Secure Image Scanning, Processing and Uploading in Web App

Nov 26, 2012


Security is always an important factor when choosing a document imaging API. It directly relates to:

  • Whether the control is safe and friendly enough for the end users to download and install.
  • Whether the control will access the local data and communicate with the others silently.
  • Whether it is secure to upload the image data over the network.

In this article, I’ll share with you how Dynamsoft’s Dynamic Web TWAIN scanner control deals with the securities.

About Dynamic Web TWAIN

Dynamic Web TWAIN is an image acquisition API optimized for web applications. The component allows you to scan documents/images from scanners and other TWAIN compliant devices. Extension features including image processing and uploading are also supported.

Security Features

  1. Safe to Download

Dynamic Web TWAIN ActiveX is digitally signed by VeriSign. By signing the component digitally, a dialog box with the publisher’s legal name will appear when a customer first installs the scanning component. The user can choose whether they want to install the component during the download and install process.

Install DWT on the client side

If the control is altered after the publisher has signed it, the digital signature will be broken and the user will be informed. This makes it impossible for the signed control to be infected by a virus or maliciously tampered by hackers. With Dynamic Web TWAIN, there are 2 levels of signatures:

First, the library files “DynamicWebTwainCtrl.dll” and “DynamicWebTwainCtrlTrial.dll” are digitally signed. This ensures that Dynamic Web TWAIN itself won’t be tampered with.

Secondly, the cabinet files “” and “” are digitally signed. These files contain the library files and additional files with the extension “INF” (which are used when the control is being installed on the client machine). This signature makes sure that the files downloaded on the client machines are the correct & unchanged ones.

  1. Marked safe for initialization and scripting

Dynamic Web TWAIN is marked safe for initialization and scripting as you can see in the below screenshot. With these marks, Dynamsoft guarantees there is no security breach when you use Dynamic Web TWAIN.

DWT marked safe for initialization and scripting

  1. Non-disclosure of any personal info.

Dynamic Web TWAIN is a component meant to add scanner support to web applications. For end users, the documents they scan are usually private and important. Any unintentional disclosure of the info cannot be tolerated. When documents are scanned, they’re stored in the buffer of Dynamic Web TWAIN which is part of the physical memory allocated for the web browser on the client machines. Without the permission from the user, the data won’t go anywhere. All interfaces of Dynamic Web TWAIN are secure; it does nothing unless commanded by the current user.

  1. Minimal communication with the outside world.

Users of great security level are concerned about any info that would be sent out to the outside world without them knowing it. They can rest assured when using Dynamic Web TWAIN because the only communication it does with the outside world is verifying the certificate that was used for the digital signature. The certificate is from VeriSign. And the verification process is considered 100% secure.

If the user doesn’t even want the verification, the certificate can be removed. But this is not recommended as discussed in point 1.)

  1. Secure data transmission over the network.

a. Support for SSL

You can use SSL to encode your posted data to further ensure secure data transmission. This is necessary for many web applications that would require data upload/download

b. Authentication

Dynamic Web TWAIN supports authentications including Windows, Forms and Basic Authentication. It gives the software developers the most flexibility to set the access permissions. Cookie and session are also supported by the component.

c. Compatible with Protected Mode and Data Execution Prevention (DEP)

Since Windows 2008, Microsoft set Protected Mode and DEP ON as the default option to protect from virus and other attack on purpose. Dynamic Web TWAIN is fully compatible with Protected Mode and DEP.

Case Study – Lockheed Martin

All the above features are the reasons why Lockheed Martin chose us for their Intranet Quorum system (check out the case study in PDF format). Intranet Quorum®, or IQ, is Lockheed Martin’s web based out-of-the-box enterprise contact management and workflow system for government offices. It is widely used by leading federal agencies, the United States Congress, and numerous state and local government organizations.

If you are interested in the SDK, the trial version is available for you. Dynamic Web TWAIN 30-Day Free Trial Download

You can also see it in action: Dynamic Web TWAIN Online Demo

Search Blog Posts