OPERATIONAL SECURITY
IMPACT ON DEVELOPING SECURE APPLICATIONS




        OWASP Belgium 20/11/2007 – Patrick Debois
A Common Enterprise Pattern
 It works on my PC
Pattern Name & Known As

 Also know As
   Me developer, you operational
   You developer, me operational
Intent and Motivation

 Intent
   No communications means faster to production
   No communications means less dependency
...
Applicability

 Applicability
   Separated groups between projects and operations
   Typically waterfall oriented project ...
Participants
   People
    Developers
        Try to please their project manager
    Project Managers
        Try to push...
Structure

 Project Test Phase: (Clash 1)
   Project has to delivered new functionality
   Test environment is different f...
Types of (None) Collaboration
  Operational Manager does not allow Operational
  People to interact with developers. Incid...
Creating awareness
 How it all got started ...


 And sorry no sample code, I’m not a developer ;-)
In the beginning there was ...
   A happy developer
     Working on his application
     No worried about the enterprise s...
Moving the server behind a firewall
 “We need to move the system to the DMZ to get access
 from the internet”
 Identity AL...
Moving to 3-tier Architecture
 “We need to split our one server into three layers: Web,
 App and database”
 Identity ALL P...
Moving to HTTP/S (Server)
 “We need to move to HTTP/S instead of HTTP because
 the data is confidential”
 Identify ALL Pla...
Moving to HTTP/S (Client)
 “Our data supplier also switched to HTTP/S”
 HTTP/S is not only about the URL
   What happens i...
Moving to SSL to hardware
 “Switching to SSL overloads the server”
   Typically a reverse proxy, loadbalancer”
   Request ...
Connecting to a Directory System
 “Users are complaining that they have to remember
 all different passwords”
   Applicati...
Enabling Single-Sign-On
 “One password is fine , they want it automatically”
   Reverse Proxy system capable of doing Radi...
Central Authorization
 “Now that everything passes through our reverse
 proxy we can decide who has access to what”
   Doe...
Moving to central Logging
 “Some people are trying our passwords, we need
 more logging”.
   Logging is not about debuggin...
Moving to Mail System
 “Endusers complain the application send no email
 anymore”
   SMTP can go down. By design.
     Con...
Using Proxies
 “All outgoing HTTP traffic now needs to go through
 our proxy so we can log better and see what’s
 happenin...
Moving to Hardened servers
 “We just got an audit and our servers are too open
 and we have to harden them.”
   Not all se...
Moving to Intrusion Detection
 “We have a process called abc123. Can you tell
 me if this is normal? It tries to connect t...
Moving to Host based firewalls
 “We want to avoid that if one webserver breaks in
 our DMZ that others are not protected”....
Desktop Security
 “Some users complain they can’t install the new
 application”
 Enterprise GPO’s, Enduser at Home
   Brow...
Security Patches
“We need to install some security patches and our
  firewall will not help”
  Server OS
  Loadbalancer, R...
Credential Changing
“A new policy requires to change credentials
  regulary”
  Think passwords, pins, certificates
  Also ...
And there is more ...
 Application Firewalls
       Filter Posts & Gets & Cookies
       Length of parameters (GET vs. POS...
Closing the GAP
 After the awareness it is time to act!
Solutions
 Process:
   Interact more often (Think Agile/Scrum, No Waterfall!)
     Scope of Done = not only deployed but a...
Any questions, suggestions?
 Thanks!
Upcoming SlideShare
Loading in …5
×

Operational Security: Impact on Developing Secure Applications

3,887 views

Published on

As an experienced programmer you are well experienced in applying the OWASP guidelines. At least we hope so ;-) Still we are ainly involved :within the creation of the application during a project phase. But good security management goes beyond that one phase, enter the operational security. Not having programming skills, these operationalunits over the years have created several security layers around the applications. Think firewalls, intrusion detection, prevention, antivirus systems... These server and network oriented security measures more and more influence application deployment and can also benefit from better application integration.
This presentation will show you the impact of f.i. central logmanagement, patch management, identity & access management, loadbalancing, antivirus .. can have on the application deployment and how with little modification of our application it can make a whole world of difference to the security in the trenches. They will be complementary to the OWASP set of guidelines. Also developers will get a better understanding of an additional set of non-functional requirements that are security related.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,887
On SlideShare
0
From Embeds
0
Number of Embeds
31
Actions
Shares
0
Downloads
62
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Operational Security: Impact on Developing Secure Applications

