Security is fundamentally about protecting assets, such as a Web page or your customer data in database. As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk. Security is about risk management and implementing effective counter measures.

The Foundations of Security

Security relies on the following elements:


  • Authentication: "Who are you?"

Authentication is the process of identifying the clients of your applications. These might be end users, services, processes, or computers. Authenticated clients are referred to as principals.


  • Authorization: "What can you do?"

Authorization is the process that governs the resources and operations that the authenticated client is permitted to access. Resources include files, databases, tables, rows and system resources such as registry keys and configuration data. Operations include performing transactions such as CRUD operation.


  • Auditing

Effective auditing and logging is the key to non-repudiation, guarantees that a user cannot deny performing an operation.


  • Confidentiality

Confidentiality is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or who monitor the traffic across a network. Encryption is frequently used to enforce confidentiality. Access control lists (ACLs) are another means of enforcing confidentiality.


  • Integrity

Integrity is the guarantee that data is protected from accidental or malicious modification. Like privacy, integrity is a key concern, particularly for data passed across networks. Integrity for data in transit is typically provided by using hashing techniques and message authentication codes.


  • Availability

Availability means that systems remain available for service users. The goal for many attackers is denial of service and they attack to make sure that there is less than sufficient resources so that other users cannot access the application.

How to Build a Secure Web Application?

It is not possible to design and build a secure Web application until you know your threats. An increasingly important discipline and one that is recommended to form part of your application's design phase is threat modeling. The purpose of threat modeling is to analyze your application's architecture and design and identify potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security.


After that, design with security by applying proven security principles. As developers, you must follow secure coding techniques to develop secure and robust solutions. The design and development of application layer software must be supported by a secure network, host, and application configuration on the servers where the application software is to be deployed.


A design approach to security


Figure: A design approach to security


Securing Your Network

The network infrastructure consists of routers, firewalls, and switches. The role of the secure network is not only to protect itself from TCP/IP-based attacks, but also to implement counter measures such as secure administrative interfaces and strong passwords. The secure network is also responsible for ensuring the integrity of the traffic that it is forwarding. If you know at the network layer about ports, protocols, or communication that may be harmful, counter those potential threats at that layer.


Table: Network Component Categories [1]

Category

Description

Router

Routers are your outermost network ring. They channel packets to ports and protocols that your application needs. Common TCP/IP vulnerabilities are blocked at this ring.

Firewall

The firewall blocks those protocols and ports that the application does not use. Additionally, firewalls enforce secure network traffic by providing application-specific filtering to block malicious communications.

Switch

Switches are used to separate network segments. They are frequently overlooked or over-trusted.


Securing Your Host

Secure a host, whether it is your Web server, application server, or database server, this guide breaks down the various secure configuration settings into separate categories. With this approach, you can focus on a specific category and review security, or apply security settings that relate to that specific category. When you install new software on your servers with this approach, you can evaluate the impact on your security settings. For example, you may address the following questions: Does the software create new accounts? Does the software add any default services? Who are the services running as? Are any new script mappings created?


Figure: Host security categories


Table: Host Configuration Categories [2]

Category

Description

Patches and Updates

Many top security risks exist because of vulnerabilities that are widely published and well known. When new vulnerabilities are discovered, exploit code is frequently posted on Internet bulletin boards within hours of the first successful attack. Patching and updating your server's software is the first step toward securing the server. If you do not patch and update your server, you are providing more potential opportunities for attackers and malicious code.

Services

The service set is determined by the server role and the applications it hosts. By disabling unnecessary and unused services, you quickly and easily reduce the attack surface area.

Protocols

To reduce the attack surface area and the avenues open to attackers, disable any unnecessary or unused network protocols.

Accounts

The number of accounts accessible from a server should be restricted to the necessary set of service and user accounts. Additionally, you should enforce appropriate account policies, such as mandating strong passwords.

Files and Directories

Files and directories should be secured with restricted NTFS permissions that allow access only to the necessary Microsoft Windows service and user accounts.

Shares

All unnecessary file shares, including the default administration shares if they are not required, should be removed. Secure the remaining shares with restricted NTFS permissions.

Ports

Services running on a server listen on specific ports to serve incoming requests. Open ports on a server must be known and audited regularly to make sure that an insecure service is not listening and available for communication. In the worst-case scenario, a listening port is detected that was not opened by an administrator.

Auditing and Logging

Auditing is a vital aid in identifying intruders or attacks in progress. Logging proves particularly useful as forensic information when determining how an intrusion or attack was performed.

Registry

Much of the security related settings are maintained in the registry. Secure the registry itself by applying restricted Windows ACLs and blocking remote registry administration.


Securing Your Application

The top security issues across many Web applications, you would see a pattern of problems. By organizing these problems into categories, you can systematically tackle them. These problem areas are your application's vulnerability categories.


Table: Application Vulnerability Categories [3]


Category

Description

Input Validation

How do you know that the input that your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.

Authentication

"Who are you?" Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.

Authorization

"What can you do?" Authorization is how your application provides access controls for resources and operations.

Configuration Management

Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.

Sensitive Data

Sensitive data refers to how your application handles any data that must be protected either in memory, over the wire, or in persistent stores.

Session Management

A session refers to a series of related interactions between a user and your Web application. Session management refers to how your application handles and protects these interactions.

Cryptography

How are you keeping secrets, secret (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.

Parameter Manipulation

Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers to both how your application safeguards tampering of these values and how your application processes input parameters.

Exception Management

When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?

Auditing and Logging

Who did what and when? Auditing and logging refer to how your application records security-related events.

Summary

An ever-increasing number of attacks target your application. They pass straight through your environment's front door using HTTP. The conventional fortress model and the reliance on firewall and host defenses are not sufficient when used in isolation. Securing your application involves applying security at three layers: the network layer, host layer, and the application layer. A secure network and host platform infrastructure is a must. Additionally, your applications must be designed and built using secure design and development guidelines following timeworn security principles.


References

[1] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Network Component Categories, Table 1.1:  Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017].

[2] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Rationale for Host Configuration Categories, Table 1.2:  Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017].

[3] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Application Vulnerability Categories, Table 1.3:  Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017].