Comments
-
Hi. When any current browser (IE 5.5 or higher, Firefox 0.8 or higher, Safari 1.0 or higher, etc) talks to NetSuite, TLSv1 is the default protocol and SSLv3 is the secondary. Both are considered secure. Customers who connect to NetSuite webstores with contemporary browsers can shop with the confidence that NetSuite meets…
-
The following response was copied from a prior thread on this topic: "This vulnerability report is a false positive. Below is the information we have provided McAfee. In the past, it has resulted in McAfee removing the vulnerability from each account: "NLShopperId is a persistent cookie that does not contain any personally…
-
ScanAlert has remediated the errors causing false positives. All accounts that we can see are in a good state. Chris Blum NetSuite
-
I have no direct visibility for the scan results of any customer that is showing this false positive. I have spoken with ScanAlert support and exchanged multiple emails with them. The last email from them indicated that it was a false positive in their system and requested that it be flagged as a false positive.…
-
HackerSafe has not notified NetSuite of any such vulnerabilities. The asserted vulnerability is definitely a false positive. You should immediately log in to your HackerSafe account, click the asserted vulnerability, and choose False Positive under Resolve. When you buy HackerSafe services, you tell them your domain (e.g.…
-
HackerSafe has given NetSuite access to see the vulnerabilities that they are reporting against several of the sites referenced on this thread. They are reporting some false positives against several of those sites. Two are seeing the "Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel"…
-
You can flag the asserted Persistent Cookie vulnerability as a false positive in your ScanAlert account. In the body of your false comment reason you can provide the following information: "The cookie in question is called NLShopperId. It is used to track page views and clickstreams by anonymous visitors. It does not…
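The scanner check at issue in the two posts above ("Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel") is mechanical: it fires on any cookie that outlives the browser session and has no Secure attribute, regardless of what the value is. The following added example (not NetSuite or ScanAlert code) reproduces that check over Set-Cookie headers and then separates hits whose value looks like personal data from opaque tracking identifiers, which is the distinction a false-positive report has to make. The header values are constructed; only the cookie name NLShopperId comes from the thread, and the "looks sensitive" regex is an assumed heuristic, not a scanner's real rule.

```python
"""Triage Set-Cookie headers for the "persistent cookie over a
non-encrypted channel" scanner check.

Added example; not NetSuite or ScanAlert code. Header values are constructed;
only the cookie name NLShopperId comes from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CookieFinding:
    name: str
    value: str
    persistent: bool   # Expires present, or a positive Max-Age
    secure: bool       # Secure attribute present
    httponly: bool

    @property
    def scanner_hit(self) -> bool:
        """What an automated scanner flags: a cookie that outlives the session
        and lacks Secure, so the browser will replay it on any plain-HTTP
        request to the host, whichever channel originally set it."""
        return self.persistent and not self.secure


# Assumed heuristic (not from the thread): an e-mail address, a card-number
# length digit run, or a user=/pass=/email= fragment counts as sensitive;
# an opaque identifier does not.
_SENSITIVE = re.compile(r"@|\b\d{13,19}\b|(?:user|pass|pwd|email)=", re.I)


def looks_sensitive(value: str) -> bool:
    return bool(_SENSITIVE.search(value))


def parse_set_cookie(header: str) -> CookieFinding:
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    max_age = attrs.get("max-age")
    persistent = "expires" in attrs or (
        max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) > 0
    )
    return CookieFinding(
        name=name.strip(),
        value=value.strip(),
        persistent=persistent,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
    )


def triage(headers: List[str]) -> Dict[str, List[str]]:
    """Run the scanner rule over every header, then split the hits into
    true-positive candidates (value looks like personal data) and
    false-positive candidates (opaque identifier such as a shopper id)."""
    hits = [c for c in map(parse_set_cookie, headers) if c.scanner_hit]
    return {
        "true_positive_candidates": [c.name for c in hits if looks_sensitive(c.value)],
        "false_positive_candidates": [c.name for c in hits if not looks_sensitive(c.value)],
    }


# Constructed sample headers for illustration.
SAMPLE_HEADERS = [
    "NLShopperId=7f3a9c1e2b; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "JSESSIONID=0123abcd; Path=/; HttpOnly",
    "pref=lang%3Den; Max-Age=31536000; Secure; Path=/",
    "acct=email=bob@example.com; Max-Age=2592000; Path=/",
]

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```

Run it and the tracking cookie lands in the false-positive bucket while the cookie carrying an e-mail address lands in the true-positive bucket; the scanner rule alone puts both in the same bucket, which is the whole reason the report has to be argued by hand.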
-
The asserted port 3306 vulnerability is a false positive. The port is not open and has never been open. The ScanAlert support staff that provided you with the nmap output require retraining on nmap. Consider the output:
PORT     STATE    SERVICE VERSION
3306/tcp filtered mysql   5.0.11beta-nt
Notice that STATE = filtered.…
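The post above turns on reading the STATE column correctly: nmap reports "filtered" when a probe got no answer or an ICMP unreachable, meaning a firewall dropped it and nmap cannot say whether anything listens; only "open" means a service accepted the probe. Version detection probes are sent only to ports found open, so a version string beside a filtered row is not evidence of a live listener. The following added example (not NetSuite or ScanAlert code) parses nmap's normal output and refuses to back a "service exposed" finding on anything but an open port. SAMPLE_NMAP is constructed; its 3306 row mirrors the one quoted in the post.

```python
"""Separate confirmed-open ports from filtered ones in nmap normal output,
so a scanner finding is not raised on a 'filtered' row.

Added example, not NetSuite or ScanAlert code. SAMPLE_NMAP is constructed.
"""
import re
from typing import Dict, List

SAMPLE_NMAP = """\
Nmap scan report for shop.example.com (203.0.113.10)
PORT     STATE    SERVICE VERSION
80/tcp   open     http    Apache httpd
443/tcp  open     ssl/http
3306/tcp filtered mysql   5.0.11beta-nt
"""

# One port row of nmap's normal output; the two-state forms must be tried
# before the single-word ones.
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)

# nmap state meanings:
#   open        an application answered the probe
#   closed      the host answered (RST) but nothing listens
#   filtered    no answer / ICMP unreachable: dropped by a firewall, unknown
#   unfiltered  reachable, open vs closed undetermined (ACK scan)
#   x|y         nmap could not distinguish the two
REPORTABLE = {"open"}
AMBIGUOUS = {"open|filtered", "unfiltered"}
NOT_A_FINDING = {"closed", "filtered", "closed|filtered"}


def parse_nmap(text: str) -> List[Dict[str, object]]:
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, header, or blank line
        d: Dict[str, object] = m.groupdict()
        d["port"] = int(m.group("port"))
        d["version"] = (m.group("version") or "").strip()
        rows.append(d)
    return rows


def classify(rows: List[Dict[str, object]]) -> Dict[str, List[int]]:
    return {
        "open": [r["port"] for r in rows if r["state"] in REPORTABLE],
        "needs_manual_check": [r["port"] for r in rows if r["state"] in AMBIGUOUS],
        "not_a_finding": [r["port"] for r in rows if r["state"] in NOT_A_FINDING],
    }


def finding_supported(rows: List[Dict[str, object]], port: int) -> bool:
    """Whether a 'service exposed on <port>' finding is backed by the scan.
    Only an open port supports it; a filtered row says nothing about a
    listener, and a missing row says the port was never scanned."""
    return any(r["port"] == port and r["state"] == "open" for r in rows)


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP)
    print(classify(parsed))
    print("3306 finding supported:", finding_supported(parsed, 3306))
```

On the sample, 80 and 443 are the only ports that can carry a finding; 3306 goes to not_a_finding despite the version text on its row.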
-
HackerSafe's decision to remove your logo was not related to any action or inaction on behalf of NetSuite. Dozens of NetSuite customers still have their HackerSafe logos at this time because there is no vulnerability on the NetSuite site. There are flaws, however, with HackerSafe's mechanism for scanning sites. When you…
-
Ryan, Interesting question. Here are 6 different Hacker Safe logos for checkout.netsuite.com. They should function in your checkout sequence. Do not put them on any page that does not have checkout.netsuite.com in the url. <!-- START SCANALERT CODE --> <a target="_blank"…
-
checkout.netsuite.com didn't complete its scan until ~1:30pm today. I would expect the logo to be displayed correctly in your checkout process. Let me know if it is not. Chris Blum NetSuite Edited for clarity.
-
I have spoken with HackerSafe this morning. They have agreed to remove the false positive from all known accounts that are reporting the port 3306 vulnerability. All logos on those accounts will return in "about an hour." Bill C: NetSuite has never made a statement regarding the suitability or value of contracting with any…
-
The Verisign logo can be displayed on any of the pages protected by a Verisign certificate. In most cases, this means that you can display the image on any of the https://checkout.netsuite.com/... pages. As part of our PCI compliance efforts, NetSuite is audited and scanned regularly by a PCI-certified auditor (Trustwave).…
-
There is a parallel forum post which addresses the current XSS assertion. NetSuite has determined that the currently asserted vulnerability is a false positive. None of the testcases that Hacker Safe's automated scanner identified as vulnerabilities were genuine vulnerabilities. NetSuite is working with Hacker Safe to…
-
Dr. Elaine: For the Verisign logo, you can construct a block of html at http://www.verisign.com/ssl/secured-seal/installation-instructions/index.html You have the option of choosing GIF or Flash, along with the logo size. In order to place the logo on the checkout page, make sure you enter "checkout.netsuite.com" (no…
-
Any time you begin talking about solutions where you are storing NetSuite user credentials externally, you are going to run into problems. It is important to recognize precisely how sensitive the information that NetSuite stores can be, and how a single set of credentials may have access to multiple roles in multiple…
-
I will gladly highlight your desire for this feature to our Product Management team. I understand your requests for a branded login page, logout page, and error page. However, I represent the interest of security for NetSuite's customers. Wrapping the NetSuite login page with your own login page is a very poor security…
-
Our Support organization is going to follow-up with all the notified customers to help them understand the underlying vulnerability and to clarify that NetSuite is not going to take any action until after we have delivered a better solution. I'll leave the scripting question to someone who is better qualified to answer it.…
-
"Can you detail exactly what the security risk is? And how it differs from a customer center login, say?" The risks are not obvious, even to many people who design websites. Login forms on insecure pages that forward to a secure page are not secure. This design flaw was common, even among secure institutions such as…
-
Lee, It definitely does meet the requirements, as does Farrago's scenario above. The page on which the credentials are entered, and on which the <form> tag exists, needs to be on an https://*.netsuite.com domain. If you are redirecting, automatically or via a link or any other way, to https://*.netsuite.com for the users…
-
The iframe login box doesn't solve the trust issue between the user and the site that the user is visiting. The certificate and the domain in the URL do not match, making the page susceptible to DNS spoofing. -Chris
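The two posts above give a concrete rule: the document that contains the <form> with the password field must itself be served from https://*.netsuite.com, and it must be the page the user's address bar and certificate refer to, not a box framed inside someone else's page. The following added example (not NetSuite code) turns that rule into a check over a page's HTML and the two URLs involved. The HTML, hostnames and the helper names are constructed for illustration; the allowed-host suffix is the one stated in the thread.

```python
"""Check a login page against the rule: credentials must be entered on a
document served from https://*.netsuite.com that is also the top-level page.

Added example, not NetSuite code. HTML and URLs are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse

ALLOWED_SUFFIX = ".netsuite.com"   # rule from the thread: https://*.netsuite.com


class _FormScanner(HTMLParser):
    """Collects every <form> that contains an <input type=password>."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, object]] = []
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            if self._open["password"]:
                self.forms.append(self._open)
            self._open = None


def _host_ok(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(ALLOWED_SUFFIX)


def check_login_page(address_bar_url: str, document_url: str, html: str) -> List[str]:
    """Return the reasons the page fails the rule; an empty list means it passes.

    address_bar_url: what the user sees, and what the certificate is checked
                     against. document_url: the URL of the document that
                     actually holds the form; differs from the first when the
                     form is delivered inside an iframe."""
    scanner = _FormScanner()
    scanner.feed(html)
    problems: List[str] = []
    if not scanner.forms:
        return problems  # no credentials collected here, nothing to judge
    bar, doc = urlparse(address_bar_url), urlparse(document_url)
    if doc.scheme != "https":
        problems.append("credentials are entered on a non-https page")
    if not _host_ok(document_url):
        problems.append("form document is not served from https://*.netsuite.com")
    if (bar.scheme, bar.hostname) != (doc.scheme, doc.hostname):
        problems.append(
            "login form is framed: address bar shows %s, form comes from %s"
            % (bar.hostname, doc.hostname)
        )
    for f in scanner.forms:
        target = urlparse(urljoin(document_url, str(f["action"])))
        if target.scheme != "https":
            problems.append("form posts credentials to a non-https action")
    return problems


if __name__ == "__main__":
    wrapper = '<form action="https://system.netsuite.com/app/login"><input type="password" name="pw"></form>'
    # Constructed: a merchant's plain-HTTP page hosting its own login form that
    # forwards to NetSuite; the action being https does not rescue it.
    print(check_login_page("http://www.example-shop.com/login",
                           "http://www.example-shop.com/login", wrapper))
```

The third case in the test is the iframe box from the post: every URL is https and the form document is on *.netsuite.com, and it still fails because the address bar and certificate the user can inspect belong to a different host than the one receiving the password.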
-
I'd like to highlight a particular security concern that NetSuite's current login mechanism addresses. The current design ensures that a company's users and customers are presented with an SSL signed page prior to providing their credentials. NetSuite buys its certificates from Verisign to ensure maximum browser…
-
All communications with Merchant e-Solutions are via SSL and there is no security flaw with HTTP GET over SSL when directly communicating with Merchant e-Solutions to transmit credit card data. Merchant e-Solutions specified HTTP GET as the standard for communicating Credit Card transactions to their service. Concerns with…
-
NetSuite's security practices are audited by multiple independent entities each year. The two audits that tend to be most interesting to our customers are our SAS70 Type II audit and our Payment Card Industry Data Security Standard (PCI DSS) audit. You can speak to your NetSuite account representative to discuss details of…
-
I think you are asking whether NetSuite's webstore solution operates like a simple webserver which can have entries for each domain that it serves, and a certificate for each of those servers. The NetSuite webstore is complex. As a result, implementing completely unique domains with EV SSL support is complex. Enhancement…
-
Erik, McAfee has made an error which has led to this False Positive. NetSuite has filed a False Positive report with McAfee in response to this error. You may also file a False Positive report from within your McAfee account: click the "Resolve" link on the Vulnerability page and choose "False Positive" as the type of…
-
This is a False Positive. There is no vulnerability on NetSuite at this time. NetSuite does not use any PHP server technology. McAfee found the vulnerability on a random server on the web, and McAfee made an error by assigning that vulnerability to NetSuite. NetSuite has filed a false positive for this error, but you can…
-
Regarding McAfee's latest vulnerability assertion, NetSuite is not operating any of the PHP or SSL versions listed. In fact, NetSuite does not use PHP in any of its applications. It is a new false positive. NetSuite has filed a remediation with McAfee. You can file a similar False Positive report to indicate that the…
-
We are working with McAfee to help them fix their own errors. The reason that McAfee did not resolve the problem is that they currently have the wrong IP address for all web stores. It is not clear why they make this mistake from time to time. McAfee has unilaterally decided for no apparent reason that these webstores use…
-
This is a McAfee False Positive. NetSuite completely de-supported all remaining SSL v2 ciphers in January. See the following thread for details: https://usergroup.netsuite.com/users/showpost.php?p=82468&postcount=2 I will remediate the issue for all McAfee accounts into which NetSuite has visibility, however, I would…