  1. 1. OPERATIONAL SECURITY IMPACT ON DEVELOPING SECURE APPLICATIONS OWASP Belgium 20/11/2007 – Patrick Debois
  2. 2. A Common Enterprise Pattern It works on my PC
  3. 3. Pattern Name & Known As Also know As Me developer, you operational You developer, me operational
  4. 4. Intent and Motivation Intent No communications means faster to production No communications means less dependency Motivation Doing things faster gives us more time for other things
  5. 5. Applicability Applicability Separated groups between projects and operations Typically waterfall oriented project environments Operational environments without developers knowledge Developers without operational environment knowledge
  6. 6. Participants People Developers Try to please their project manager Project Managers Try to push the new application to production Operational people Try to please their operations manager Operations Managers Try to control the situation, avoid problems Product New Application Existing Operational environment
  7. 7. Structure Project Test Phase: (Clash 1) Project has to delivered new functionality Test environment is different from operational. Production Phase: (Clash 2) Operations take over the application. Maintenance phase: (Clash 3) IT environment changes Operations can’t change and Project Team has left
  8. 8. Types of (None) Collaboration Operational Manager does not allow Operational People to interact with developers. Incidents first. Project Manager avoids the Operational People as they are not reliable as a project resource. Developer do not talk to Operational People because they do not understand the ‘operational domain’ Operational People do not talk to the Developers because they do not understand the ‘development domain’
  9. 9. Creating awareness How it all got started ... And sorry no sample code, I’m not a developer ;-)
  10. 10. In the beginning there was ... A happy developer Working on his application No worried about the enterprise standards Driven to deliver functionality Everybody loved his new application A super-duper Intranet Application Portal system based on His favourite database, application server, framework Fully featured, enduser configurable Spidering content for search engine
  11. 11. Moving the server behind a firewall “We need to move the system to the DMZ to get access from the internet” Identity ALL Ports mail , other websites for spidering TCP Session timeout long idle connections Think reporting services Long application session times / relogin
  12. 12. Moving to 3-tier Architecture “We need to split our one server into three layers: Web, App and database” Identity ALL Ports Also between the servers” TCP Session timeout Impact on the database connection pooling.” Backup & Restore Sync of different backups Static published files, database meta data, Search Data
  13. 13. Moving to HTTP/S (Server) “We need to move to HTTP/S instead of HTTP because the data is confidential” Identify ALL Places for the URL Does the browser know the CA certificate Did you make a redirect for HTTP to HTTP/S for easy transition? Using secure cookies Content in HTML pages , do they refer to the HTTP/S? Bookmarks of endusers
  14. 14. Moving to HTTP/S (Client) “Our data supplier also switched to HTTP/S” HTTP/S is not only about the URL What happens if the certificate has expired from the supplier? Do we need to check the validity of the server certificate What is the CA server of the server certificate Do we need CRL’s or OCSP checking. Do we need a client certificate or a simple username/password?
  15. 15. Moving to SSL to hardware “Switching to SSL overloads the server” Typically a reverse proxy, loadbalancer” Request to application is HTTP and the enduser in HTTP/S . Not anymore relative to request. Proxies can rewrite some HTML Javascript generated URL’s are difficult Using HTTP/1.1 also will help to avoid the Nagle algorithm (short request/lot of negotation overload)
  16. 16. Connecting to a Directory System “Users are complaining that they have to remember all different passwords” Applications attributes not in main directory but still in the own database Profiles need to be synched between directory and local application profile Disable the change password module Be sure that you have a system to manage special users and users that are not in Directory. Directory groups vs. Application groups
