Tim Ellison, profile picture
Uploaded byTim Ellison
517 views

Securing Java in the Server Room

The document discusses the importance of securing Java applications on server platforms, addressing client-side versus server-side computing, and detailing various security measures such as firewalls, intrusion detection systems, and secure coding practices. It emphasizes a lifecycle approach to application security, including risk assessment, secure engineering practices, and ongoing monitoring for vulnerabilities. Additionally, it outlines common vulnerabilities and resources for improving server-side Java security, such as the Common Vulnerabilities and Exposures (CVE) and the Open Web Application Security Project (OWASP).

Embed presentation

Download to read offline
© 2013 IBM Corporation JavaOne 2013 Securing Java in the Server Room CON 3636 Tim Ellison, IBM United Kingdom Ltd.
© 2013 IBM Corporation Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2
© 2013 IBM Corporation About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com @tpellison 3
© 2013 IBM Corporation The nature of server-side security
© 2013 IBM Corporation Client-side computing  Clients perform multiple tasks for a single user  Variety of devices, operating systems, and applications  Typically connect over untrusted networks  Under control of individuals disassociated with the services it uses  May be compromised, or deliberately used to challenge the security of the server flickr: NielsBD
© 2013 IBM Corporation Server-side computing  Servers typically perform a single task for multiple users  Usually more powerful computing capacity than clients  Running controlled applications  Connecting to a wide variety of clients and back end systems  Servers are considered a higher value target to attackers because: – more valuable to the owning organization's business – they provide a service to multiple users – have access to data regarding multiple clients / services
© 2013 IBM Corporation “The only secure computer is one that is unplugged, locked in a safe, and buried 20 feet under ground in a secret location ... and I am not even too sure about that one.” attributed to Dennis Huges, F.B.I. Flickr: buster19761976
© 2013 IBM Corporation Server security  Server side security is distributed across a number of systems and zones  Requests must pass through multiple checks before reaching the server platform  Specialized filters and applications run at each level to scrub the requests and check for abnormal behaviors that indicate a security breach Outer DMZClient Inner DMZ Server platform filter filter filter
© 2013 IBM Corporation Securing the computing platform  Host intrusion detection and prevention system – Monitor the system activity to identify and block malicious activities – Identify the suspicious activity by comparing to known good signatures of activity – Block suspicious activities and raises operator alerts – Maintain the integrity of the server  Firewall – Interface between trusted and untrusted networks – Ensure server's network connections are within policy – Limited level of application knowledge security  Antivirus software – Identify and prevent spread of malware in the trusted network – Often black-list or heuristics based – Servers can have more restrictive white-list detection
© 2013 IBM Corporation Securing the cloud computing platform  Cloud service platforms – Service provider must be trusted – Outsourcing some security considerations (can be a good thing!) – Ability to control details of server infrastructure is limited – Sensitive data must leave the organization  Virtualized servers – Resources are shared, potentially with untrusted tenants – Applications may be migrated dynamically between hosts – Protection appliances and software should be virtualization-aware
© 2013 IBM Corporation Securing Java in the server room  While Java may be used to implement the filters and zone software, we will focus on the application service provider running on the server platform Outer DMZ Client Inner DMZ Server platform – Data-loss / exposure – Denial of service – Data and process integrity – Bad actors – Suppliers (code and services) Risks
© 2013 IBM Corporation Writing secure applications in Java  Secure applications require a whole life-cycle approach – Secure requirements, threat modelling, risk analysis, secure coding, security testing, security documentation, incident response policy – Management of third-party dependencies – Source code management – Coding guidelines – Compiler settings and analysis tools – Explicit security testing  Use Java's strengths appropriately – Java has strong typing, array bounds checking, bytecode verification, JAR signing, ... – Java also has a number of legacy/unsafe APIs and defaults that are inappropriate for secure coding – No strong model for data security – May have to call out to other languages – ...this is where there are lessons to be learnt
© 2013 IBM Corporation Sources of server-side Java security information
© 2013 IBM Corporation Common Vulnerabilities and Exposures  Standardized naming authority for known vulnerabilities and exposures  A common name helps identify the same issue across multiple vendors, tools, releases, etc  Contains brief information, such as status indicator, short description, and related issues  No description of impact, fix information, or detailed technical information  Contains approx. 57,000 CVEs  US Government repository for vulnerability management data  Indexed by CVE, gives assessment of impact, complexity of exploit, technical details, and links to vendor information, etc  Utilizes the “Common Vulnerability Scoring System (CVSS)” to assess vulnerabilities National Vulnerability Database
© 2013 IBM Corporation Common Weakness Enumeration  List of software weaknesses across various languages – Sponsored by Office of Cybersecurity and Communications, U.S. Department of Homeland Security – Contributions by a broad community including a wide variety of organizations – Shared resource for software developers, tools vendors, security researchers, educators, etc. – CWE Compatibility and Effectiveness Program for certifying products and services  CWE version 2.5 – 940 vulnerabilities described, categorized into 187 different categories – Complete with taxonomy, examples, consequences, relationships, etc. – 73 are classified as weaknesses specific to software written in Java  The “Top 25 CWEs” represent the most significant exploitable software constructs  Utilizes the Common Weakness Scoring System, and Common Weakness Risk Analysis Framework – Gives a quantitative measurement of the unfixed weaknesses in an application – Rates weaknesses in terms of impact to business
© 2013 IBM Corporation Open Web Application Security Project  Community driven open source materials related to software security – Raising awareness about risks and specific coding vulnerabilitites – Advocate risk management approach rather than find and patch  Publish a Top 10 list of most critical web app security risks  Vulnerabilities are classified to enable the likely impact to the business
© 2013 IBM Corporation Vendor Security Bulletins  Specific information about security vulnerabilities that may affect vendor products are published on-line  e.g. IBM Product Security Incident Response – https://www.ibm.com/blogs/PSIRT  e.g. Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin – http://www.oracle.com/technetwork/topics/security/ alerts-086861.html Java Specific Notices
© 2013 IBM Corporation A closer look at server-side security
© 2013 IBM Corporation Simplified Server Application Architecture  Useful to consider the various weaknesses in the context of a simplified server architecture OS Platform Java Middleware Application User Sessions & Data Client Interface Database datadata filter
Computing Platform Potential issues attributed to the application's computing platform  Risks from mis-configuration or manipulation of the computer system hosting the application.  Vulnerabilities affecting the safe and secure operation of the application and its data by deliberate or inadvertent unauthorized manipulation of the system. OS Platform Java Middleware Application User Sessions Client Interface Database CWE-842: Placement of User into Incorrect Group The software or the administrator places a user into an incorrect group. CWE-605: Multiple Binds to the Same Port When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. CWE-405: Asymmetric Resource Consumption (Amplification) Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. Sometimes this is a factor in "flood" attacks, but other types of amplification exist. Examples
Java Platform Potential issues attributed to Java-specific weaknesses  Using APIs as they are intended to be used, and adopting mitigating actions for those with known high risk.  Designing the application and using coding patterns that promote secure practices, while avoiding those shown to be at risk of introducing vulnerabilities. CWE-227: Improper Fulfillment of API Contract ('API Abuse') The software uses an API in a manner contrary to its intended use, or makes assumptions that are not assured by the API documentation. CWE-487: Reliance on Package Level Scope Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
Application and Middleware Potential issues attributed to concepts in the application middleware stack  Ensuring correct usage of high-level concepts and their semantics by developers.  Potential risks by defining behavior and manipulating data at different levels of application-defined authority. CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session The application stores a non-serializable object as an HttpSession attribute, which means the session cannot be replicated across JVMs. CWE-613: Insufficient Session Expiration Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
User Sessions Potential issues attributed to concepts in management of user level controls  Ensuring that the logical unit of work encapsulated as application sessions are secure, robust, and do not lead to data exposure.  Protecting the integrity of shared secrets and methods for establishing identity of users, systems, applications, etc CWE-268: Privilege Chaining Privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. CWE-272: Least Privilege Violation Elevated privilege levels required to perform operations should be dropped immediately after the operation is performed. CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision Attackers can easily modify cookies and can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value. CWE-732: Incorrect Permission Assignment for Critical Resource Giving permissions to a wider range of actors than required, could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
Client Interface Risks for systems that depend upon secure communications  Avoiding numerous risks that may diminish the assurances of secrecy through the use of cryptographic techniques.  Protecting the integrity of secure data exchange and methods for establishing identity of the participants. CWE-327: Use of a Broken or Risky Cryptographic Algorithm The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. CWE-337: Predictable Seed in PRNG A PRNG is initialized from a predictable seed, e.g. using process ID or system time. CWE-299: Improper Check for Certificate Revocation The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. CWE-297: Improper Validation of Certificate with Host Mismatch The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
Database Risks in managing the data you use to achieve a business objective  Risks associated with application data being modified by, or exposed to, those with no business need for such access.  Increasing the security assurances around application data that is exposed to external storage, either temporarily or permanently. CWE-313: Cleartext Storage in a File or on Disk The application stores sensitive information in cleartext in a file, or on disk that could be read by attackers with access to the file, or with physical or administrator access to the raw disk. CWE-499: Serializable Class Containing Sensitive Data The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. CWE-359: Privacy Violation Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
System Data Consideration of risks handling data associated with the computing platform itself  Risks associated with storing descriptive system history in shared log locations.  Risks of inadvertently disclosing through system tools and behavior information that is protected by the application. CWE-532: Information Exposure Through Log Files While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. CWE-208: Information Exposure Through Timing Discrepancy Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. CWE-530: Exposure of Backup File to an Unauthorized Control Sphere A backup file is stored in a directory that is accessible to actors outside of the intended control sphere. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
Summary – securing Java in the server room  Planning  risk assessment for type of application  define integrity and confidentiality goals  identify applicable policies  assurances about the computing platform  Development  secure engineering practices  mitigation and avoidance of known risks  security testing and review  user and administrator guidance  Operations  configuration management control and auditing  intrusion detection and monitoring  action plan for dealing with security incidents  contingency planning
IBM AppScan  Scans  ability to regularly scan deployed systems to identify vulnerabilities  proactive pre-deployment scans & scheduled scans  Detection  collects and analyses events to identify priorities  analytics identifies application vulnerabilities  map events back to code level issues  Protection  integrated with network intrusion detection software  issues a “virtual patch”to protect specific vulnerabilities http://www.ibm.com/security/
Securing Java in the Server Room

