Every major release of LCDS goes through an external security audit; you can view the report in the LCDS product PDF portfolio (the portfolio also includes a useful performance brief).
The LCDS attack surface is very small, but there are a number of things to consider:
- Use AMF rather than AMFX in production (AMF is also the better choice for performance, since it handles large, complex object graphs more efficiently).
- If you are using AMFX, use LCDS 3.1, which fixes a number of known XML vulnerabilities. If you are unable to upgrade to LCDS 3.1, apply this security patch instead.
- Use secure channels (refer to Using LiveCycle Data Services ES2 Version 3.1).
- If you are using the proxy service, secure it as described in this post.
- If you are concerned about XSS attacks, validate incoming client data on the server using a custom queue processor (refer to Using LiveCycle Data Services ES2 Version 3.1).
- Try to ensure end users are on the latest Flash Player.
- Ensure RDS is not enabled in production (comment out the RDSDispatchServlet servlet and its servlet-mapping in web.xml).
- Make sure your app server is secured according to the vendor's best practices (you should also look at Hardening and Security for LiveCycle ES, which provides some general recommendations).
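To make the AMF and secure-channel points concrete, here is what they look like in services-config.xml. This is an added example, not configuration from the original post or from Adobe: the channel and endpoint class names and the endpoint URL patterns follow the ones in the LCDS sample services-config.xml, but the channel ids, the destination name and the remoting class are placeholders, so verify them against your own deployment.

```xml
<!-- services-config.xml (added example; channel ids, destination name and
     remoting class are placeholders, not values from the original post) -->
<services-config>
    <services>
        <!-- Remoting destinations normally live in remoting-config.xml and are
             pulled in with a service-include; they are shown inline here so
             the channel reference is visible. This destination can only be
             reached over the secure AMF channel because that is the only
             channel it lists. -->
        <service id="remoting-service" class="flex.messaging.services.RemotingService">
            <destination id="secure-only-dest">
                <properties>
                    <source>com.example.OrderService</source>
                </properties>
                <channels>
                    <channel ref="my-secure-amf"/>
                </channels>
            </destination>
        </service>
    </services>

    <channels>
        <!-- WEAK: AMFX, i.e. XML on the wire, over plain HTTP. This is the
             format the 3.1 XML fixes apply to, and it has no transport
             protection. Keep it out of production. -->
        <channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
            <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http"
                      class="flex.messaging.endpoints.HTTPEndpoint"/>
        </channel-definition>

        <!-- WEAK: binary AMF, but still over plain HTTP, so credentials and
             data cross the network in the clear. -->
        <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
            <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
                      class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>

        <!-- HARDENED: binary AMF over HTTPS. This is the only channel the
             destination above references. -->
        <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
            <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                      class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        </channel-definition>
    </channels>
</services-config>
```

Two things to check once this is deployed. First, `{server.name}` and `{server.port}` are filled in by the client from the URL the SWF was loaded from, so the SWF itself must be served over HTTPS on the port you expect, or the secure endpoint URL will be wrong. Second, a destination that lists only the secure channel cannot be reached by a client that tries to fall back to the plain one; once nothing references `my-http` and `my-amf`, delete those channel definitions rather than leaving them as unused but still live endpoints.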
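The RDS item above is a web.xml change, shown here as an added example rather than configuration from the original post. The servlet class, init parameter and URL pattern are the ones in the LCDS sample web.xml; confirm them against your own descriptor before editing, since your file may differ.

```xml
<!-- web.xml (added example): the RDS stanza as it appears in the LCDS sample
     web.xml, disabled for production. Verify the servlet-class and
     url-pattern against your own file. -->
<web-app>
    <!-- MessageBrokerServlet and the other entries stay as they are. -->

    <!-- RDS lets Flash Builder, and anyone else who can reach this URL, browse
         destinations and invoke remote calls. In the sample configuration
         useAppserverSecurity is false, so the servlet does not require
         application-server credentials. Leave it active only in development.
         Comment out BOTH the servlet and its servlet-mapping so nothing in the
         descriptor refers to a servlet that is no longer declared. -->
    <!--
    <servlet>
        <servlet-name>RDSDispatchServlet</servlet-name>
        <display-name>RDSDispatchServlet</display-name>
        <servlet-class>flex.rds.server.servlet.FrontEndServlet</servlet-class>
        <init-param>
            <param-name>useAppserverSecurity</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>10</load-on-startup>
    </servlet>

    <servlet-mapping id="RDS_DISPATCH_MAPPING">
        <servlet-name>RDSDispatchServlet</servlet-name>
        <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
    </servlet-mapping>
    -->
</web-app>
```

After redeploying, confirm the endpoint is really gone from the outside: a request to `/<context-root>/CFIDE/main/ide.cfm` on the production host should now return a 404 from the container, not a response from the RDS servlet. If you need RDS in a staging environment, prefer setting `useAppserverSecurity` to `true` there so that at least application-server authentication applies, rather than leaving the unauthenticated sample configuration in place.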
There are a number of useful resources that discuss security:
- Enterprise security for Flex
- Creating more secure SWF web applications
- OWASP Flash Security Project
- Adobe Flash Player 10 Security
- Adobe AIR HTML Security
The following tools can be used to help find and fix security vulnerabilities: