ColdFusion Security and
                         Risk Management
                         Justin Mclean
                  ...
Who am I?
                     • Director of Class Software for 10 years
                     • Developing and creating we...
Security
                     •   No system is 100% secure
                     •   Security takes time and effort and can...
Risk Assessment
                         Risk assessment is a tool used to balance
                         business objec...
Process
                     1. Identify assets
                     2. Identify and quantify the possible threats
       ...
Frequency
                     • This is not a once off process
                     • Repeat when:
                      ...
Identify Assets
                     • Create list of assets
                       • Hardware
                       • Av...
Identify Threats
                     •   Create a list of threats
                     •   Be creative include unlikely t...
How likely is each threat?




                                                  gh
                                     e...
How likely is each threat?




                                                  gh
                                     e...
How likely is each threat?




                                                  gh
                                     e...
How likely is each threat?




                                                  gh
                                     e...
How likely is each threat?




                                                  gh
                                     e...
How likely is each threat?




                                                  gh
                                     e...
How likely is each threat?




                                                  gh
                                     e...
Consequence of each threat?



                                         t
                                      an



    ...
Consequence of each threat?



                                         t
                                      an



    ...
Consequence of each threat?



                                         t
                                      an



    ...
Consequence of each threat?



                                         t
                                      an



    ...
Consequence of each threat?



                                         t
                                      an



    ...
Consequence of each threat?



                                         t
                                      an



    ...
Risk
                     • Risk is a combination of frequency and
                         consequence
                  ...
Risk
                                                               Consequence
                                       Ins...
Acceptable Risk
                     • Set level of acceptable risk
                     • Assign priorities for each thre...
Priorities
                     •   A required risk > actual risk + 1 level
                     •   B required risk = act...
Treatments
                     •   Minimisation of harm
                     •   Change of service or system specificatio...
Effort and Cost
                     • May be many ways to treat a single threat
                     • Amount of effort o...
Election System
                         Student election system for the
                         University of Technology...
Student Election System

Tuesday, 27 April 2010
Server Configuration
                     • Run with minimal down time
                     • Perform well under load
    ...
Server Treatment
                     • Staging/production system
                     • Not a shared server
             ...
Network Issues
                     • Occasional network outages
                     • Occasional slow access from outsid...
Network Treatment
                     • Ability to change the end date after an election
                         has sta...
SQL Security Issues
                     • SQL injection attacks
                     • Sensitivity of data
              ...
SQL Security Treatment
                     • Multiple data sources
                     • Multiple database users
       ...
Datasource Options

Tuesday, 27 April 2010
Multiple Database Users
                     • Table level permissions
                     • SQL operation permissions


...
SQL Permissions
                     • Deny all to all users to all tables
                     • Add permissions for each...
Deny All
                         deny all on elections to electionvoter,
                         electionadmin, election...
Grant Access
                         grant select on roll to electionvoter,
                         electionadmin;
     ...
Login Issues
                     • Dictionary attacks
                     • Timing attacks
                     • Storin...
Login Treatment
                     • Account lock out if password wrong x times
                     • Random time delay...
Java Sleep
                  <!--- delay is to hinder timing style attacks --->
                <cfset thread=createObject...
Code Modification
                     • Pages code not modified
                     • Only run trusted pages




Tuesday...
Code Modification Treatment
                     • Finger print each page via MD5
                     • Check finger prin...
onRequest
                        <!--- read the cfm file --->
                     <cftry>
                         <cffi...
Limiting Information
                     •   Assume someone will break into the system
                     •   What info...
Why do this?
                     • Know that you’re spent you budget efficiently
                     • Confidence that y...
Questions?
                         Ask now, see me after the session or email me at
                         justin@class...
Upcoming SlideShare
Loading in...5
×

ColdFusion Security and Risk Management

1,112

Published on

This talk shows how you can via a risk assessment process work out how to minimise risk and what security features you should implement that is cost effective. It then shows how this risk assessment process was applied to a ColdFusion project.