More Related Content

PDF
NIST Definition of Cloud Computing
byScientia Groups
 
PDF
University Management System - UMS-X1 Technical Data
byNasser Hassan
 
PDF
NIC2012 - System Center Endpoint Protection 2012
byNicolai Henriksen
 
PPTX
System Center Endpoint Protection
byScientia Groups
 
PDF
Privileged Access Manager POC Guidelines
byHitachi ID Systems, Inc.
 
PDF
Injection techniques conversys
byKrishnendu Paul
 
DOCX
Earl Brown Resume Jan 2015
byEarl Brown
 
PDF
Visibility & Security for the Virtualized Enterprise
byEMC
 
NIST Definition of Cloud Computing
byScientia Groups
 
University Management System - UMS-X1 Technical Data
byNasser Hassan
 
NIC2012 - System Center Endpoint Protection 2012
byNicolai Henriksen
 
System Center Endpoint Protection
byScientia Groups
 
Privileged Access Manager POC Guidelines
byHitachi ID Systems, Inc.
 
Injection techniques conversys
byKrishnendu Paul
 
Earl Brown Resume Jan 2015
byEarl Brown
 
Visibility & Security for the Virtualized Enterprise
byEMC
 

What's hot

PPTX
SCEP 2012 inside SCCM 2012
byMicrosoft TechNet - Belgium and Luxembourg
 
PDF
Is it an internal affair
byGeorge Delikouras
 
PPTX
Introduction to Symantec Endpoint Management75.pptx
byArrow ECS UK
 
DOC
Amarjeet_Updated_Resume
byAmarjeet Kumar
 
PDF
Sba web sec_dg
byWilmer Gomez Reyes
 
PDF
Enhancing your mobile enterprise security with ibm worklight tips
bybupbechanhgmail
 
PDF
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
PDF
IRJET- An Efficient Hardware-Oriented Runtime Approach for Stack-Based Softwa...
byIRJET Journal
 
DOC
Harsha CV
byHarsha Siddartha Sarjapura
 
DOCX
Kailash Kapal Resume v5
byKailash Kapal
 
DOCX
Liberatore_Resume
byKevin Liberatore
 
PDF
Consistent Regions in Specialized Toolkits for IBM InfoSphere Streams V4.0
bylisanl
 
DOCX
Devasis Kumar Mahato - Resume
byDevasis Kumar
 
PDF
TECHNICAL BRIEF: Using Symantec Endpoint Protection 12.1 to Protect Against A...
bySymantec
 
PDF
IBM Infosphere Guardium - Database Security
byebuc
 
PDF
Hitachi ID Suite 9.0 Features and Technology
byHitachi ID Systems, Inc.
 
