An Architect's View of Application Security


Presentation Transcript

1

An Architect’s View of Application Security: Multi-tiered Systems
Rick Carlin, Security Architect
rickrcarlin@spherion.com
February 2009

2

Goals
- Understand how applications fit into a multi-tiered architecture
- Enhance awareness of risk outside the application
- Illustrate 10 basic principles to mitigate application security risks

3

What is a Multi-tiered System (MTS)?
An MTS is a layered architecture that meets a business need, consisting of:
- Presentation layer
- Application layer
- Messaging layer (for multi-DB systems)
- Data layer
- Network layer (the interconnections)

4

Risk: Tunnel Vision
Multi-tiered architectures are put together by teams, each with its own vision of the system: system administrators, database administrators, developers, quality assurance, security analysts, marketing communications, web masters, business analysts, help desk, business units, legal, compliance, human resources, project managers.

5

Risk: Ownership
- We are hampered in securing “the system” by ownership issues: what each team calls “our system” is a single component of the MTS
- There is often no one responsible for “system security” as a whole, i.e. every layer, the interconnections between them, and the enterprise services they depend on

6

Other Risks to an MTS
- Vulnerabilities in systems
- Vulnerabilities in applications
- Vulnerabilities in networks
- Vulnerabilities in design
- Vulnerabilities in enterprise services
- External threats
- Internal threats

7

Mitigating Risk
Reduce the “attack surface” through:
- System design
- Layered security
- Consistent processes
- Application of security principles (GASP)

8
9

1. Separation of Networks
- No direct traffic from external to internal networks (zones)
- Routers and switches don’t maintain state! Only a stateful firewall can tell a reply from an unsolicited inbound packet
- “Deny all that is not explicitly allowed”

10
11

2. Isolated Network (DMZ)
- A buffer network between the external and internal networks
- It “presents” the system to the user; nothing behind it is reachable directly from outside
- Do not mix production and test networks
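The two principles above, separation of zones with a default-deny policy and a DMZ that alone faces the outside, expressed as a firewall ruleset. This is an added example, not from the deck: it uses nftables syntax, and the interface names (eth0 external, eth1 DMZ, eth2 internal), addresses and ports are assumptions chosen for illustration.

```nftables
# Added example, not from the deck. Three-zone stateful firewall:
# eth0 = external, eth1 = DMZ, eth2 = internal (assumed names/addresses).
table inet mts {
    chain forward {
        # "Deny all that is not explicitly allowed": policy drop is the baseline.
        type filter hook forward priority 0; policy drop;

        # The firewall keeps connection state; routers and switches do not.
        # Replies to allowed connections pass, anything else falls through.
        ct state established,related accept
        ct state invalid drop

        # External -> DMZ: only the presentation tier, only HTTPS.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 443 ct state new accept

        # DMZ -> internal: only the presentation host, only the app tier's port.
        # There is deliberately no internal -> DMZ application rule and no
        # external -> internal rule of any kind; both hit the drop policy.
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 ip daddr 10.0.1.20 tcp dport 8443 ct state new accept

        # Administrative SSH into the DMZ only from the assumed management VPN gateway.
        iifname "eth2" oifname "eth1" ip saddr 10.0.0.5 tcp dport 22 ct state new accept

        # Log what the policy is about to drop so the central log store sees probes.
        log prefix "mts-drop " drop
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the important check is that every `accept` names a source zone, a destination zone and a port, so an external host can reach nothing but 192.0.2.10:443 and the DMZ host can reach nothing but the application tier.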

12
13

3. Sterile Environment
- Treat DMZ systems as unsafe: assume they will be compromised
- Practice good housekeeping (no debug output, core dumps or temporary files left behind)
- Secrets are hard to keep: anything stored on a DMZ host should be assumed readable by an attacker who lands there

14

4. No Remote Access to Management Systems
- Many applications offer administrative controls directly via the presentation layer (a port, a URL, etc.)
- Network or server remote access from outside should be blocked (ssh, telnet, pcAnywhere, RDP, HTTP admin pages, etc.)
- Only allow this access via authenticated, secure remote-access services (IPsec VPN, SSL-VPN)

15

5. Lockdown Before Exposure
- Require development, QA, system administration and security to complete testing from documented processes
- Require an approval process before a system is placed in the DMZ
- Accept the “residual risk” and authorize system operation in writing

16

6. Least Access
- Access is granted at the minimum level required
- Practice this at the system and network level
- Document and restrict use of built-in accounts

17

7. Least Use
- Servers are used for one purpose only
- Remove unused services and applications
- Example: the web server is not the SMTP server

18

8. O.S. Isolation
- Never install applications on the operating system partition
- Use native ACLs on application directories
- No parent paths in applications: the application must not be able to reference files above its own directory (disable “parent paths” style features and reject “..” in any path it builds)

19

9. Monitoring
- Use IDS/IPS
- Offload logs to a central repository
- Custom applications need to generate their own logs; the platform will not log application-level events for them
- Understand what’s going on: situational awareness
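Slide 19 asks custom applications to generate logs and to ship them to a central store where someone understands what is going on. An added example, not from the deck, of both halves: an application emitting one JSON record per line, and a detection run over those lines that flags a burst of failed logins from one source. The field names, the threshold and the sample lines are assumptions constructed for illustration.

```python
"""Added example (not from the deck): structured application logging plus a
detection over the resulting lines. Field names, thresholds and the sample
log lines are constructed assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timezone


def app_log(event, ts, **fields):
    """What the custom app emits: one JSON object per line with a UTC
    timestamp, so the central repository can correlate across tiers."""
    record = {"ts": ts, "event": event}
    record.update(fields)
    return json.dumps(record, sort_keys=True)


def failed_login_bursts(lines, threshold=5, window_s=60):
    """Return ({src: iso_time_of_first_failure_in_burst}, malformed_count)
    for sources with >= threshold login_failed events inside any sliding
    window of window_s seconds. Malformed lines are counted rather than
    silently dropped: a pipeline that discards garbage is its own blind spot."""
    per_src = defaultdict(list)
    malformed = 0
    for line in lines:
        try:
            rec = json.loads(line)
            if rec["event"] != "login_failed":
                continue
            per_src[rec["src"]].append(datetime.fromisoformat(rec["ts"]).timestamp())
        except (ValueError, KeyError, TypeError):
            malformed += 1

    alerts = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it spans at most window_s
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                first = datetime.fromtimestamp(stamps[start], timezone.utc)
                alerts[src] = first.isoformat()
                break
    return alerts, malformed


# Constructed sample: five failures in 40 s from one address (a burst), five
# failures spread over eight minutes from another (noise), one success, and
# one line of garbage to exercise the malformed path.
SAMPLE_LINES = (
    [app_log("login_failed", "2009-02-01T10:00:%02d+00:00" % s, src="198.51.100.7", user="admin")
     for s in range(0, 50, 10)]
    + [app_log("login_failed", "2009-02-01T10:%02d:00+00:00" % m, src="203.0.113.9", user="bob")
       for m in range(0, 10, 2)]
    + [app_log("login_ok", "2009-02-01T10:01:00+00:00", src="203.0.113.9", user="bob"),
       "not json at all"]
)

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LINES))
```

The sliding window is what makes the detection honest: a fixed-minute bucket would miss five failures straddling a minute boundary, and the timestamp comes from the log record, not from the collector's clock, so the result is the same whether the line arrives immediately or an hour later from a queue.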

20

10. Encrypted Data Transfer
- Understand what data is in your system
- Use standard encryption protocols for data in transit (SSL/TLS)
- End-to-end encryption: protect the data from the point it enters transit until it is at rest, across every layer hop

21

Enterprise Services
- DNS
- Time
- Patching
- Anti-virus
- Logging
- Management
- Authentication
- Code deployment

22

The Application Interface
- Don’t trust input!
- Always perform INPUT VALIDATION and BOUNDS CHECKING
- Never trust the client! Anything the client sends (values, prices, hidden fields, paths) is under the attacker’s control
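An added example, not from the deck, of the rules on slide 22 (validate input, check bounds, never trust the client) together with the “no parent paths” rule from slide 18: server-side validation of a form exactly as the client sent it. The field names, limits, the report directory and the price catalogue are assumptions chosen for illustration.

```python
"""Added example (not from the deck): server-side validation of an untrusted
client request. Field names, limits, the report root and the catalogue are
assumptions for illustration."""
import re
from pathlib import PurePosixPath

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # allow-list, not a block-list
MAX_PAGE = 10_000
REPORT_ROOT = PurePosixPath("/srv/app/reports")        # assumed data directory
CATALOG = {"sku-100": 1999, "sku-200": 4999}           # assumed server-side prices, cents


class BadRequest(ValueError):
    """Raised for anything outside the request contract; the caller maps it to 400."""


def validate_request(form):
    """form: dict of raw strings as received from the client.
    Returns a cleaned dict, or raises BadRequest."""
    user = form.get("user", "")
    if not USERNAME_RE.match(user):
        raise BadRequest("user: outside allowed character set or length")

    # Bounds checking: parse, then enforce a range, so '-1' or a 40-digit
    # number never reaches the pagination code.
    try:
        page = int(form.get("page", "1"))
    except ValueError:
        raise BadRequest("page: not an integer")
    if not 1 <= page <= MAX_PAGE:
        raise BadRequest("page: out of range")

    # No parent paths: the client may name one file inside REPORT_ROOT and
    # nothing else. Checking the path components is stricter than grepping
    # the string for '..'.
    candidate = PurePosixPath(form.get("report", ""))
    if candidate.is_absolute() or ".." in candidate.parts or len(candidate.parts) != 1:
        raise BadRequest("report: must be a single file name")
    report_path = REPORT_ROOT / candidate

    # Never trust the client: whatever price it claims is ignored and the
    # server's catalogue is authoritative.
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise BadRequest("sku: unknown")

    return {"user": user, "page": page, "report": str(report_path),
            "sku": sku, "price_cents": CATALOG[sku]}


def is_rejected(form):
    """True if validate_request refuses the form (used to test the negative cases)."""
    try:
        validate_request(form)
    except BadRequest:
        return True
    return False
```

Note that the client-supplied `price` field is not read at all; the cleaned dictionary is built only from values the server validated or looked up itself, which is what “never trust the client” means in practice.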

23

Layer Interconnections
- Use discrete channels between layers
- Firewalls track state; put them at the layer boundaries
- End-to-end encryption blinds a network IDS to the traffic, so detection has to move to host-based IDS on the endpoints
- Don’t reinvent the encryption wheel: use standard protocols and libraries

24

Unique to the Presentation Layer
- Authentication should occur at this layer
- Debugging: monitor for its use in production
- No dynamic data calls! The presentation layer should never query the data layer directly
- If everything else is set up properly, this layer is the remaining point of attack

25

Tracking the User
- Parameterize the user name
- Ensure session IDs are unique (and unpredictable)
- Parameterize the session ID
- Pass the user name and session ID through each successive layer, so every tier can check that the two belong together
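The slide above, as an added example that is not part of the deck: session creation with an unpredictable ID, a parameterized lookup that receives both the user name and the session ID, and, for contrast, the string-spliced query it replaces together with a constructed injection string that bypasses the spliced version and is harmless to the parameterized one. The in-memory SQLite store and table layout are assumptions for illustration.

```python
"""Added example (not from the deck): session IDs generated from the OS CSPRNG
and looked up with parameterized queries. The in-memory SQLite store, table
layout and injection string are constructed assumptions for illustration."""
import secrets
import sqlite3


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, user TEXT NOT NULL)")
    return db


def create_session(db, user):
    """Unique *and* unpredictable: 32 random bytes from the OS CSPRNG, so a
    session cannot be guessed or counted up from a neighbouring value. The
    PRIMARY KEY turns an (astronomically unlikely) collision into an error
    instead of a silent overwrite."""
    sid = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions (sid, user) VALUES (?, ?)", (sid, user))
    return sid


def session_user_unsafe(db, user, sid):
    """The anti-pattern: user and sid spliced into SQL. Kept only to show the
    bypass in demo(); never ship this."""
    row = db.execute(
        f"SELECT user FROM sessions WHERE sid = '{sid}' AND user = '{user}'"
    ).fetchone()
    return row[0] if row else None


def session_user(db, user, sid):
    """Parameterized: both values travel as data, so an injection string is
    just a string that matches no row. The data layer gets the user name AND
    the session ID and checks that they belong together, rather than trusting
    either on its own."""
    row = db.execute(
        "SELECT user FROM sessions WHERE sid = ? AND user = ?", (sid, user)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups against one store; returns the observations as a dict."""
    db = open_store()
    sid = create_session(db, "alice")
    payload = "' OR 1=1 --"   # constructed injection string: closes the quote, comments out the rest
    return {
        "valid": session_user(db, "alice", sid),                 # 'alice'
        "wrong_user": session_user(db, "mallory", sid),          # None: sid and user must match
        "unsafe_bypass": session_user_unsafe(db, "mallory", payload),  # 'alice': spliced query bypassed
        "safe_same_payload": session_user(db, "mallory", payload),     # None: payload is just data
        "sid_len": len(sid),                                     # 43 chars for 32 random bytes
        "ids_differ": sid != create_session(db, "alice"),        # a second login gets a new ID
    }


if __name__ == "__main__":
    print(demo())
```

The `wrong_user` case is the reason for passing both identifiers through every layer: a session ID stolen from one user is useless when the data layer also requires the user name it was issued to.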

26

Unique to the Application Layer
- Security here is defined by business rules
- Support teams work at tier 2, often with elevated access
- Forgotten management interfaces
- Data cross-roads: every layer’s data passes through here


Last Updated: 8th March 2018