ColdFusion Security and
Risk Management
Justin Mclean
Email: justin@classsoftware.com
Twitter: @justinmclean
Blog: http://...
Who am I?
• Director of Class Software for 10 years
• Developing and creating web applications for 15
years
• Programming ...
Security
• No system is 100% secure
• Security takes time and effort and can be costly
• How much security is actually nee...
Risk Assessment
Risk assessment is a tool used to balance
business objectives and security
requirements in order to achiev...
Process
1. Identify assets
2. Identify and quantify the possible threats
3. Determine the consequence of each threat
4. Ev...
Frequency
• This is not a once off process
• Repeat when:
• System is in place
• Changes are made to the system or assets
...
Identify Assets
• Create list of assets
• Hardware
• Availability of service
• Integrity of information
• Reputation of sy...
Identify Threats
• Create a list of threats
• Be creative include unlikely threats
• Tendency to ignore obvious threats
• ...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
How likely is each threat?
NegligibleVeryLowLow
Medium
High
VeryHighExtreme
Unlikely to occurOccurs a couple of times in 5...
Consequence of each threat?
InsignificantMinor
SignificantDamagingSerious
Grave
No extra effort to repairFew people notice. ...
Consequence of each threat?
InsignificantMinor
SignificantDamagingSerious
Grave
No extra effort to repairFew people notice. ...
Consequence of each threat?
InsignificantMinor
SignificantDamagingSerious
Grave
No extra effort to repairFew people notice. ...
Consequence of each threat?
InsignificantMinor
SignificantDamagingSerious
Grave
No extra effort to repairFew people notice. ...
Consequence of each threat?
InsignificantMinor
SignificantDamagingSerious
Grave
No extra effort to repairFew people notice. ...
Consequence of each threat?
InsignificantMinor
SignificantDamagingSerious
Grave
No extra effort to repairFew people notice. ...
Risk
• Risk is a combination of frequency and
consequence
• The more likely a threat increases risk
• The more serious a t...
Risk
Insignificant Minor Significant Damaging Serious Grave
Negligible Nil Nil Nil Nil Nil Nil
Very Low Nil Low Low Low Medi...
Acceptable Risk
• Set level of acceptable risk
• Assign priorities for each threat based on
acceptable risk and risk of th...
Priorities
• A risk greater than acceptable risk + 1 level
• B risk is acceptable risk + 1 level
• C risk same as acceptab...
Treatments
• Addition of security measures
• Reduction of security measures
• Minimisation of harm
• Change of service or ...
Effort and Cost
• May be many ways to treat a single threat
• Amount of effort or cost may decide which
treatment chosen
M...
Election System
Student election system for the
University of Technology Sydney
Monday, 22 November 2010
Student Election System
Monday, 22 November 2010
Server Configuration
• Run with minimal down time
• Perform well under load
• Limited external access to server
Monday, 22...
Server Treatment
• Staging/production system
• Not a shared server
• Standalone separate machines for database and
CF serv...
Network Issues
• Occasional network outages
• Occasional slow access from outside
Monday, 22 November 2010
Network Treatment
• Ability to change the end date after an election
has started
• Date could only be extended not reduced...
SQL Security Issues
• SQL injection attacks
• Sensitivity of data
• Trust and integrity of election results
Monday, 22 Nov...
SQL Injection
• Most common form of attack
• Malformed form or URL parameters to run evil
SQL statements
• Wrap SQL in met...
SQL Security Treatment
• Multiple data sources
• Multiple database users
• Restrict SQL actions. No deletes and almost no
...
Datasource Options
Monday, 22 November 2010
Multiple Database Users
• Table level permissions
• SQL operation permissions
Monday, 22 November 2010
SQL Permissions
• Deny all to all users to all tables
• Add permissions for each SQL operation as
needed
• Don’t be tempte...
Deny All
deny all on elections to electionvoter,
electionadmin, electionlogin
deny all on candidates to electionvoter,
ele...
Grant Access
grant select on roll to electionvoter,
electionadmin;
grant update on roll to electionvoter;
grant insert on ...
Login Issues
• Dictionary attacks
• Timing attacks
• Storing passwords
Monday, 22 November 2010
Login Treatment
• Account lock out if password wrong x times
• Random time delay
Monday, 22 November 2010
Java Sleep
<!--- delay is to hinder timing style attacks --->
<cfset thread=createObject("java","java.lang.Thread")>
<cfse...
Code Modification
• Pages code not modified
• Only run trusted pages
Monday, 22 November 2010
Code Modification Treatment
• Finger print each page via MD5
• Check finger print when page is run via
Application onReque...
onRequest
<!--- read the cfm file --->
<cftry>
<cffile action="read" variable="pagecontents"
file="#CGI.PATH_TRANSLATED#">...
Limiting Information
• Assume someone will break into the system
• What information can they obtain?
• What could they mod...
Why do this?
• Know that you’re spent you budget efficiently
• Confidence that your system is secure as it needs
to be
• A...
Questions?
Ask now, see me after the session,
follow me on twitter @justinmclean
or email me at justin@classsoftware.com
M...
Upcoming SlideShare
Loading in...5
×

