Web Application Security Methodology

From Guidance Share


- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan


Mantra

  • Know your threats
  • Secure the network, host and application
  • Bake security into your application life cycle


Secure Your Network, Host, and Application

Logical

Image:WebAppSecurityMethodology_Logical.gif


Physical

Image:WebAppSecurityMethodology_Physical.gif


Server Security

Image:HostSecurity.gif


Categories

Area: Practice

  • Patches and Updates: Patching and updating your server software is a critical first step. If you do not patch and update your server, you provide opportunities for attackers and malicious code.
  • Services: If the service is necessary, secure it and maintain it. Consider monitoring any service to ensure availability. If your service software is not secure, but you need the service, try to find a secure alternative.
  • Protocols: Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication.
  • Accounts: Accounts grant authenticated access to your computer, and these accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures.
  • Files and Directories: Secure all files and directories with restricted NTFS permissions that only allow access to necessary Windows services and user accounts. Use Windows auditing to allow you to detect when suspicious or unauthorized activity occurs.
  • Shares: Remove all unnecessary file shares including the default administration shares if they are not required. Secure any remaining shares with restricted NTFS permissions. Although shares may not be directly exposed to the Internet, a defense strategy — with limited and secured shares — reduces risk if a server is compromised.
  • Ports: Services that run on the server listen to specific ports so that they can respond to incoming requests. Audit the ports on your server regularly to ensure that an insecure or unnecessary service is not active on your server.
  • Registry: Many security-related settings are stored in the registry and as a result, you must secure the registry. You can do this by applying restricted Windows ACLs and by blocking remote registry administration.
  • Auditing and Logging: Auditing is one of your most important tools for identifying intruders, attacks in progress, and evidence of attacks that have occurred. Configure auditing for your server. Event and system logs also help you to troubleshoot security problems.
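The regular port audit described under Ports can be automated by comparing current listeners with an approved baseline. The following is an added example, not part of the original guidance; the baseline, the function names and the sample output (constructed in the layout of Windows `netstat -ano`) are assumptions.

```python
# Added example: audit listening ports against an approved baseline.
# SAMPLE_NETSTAT is constructed output in the layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    [::]:443               [::]:0                 LISTENING       4
  TCP    192.0.2.10:443         198.51.100.7:50122     ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    2100
"""

# Assumed baseline for a web server: only HTTP and HTTPS should be listening.
APPROVED = {("TCP", 80), ("TCP", 443)}


def listening_ports(netstat_text):
    """Map (proto, port) -> set of (local address, PID) for every listener."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a row we do not parse
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a state column; UDP has no state, so any bound
        # UDP socket counts as listening.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")  # also handles [::]:443
        found.setdefault((proto, int(port)), set()).add((addr, int(pid)))
    return found


def audit(netstat_text, approved):
    """Return (unexpected, missing) relative to the approved baseline."""
    found = listening_ports(netstat_text)
    unexpected = sorted(key for key in found if key not in approved)
    missing = sorted(approved - set(found))
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_NETSTAT, APPROVED)
    owners = listening_ports(SAMPLE_NETSTAT)
    for key in unexpected:
        print("unexpected listener", key, sorted(owners[key]))
    for key in missing:
        print("approved service not listening", key)
```

Each unexpected entry carries the owning PID, which identifies the service to secure or disable under the Services practice.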


Web Server Security

Image:WebServerSecurityCategories.gif


Database Server Security

Image:DatabaseServerSecurityCategories.gif


Web Application Security Frame

Categories

  • Input Validation
  • Authentication
  • Authorization
  • Configuration Management
  • Sensitive Data
  • Session Management
  • Cryptography
  • Parameter Manipulation
  • Exception Management
  • Auditing and Logging


Threats to Your Web Application

  • Input Validation: Buffer overflows; Cross-Site Scripting; SQL Injection; Canonicalization attacks
  • Authentication: Network eavesdropping; Brute force attacks; Dictionary attacks; Cookie replay attacks; Credential theft
  • Authorization: Elevation of privilege; Disclosure of confidential data; Data tampering; Luring attacks
  • Configuration Management: Unauthorized access to administration interfaces; Unauthorized access to configuration stores; Retrieval of clear text configuration secrets; No individual accountability; Over-privileged process and service accounts
  • Sensitive Data: Access sensitive data in storage; Network eavesdropping; Information Disclosure
  • Session Management: Session Hijacking; Session Replay; Man in the Middle
  • Cryptography: Poor key generation or key management; weak or custom encryption
  • Parameter Manipulation: Query string manipulation; Form field manipulation; Cookie manipulation; HTTP header manipulation
  • Exception Management: System or Application Details Are Revealed; Denial of service
  • Auditing and Logging: User denies performing an operation; Attacker exploits an application without trace; Attacker covers his tracks


Guidelines for Your Web Applications

  • Input Validation: Don’t trust input; validate input: length, range, format and type; constrain, reject, sanitize input
  • Authentication: Use strong password policies; Don’t store credentials; Encrypt communication channels to secure authentication tokens; use HTTPS only with Forms cookies
  • Authorization: Use least privilege accounts; Consider granularity of access; Enforce separation of privileges
  • Configuration Management: Use least privileged service accounts; Don’t store credentials in plaintext; Use strong authentication and authorization on administrative interfaces; Don’t use the LSA; avoid storing sensitive information in the web space
  • Sensitive Data: Don’t store secrets in software; Enforce separation of privileges; Encrypt sensitive data over the wire; Secure the channel
  • Session Management: Partition site by anonymous, identified and authenticated; reduce the timeout; avoid storing sensitive data in Session; Secure the channel
  • Parameter Manipulation: Don’t trust fields the client can manipulate (Query string, Form fields, Cookie values, HTTP headers)
  • Exception Management: Use structured exception handling (try-catch); Only catch and wrap exceptions if the operation adds value/information; Don't reveal sensitive system or app info; Don't log private data (passwords ... etc.)
  • Cryptography: Don’t roll your own; XOR is not encryption; RNGCryptoServiceProvider for random numbers; Avoid key management (use DPAPI); Cycle your keys
  • Auditing and Logging: identify malign or malicious behavior; know your baseline (what does good traffic look like); instrument to expose behavior that can be watched (the big mistake here is typically app instrumentation is completely missing)
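
The Input Validation and Parameter Manipulation guidelines above, applied to one request, as an added example that is not part of the original guidance. The form schema, field names and function names are hypothetical; the sketch checks length, format, type and range, rejects undefined fields, sanitizes free text, and encodes it at output.

```python
import html
import re

# Hypothetical form schema: field -> (type, max length, allowed format, range).
SCHEMA = {
    "username": (str, 20, r"[A-Za-z0-9_]{3,20}", None),
    "quantity": (int, 3, r"[0-9]{1,3}", (1, 100)),
    "comment": (str, 200, None, None),
}


def validate(raw):
    """Validate the untrusted strings in `raw`; return (clean, errors)."""
    clean = {}
    # Reject anything the form does not define (e.g. an injected "role" field).
    errors = {name: "unexpected field" for name in raw if name not in SCHEMA}
    for name, (typ, max_len, pattern, bounds) in SCHEMA.items():
        value = raw.get(name)
        if not isinstance(value, str):
            errors[name] = "missing"
        elif len(value) > max_len:                          # length
            errors[name] = "too long"
        elif pattern and not re.fullmatch(pattern, value):  # format (allow-list)
            errors[name] = "bad format"
        elif typ is int:                                    # type, then range
            number = int(value)
            if bounds[0] <= number <= bounds[1]:
                clean[name] = number
            else:
                errors[name] = "out of range"
        else:
            # Sanitize free text: drop non-printable characters (NUL, CR, LF).
            clean[name] = "".join(ch for ch in value if ch.isprintable())
    return clean, errors


def render_comment(comment):
    """Encode at the point of output so markup in the value is shown, not run."""
    return "<p>" + html.escape(comment) + "</p>"
```

Constraining and rejecting come first; sanitizing is applied only to the free-text field that cannot be constrained to a strict format.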


Life Cycle Approach

Baking Security Into Your Application Life Cycle

Image:SecurityEngineering.gif

Security Engineering for Applications:

  • Architecture and Design
    • Security Design Guidelines
    • Threat Modeling
    • Security Design Inspection
  • Development
    • Security Code Inspection
  • Deployment
    • Security Deployment Inspection


Threat Modeling

Image:ThreatModelingSteps.gif

The five threat modeling steps are:

  • Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
  • Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
  • Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
  • Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
  • Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.