PDF
Altiris IT Management Suite 7
bySymantec
 
PDF
Cybercom Enhanced Security Platform
byabelsonp
 
PDF
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
bylisanl
 
DOCX
ConklinResume2
byTelisha Conklin
 
SCEP 2012 inside SCCM 2012
byMicrosoft TechNet - Belgium and Luxembourg
 
Is it an internal affair
byGeorge Delikouras
 
Introduction to Symantec Endpoint Management75.pptx
byArrow ECS UK
 
Amarjeet_Updated_Resume
byAmarjeet Kumar
 
Sba web sec_dg
byWilmer Gomez Reyes
 
Enhancing your mobile enterprise security with ibm worklight tips
bybupbechanhgmail
 
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
IRJET- An Efficient Hardware-Oriented Runtime Approach for Stack-Based Softwa...
byIRJET Journal
 
Harsha CV
byHarsha Siddartha Sarjapura
 
Kailash Kapal Resume v5
byKailash Kapal
 
Liberatore_Resume
byKevin Liberatore
 
Consistent Regions in Specialized Toolkits for IBM InfoSphere Streams V4.0
bylisanl
 
Devasis Kumar Mahato - Resume
byDevasis Kumar
 
TECHNICAL BRIEF: Using Symantec Endpoint Protection 12.1 to Protect Against A...
bySymantec
 
IBM Infosphere Guardium - Database Security
byebuc
 
Hitachi ID Suite 9.0 Features and Technology
byHitachi ID Systems, Inc.
 
Altiris IT Management Suite 7
bySymantec
 
Cybercom Enhanced Security Platform
byabelsonp
 
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
bylisanl
 
ConklinResume2
byTelisha Conklin
 

Similar to Securing Java in the Server Room

PDF
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
PDF
Secure Engineering Practices for Java
byTim Ellison
 
PPTX
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
byIBM Security
 
PDF
Application Security Guide for Beginners
byCheckmarx
 
PPTX
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
byTunde Ogunkoya
 
PDF
Secure JEE Architecture and Programming 101
byMario-Leander Reimer
 
PPT
2.Public Vulnerability Databases
byphanleson
 
PPT
software-security-intro-220901084730-8ed673b9.ppt
byAssadLeo1
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPT
software-security-intro Secure software Design and Development
bysahar62648
 
PDF
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
PPT
software-security.ppt
byPRALHAD MAGADUM
 
PPTX
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
PPT
SoftwareSecurity.ppt
byssuserfb92ae
 
PPTX
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
PPTX
7 Ways to Stay 7 Years Ahead of the Threat
byIBM Security
 
PDF
SAP security made easy
byERPScan
 
PDF
JavaOne2013: Secure Engineering Practices for Java
byChris Bailey
 
PPTX
java2days 2014: Attacking JavaEE Application Servers
byMartin Toshev
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
Secure Engineering Practices for Java
byTim Ellison
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
byIBM Security
 
Application Security Guide for Beginners
byCheckmarx
 
ISACA 2016 Annual Conference SA_State of Risk_Tunde Ogunkoya_DeltaGRiC_Consul...
byTunde Ogunkoya
 
Secure JEE Architecture and Programming 101
byMario-Leander Reimer
 
2.Public Vulnerability Databases
byphanleson
 
software-security-intro-220901084730-8ed673b9.ppt
byAssadLeo1
 
software-security-intro in information security.ppt
byismaeelsahib032
 
software-security-intro Secure software Design and Development
bysahar62648
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
software-security.ppt
byPRALHAD MAGADUM
 
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
SoftwareSecurity.ppt
byssuserfb92ae
 
