Wednesday, March 12, 2008

Understanding Web Application Security Challenges

Inception - Defining Security Requirements

1) Application Environment:

* Identify, understand and accommodate your organization's security policies.

* Recognize infrastructure restrictions, such as services, protocols and firewalls.

* Identify hosting environment restrictions (e.g., virtual private network [VPN], sandboxing).

* Define the application deployment configuration.

* Define network domain structures, clustering and remote application servers.

* Identify database servers.

* Identify which secure communication features the environment supports.

* Address Web farm considerations (including session state management, machine-specific encryption keys, SSL, certificate deployment issues and roaming profiles). If the application uses SSL, identify the certificate authority (CA) and types to be used.

* Address required scalability and performance criteria.

* Investigate the code trust level.

2) Input/Data validation and authentication:

* Assume that all client input is potentially dangerous.

* Identify all trust boundaries, and identify the accounts and/or resources that cross those boundaries.

* Define account management policies and a least-privileged accounts policy.

* Specify requirements for strong passwords and enforcement measures.

* Encrypt user credentials using SSL, VPN, IPsec or the like, and ensure that authentication information (e.g., tokens, cookies, tickets) will not be transmitted over non-encrypted connections.

* Ensure that minimal error information will be returned to the client in the event of authentication failure.

3) Session Management:

* Limit the session lifetime.

* Protect the session state from unauthorized access.

* Ensure that session identifiers are not passed in query strings.
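The three session-management requirements above, worked into a small server-side session store. This is an added example, not code from the original post; the timeout values, cookie name and function names are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumed values for this example (not from the original post).
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity
COOKIE_NAME = "sid"


class SessionStore:
    """Server-side session store keyed by an opaque random identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._sessions = {}

    def create(self, user):
        # 256 bits from the OS CSPRNG: unguessable and carries no user data.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def set_cookie_header(self, sid):
        # The id travels only in a cookie: HttpOnly keeps it from page scripts,
        # Secure keeps it off plaintext connections, SameSite limits cross-site sends.
        return (f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict; "
                f"Max-Age={IDLE_TIMEOUT}")

    def resolve(self, cookie_header):
        """Return the session for a request, or None. Only the Cookie header is read."""
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get(COOKIE_NAME)
        if morsel is None:
            return None
        sess = self._sessions.get(morsel.value)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[morsel.value]   # expired: drop it server-side too
            return None
        sess["last_seen"] = now
        return sess


def session_id_in_query(query_string):
    """True if a request carries the session id in its query string, which this design
    refuses: URLs end up in server logs, browser history and Referer headers."""
    return COOKIE_NAME in parse_qs(query_string)
```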
