Security overdone?

Introduction

While planning and developing web sites we should always keep in mind that someone will always be paranoid about them. Being paranoid about security ourselves will keep us away from the security issues we could otherwise meet after going to production. The more popular our web site becomes, the more paranoid its security should be. With the explosion of internet technologies, richer content, migration to dynamic pages and integration of payment systems, web sites have become more vulnerable [1].

Who is who?

A threat is a potential problem, a bad thing that can happen to your system and data.
A vulnerability is a weak area where a threat can occur. It can result from bad design, weak data encryption or storing sensitive information on the client side without encryption [4].

Vulnerable areas

So where can we potentially have a breach? A well-designed application is built in layers such as database, business, communication and user interface. Each layer, as well as the communication between layers, is a potential security problem. Authentication implemented in the internal network is not enough; the internal network should also be encrypted, since it can be sniffed from an affected internal system, and an internal Wi-Fi network does not mean that no one will listen to the traffic, even if they are not able to connect to the network. Best Buy, the number 1 consumer electronics retailer in the US, transmitted cash information and closed its wireless after a security problem was publicly reported [5]. The first three layers are located on the server side, and the user interface is rendered on the client side using the browser and plugins such as Flash or Silverlight.

The most common security vulnerabilities are SQL injection and cross-site scripting; security in transit comes next, but with a lower percentage than the first two. The list of possible categories is long: input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, auditing and logging [2]. Most data loss and damage also comes from SQL injection and cross-site scripting. With SQL injection an attacker can execute additional commands, which can lead to data deletion or to extra filtering that, as a result, shows confidential information. Cross-site scripting, also known as XSS, is commonly used for phishing to steal credentials.

Data transferred between layers can be read in transit. Requested information is also passed between many servers and, as a result, can be stored there for caching and logging purposes. Since the data is commonly not encrypted, it can easily be read and used [3].
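The "extra filtering" effect of SQL injection described above, shown next to the parameterized form that prevents it. This is an added example, not code from the original post; the `orders` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")])
    return db

def orders_vulnerable(db, customer):
    # Vulnerable: user input is concatenated into the SQL text, so quote
    # characters in the input can change the WHERE clause itself.
    sql = ("SELECT id, customer, card_last4 FROM orders "
           "WHERE customer = '" + customer + "'")
    return db.execute(sql).fetchall()

def orders_safe(db, customer):
    # Hardened: the value is bound as a parameter and is only ever compared
    # as data; it cannot alter the structure of the statement.
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tampered = "alice' OR '1'='1"  # constructed input that rewrites the filter
    print("normal input, vulnerable query: ", orders_vulnerable(db, "alice"))
    print("tampered input, vulnerable query:", orders_vulnerable(db, tampered))
    print("tampered input, safe query:      ", orders_safe(db, tampered))
```

With the concatenated query the tampered value returns every customer's row; with the bound parameter the same value is just a customer name that matches nothing.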

Risk mitigation

Test and communicate! Administrators should always work closely with developers to discuss technologies and design. Developers should always work closely with testers to reveal black boxes and test functionality in all layers and during all stages. Here is some common advice for developers on the categories mentioned above. Input should always be validated on both the client side and the server side; client-side validation can never be trusted, since it is always easy to break. Always use passwords with expiration periods, and store them hashed, never in plain format. Use least-privileged accounts and assign rights based on groups. Never store sensitive data in cookies and do not pass it in HTTP GET requests. Do not develop your own cryptography algorithms; use the standard algorithms from frameworks. Validate all parameters sent from the client. Use exception handling patterns and never show unexpected error details; a user-friendly message should be displayed instead. Keep logs for investigation and monitoring [2].
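Several of these recommendations combined in one registration handler: server-side validation, hashed password storage with a standard-library algorithm, and errors that are logged in detail but shown to the user only as a friendly message. This is an added example, not code from the original post; the username and password policy, the iteration count, the logger name and the in-memory `USERS` store are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re

log = logging.getLogger("webapp")                # hypothetical logger name
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")  # assumed username policy
USERS = {}                                       # in-memory stand-in for the user table

def hash_password(password, salt=None):
    """Derive a salted hash with PBKDF2-HMAC-SHA256 from the standard library."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def register(username, password):
    # Server-side validation: repeated here even if the browser already checked.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not isinstance(password, str) or len(password) < 12:
        raise ValueError("password too short")
    USERS[username] = hash_password(password)    # only salt and hash are stored

def verify(username, password):
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison

def handle_register(form):
    """Log details for investigation; return only a friendly message."""
    try:
        register(form.get("username"), form.get("password"))
        return 200, "Account created."
    except ValueError as exc:
        log.warning("rejected registration: %s", exc)
        return 400, "Please check the user name and password and try again."
    except Exception:
        log.exception("unexpected error in registration")  # stack trace stays in the log
        return 500, "Something went wrong. Please try again later."
```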

Conclusion

Security can never be overdone. Security should be discussed and implemented at every stage of the product, in the layers and in the communication between layers. Do not forget about the internal network and intranet: trusted does not always mean secured. Even if your web site is secured against SQL injection and blocked from the external world by a firewall, it is still accessible from the local network.

References:

1. Matt Pogue, 2003, Securing Microsoft Web Applications - A Guide for Systems Administrators, SANS Institute, available online: http://www.sans.org/reading_room/whitepapers/webservers/securing-microsoft-web-applications-guide-systems-administrators_299 (last accessed 12 April 2012)
2. J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, 2003, Design Guidelines for Secure Web Applications, Microsoft Corporation, available online: http://msdn.microsoft.com/en-us/library/ff648647.aspx (last accessed 12 April 2012)
3. Monica S. Lam, Michael Martin (Stanford University), Benjamin Livshits (Microsoft), John Whaley (Moka 5), 2008, Securing Web Applications with Static and Dynamic Information Flow Tracking, Stanford University, available online: http://suif.stanford.edu/papers/pepm08.pdf (last accessed 12 April 2012)
4. J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, 2003, Improving Web Application Security: Threats and Countermeasures, Microsoft Corporation, available online: http://msdn.microsoft.com/en-us/library/ff648636.aspx (last accessed 12 April 2012)
5. Bob Sullivan, 2002, Best Buy closes wireless registers, MSNBC, available online: http://www.msnbc.msn.com/id/3078572 (last accessed 16 April 2012)