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
7 Ways to Stay 7 Years Ahead of the Threat
byIBM Security
 
SAP security made easy
byERPScan
 
JavaOne2013: Secure Engineering Practices for Java
byChris Bailey
 
java2days 2014: Attacking JavaEE Application Servers
byMartin Toshev
 

More from Tim Ellison

PDF
The Extraordinary World of Quantum Computing
byTim Ellison
 
PDF
Apache Big Data Europe 2016
byTim Ellison
 
PDF
A Java Implementer's Guide to Better Apache Spark Performance
byTim Ellison
 
PPT
Apache Harmony: An Open Innovation
byTim Ellison
 
PDF
Java on zSystems zOS
byTim Ellison
 
PDF
Inside IBM Java 7
byTim Ellison
 
PDF
Real World Java Compatibility
byTim Ellison
 
PDF
Modules all the way down: OSGi and the Java Platform Module System
byTim Ellison
 
PDF
Five cool ways the JVM can run Apache Spark faster
byTim Ellison
 
PDF
Virtualization aware Java VM
byTim Ellison
 
PDF
What's New in IBM Java 8 SE?
byTim Ellison
 
PDF
Using GPUs to Handle Big Data with Java
byTim Ellison
 
The Extraordinary World of Quantum Computing
byTim Ellison
 
Apache Big Data Europe 2016
byTim Ellison
 
A Java Implementer's Guide to Better Apache Spark Performance
byTim Ellison
 
Apache Harmony: An Open Innovation
byTim Ellison
 
Java on zSystems zOS
byTim Ellison
 
Inside IBM Java 7
byTim Ellison
 
Real World Java Compatibility
byTim Ellison
 
Modules all the way down: OSGi and the Java Platform Module System
byTim Ellison
 
Five cool ways the JVM can run Apache Spark faster
byTim Ellison
 
Virtualization aware Java VM
byTim Ellison
 
What's New in IBM Java 8 SE?
byTim Ellison
 
Using GPUs to Handle Big Data with Java
byTim Ellison
 

Recently uploaded

PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 

Securing Java in the Server Room

  • 1.
    © 2013 IBMCorporation JavaOne 2013 Securing Java in the Server Room CON 3636 Tim Ellison, IBM United Kingdom Ltd.
  • 2.
    © 2013 IBMCorporation Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2
  • 3.
    © 2013 IBMCorporation About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com @tpellison 3
  • 4.
    © 2013 IBMCorporation The nature of server-side security
  • 5.
    © 2013 IBMCorporation Client-side computing  Clients perform multiple tasks for a single user  Variety of devices, operating systems, and applications  Typically connect over untrusted networks  Under control of individuals disassociated with the services it uses  May be compromised, or deliberately used to challenge the security of the server flickr: NielsBD
  • 6.
    © 2013 IBMCorporation Server-side computing  Servers typically perform a single task for multiple users  Usually more powerful computing capacity than clients  Running controlled applications  Connecting to a wide variety of clients and back end systems  Servers are considered a higher value target to attackers because: – more valuable to the owning organization's business – they provide a service to multiple users – have access to data regarding multiple clients / services
  • 7.
    © 2013 IBMCorporation “The only secure computer is one that is unplugged, locked in a safe, and buried 20 feet under ground in a secret location ... and I am not even too sure about that one.” attributed to Dennis Huges, F.B.I. Flickr: buster19761976
  • 8.
    © 2013 IBMCorporation Server security  Server side security is distributed across a number of systems and zones  Requests must pass through multiple checks before reaching the server platform  Specialized filters and applications run at each level to scrub the requests and check for abnormal behaviors that indicate a security breach Outer DMZClient Inner DMZ Server platform filter filter filter
  • 9.
    © 2013 IBMCorporation Securing the computing platform  Host intrusion detection and prevention system – Monitor the system activity to identify and block malicious activities – Identify the suspicious activity by comparing to known good signatures of activity – Block suspicious activities and raises operator alerts – Maintain the integrity of the server  Firewall – Interface between trusted and untrusted networks – Ensure server's network connections are within policy – Limited level of application knowledge security  Antivirus software – Identify and prevent spread of malware in the trusted network – Often black-list or heuristics based – Servers can have more restrictive white-list detection
  • 10.
    © 2013 IBMCorporation Securing the cloud computing platform  Cloud service platforms – Service provider must be trusted – Outsourcing some security considerations (can be a good thing!) – Ability to control details of server infrastructure is limited – Sensitive data must leave the organization  Virtualized servers – Resources are shared, potentially with untrusted tenants – Applications may be migrated dynamically between hosts – Protection appliances and software should be virtualization-aware
  • 11.
    © 2013 IBMCorporation Securing Java in the server room  While Java may be used to implement the filters and zone software, we will focus on the application service provider running on the server platform Outer DMZ Client Inner DMZ Server platform – Data-loss / exposure – Denial of service – Data and process integrity – Bad actors – Suppliers (code and services) Risks
