L1 - Introduction to Applications Security Flashcards
Core Principles of Information Security
C: Confidentiality - Ensures that only authorized individuals are able to view information
I: Integrity - Ensures that only authorized individuals are able to change (delete) information
A: Availability - Ensures that the data, or the system is available to authorized individuals when required
CIA Extensions
A: Authenticity - Ability to verify a sender had sent the message to recipient
N: Non-repudiation - Either party cannot deny that they did not send or receive the message
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.
Threat
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
Protection Equation
Protection = Prevention + (Detection + Response)
Examples of Preventive Measures
Access Controls, Firewalls, Encryption
Examples of Detection Measures
Audit logs, intrusion detection systems
Examples of Responsive Measures
Backups, Incident Response Teams, Computer Forensics
Securing Network
Router - Routers are your outermost network ring. They channel packets to ports and protocols that your application needs. Common TCP/IP vulnerabilities are blocked at this ring.
Firewall - The firewall blocks those protocols and ports that the application does not use. Additionally, firewalls enforce secure network traffic by providing application-specific filtering to block malicious communications.
Switch - Switches are used to separate network segments. They are frequently overlooked or overtrusted
Preventive Measures
- Host
– Firewall
– Hardening
– Secure Accounts
– Log activities
– Data Protection - Web App
– Write Secure code
– Data Protection
– Testing
Detective Measures
- Host
– IDS (inspect log files) - Web App
– ? Hint : Entry points
– Anti bot (Captcha)
– Account lockout
– Authentication mechanism
Securing Host
Patches and Updates - When new vulnerabilities are discovered, exploit code is frequently posted on Internet within hours of the first successful attack. Patching and updating your server’s software is the first step toward securing the server.
Services - The service set is determined by the server role and the applications it hosts. By disabling unnecessary and unused services, you quickly and easily reduce the attack surface area.
Protocols - To reduce the attack surface area and the avenues open to attackers, disable any unnecessary or unused network protocols.
Accounts - The number of accounts accessible from a server should be restricted to the necessary set of service and user accounts. Additionally, you should enforce appropriate account policies,such as mandating strong passwords.
Files and Directories - Files and directories should be secured with restricted NTFS permissions or perform necessary encryption.
Shares - All unnecessary file shares, including the default administration shares if they are not required, should be removed. Secure the remaining shares with restricted NTFS permissions.
Ports - Services running on a server listen on specific ports to serve incoming requests. Open ports on a server must be known and audited regularly to make sure that an insecure service is not listening and available for communication.
Auditing and Logging - Auditing is a vital aid in identifying intruders or attacks in progress. Logging proves particularly useful as forensic information when determining how an intrusion or attack was performed.
Securing your application
Input Validation - How do you know that the input that your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
Authentication - “Who are you?” Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization - “What can you do?” Authorization is how your application provides access controls for resources and operations.
Configuration Management - Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Sensitive Data - Sensitive data refers to how your application handles any data that must be protected either in memory, over the wire, or in persistent stores.
Cryptography - How are you keeping secrets, secret (confidentiality)? How are you tamperproofing your data or libraries (integrity)? Cryptography refers to how your application enforces confidentiality and integrity.
Parameter Manipulation- Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers to both how your application safeguards tampering of these values and how your application processes input parameters.
Exception Management - When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Auditing and Logging - Who did what and when? Auditing and logging refer to how your application records security-related events.
SDLC
The Software development life cycle (SDLC) is a structure imposed on the development of a software product
Traditional SDLC:
– Requirements
– Design
– Implementation
– Testing
– Deployment
– Maintenance
SDLC Secure Software Requirements
– Confidentiality (e.g. all data in transit must be encrypted)
– Integrity (e.g. all input must be validated against a set of allowable input)
– Availability (e.g. availability must be 99.9999%)
– Authentication (e.g. must have 2 or more factor of authentication)
– Authorization (e.g. access to secret files restricted to users with secret or top secret clearance)
– Audit/Logging (e.g. audit logs must be kept for 3 years)
– Session Management (e.g. session id must be encrypted)
– Errors and Exception Management (e.g. all exceptions are to be explicitly handled)
