AppliSec

Manu Cohen Yashar

November 2006 - Posts

Application security 10 Commandments

Many people ask "what should I do to implement Application Security?"

Well, it is not so simple, but to make a long story short, you should do the following:

  1. Create a threat modeling document.
  2. Make sure you take care of the following issues:
     - Input Validation: map all your inputs and make sure every input coming from an untrusted source is properly validated.
     - Authentication: users are properly authenticated, and the authentication ticket is properly handled.
     - Authorization: the right to perform an action is granted to the correct user, and authorization is enforced with a secure technology.
     - Configuration Management: configuration information is well secured, as it holds highly sensitive data.
     - Sensitive Data: define which data is sensitive in the application context.
     - Session Management: make sure the session data is well protected.
     - Cryptography: use the correct cryptographic algorithm, and use cryptography only when needed.
     - Parameter Manipulation: parameters that the application uses and transfers between modules and the UI are properly secured.
     - Exception Management: exception information is properly sanitized and logged.
     - Auditing and Logging: information about the application runtime state is logged to enable monitoring, and proper tools are supplied for querying this information.
  3. Perform security testing.
  4. Make sure your product is properly deployed.
  5. Communicate security issues with your customers.

manu

The truth about Application Security

There is a problem with Application Security today: it is really in bad shape.

As a security consultant, my customers are software companies that develop products for other companies to use.
Those companies use the products to supply services to their final customers. If there are security issues, those customers are the ones who actually suffer.

Today awareness of security is rising, but most people still believe that security lives somewhere between the OS and the firewall. Application Security is unknown and untouched. The result is no surprise: many products are dangerously insecure, and breaches are everywhere.

If you supply a service to a customer, you do not want to raise his awareness of security, especially when you know that you use insecure products.
The result is silence – you know there is a problem, but you do not say or do anything.

As a software developer, you do not want to raise your customers' awareness of security either.
You know that for years you have created insecure products, but nobody has to know about this…
Starting to develop secure products takes a great deal of effort. If your customers see that you are suddenly investing in security, they will immediately understand that the product they just bought from you is insecure.
The result again is silence – you know there is a problem, but you do not say or do anything.

But attacks happen…
For exactly this situation, the idea of "insurance" was invented.
Instead of dealing with the problem, everybody insures themselves.

The final customer does not want to know that there is a problem. He is happy with the silence around him. If he happens to think about it for a minute, the thought immediately disappears when he is told he is insured.

Let us take the credit card business as an example.
Your credit card number is everywhere! You give it to the attendant at the gas station who fuels your car, or to the young waitress in the restaurant, not to mention internet shopping…
For that reason they tell you to check your monthly bill.
You know that credit card theft happens, but there is insurance. We are happy to pay the insurance fee and not deal with the security problem.

Application security is something new.
Nobody really understands it or can tell you exactly how much it will cost.
Application security is not easy, especially when dealing with legacy code.
Application security is a huge challenge for management, architects, developers and testers.

It is no surprise that most managements decide not to invest in it.
The insurance solution looks much easier and cheaper…

As security professionals we understand that this situation must change.
How do we do it? This is a great question for us to answer.
We need to give management an answer when they ask us "why bother with Application Security when we are insured?"

And then there is standardization.
Today there is no clear standard that identifies a properly secured application.
If a customer wants to demand a secure product from a vendor, he has to understand the mechanics of security. With standardization he can simply demand a product that follows the standard.
Standardization will give the application security issue a huge push.
I believe that when a proper application security standard exists, we will see many organizations demanding that vendors develop applications that comply with it.

There is a lot to do.

So let us get to work.

manu

Ben Gurion Airport – an example of a security failure

In previous articles I have noted more than once that Application Security requires looking at the system as a whole.

If we secure one place but leave a hole somewhere else, it is as if we had done nothing.

I found an interesting example of this at Ben Gurion Airport.

Many of us are registered for the "fast registration" service. We have a special card that triggers biometric identification using the palm of the hand. The identification itself is performed with advanced and secure technology. But have you noticed what happens right afterwards?

Well, at the end of the identification process the machine produces an Authenticator in the form of a small slip printed on thermal paper. A slip like this can be printed at any corner shop.

We have to show the slip to the border police officers, who are located far from the machine, so they have no idea whether we really used the machine or perhaps produced the slip ourselves.

If, heaven forbid, there is an order barring you from leaving the country, all you have to do in order to leave is learn the structure of the slip (the Authenticator) and produce one yourself.

Then you walk up to the border police officer and, with complete nonchalance, hand her the slip you produced – and you are out!

This is a classic example in which the Authentication process is done nicely, but the Authenticator itself is not protected at all.

And what happens in your application?

Two days ago my sweet daughter was born. On entering the hospital I received a simple wristband (which is also easy to produce at home) that allows me to enter the nursery and take the baby out of it.

At the entrance to the nursery I was astonished to discover that all I had to do was show the dozing guard, from a distance, that I had a band on my wrist.

Nobody knows whether the band is real or not!!! And just like that I entered the most guarded place in the hospital – a failure!

Again, the Authentication process is done nicely, but the Authenticator itself is not protected at all.

And what happens in your application?
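The fix in both stories is the same, and as an added example (not part of the original post) here is what a tamper-evident Authenticator looks like in code: the machine that performed the authentication and the distant checkpoint share a secret key, the slip carries an HMAC over its fields together with the traveler's identity and issue time, and the checkpoint accepts only slips it can verify. The key, the field names and the function names are assumptions of the example.

```python
# Added example (not from the original post): a tamper-evident "slip".
# The kiosk that performed the authentication and the distant checkpoint share
# a secret key. The slip carries its fields plus an HMAC over them, so a slip
# produced elsewhere, altered, or presented by someone else fails verification.
import base64
import hashlib
import hmac
import json

# Constructed key for the example; in practice it is provisioned out of band
# to the kiosk and the checkpoint only, and never appears on the slip.
SHARED_KEY = b"example-kiosk-checkpoint-key-not-for-production"
VALIDITY_SECONDS = 30 * 60  # a slip is only good for a short window after issue


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_slip(traveler_id, lane, now, key=SHARED_KEY):
    """Kiosk side: bind the slip to who was authenticated, where and when."""
    payload = {"id": traveler_id, "lane": lane, "iat": int(now)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_slip(slip, presented_id, now, key=SHARED_KEY):
    """Checkpoint side. Returns (accepted, reason); presented_id is read from
    the passport, so a genuine slip handed over by someone else is refused too."""
    try:
        body_b64, tag_b64 = slip.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    payload = json.loads(body)  # only kiosk-signed bytes get this far
    if payload["id"] != presented_id:
        return False, "issued to a different traveler"
    if now - payload["iat"] > VALIDITY_SECONDS:
        return False, "expired"
    return True, "ok"
```

What the HMAC does not solve is a genuine slip being reused by its rightful holder after the officer has already seen it; a checkpoint that needs that guarantee records the slips it has accepted and refuses a second presentation.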

Manu Cohen-Yashar

What is application security

Application Security

There is no doubt that today's applications must be secure. We live in a world of data and communications, in which the most valuable asset is information.

Everybody knows that valuable assets must be protected.

Security standards are created to ensure that products implement security measures to protect their data.

Security is an "all-inclusive" term, which means it must be implemented "everywhere", at all levels:

Users: train your users and build awareness to help them reduce the risk of performing irresponsible actions that an attacker could exploit.

Infrastructure: firewalls, network administration, host and server hardening, network traffic encryption, etc.

Application: authentication, authorization, input validation, encryption, configuration management, parameter manipulation, auditing, error handling, etc.

The application must be designed and implemented with security issues in mind. We have to remember that the attacker needs to find just one security breach, while we have to protect everywhere.

Leaving one of the above levels unhandled results in a completely insecure product.

Application security is not just another feature. You cannot just turn it on.

Application security demands a lot of thinking. A lot of design work must be done, and many concrete actions must follow in every phase of the development cycle.

To bring application security into your product, a known and tested methodology must be followed.

Many issues must be taken into consideration, so checklists, published guidance and tools must be used.

Bringing application security into your development cycle is a great management and technological challenge.

manu