  • 12.
    © 2013 IBMCorporation Writing secure applications in Java  Secure applications require a whole life-cycle approach – Secure requirements, threat modelling, risk analysis, secure coding, security testing, security documentation, incident response policy – Management of third-party dependencies – Source code management – Coding guidelines – Compiler settings and analysis tools – Explicit security testing  Use Java's strengths appropriately – Java has strong typing, array bounds checking, bytecode verification, JAR signing, ... – Java also has a number of legacy/unsafe APIs and defaults that are inappropriate for secure coding – No strong model for data security – May have to call out to other languages – ...this is where there are lessons to be learnt
  • 13.
    © 2013 IBMCorporation Sources of server-side Java security information
  • 14.
    © 2013 IBMCorporation Common Vulnerabilities and Exposures  Standardized naming authority for known vulnerabilities and exposures  A common name helps identify the same issue across multiple vendors, tools, releases, etc  Contains brief information, such as status indicator, short description, and related issues  No description of impact, fix information, or detailed technical information  Contains approx. 57,000 CVEs  US Government repository for vulnerability management data  Indexed by CVE, gives assessment of impact, complexity of exploit, technical details, and links to vendor information, etc  Utilizes the “Common Vulnerability Scoring System (CVSS)” to assess vulnerabilities National Vulnerability Database
  • 15.
    © 2013 IBMCorporation Common Weakness Enumeration  List of software weaknesses across various languages – Sponsored by Office of Cybersecurity and Communications, U.S. Department of Homeland Security – Contributions by a broad community including a wide variety of organizations – Shared resource for software developers, tools vendors, security researchers, educators, etc. – CWE Compatibility and Effectiveness Program for certifying products and services  CWE version 2.5 – 940 vulnerabilities described, categorized into 187 different categories – Complete with taxonomy, examples, consequences, relationships, etc. – 73 are classified as weaknesses specific to software written in Java  The “Top 25 CWEs” represent the most significant exploitable software constructs  Utilizes the Common Weakness Scoring System, and Common Weakness Risk Analysis Framework – Gives a quantitative measurement of the unfixed weaknesses in an application – Rates weaknesses in terms of impact to business
  • 16.
    © 2013 IBMCorporation Open Web Application Security Project  Community driven open source materials related to software security – Raising awareness about risks and specific coding vulnerabilitites – Advocate risk management approach rather than find and patch  Publish a Top 10 list of most critical web app security risks  Vulnerabilities are classified to enable the likely impact to the business
  • 17.
    © 2013 IBMCorporation Vendor Security Bulletins  Specific information about security vulnerabilities that may affect vendor products are published on-line  e.g. IBM Product Security Incident Response – https://www.ibm.com/blogs/PSIRT  e.g. Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin – http://www.oracle.com/technetwork/topics/security/ alerts-086861.html Java Specific Notices
  • 18.
    © 2013 IBMCorporation A closer look at server-side security
  • 19.
    © 2013 IBMCorporation Simplified Server Application Architecture  Useful to consider the various weaknesses in the context of a simplified server architecture OS Platform Java Middleware Application User Sessions & Data Client Interface Database datadata filter
  • 20.
    Computing Platform Potential issuesattributed to the application's computing platform  Risks from mis-configuration or manipulation of the computer system hosting the application.  Vulnerabilities affecting the safe and secure operation of the application and its data by deliberate or inadvertent unauthorized manipulation of the system. OS Platform Java Middleware Application User Sessions Client Interface Database CWE-842: Placement of User into Incorrect Group The software or the administrator places a user into an incorrect group. CWE-605: Multiple Binds to the Same Port When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. CWE-405: Asymmetric Resource Consumption (Amplification) Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. Sometimes this is a factor in "flood" attacks, but other types of amplification exist. Examples
  • 21.
    Java Platform Potential issuesattributed to Java-specific weaknesses  Using APIs as they are intended to be used, and adopting mitigating actions for those with known high risk.  Designing the application and using coding patterns that promote secure practices, while avoiding those shown to be at risk of introducing vulnerabilities. CWE-227: Improper Fulfillment of API Contract ('API Abuse') The software uses an API in a manner contrary to its intended use, or makes assumptions that are not assured by the API documentation. CWE-487: Reliance on Package Level Scope Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
