Introduction
The IT industry is doing a good job in “patching” the security holes in our networks and host operating
systems. According to a recent Gartner study only 25% of the attacks seen today are aimed at the network
and host layers – that’s the good news – the bad news is that our business application is the attacker’s new
target of choice.
Are we as good at “securing” our applications?
Recently, the SANS Institute has made web application security the number one threat in their Top Twenty
Security Attack Targets (2006 Annual Update). The analyst community agrees, noting over 75% of
applications are vulnerable and 70% of attacks are now focused on these custom applications. Custom
applications and services are the hackers’ favorite target. The technology is evolving and connecting so
quickly that it has been very difficult for the security community to keep up. The attackers know this and
they’re taking full advantage.
Application security is challenging, and there are many tempting approaches out there. We’re here to tell
you that if you want to get value out of your application security efforts, put a plan in place that will drive
deep visibility into application security. Then you can manage with metrics.
In our experience, organizations that establish an application security team are the most likely to succeed.
The team should be responsible for both facilitating visibility and leading efforts to improve security.
Typically, those teams do training, verification, process, tools, architecture, etc…
Application Architecture Catalyst
Integrating application security with your application architecture functions provides reuse and a cost
effective approach to securing applications. The application security function should work closely with the
application architecture team to improve application security. Compare this with a reactive approach that
deals with application security late in the lifecycle. This “penetrate-and-patch” approach is significantly
more expensive and will never address the root causes that lead to application security problems. Instead
of treating the symptoms, work with application architecture to eliminate application security issues before
they are a problem. Application architecture can be a catalyst to securing your portfolio of applications,
providing many of the fundamental people, process and technology capabilities required in improving your
application’s security posture.
Enterprise Security Architecture Whitepaper
Many organizations rely on the underlying infrastructure to protect their applications. This reliance leads to
what we like to call the top 5 myths of application security. If these sound familiar in your organization, it’s
time to get serious about application security.
1. Perimeter security works -- my application is secure because it’s inside the firewall.
2. Security is an infrastructure problem.
3. Product “X” handles AAA (Authentication, Access Control, Accountability) for my application.
4. Developers don’t need to understand security.
5. Scanners achieve pretty good coverage.
Attackers can bypass your infrastructure security by simply following the security rules of the
infrastructure. This may sound somewhat recursive or self-defeating, but if attackers follow the simple rules
of a web application’s primary protocol, HTTP, most infrastructures will accept those requests and pass
them along to the application. This places your application in the direct line of fire of an attacker. Is your
application vulnerable to these attacks? How about the OWASP Top Ten?
A1 - Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and
sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute
script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2 - Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection
occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's
hostile data tricks the interpreter into executing unintended commands or changing data.

A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include
hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file
execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, database record, or key, as a URL
or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a
pre-authenticated request to a vulnerable web application, which then forces the victim's browser to
perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that
it attacks.

A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information
about their configuration, internal workings, or violate privacy through a variety of application problems.
Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not
properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users'
identities.

A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to
protect data and credentials. Attackers use weakly protected data to conduct identity theft and other
crimes, such as credit card fraud.

A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary
to protect sensitive communications.

A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by
preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access
and perform unauthorized operations by accessing those URLs directly.
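As an added illustration, not part of the whitepaper, the following Python script places a vulnerable
pattern beside its hardened form for two of the entries above, A2 Injection Flaws and A1 Cross Site
Scripting. The in-memory SQLite table, the function names and the sample inputs are all constructed for
this example; the hardened forms rely only on the standard library's parameterized queries and
html.escape.

```python
import html
import sqlite3

# Constructed sample data: an in-memory table standing in for an
# application's user store (not from the whitepaper).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

# A2 - Injection Flaws: user-supplied data pasted into the query text.
# The interpreter (SQLite here) cannot tell data from command, so hostile
# input changes the meaning of the query.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

# Hardened form: a parameterized query. The driver passes the value
# separately from the statement, so it is only ever treated as data.
def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# A1 - Cross Site Scripting: user data written into HTML without encoding,
# so markup in the value is interpreted by the browser.
def render_greeting_vulnerable(display_name: str) -> str:
    return f"<p>Welcome, {display_name}!</p>"

# Hardened form: encode for the HTML context before the value reaches the
# browser; angle brackets, ampersands and quotes become inert entities.
def render_greeting_safe(display_name: str) -> str:
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"

if __name__ == "__main__":
    conn = build_db()
    # Constructed hostile input: the textbook tautology that rewrites the
    # WHERE clause when concatenated into the query text.
    hostile = "x' OR '1'='1"
    print(find_user_vulnerable(conn, hostile))  # every row in the table
    print(find_user_safe(conn, hostile))        # [] - no user has that literal name
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

Running the script shows the concatenated query returning every row for the constructed input, while the
parameterized version returns nothing because the value is never interpreted as SQL; html.escape likewise
turns the script tag into plain text. Both fixes are reusable functions rather than per-developer vigilance,
which is the kind of enterprise control and API an application security team can standardize.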
Securing applications becomes a daunting task for most organizations. The sheer number of applications,
lines of code and architecture variations, combined with the specialized skills and knowledge required to
security-assess these applications, leaves information security and IT management at a loss. The challenges
of application security include knowledge / understanding / skill-set, technical complexity, and scaling.
Technical Complexity
Determining or assessing whether an application is vulnerable to attack is complex and requires specialized
skills. Developers do not think like attackers, so augmenting their skill-set to do this type of analysis is
difficult with only a few being able to make the transition. This causes the basic economic problem of supply
& demand – low supply of security analysts with high demand.
Scaling
So, an organization needs to train the masses, hire specialists, and get their arms around the applications in
their portfolio, all within budgetary constraints. Typically, a mid-large size organization has hundreds of
applications, millions of lines of code and varying technologies and architectures. How do you get assurance
that the applications are secure while keeping costs in check?
In our experience we’ve seen many approaches organizations take in achieving security in their applications.
Many organizations, particularly in the financial industry, have established teams that focus on various
aspects of application security. This trend started about 2002 and has continued to grow slowly for the past
five years. At this point, a majority of financial institutions have a specialized application security team of
some sort. There are many types of these teams, ranging from small 1-2 person teams to larger groups
with a core team and an extended team of field architects.
The Application Security Team role is to improve the security of the organization’s entire software
application inventory by discovering and managing application security risks. The team also encourages
security improvements to the people, process, and technology involved in acquiring, building, and
maintaining applications.
• Provide Application Security Awareness and Training Program
• Provide Application Security SMEs and Support Services
• Report on Application Security to Senior Management
• Manage Application Security
Process
The Application Security Team also plays a critical role in defining and implementing process improvements
designed to more reliably create secure software. The team will establish a set of application security
policies and standards, and then perform various reviews throughout the lifecycle to ensure they are being
followed.
• Integrate Security Activities into the Application Development Process
• Provide Application Security Assurance (Verification) Reviews
• Steward Application Security Policy and Standards Framework
• Measure and Improve Process Effectiveness
• Manage Application Portfolio
• Establish Application Security Knowledge Portal
• Establish Enterprise Controls and APIs
• Institutionalize Standard Application Security Tools
So where does application architecture come into play? There are many synergies between the application
security and architecture functions. Application architecture needs to understand the business plan,
inventory applications, and establish a consistent and repeatable approach to the design and implementation
of applications. The process it follows can be leveraged by application security to provide a quality-based,
consistent and cost-effective approach to fulfilling the application security plan.
Leverage people
The application security team can virtually scale its staff by leveraging application architects as security
analysts. They offer the closest skill-set and usually look at problems from a macro-design viewpoint. The
architects are also part of the development community and have established working relationships, providing
the much needed buy-in from developers.
Continuous Improvement Process
An application security plan should improve the security posture of an organization by instituting a
continuous improvement process. The following diagram depicts a 4 step continuous improvement plan:
1. Define what’s Important to Protect
You have to establish some priorities, and that means understanding what’s important to protect. You’re
trying to achieve a “line of sight” from your enterprise level security concerns all the way through the layers
to the implementation details. That’s the only way to know that you’ve effectively addressed all the risks.
Application architecture artifacts can be leveraged to define critical assets & functions across the portfolio of
applications.
2. Establish Security Controls
Application security uses a number of different controls. Many are technical, but don’t forget about the
people and process controls. Application architecture can directly address the technical controls by
integrating them into architecture designs. Application architecture teams and process improvement
capabilities can also be leveraged by application security.
3. Verify Security and Diagnose Risks
Thinking like an attacker is a difficult skill-set to acquire. Defining security analysis processes including
threat modeling, vulnerability assessment and risk analysis into the development lifecycle will help establish
a consistent and repeatable security function. Utilizing application architects as security subject matter
experts can provide support services to the application teams in performing these tasks. Architects can
facilitate code reviews, security testing and architecture/design reviews. Having the architects involved in
these key security activities will provide insight on the application’s risk posture leading to securer
implementations. Automated tools provide a valuable capability in data collection and coverage.
An organization’s application architecture function can provide critical benefits to the application security
plan. Leveraging the existing people, process and technology activities provided by many application
architecture functions gives the application security team a jumpstart. Benefits include cost effectiveness,
higher quality, scaling and flexibility in staffing, and an overall better security process.