ColdFusion Security and Risk Management

1,000

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,000
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

ColdFusion Security and Risk Management

  1. 1. ColdFusion Security and Risk Management Justin Mclean Email: justin@classsoftware.com Twitter: @justinmclean Blog: http://blog.classsoftware.com Monday, 22 November 2010
  2. 2. Who am I? • Director of Class Software for 10 years • Developing and creating web applications for 15 years • Programming for 25 years • Adobe Community Professional • Adobe certified developer and trainer in ColdFusion and Flex • Based in Sydney Australia Monday, 22 November 2010
  3. 3. Security • No system is 100% secure • Security takes time and effort and can be costly • How much security is actually needed? • Is a security feature actually effective? Monday, 22 November 2010
  4. 4. Risk Assessment Risk assessment is a tool used to balance business objectives and security requirements in order to achieve cost effective security measures. Monday, 22 November 2010
  5. 5. Process 1. Identify assets 2. Identify and quantify the possible threats 3. Determine the consequence of each threat 4. Evaluate the current risk 5. Decide acceptable level of risk 6. Treat each risk Monday, 22 November 2010
  6. 6. Frequency • This is not a once off process • Repeat when: • System is in place • Changes are made to the system or assets • Made aware of new threats Monday, 22 November 2010
  7. 7. Identify Assets • Create list of assets • Hardware • Availability of service • Integrity of information • Reputation of system and/or organisation • Staff Monday, 22 November 2010
  8. 8. Identify Threats • Create a list of threats • Be creative include unlikely threats • Tendency to ignore obvious threats • Careful of preconceived attitudes Monday, 22 November 2010
  9. 9. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  10. 10. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  11. 11. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  12. 12. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  13. 13. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  14. 14. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  15. 15. How likely is each threat? NegligibleVeryLowLow Medium High VeryHighExtreme Unlikely to occurOccurs a couple of times in 5 yearsOccurs couple time every six monthsOccurs once every yearOccurs every six monthsOccurs every monthOccurs multiple times a monthOccurs multiple times a day Monday, 22 November 2010
  16. 16. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  17. 17. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  18. 18. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  19. 19. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  20. 20. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  21. 21. Consequence of each threat? InsignificantMinor SignificantDamagingSerious Grave No extra effort to repairFew people notice. Small effort to repairLoss of confidence/reputation. Major effort to repair. Some harm. Some effort to repair.Serious. Extend system outage or loss of customers. Completely compromised. System permanently closed or offline. Monday, 22 November 2010
  22. 22. Risk • Risk is a combination of frequency and consequence • The more likely a threat increases risk • The more serious a threat increases risk Monday, 22 November 2010
  23. 23. Risk Insignificant Minor Significant Damaging Serious Grave Negligible Nil Nil Nil Nil Nil Nil Very Low Nil Low Low Low Medium Medium Low Nil Low Medium Medium High High Medium Nil Low Medium High High Critical High Nil Medium High High Critical Extreme Very High Nil Medium High Critical Extreme Extreme Extreme Nil Medium High Critical Extreme Extreme Consequence Threat Monday, 22 November 2010
  24. 24. Acceptable Risk • Set level of acceptable risk • Assign priorities for each threat based on acceptable risk and risk of threat Monday, 22 November 2010
  25. 25. Priorities • A risk greater than acceptable risk + 1 level • B risk is acceptable risk + 1 level • C risk same as acceptable risk • D risk less than acceptable risk • Aim to do all of A,B and C priorities • Do D priorities if you have time and budget Monday, 22 November 2010
  26. 26. Treatments • Addition of security measures • Reduction of security measures • Minimisation of harm • Change of service or system specifications • Transference of risk • Acceptance of risk Monday, 22 November 2010
