Operational Security: Impact on Developing Secure Applications

OPERATIONAL SECURITY IMPACT ON DEVELOPING SECURE APPLICATIONS OWASP Belgium 20/11/2007 – Patrick Debois

A Common Enterprise Pattern It works on my PC

Pattern Name & Known As Also know As Me developer, you operational You developer, me operational

Intent and Motivation Intent No communications means faster to production No communications means less dependency Motivation Doing things faster gives us more time for other things

Applicability Applicability Separated groups between projects and operations Typically waterfall oriented project environments Operational environments without developers knowledge Developers without operational environment knowledge

Participants People Developers Try to please their project manager Project Managers Try to push the new application to production Operational people Try to please their operations manager Operations Managers Try to control the situation, avoid problems Product New Application Existing Operational environment

Structure Project Test Phase: (Clash 1) Project has to delivered new functionality Test environment is different from operational. Production Phase: (Clash 2) Operations take over the application. Maintenance phase: (Clash 3) IT environment changes Operations can’t change and Project Team has left

Types of (None) Collaboration Operational Manager does not allow Operational People to interact with developers. Incidents first. Project Manager avoids the Operational People as they are not reliable as a project resource. Developer do not talk to Operational People because they do not understand the ‘operational domain’ Operational People do not talk to the Developers because they do not understand the ‘development domain’

Creating awareness How it all got started ... And sorry no sample code, I’m not a developer ;-)

In the beginning there was ... A happy developer Working on his application No worried about the enterprise standards Driven to deliver functionality Everybody loved his new application A super-duper Intranet Application Portal system based on His favourite database, application server, framework Fully featured, enduser configurable Spidering content for search engine

Moving the server behind a firewall “We need to move the system to the DMZ to get access from the internet” Identity ALL Ports mail , other websites for spidering TCP Session timeout long idle connections Think reporting services Long application session times / relogin

Moving to 3-tier Architecture “We need to split our one server into three layers: Web, App and database” Identity ALL Ports Also between the servers” TCP Session timeout Impact on the database connection pooling.” Backup & Restore Sync of different backups Static published files, database meta data, Search Data

Moving to HTTP/S (Server) “We need to move to HTTP/S instead of HTTP because the data is confidential” Identify ALL Places for the URL Does the browser know the CA certificate Did you make a redirect for HTTP to HTTP/S for easy transition? Using secure cookies Content in HTML pages , do they refer to the HTTP/S? Bookmarks of endusers

Moving to HTTP/S (Client) “Our data supplier also switched to HTTP/S” HTTP/S is not only about the URL What happens if the certificate has expired from the supplier? Do we need to check the validity of the server certificate What is the CA server of the server certificate Do we need CRL’s or OCSP checking. Do we need a client certificate or a simple username/password?

Moving to SSL to hardware “Switching to SSL overloads the server” Typically a reverse proxy, loadbalancer” Request to application is HTTP and the enduser in HTTP/S . Not anymore relative to request. Proxies can rewrite some HTML Javascript generated URL’s are difficult Using HTTP/1.1 also will help to avoid the Nagle algorithm (short request/lot of negotation overload)

Connecting to a Directory System “Users are complaining that they have to remember all different passwords” Applications attributes not in main directory but still in the own database Profiles need to be synched between directory and local application profile Disable the change password module Be sure that you have a system to manage special users and users that are not in Directory. Directory groups vs. Application groups

Enabling Single-Sign-On “One password is fine , they want it automatically” Reverse Proxy system capable of doing Radius,LDAP, AD, whatever. Either Agent/API. Easier with passing HTTP_Header”. No passwords passed to application mean it can be used for connecting as that user to a backend system Monitoring needs to bypass the login system Some people need to login as different users for different tasks.

Central Authorization “Now that everything passes through our reverse proxy we can decide who has access to what” Does limiting a funtion equals limiting the URL? Problem with parameter based URL’s Some Access control remains in the application (coarse grained) ACL’s group based Central logout vs. Local logout URL’s.

Moving to central Logging “Some people are trying our passwords, we need more logging”. Logging is not about debugging alone. Who did what, when, ... Make it parseable Central database for logging can slow you down. Local logging needs handling. Consider buffering writing these request Performance hit when signing logfiles to avoid tampering

Moving to Mail System “Endusers complain the application send no email anymore” SMTP can go down. By design. Consider queuing it SPAM: set the correct sender Authenticated SMTP for sending Attachments extensions rejected by Antivirus systems.

Using Proxies “All outgoing HTTP traffic now needs to go through our proxy so we can log better and see what’s happening with our bandwith”. JVM’s also have HTTP proxy settings Automatic proxy settings pose problems JVM enduser (applets) Server systems Proxy authentication is not always supported by the app. Consider transparent proxies (problem with auth-n)

Moving to Hardened servers “We just got an audit and our servers are too open and we have to harden them.” Not all services are needed (not default) Filesystem security (read/write) X-Server (older JVM image creations) JVM Hardening Security policies Database Hardening (SQL, Create)

Moving to Intrusion Detection “We have a process called abc123. Can you tell me if this is normal? It tries to connect to the internet all the time but we have the proxy so it fills up the logs.” DEV: “Here is my list of Host: Processes, owner, checksum of the binary Network: Ports listening, opened, closed, binding Processes: that should be running always and the periodic jobs

Moving to Host based firewalls “We want to avoid that if one webserver breaks in our DMZ that others are not protected”. Incoming connections Reverse Proxy only Outgoing connections Limit by using an outgoing proxy, mailserver , relay

Desktop Security “Some users complain they can’t install the new application” Enterprise GPO’s, Enduser at Home Browser settings No popups, noJavascript, plugins Strict SSL checking Local admin permissions Install java, JNLP Proxy settings Autoconfig settings browser vs. JVM

Security Patches “We need to install some security patches and our firewall will not help” Server OS Loadbalancer, Reverse Proxy, Proxy JVM (server , client) Client OS Browser, Plugins Web, App, Database server

Credential Changing “A new policy requires to change credentials regulary” Think passwords, pins, certificates Also check Start/Stop Scripts, Batch Jobs, Backup Web, Application server, Database server, Mail Password policy impact Pins for certificate stores, Keys Impact on monitoring user, admin users Application framework files (hibernate, jdbc, ...) How can we limit downtime for this?

And there is more ... Application Firewalls Filter Posts & Gets & Cookies Length of parameters (GET vs. POST) Secure computing BIOS protection , hardware integrity Application server integrated with OS (Weblogic) NAC systems virus check + patches before entering the network ...

Closing the GAP After the awareness it is time to act!

Solutions Process: Interact more often (Think Agile/Scrum, No Waterfall!) Scope of Done = not only deployed but also in operations OPS on the project team, DEV in operations Products: Virtualisation, Automated deployments, Server installs Different environments (Acceptance, Test, Integration ...) Increase the ‘Refactoring’ sysadmin toolkit People: Get together, Invite a friend ;-) Train them in the other knowledge domain (DEV/OPS)

Any questions, suggestions? Thanks!

Operational Security: Impact on Developing Secure Applications

by Patrick Debois on Dec 08, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 4

Statistics

Operational Security: Impact on Developing Secure Applications — Presentation Transcript

http://www.slideshare.net	3
http://a0.twimg.com	1