Application Migration and Development Guide

Security

By industry definition, the classic AppServer does not meet security requirements and best practices. For example, you would never deploy a classic AppServer as an Internet server. Whatever security an OpenEdge application has comes from the diligent efforts of the OpenEdge developers who have written the tools and installation processes around it.
PAS for OpenEdge provides two products:
* A completely unsecured development server product
* A secured production server product
The two PAS for OpenEdge products are almost identical; the differences lie in the security of the configuration. The goal of the production server product is to meet 95% of the recommended security best practices for an Apache Tomcat server. The remaining 5% is left either to the production administrator, according to the company's policies, or to the developer, based on the constraints imposed by the application.
The following is a summary of the production server product's security configuration:
* Removal of the ABL compiler, preventing any unauthorized source code access
* Removal of all remote administration Web applications that can be targeted by intruders
* Core server configuration with removal of unsecured debug features, such as auto-deployment
* UNIX directory and file permission settings
* Additional security valves (in other words, server request filters)
* Full administrative capabilities through secure local utilities, such as command-line tools and JMX access
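Three items in the summary above (auto-deployment, remote administration Web applications, UNIX permissions) can be checked mechanically on an instance directory. The following audit is an added example, not Progress code: it assumes the standard Apache Tomcat layout (`conf/server.xml`, `webapps/`) and uses Apache Tomcat's stock `manager` and `host-manager` application names, which may differ on a given PAS for OpenEdge instance.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

# Assumption: Apache Tomcat's stock remote administration webapps; adjust per instance.
ADMIN_APPS = frozenset({"manager", "host-manager"})

def audit_instance(base, admin_apps=ADMIN_APPS):
    """Return findings for a Tomcat-layout instance directory (conf/, webapps/)."""
    findings = []
    # Auto-deployment: Tomcat treats a missing autoDeploy attribute on <Host> as true.
    for host in ET.parse(os.path.join(base, "conf", "server.xml")).iter("Host"):
        if host.get("autoDeploy", "true").strip().lower() == "true":
            findings.append(f"autoDeploy enabled on Host {host.get('name', '?')}")
    # Remote administration webapps, deployed either as a directory or a .war file.
    for entry in sorted(os.listdir(os.path.join(base, "webapps"))):
        app = entry[:-4] if entry.endswith(".war") else entry
        if app in admin_apps:
            findings.append(f"remote admin webapp present: {entry}")
    # UNIX permissions: anything writable by "other" (symlinks are skipped).
    for root, dirs, files in os.walk(base):
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
                findings.append(f"world-writable: {os.path.relpath(path, base)}")
    return findings

def build_sample(hardened):
    """Constructed sample instance in a temp dir (not a real PAS for OpenEdge install)."""
    base = tempfile.mkdtemp()
    dirs = ["conf", "webapps", "webapps/ROOT"] + ([] if hardened else ["webapps/manager"])
    for d in dirs:
        os.mkdir(os.path.join(base, d))
        os.chmod(os.path.join(base, d), 0o750)
    auto = "false" if hardened else "true"
    files = {"conf/server.xml": "<Server><Service><Engine>"
             f'<Host name="localhost" autoDeploy="{auto}"/></Engine></Service></Server>'}
    if not hardened:
        files["webapps/host-manager.war"] = ""
    for rel, body in files.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write(body)
        # The development-style sample leaves server.xml world-writable on purpose.
        os.chmod(path, 0o640 if hardened or rel.endswith(".war") else 0o666)
    return base

if __name__ == "__main__":
    for label, hardened in (("development-style", False), ("production-style", True)):
        print(label, audit_instance(build_sample(hardened)))
```

An empty result covers only these three checks; the compiler removal, security valves and local-only administration items still need their own review.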