the word "app" in it.


My basic thought is that this is really no different functionally from an HTML widget. The apps run inside of an iframe and perform the same API function calls as before.


If anything it's a lot more secure now, as the apps must request OAuth permission to perform most tasks on behalf of the user. We can cleanly install and uninstall them, etc.


      There are many benefits in other words.


      I was curious if a breakdown already exists that either compares widgets to apps (a weird comparison I know) from a security and architecture perspective.

How much could you break core Jive using an app?

      What overall risk to the platform exists from installing an app?

Is the risk higher or lower than a custom theme + JavaScript-embedded HTML widgets?


      Things like that.


      I would like to make a light doc explaining these concepts to our architecture and security teams so that we can have a more carte blanche agreement for producing apps internally.

I am assuming that other financial institutions would have similar concerns or have already gone through the same challenges.


      So I am very curious to hear what everyone thinks!