This talk was presented at the cf.Objective() conference in Minneapolis in April 2010.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,112
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

ColdFusion Security and Risk Management

  1. 1. ColdFusion Security and Risk Management Justin Mclean Email: justin@classsoftware.com Twitter: @justinmclean Blog: http://blog.classsoftware.com Tuesday, 27 April 2010
  2. 2. Who am I? • Director of Class Software for 10 years • Developing and creating web applications for 15 years • Programming for 25 years • Adobe Community Professional • Adobe certified developer and trainer in ColdFusion and Flex • Based in Sydney Australia Tuesday, 27 April 2010
  3. 3. Security • No system is 100% secure • Security takes time and effort and can be costly • How much security is actually needed? • Is a security feature actually effective? Tuesday, 27 April 2010
  4. 4. Risk Assessment Risk assessment is a tool used to balance business objectives and security requirements in order to achieve cost effective security measures. Tuesday, 27 April 2010
  5. 5. Process 1. Identify assets 2. Identify and quantify the possible threats 3. Determine the consequence of each threat 4. Evaluate the current risk 5. Decide acceptable level of risk 6. Treat each risk Tuesday, 27 April 2010
  6. 6. Frequency • This is not a once off process • Repeat when: • System is in place • Changes are made to the system or assets • Made aware of new threats Tuesday, 27 April 2010
  7. 7. Identify Assets • Create list of assets • Hardware • Availability of service • Integrity of information • Reputation of system and/or organisation • Staff Tuesday, 27 April 2010
  8. 8. Identify Threats • Create a list of threats • Be creative include unlikely threats • Tendency to ignore obvious threats • Careful of preconceived attitudes Tuesday, 27 April 2010
  9. 9. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  10. 10. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  11. 11. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  12. 12. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  13. 13. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  14. 14. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  15. 15. How likely is each threat? gh e w ibl me m Lo Hi glig diu tre gh ry ry w Ne Me Lo Ex Ve Ve Hi Occurs coupleevery times asix5 years OccursOccurstime six months OccursUnlikelyof every year Occurs once times a months Occurs everyoccur month a couple to month multiple Occurs multipletimes in day Tuesday, 27 April 2010
  16. 16. Consequence of each threat? t an t g can gin i fic us r ave ma nifi ign rio no Da Ins Gr Sig Mi Se Serious.No extra effort outageSystem of Few people notice. Small effortor loss Loss of harm. compromised. repair. SomeExtend Some effort to to repair Completely system to repairMajor confidence/reputation. permanently closed or offline. effort to repair. customers. Tuesday, 27 April 2010
  17. 17. Consequence of each threat? t an t g can gin i fic us r ave ma nifi ign rio no Da Ins Gr Sig Mi Se Serious.No extra effort outageSystem of Few people notice. Small effortor loss Loss of harm. compromised. repair. SomeExtend Some effort to to repair Completely system to repairMajor confidence/reputation. permanently closed or offline. effort to repair. customers. Tuesday, 27 April 2010
  18. 18. Consequence of each threat? t an t g can gin i fic us r ave ma nifi ign rio no Da Ins Gr Sig Mi Se Serious.No extra effort outageSystem of Few people notice. Small effortor loss Loss of harm. compromised. repair. SomeExtend Some effort to to repair Completely system to repairMajor confidence/reputation. permanently closed or offline. effort to repair. customers. Tuesday, 27 April 2010
  19. 19. Consequence of each threat? t an t g can gin i fic us r ave ma nifi ign rio no Da Ins Gr Sig Mi Se Serious.No extra effort outageSystem of Few people notice. Small effortor loss Loss of harm. compromised. repair. SomeExtend Some effort to to repair Completely system to repairMajor confidence/reputation. permanently closed or offline. effort to repair. customers. Tuesday, 27 April 2010
  20. 20. Consequence of each threat? t an t g can gin i fic us r ave ma nifi ign rio no Da Ins Gr Sig Mi Se Serious.No extra effort outageSystem of Few people notice. Small effortor loss Loss of harm. compromised. repair. SomeExtend Some effort to to repair Completely system to repairMajor confidence/reputation. permanently closed or offline. effort to repair. customers. Tuesday, 27 April 2010
  21. 21. Consequence of each threat? t an t g can gin i fic us r ave ma nifi ign rio no Da Ins Gr Sig Mi Se Serious.No extra effort outageSystem of Few people notice. Small effortor loss Loss of harm. compromised. repair. SomeExtend Some effort to to repair Completely system to repairMajor confidence/reputation. permanently closed or offline. effort to repair. customers. Tuesday, 27 April 2010
  22. 22. Risk • Risk is a combination of frequency and consequence • The more likely a threat will occur increases risk • The more serious a threat increases risk Tuesday, 27 April 2010
