An Architect's View of Application Security

32 slides
1.47 MB


Presentation Transcript


An Architect’s View of Application Security
Multi-tiered Systems
Rick Carlin, Security Architect
February 2009


Goals
- Understand how applications fit into a multi-tiered architecture
- Enhance awareness of risk outside the application
- Illustrate 10 basic principles to mitigate application security risks


What is a Multi-tiered System (MTS)?
MTS is a layered architecture that meets a business need, consisting of:
- Presentation layer
- Application layer
- Messaging layer (for multi-DB systems)
- Data layer
- Network layer (interconnections)


Risk: Tunnel Vision
Multi-tiered architectures are put together by teams, each with their unique vision for the system:
- System administrators
- Database administrators
- Developers
- Quality Assurance
- Security analysts
- Marketing Communications
- Web masters
- Business Analysts
- Help Desk
- Business Units
- Legal
- Compliance
- Human Resources
- Project Managers


Risk: Ownership
- We are hampered in securing “the system” because of ownership issues for “our system”, which is a single component in the MTS.
- There is often no responsibility for “System Security”, which includes each layer, the interconnections and the enterprise services.


Other Risks to MTS
- Vulnerabilities in systems
- Vulnerabilities in applications
- Vulnerabilities in networks
- Vulnerabilities in design
- Vulnerabilities in enterprise services
- External threats
- Internal threats


Mitigating Risk
Reduce the “attack surface” through:
- System design
- Layered security
- Consistent processes
- Application of security principles (GASP)


1. Separation of Networks
- No direct traffic from external to internal networks (zones)
- Routers and switches don’t maintain state!
- “Deny all that is not explicitly allowed”


2. Isolated Network (DMZ)
- Buffer network between external and internal networks
- “Presents” the system to the user
- Do not mix production and test networks


3. Sterile Environment
- Treat DMZ systems as unsafe
- Practice good housekeeping (debugs, dumps, temporary files…)
- Secrets are hard to keep


4. No RA to Mgmt Systems
- Many applications offer administrative controls directly via the presentation layer (port, URL, etc.)
- Network or server remote access should be blocked (ssh, telnet, pca, rdp, http, etc.)
- Only allow this access via authenticated, secure RA services (IPSec, VPN, SSL-VPN)


5. Lockdown before exposure
- Require Dev, QA, SA and Sec to complete testing from documented processes
- Require an approval process to place a system in the DMZ
- Accept “residual risk” and authorize system operation in writing


6. Least Access
- Access granted at the minimum level required
- Practice at system and network level
- Document and restrict use of built-in accounts


7. Least Use
- Servers only used for one purpose
- Remove unused services and applications
- Example: the web server is not the SMTP server


8. O.S. Isolation
- Never install applications on the operating system partition
- Use native ACLs on application directories
- No parent paths in applications


9. Monitoring
- Use IDS/IDP
- Offload logs to a central repository
- Custom apps need to generate logs
- Understand what’s going on: situational awareness


10. Encrypted Data Transfer
- Understand what data is in your system
- Use standard encryption protocols for data in transit (SSL/TLS)
- End-to-end encryption (transit to rest)


Enterprise Services
- DNS
- Time
- Patching
- Anti-Virus
- Logging
- Management
- Authentication
- Code deployment


The Application Interface
- Don’t trust input!
- Always perform input validation and bounds checking
- Never trust the client!


Layer Interconnections
- Use discrete channels
- Firewalls track state
- End-to-end encryption requires a change to host IDS
- Don’t reinvent the encryption wheel


Unique to Presentation
- Authentication should occur at this layer
- Debugging: monitor for use
- No dynamic data calls!
- Point of attack if everything else is set up properly


Tracking the User
- Parameterize the user name
- Ensure uniqueness of the session ID
- Parameterize the session ID
- Pass username and session ID through successive layers
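The two slides “The Application Interface” and “Tracking the User” can be shown together in code: the presentation layer validates and bounds-checks what the client sends, the session ID is generated from a CSPRNG so it is unguessable and unique, and both the username and the session ID are bound as query parameters when they cross into the data layer rather than being concatenated into SQL. This is an added illustration, not code from the deck; the sqlite schema, the regexes and the username rules are assumptions.

```python
import re
import secrets
import sqlite3
from typing import Optional

# Constructed in-memory store standing in for the data layer (hypothetical schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, username TEXT NOT NULL)")

# Assumed input rules: bounded length and character set, checked before any tier crossing.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
SESSION_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # secrets.token_urlsafe(32) yields 43 chars


def validate_username(username: str) -> str:
    """Presentation layer: input validation and bounds checking on client-supplied data."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def new_session(username: str) -> str:
    """Create a session whose ID comes from the OS CSPRNG; the PRIMARY KEY enforces uniqueness."""
    username = validate_username(username)
    for _ in range(3):   # retry on the (practically impossible) collision
        sid = secrets.token_urlsafe(32)
        try:
            # Username bound as a parameter: "parameterize the user name".
            conn.execute("INSERT INTO sessions VALUES (?, ?)", (sid, username))
            conn.commit()
            return sid
        except sqlite3.IntegrityError:
            continue
    raise RuntimeError("could not allocate a unique session id")


def lookup_session(session_id: str) -> Optional[str]:
    """Application layer: the session ID passed down from the presentation layer is
    validated against its expected shape, then bound as a parameter, never concatenated."""
    if not isinstance(session_id, str) or not SESSION_RE.fullmatch(session_id):
        return None
    row = conn.execute(
        "SELECT username FROM sessions WHERE session_id = ?", (session_id,)
    ).fetchone()
    return row[0] if row else None
```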


Unique to Application
- Security is defined by business rules
- Support teams at tier 2
- Forgotten management interfaces
- Data cross-roads


Last Updated: 8th March 2018