  27. 27. Effort and Cost • May be many ways to treat a single threat • Amount of effort or cost may decide which treatment chosen Monday, 22 November 2010
  28. 28. Election System Student election system for the University of Technology Sydney Monday, 22 November 2010
  29. 29. Student Election System Monday, 22 November 2010
  30. 30. Server Configuration • Run with minimal down time • Perform well under load • Limited external access to server Monday, 22 November 2010
  31. 31. Server Treatment • Staging/production system • Not a shared server • Standalone separate machines for database and CF server • No access to production server • Code reviewed by external agency Monday, 22 November 2010
  32. 32. Network Issues • Occasional network outages • Occasional slow access from outside Monday, 22 November 2010
  33. 33. Network Treatment • Ability to change the end date after an election has started • Date could only be extended not reduced Monday, 22 November 2010
  34. 34. SQL Security Issues • SQL injection attacks • Sensitivity of data • Trust and integrity of election results Monday, 22 November 2010
  35. 35. SQL Injection • Most common form of attack • Malformed form or URL parameters to run evil SQL statements • Wrap SQL in methods with type safe arguments • Cfqueryparam is your friend! Monday, 22 November 2010
  36. 36. SQL Security Treatment • Multiple data sources • Multiple database users • Restrict SQL actions. No deletes and almost no updates few inserts and mainly selects. • Table level permissions Monday, 22 November 2010
  37. 37. Datasource Options Monday, 22 November 2010
  38. 38. Multiple Database Users • Table level permissions • SQL operation permissions Monday, 22 November 2010
  39. 39. SQL Permissions • Deny all to all users to all tables • Add permissions for each SQL operation as needed • Don’t be tempted to give admin user all permissions Monday, 22 November 2010
  40. 40. Deny All deny all on elections to electionvoter, electionadmin, electionlogin deny all on candidates to electionvoter, electionadmin, electionlogin; deny all on rolls to electionvoter, electionadmin, electionlogin; deny all on ballots to electionvoter, electionadmin, electionlogin; Monday, 22 November 2010
  41. 41. Grant Access grant select on roll to electionvoter, electionadmin; grant update on roll to electionvoter; grant insert on roll to electionadmin; Monday, 22 November 2010
  42. 42. Login Issues • Dictionary attacks • Timing attacks • Storing passwords Monday, 22 November 2010
  43. 43. Login Treatment • Account lock out if password wrong x times • Random time delay Monday, 22 November 2010
  44. 44. Java Sleep <!--- delay is to hinder timing style attacks ---> <cfset thread=createObject("java","java.lang.Thread")> <cfset thread.sleep(300 + int(rand()*21)*10)> Monday, 22 November 2010
  45. 45. Code Modification • Pages code not modified • Only run trusted pages Monday, 22 November 2010
  46. 46. Code Modification Treatment • Finger print each page via MD5 • Check finger print when page is run via Application onRequest method Monday, 22 November 2010
  47. 47. onRequest <!--- read the cfm file ---> <cftry> <cffile action="read" variable="pagecontents" file="#CGI.PATH_TRANSLATED#"> ....... </cftry> <!--- get page from database ---> <cfquery name="dbpage" datasource="#request.datasource#"> select page, hash from pages where page = <cfqueryparam value="#hash(listlast(arguments.page,'/')) #" cfsqltype="cf_sql_varchar"> </cfquery> <!--- check if page exists and page hash is correct ---> <cfif dbpage.recordcount is 1 and hash(pagecontents) is dbpage.hash> <cfinclude template="#arguments.page#"> <cfelse> <cfinclude template="./elections/security.cfm"> </cfif> Monday, 22 November 2010
  48. 48. Limiting Information • Assume someone will break into the system • What information can they obtain? • What could they modify? • Limit what they can see/use • Minimise damage they can do • Log everything Monday, 22 November 2010
  49. 49. Why do this? • Know that you’re spent you budget efficiently • Confidence that your system is secure as it needs to be • An understanding of the risks in your system • Minimal damage occurs if the worse does happen Monday, 22 November 2010
  50. 50. Questions? Ask now, see me after the session, follow me on twitter @justinmclean or email me at justin@classsoftware.com Monday, 22 November 2010
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×