  23. 23. Risk Consequence Insignificant Minor Significant Damaging Serious Grave Negligible Nil Nil Nil Nil Nil Nil Very Low Nil Low Low Low Medium Medium Low Nil Low Medium Medium High High Threat Medium Nil Low Medium High High Critical High Nil Medium High High Critical Extreme Very High Nil Medium High Critical Extreme Extreme Extreme Nil Medium High Critical Extreme Extreme Tuesday, 27 April 2010
  24. 24. Acceptable Risk • Set level of acceptable risk • Assign priorities for each threat based on acceptable risk and risk of threat Tuesday, 27 April 2010
  25. 25. Priorities • A required risk > actual risk + 1 level • B required risk = actual +1 level • C required risk = actual risk • D required risk < actual risk Tuesday, 27 April 2010
  26. 26. Treatments • Minimisation of harm • Change of service or system specifications • Addition of security measures • Reduction of security measures • Transference of risk • Acceptance of risk Tuesday, 27 April 2010
  27. 27. Effort and Cost • May be many ways to treat a single threat • Amount of effort or cost may decide which treatment chosen Tuesday, 27 April 2010
  28. 28. Election System Student election system for the University of Technology Sydney Tuesday, 27 April 2010
  29. 29. Student Election System Tuesday, 27 April 2010
  30. 30. Server Configuration • Run with minimal down time • Perform well under load • Limited external access to server Tuesday, 27 April 2010
  31. 31. Server Treatment • Staging/production system • Not a shared server • Standalone separate machines for database and CF server • No access to production server • Code reviewed by external agency Tuesday, 27 April 2010
  32. 32. Network Issues • Occasional network outages • Occasional slow access from outside Tuesday, 27 April 2010
  33. 33. Network Treatment • Ability to change the end date after an election has started • Date could only be extended not reduced Tuesday, 27 April 2010
  34. 34. SQL Security Issues • SQL injection attacks • Sensitivity of data • Trust and integrity of election results Tuesday, 27 April 2010
  35. 35. SQL Security Treatment • Multiple data sources • Multiple database users • Restrict SQL actions. No deletes and almost no updates few inserts and mainly selects. • Table level permissions Tuesday, 27 April 2010
  36. 36. Datasource Options Tuesday, 27 April 2010
  37. 37. Multiple Database Users • Table level permissions • SQL operation permissions Tuesday, 27 April 2010
  38. 38. SQL Permissions • Deny all to all users to all tables • Add permissions for each SQL operation as needed • Don’t be tempted to give admin user all permissions Tuesday, 27 April 2010
  39. 39. Deny All deny all on elections to electionvoter, electionadmin, electionlogin deny all on candidates to electionvoter, electionadmin, electionlogin; deny all on rolls to electionvoter, electionadmin, electionlogin; deny all on ballots to electionvoter, electionadmin, electionlogin; Tuesday, 27 April 2010
  40. 40. Grant Access grant select on roll to electionvoter, electionadmin; grant update on roll to electionvoter; grant insert on roll to electionadmin; Tuesday, 27 April 2010
  41. 41. Login Issues • Dictionary attacks • Timing attacks • Storing passwords Tuesday, 27 April 2010
  42. 42. Login Treatment • Account lock out if password wrong x times • Random time delay Tuesday, 27 April 2010
  43. 43. Java Sleep <!--- delay is to hinder timing style attacks ---> <cfset thread=createObject("java","java.lang.Thread")> <cfset thread.sleep(300 + int(rand()*21)*10)> Tuesday, 27 April 2010
  44. 44. Code Modification • Pages code not modified • Only run trusted pages Tuesday, 27 April 2010
  45. 45. Code Modification Treatment • Finger print each page via MD5 • Check finger print when page is run via Application onRequest method Tuesday, 27 April 2010
  46. 46. onRequest <!--- read the cfm file ---> <cftry> <cffile action="read" variable="pagecontents" file="#CGI.PATH_TRANSLATED#"> ....... </cftry> <!--- get page from database ---> <cfquery name="dbpage" datasource="#request.datasource#"> select page, hash from pages where page = <cfqueryparam value="#hash(listlast(arguments.page,'/')) #" cfsqltype="cf_sql_varchar"> </cfquery> <!--- check if page exists and page hash is correct ---> <cfif dbpage.recordcount is 1 and hash(pagecontents) is dbpage.hash> <cfinclude template="#arguments.page#"> <cfelse> <cfinclude template="./elections/security.cfm"> </cfif> Tuesday, 27 April 2010
  47. 47. Limiting Information • Assume someone will break into the system • What information can they obtain? • What could they modify? • Limit what they can see • Minimise damage they can do • Log everything Tuesday, 27 April 2010
  48. 48. Why do this? • Know that you’re spent you budget efficiently • Confidence that your system is secure as you need it to be • An understanding of the risks in your system • Minimal or no damage occurs if the worse does happen Tuesday, 27 April 2010
  49. 49. Questions? Ask now, see me after the session or email me at justin@classsoftware.com Tuesday, 27 April 2010
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×