  • 22.
    Application and Middleware Potentialissues attributed to concepts in the application middleware stack  Ensuring correct usage of high-level concepts and their semantics by developers.  Potential risks by defining behavior and manipulating data at different levels of application-defined authority. CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session The application stores a non-serializable object as an HttpSession attribute, which means the session cannot be replicated across JVMs. CWE-613: Insufficient Session Expiration Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
  • 23.
    User Sessions Potential issuesattributed to concepts in management of user level controls  Ensuring that the logical unit of work encapsulated as application sessions are secure, robust, and do not lead to data exposure.  Protecting the integrity of shared secrets and methods for establishing identity of users, systems, applications, etc CWE-268: Privilege Chaining Privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. CWE-272: Least Privilege Violation Elevated privilege levels required to perform operations should be dropped immediately after the operation is performed. CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision Attackers can easily modify cookies and can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value. CWE-732: Incorrect Permission Assignment for Critical Resource Giving permissions to a wider range of actors than required, could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
  • 24.
    Client Interface Risks forsystems that depend upon secure communications  Avoiding numerous risks that may diminish the assurances of secrecy through the use of cryptographic techniques.  Protecting the integrity of secure data exchange and methods for establishing identity of the participants. CWE-327: Use of a Broken or Risky Cryptographic Algorithm The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. CWE-337: Predictable Seed in PRNG A PRNG is initialized from a predictable seed, e.g. using process ID or system time. CWE-299: Improper Check for Certificate Revocation The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. CWE-297: Improper Validation of Certificate with Host Mismatch The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
  • 25.
    Database Risks in managingthe data you use to achieve a business objective  Risks associated with application data being modified by, or exposed to, those with no business need for such access.  Increasing the security assurances around application data that is exposed to external storage, either temporarily or permanently. CWE-313: Cleartext Storage in a File or on Disk The application stores sensitive information in cleartext in a file, or on disk that could be read by attackers with access to the file, or with physical or administrator access to the raw disk. CWE-499: Serializable Class Containing Sensitive Data The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. CWE-359: Privacy Violation Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal.. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
  • 26.
    System Data Consideration ofrisks handling data associated with the computing platform itself  Risks associated with storing descriptive system history in shared log locations.  Risks of inadvertently disclosing through system tools and behavior information that is protected by the application. CWE-532: Information Exposure Through Log Files While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. CWE-208: Information Exposure Through Timing Discrepancy Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. CWE-530: Exposure of Backup File to an Unauthorized Control Sphere A backup file is stored in a directory that is accessible to actors outside of the intended control sphere. Examples OS Platform Java Middleware Application User Sessions Client Interface Database
  • 27.
    Summary – securingJava in the server room  Planning  risk assessment for type of application  define integrity and confidentiality goals  identify applicable policies  assurances about the computing platform  Development  secure engineering practices  mitigation and avoidance of known risks  security testing and review  user and administrator guidance  Operations  configuration management control and auditing  intrusion detection and monitoring  action plan for dealing with security incidents  contingency planning
  • 28.
    IBM AppScan  Scans ability to regularly scan deployed systems to identify vulnerabilities  proactive pre-deployment scans & scheduled scans  Detection  collects and analyses events to identify priorities  analytics identifies application vulnerabilities  map events back to code level issues  Protection  integrated with network intrusion detection software  issues a “virtual patch”to protect specific vulnerabilities http://www.ibm.com/security/