  17. 17. Enabling Single-Sign-On “One password is fine , they want it automatically” Reverse Proxy system capable of doing Radius,LDAP, AD, whatever. Either Agent/API. Easier with passing HTTP_Header”. No passwords passed to application mean it can be used for connecting as that user to a backend system Monitoring needs to bypass the login system Some people need to login as different users for different tasks.
  18. 18. Central Authorization “Now that everything passes through our reverse proxy we can decide who has access to what” Does limiting a funtion equals limiting the URL? Problem with parameter based URL’s Some Access control remains in the application (coarse grained) ACL’s group based Central logout vs. Local logout URL’s.
  19. 19. Moving to central Logging “Some people are trying our passwords, we need more logging”. Logging is not about debugging alone. Who did what, when, ... Make it parseable Central database for logging can slow you down. Local logging needs handling. Consider buffering writing these request Performance hit when signing logfiles to avoid tampering
  20. 20. Moving to Mail System “Endusers complain the application send no email anymore” SMTP can go down. By design. Consider queuing it SPAM: set the correct sender Authenticated SMTP for sending Attachments extensions rejected by Antivirus systems.
  21. 21. Using Proxies “All outgoing HTTP traffic now needs to go through our proxy so we can log better and see what’s happening with our bandwith”. JVM’s also have HTTP proxy settings Automatic proxy settings pose problems JVM enduser (applets) Server systems Proxy authentication is not always supported by the app. Consider transparent proxies (problem with auth-n)
  22. 22. Moving to Hardened servers “We just got an audit and our servers are too open and we have to harden them.” Not all services are needed (not default) Filesystem security (read/write) X-Server (older JVM image creations) JVM Hardening Security policies Database Hardening (SQL, Create)
  23. 23. Moving to Intrusion Detection “We have a process called abc123. Can you tell me if this is normal? It tries to connect to the internet all the time but we have the proxy so it fills up the logs.” DEV: “Here is my list of Host: Processes, owner, checksum of the binary Network: Ports listening, opened, closed, binding Processes: that should be running always and the periodic jobs
  24. 24. Moving to Host based firewalls “We want to avoid that if one webserver breaks in our DMZ that others are not protected”. Incoming connections Reverse Proxy only Outgoing connections Limit by using an outgoing proxy, mailserver , relay
  25. 25. Desktop Security “Some users complain they can’t install the new application” Enterprise GPO’s, Enduser at Home Browser settings No popups, noJavascript, plugins Strict SSL checking Local admin permissions Install java, JNLP Proxy settings Autoconfig settings browser vs. JVM
  26. 26. Security Patches “We need to install some security patches and our firewall will not help” Server OS Loadbalancer, Reverse Proxy, Proxy JVM (server , client) Client OS Browser, Plugins Web, App, Database server
  27. 27. Credential Changing “A new policy requires to change credentials regulary” Think passwords, pins, certificates Also check Start/Stop Scripts, Batch Jobs, Backup Web, Application server, Database server, Mail Password policy impact Pins for certificate stores, Keys Impact on monitoring user, admin users Application framework files (hibernate, jdbc, ...) How can we limit downtime for this?
  28. 28. And there is more ... Application Firewalls Filter Posts & Gets & Cookies Length of parameters (GET vs. POST) Secure computing BIOS protection , hardware integrity Application server integrated with OS (Weblogic) NAC systems virus check + patches before entering the network ...
  29. 29. Closing the GAP After the awareness it is time to act!
  30. 30. Solutions Process: Interact more often (Think Agile/Scrum, No Waterfall!) Scope of Done = not only deployed but also in operations OPS on the project team, DEV in operations Products: Virtualisation, Automated deployments, Server installs Different environments (Acceptance, Test, Integration ...) Increase the ‘Refactoring’ sysadmin toolkit People: Get together, Invite a friend ;-) Train them in the other knowledge domain (DEV/OPS)
  31. 31. Any questions, suggestions? Thanks!

×