Application Security Fundamentals - Slidepack on "Defense in Depth" by Secure Code Warrior Limited and licensed under CC BY-ND 4.0

1. Defense in Depth
Application Security Fundamentals
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0

2. What’s the concept
about?
Defense in depth aims to increase the
system’s security by using a layered
approach. By increasing the number
of layers, the size of high-risk layers
is reduced and an attacker’s chance of
success is decreased.
What could happen?
In case the system only has a limited
amount of security layers, a compromise
of one layer could result in a full system
compromise. A compromised host in a
flat network for example allows the
attacker access to the entire network.
How to implement it?
Divide the system in multiple layers and
apply security principles to all of them.
Typical layers include: data, application,
host, internal network, perimeter and
physical security. Add compliance
procedures to verify the security for all
layers separately.

3. 1. Sensitive data
is stored
encrypted in the
database
1
Defense in Depth
Understanding the concept
3. Hosts are
patched with the
latest security
updates
3
6. Servers located
in a badge-reader
protected room
6
5. A firewall separates the
internal perimeter from the
internet.
5
7. Security assessments
performed to check
adherence
7
4. The internal network is
segregated into different
zones protected by
firewall rules4
2. The application has extensive
input validation
2
Defense in depth:
layered defense example

4. Defense in Depth
Understanding the concept
An application has implemented
controls against attacks on
multiple levels. On the server,
input is validated to protect
against injection attacks.
The attacker is able to
bypass the validation
check, however, other
controls are in place.
The attacker is able to get root access
on the application server. Because of
the segmented network, his attack is
limited to that system and zone.
The attacker is able to steal
data from the DB but can’t do
anything with them since the
content is encrypted.
Defense in depth:
layered defense
Web application
Network segment
Encrypted
Network segment
Validate

5. Defense in Depth
What could happen with the concept?
A certain application does
not have any security
controls in place. The
web application servers
are part of the main
network of the company.
The attacker injects malicious
code through a vulnerable input
field. He discovers an SQL
injection vulnerability.
The attacker is able to
get root access on the
application server which
he uses to penetrate the
rest of the network.
The attacker is able to steal
contents from the DB which is
easily readable since it is not
encrypted.
Defense in depth:
layered defense
Web application
Network segment
No encryption

6. Defense in Depth
Understanding the concept
An application that is
protecting against injection
attacks handles input at
various levels. Client side
validation protects against
obvious attacks.
At the server side, input is
filtered using framework
validation functions.
The database is
queried using
parameterized queries.
The DB connection user connects
using the least amount of permissions
needed to perform its operations.
Defense in depth
against SQL injection
connection := connect_db(readonly_user)
query := "SELECT balance FROM data WHERE
name = ? ";
pstmt := connection.prepareStatement(query);
pstmt.setParameter(1, validatedCustname);
results := pstmt.executeQuery( );
validatedCustname :=
ESAPI.validateForDB(custname);
Search:
customer
<form … onsubmit="return
validateForm()">
…
</form>
Web application

7. Defense in Depth
What could happen with the concept?
An attacker attacks an
application the only uses
client side validation. No
other protection layers
against code injection are
implemented.
The attacker easily
bypasses weak client
side validation.
The attacker is able to
retrieve user information
from the database.
Since no other controls exist,
the attacker can submit any
malicious code he wants.
query := "SELECT balance FROM data
WHERE name = “ +
validatedCustname;
results := connection.executeQuery( );
Search: customer’;
select info from
user_table; validateCustname; select info from user_table ;
Web application
Defense in depth
against SQL injection
<form … onsubmit="return
validateForm()">
…
</form>

8. Typical controls
Defense in Depth
Data
Application
Host
Internal Network
Perimeter
Physical Security
Policies, Procedures, and
Awareness
Access controls, Encryption,
Backup/restore procedures
Hardening; Authentication, Authorization,
Auditing (AAA); Secure coding (OWASP top
10)
Hardening; Authentication; Patch
management; Antivirus
Network segmentation; IPsec; TLS; NAT
Firewalls, TLS, Denial of service prevention
Guards; Locks; Tracking devices; Badging
system
Password policy; Data classification; Code
review; Usage policy; User awareness

9. Defense in Depth
Typical controls
Data.
Access controls, Encryption, Backup/restore procedures.
Application.
Hardening; Authentication, Authorization, Auditing (AAA); Secure coding.
Host
Hardening; Authentication; Patch management; Antivirus
Internal network
Network segmentation; IPsec; TLS; NAT
Perimeter
Firewalls, TLS, Denial of service prevention
Physical Security
Guards; Locks; Tracking devices; Badging system
Apply security
principles to all layers.

10. Defense in Depth
Typical controls
Security also applies to policies, procedures, and awareness.
Password policy; Data classification; Code review;
Usage policy; User awareness