Web Services Security Frame

From Guidance Share


- J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan


Here's a snapshot of the frame. The power of the frame is that it is a durable, evolvable backdrop; in other words, you can shape it to your own purposes. Notice that the categories serve as a pivot on which we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures).


Categories

  • Auditing and Logging
  • Authentication
  • Authorization
  • Configuration Management
  • Exception Management
  • Impersonation and Delegation
  • Message Encryption
  • Message Replay Detection
  • Message Signing
  • Message Validation
  • Sensitive Data
  • Session Management


Categories Explained

Category / Description

Auditing and Logging

Who did what and when? Auditing and logging refer to how your application records security-related events.

Authentication

Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.

Authorization

Authorization is how your service provides access controls for resources and operations.

Configuration Management

Configuration management refers to how your service handles database connections, administration and other configuration settings.

Exception Management

Exception management refers to how you handle exceptions within your application, including fault contracts.

Impersonation and Delegation

Impersonation and delegation refers to how your service impersonates users and passes identity information downstream for authorization purposes.

Message Encryption

Message encryption refers to protecting a message by converting the contents to cipher-text using cryptographic methods.

Message Replay Detection

Message replay detection refers to identifying and rejecting messages that are re-submitted.

Message Signing

Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect if the contents have been tampered with (i.e. authentication and integrity of the message.)

Message Validation

Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input and output includes input from clients consuming the service as well as file-system input, as well as input from network resources, such as databases. Output typically includes the return values from your service or disk / database writes among others.

Sensitive Data

Sensitive data includes data integrity and confidentiality of your user and application data that you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files or when transmitted over the network.

Session Management

A session refers to a series of related interactions between a client and your service.


Threats and Attacks Organized by Web Services Security Frame

Category / Threats and Attacks

Auditing and Logging

  • Repudiation
  • Denial of services
  • Disclosure of confidential information

Authentication

  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attack
  • Credential theft

Authorization

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks
  • Token stealing

Configuration Management

  • Unauthorized access to configuration stores
  • Retrieval of clear text configuration secrets
  • Unauthorized access to administration interfaces
  • Lack of individual accountability
  • Over-privileged process and service accounts

Exception Management

  • Information disclosure
  • Denial of service
  • Elevation of privilege

Impersonation and Delegation

  • Elevation of privilege
  • Disclosure of confidential information

Message Encryption

  • Stealing sensitive data
  • Theft of encryption keys
  • Man in the middle attack

Message Replay Detection

  • Session replay

Message Signing

  • Data tampering

Message Validation

  • XPath injection
  • XML Bombs
  • Canonicalization issues
  • Cross-site scripting
  • SQL injection

Sensitive Data

  • Memory dumping

  • Network eavesdropping
  • Configuration file sniffing

Session Management

  • Session hijacking
  • Session replay
  • Man in the middle attack
  • Inability to logout successfully
  • Cross-site request forgery
  • Session fixation
  • Load balancing and session affinity


Vulnerabilities Organized by Web Application Security Frame

Category / Vulnerabilities

Auditing and Logging

  • Failing to audit failed logons
  • Failing to secure log files
  • Storing sensitive information in log files
  • Failing to audit across application tiers
  • Failure to throttle log files

Authentication

  • Using weak passwords
  • Storing clear text credentials in configuration files
  • Passing clear text credentials over the network
  • Permitting over-privileged accounts
  • Permitting prolonged session lifetime
  • Mixing personalization with authentication
  • Using weak authentication mechanisms (for example, using basic authentication over an untrusted network)

Authorization

  • Relying on a single gatekeeper (e.g. relying on client-side validation only)
  • Failing to lock down system resources against application identities
  • Failing to limit database access to specified stored procedures
  • Using inadequate separation of privileges
  • Permitting over-privileged accounts

Configuration Management

  • Using insecure custom administration interfaces
  • Failing to secure configuration files on the server
  • Storing sensitive information in the clear text
  • Having too many administrators
  • Using over-privileged process accounts and service accounts

Exception Management

  • Failing to use structured exception handling (try/catch)
  • Revealing too much information to the client
  • Failure to specify fault contracts with the client
  • Failure to use a global exception handler

Impersonation and Delegation

  • Failure to revert to a lower privilege after using impersonation
  • Improper use of global impersonation across the entire service

Message Encryption

  • Failure to encrypt messages
  • Using custom cryptography
  • Distributing keys insecurely
  • Managing or storing keys insecurely

Message Replay Detection

  • Failure to implement message replay detection feature

Message Signing

  • Unsigned messages that don't confirm the source
  • Unsigned messages that don't detect tampering

Message Validation

  • Using non-validated input to generate SQL queries
  • Relying only on client-side validation
  • Using input file names, URLs, or user names for security decisions
  • Using application-only filters for malicious input
  • Looking only for known bad patterns of input
  • Trusting data read from databases, file shares, and other network resources
  • Failing to validate input from all sources including cookies, SOAP headers, SOAP parameters, databases, and network resources

Session Management

  • Passing session identifiers over unencrypted channels
  • Permitting prolonged session lifetime
  • Having insecure session state stores
  • Placing session identifiers in query strings


Countermeasures Organized By Web Application Security Frame

Category / Countermeasures

Auditing and Logging

  • Identify malicious behavior
  • Know your baseline (know what good traffic looks like)
  • Use application instrumentation to expose behavior that can be monitored
  • Throttle logging
  • Strip sensitive data before logging

Authentication

  • Use strong password policies
  • Do not store credentials in an insecure manner
  • Use authentication mechanisms that do not require clear text credentials to be passed over the network
  • Encrypt communication channels to secure authentication tokens
  • Use HTTPS only with forms authentication cookies
  • Separate anonymous from authenticated pages
  • Use cryptographically secure random number generators to generate session IDs

Authorization

  • Use least privilege accounts
  • Tie authentication to authorization on the same tier
  • Consider granularity of access
  • Enforce separation of privileges
  • Use multiple gatekeepers
  • Secure system resources against system identities

Configuration Management

  • Use ACLs
  • Encrypt sensitive sections of configuration files
  • Use secure settings for various operations of web services using configuration files

Exception Management

  • Use structured exception handling (by using try/catch blocks)
  • Catch and wrap exceptions only if the operation adds value/information
  • Do not reveal sensitive system or application information
  • Implement a global exception handler
  • Do not log private data such as passwords

Impersonation and Delegation

  • Use a using statement to automatically revert impersonation when the block exits
  • Granularly impersonate only those operations that need it

Message Encryption

  • Use message security or transport security to encrypt your messages
  • Use platform-provided cryptography
  • Use platform features for key management
  • Periodically change your keys

Message Replay Detection

  • Cache an identifier for incoming messages, and use message replay detection to identify and reject messages that match an entry in the replay detection cache

Message Signing

  • Verify messages have not been tampered with in transit (data integrity)
  • Verify messages originate from the expected sender (authenticity)

Message Validation

  • Verify the message payload against schema
  • Verify the message size, content and character sets
  • Filter, scrub and reject input and output before additional processing
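The three validation countermeasures above, applied in the order a service should apply them (size, character set, then structure and content), as an added example that is not code from the original page. It assumes a constructed XML message with a root of TransferRequest and two fields, and uses a field allow-list with patterns in place of a full XSD; rejecting any DTD before parsing is what keeps the XML-bomb threat listed earlier out of the parser.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

MAX_MESSAGE_BYTES = 64 * 1024          # hard size cap, checked before anything is decoded or parsed
ALLOWED_ROOT = "TransferRequest"       # constructed operation name for the example
# Allow-list of fields and the exact shape each may take (schema-like check without an XSD library)
REQUIRED_FIELDS = {
    "Account": r"[0-9]{8,12}",
    "Amount": r"[0-9]+(\.[0-9]{1,2})?",
}


def validate_message(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Each step rejects before the more expensive step runs."""
    # 1. Size: reject oversized payloads before spending memory or parser time on them.
    if len(raw) > MAX_MESSAGE_BYTES:
        return (False, "message too large")
    # 2. Character set: strict UTF-8 only; malformed sequences are rejected, not substituted.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return (False, "invalid character set")
    # 3. No DTD: entity declarations are how an XML bomb expands, so refuse them before parsing.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return (False, "DTD not allowed")
    # 4. Well-formedness and expected operation.
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return (False, "malformed XML")
    if root.tag != ALLOWED_ROOT:
        return (False, f"unexpected root {root.tag!r}")
    # 5. Content: only allow-listed elements, each present exactly once and matching its pattern.
    for child in root:
        if child.tag not in REQUIRED_FIELDS:
            return (False, f"unexpected element {child.tag!r}")
    for name, pattern in REQUIRED_FIELDS.items():
        matches = root.findall(name)
        if len(matches) != 1:
            return (False, f"missing or repeated {name}")
        if not re.fullmatch(pattern, (matches[0].text or "").strip()):
            return (False, f"invalid {name}")
    return (True, "ok")
```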

Sensitive Data

  • Do not store secrets in software
  • Encrypt sensitive data over the network
  • Secure the channel
  • Encrypt sensitive data in configuration files

Session Management

  • Partition site by anonymous, identified, and authenticated users
  • Reduce session timeouts
  • Avoid storing sensitive data in session stores
  • Secure the channel to the session store
  • Authenticate and authorize access to the session store