Operational Security: Impact on Developing Secure Applications

Operational Security: Impact on Developing Secure Applications. OWASP Belgium, 20/11/2007 – Patrick Debois

Upload: patrick-debois

Post on 15-Jan-2015


DESCRIPTION

As an experienced programmer you are well versed in applying the OWASP guidelines. At least we hope so ;-) Still, we are mainly involved in the creation of the application during the project phase. But good security management goes beyond that one phase: enter operational security. Without programming skills, these operational units have over the years created several security layers around the applications. Think firewalls, intrusion detection and prevention, antivirus systems... These server- and network-oriented security measures increasingly influence application deployment, and they can also benefit from better application integration. This presentation will show you the impact that, for instance, central log management, patch management, identity & access management, load balancing and antivirus can have on application deployment, and how small modifications to our application can make a world of difference to security in the trenches. These measures are complementary to the OWASP set of guidelines. Developers will also get a better understanding of an additional set of security-related non-functional requirements.

TRANSCRIPT

Page 1: Operational Security: Impact on Developing Secure Applications

Operational Security: Impact on Developing Secure Applications

OWASP Belgium 20/11/2007 – Patrick Debois

Page 2

It works on my PC

A Common Enterprise Pattern

Page 3

Pattern Name & Known As

- Also known as
  - "Me developer, you operational"
  - "You developer, me operational"

Page 4

Intent and Motivation

- Intent
  - No communication means faster to production
  - No communication means less dependency
- Motivation
  - Doing things faster gives us more time for other things

Page 5

Applicability

- Separated groups between projects and operations
- Typically waterfall-oriented project environments
- Operational environments without developer knowledge
- Developers without operational environment knowledge

Page 6

Participants

- People
  - Developers
    - Try to please their project manager
  - Project Managers
    - Try to push the new application to production
  - Operational people
    - Try to please their operations manager
  - Operations Managers
    - Try to control the situation, avoid problems
- Product
  - New Application
  - Existing Operational environment

Page 7

Structure

- Project Test Phase (Clash 1)
  - Project has to deliver new functionality
  - Test environment is different from operational
- Production Phase (Clash 2)
  - Operations take over the application
- Maintenance Phase (Clash 3)
  - IT environment changes
  - Operations can't change it and the Project Team has left

Page 8

Types of (Non-)Collaboration

- Operational Manager does not allow Operational People to interact with developers. Incidents first.
- Project Manager avoids the Operational People as they are not reliable as a project resource.
- Developers do not talk to Operational People because they do not understand the 'operational domain'.
- Operational People do not talk to the Developers because they do not understand the 'development domain'.

Page 9

How it all got started ...

Creating awareness

And sorry no sample code, I’m not a developer ;-)

Page 10

In the beginning there was ...

- A happy developer
  - Working on his application
  - Not worried about the enterprise standards
  - Driven to deliver functionality
- Everybody loved his new application
  - A super-duper Intranet Application
  - Portal system based on his favourite database, application server, framework
  - Fully featured, end-user configurable
  - Spidering content for the search engine

Page 11

Moving the server behind a firewall

- "We need to move the system to the DMZ to get access from the internet"
- Identify ALL ports
  - Mail, other websites for spidering
- TCP session timeout
  - Long idle connections
  - Think reporting services
  - Long application session times / relogin

Page 12

Moving to a 3-tier Architecture

- "We need to split our one server into three layers: Web, App and Database"
- Identify ALL ports
  - Also between the servers
- TCP session timeout
  - Impact on the database connection pooling
- Backup & Restore
  - Sync of the different backups
  - Static published files, database metadata, search data

Page 13

Moving to HTTP/S (Server)

- "We need to move to HTTP/S instead of HTTP because the data is confidential"
- Identify ALL places for the URL
  - Does the browser know the CA certificate?
  - Did you make a redirect from HTTP to HTTP/S for an easy transition?
  - Using secure cookies
  - Content in HTML pages: does it refer to the HTTP/S URL?
  - Bookmarks of end users

Page 14

Moving to HTTP/S (Client)

- "Our data supplier also switched to HTTP/S"
- HTTP/S is not only about the URL
  - What happens if the supplier's certificate has expired?
  - Do we need to check the validity of the server certificate?
  - Which CA issued the server certificate?
  - Do we need CRL or OCSP checking?
  - Do we need a client certificate or a simple username/password?

Page 15

Moving SSL to hardware

- "Switching to SSL overloads the server"
- Typically a reverse proxy or load balancer terminates SSL
  - The request to the application is HTTP while the end user is on HTTP/S. URLs are no longer relative to the request.
  - Proxies can rewrite some HTML
  - JavaScript-generated URLs are difficult
- Using HTTP/1.1 also helps to avoid the Nagle algorithm (short requests / lots of negotiation overhead)
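The server-side consequences of slides 13 and 15 (the HTTP-to-HTTP/S redirect, Secure cookies, and URLs that are no longer relative once a reverse proxy terminates SSL), as an added Python example that is not part of the slides. It assumes the proxy passes the original scheme in the de-facto X-Forwarded-Proto header; the proxy address range and the host name are constructed.

```python
"""Added example (not from the slides): behind a TLS-offloading reverse proxy the
application sees plain HTTP, so it must recover the end user's real scheme before
it builds redirects and cookies. The X-Forwarded-Proto header, the proxy address
range and the host list are assumptions for this example."""
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("10.0.1.0/24")]   # constructed: our reverse proxies / load balancers
ALLOWED_HOSTS = {"intranet.example"}            # constructed: names the application is served under

def effective_scheme(peer_ip: str, headers: dict) -> str:
    """Scheme used between the browser and the proxy: "http" or "https".

    The header is trusted only when the TCP peer is one of our proxies. Anyone
    else could claim "https" and have the session issued over a connection that
    is not encrypted, so for them we fall back to what we see on the wire."""
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"

def respond(peer_ip: str, headers: dict, path: str, session_id: str):
    """Return (status, response headers) for a request as it arrives from the proxy.

    Plain-HTTP users get the transition redirect. The Location must be absolute:
    a relative one would be resolved against the http:// URL the proxy used.
    HTTPS users get the session cookie with Secure and HttpOnly set."""
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:          # never reflect an arbitrary Host into a redirect
        return 400, {}
    if effective_scheme(peer_ip, headers) != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Set-Cookie": f"sid={session_id}; Path=/; Secure; HttpOnly"}
```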

Page 16

Connecting to a Directory System

- "Users are complaining that they have to remember all the different passwords"
- Application attributes not in the main directory are still in the application's own database
  - Profiles need to be synced between the directory and the local application profile
- Disable the change-password module
- Be sure that you have a system to manage special users and users that are not in the Directory
- Directory groups vs. Application groups

Page 17

Enabling Single Sign-On

- "One password is fine, but they want it automatically"
- Reverse proxy system capable of doing RADIUS, LDAP, AD, whatever
  - Either Agent or API; easier by passing an HTTP header
- No passwords are passed to the application, which means it can't be used for connecting as that user to a backend system
- Monitoring needs to bypass the login system
- Some people need to log in as different users for different tasks

Page 18

Central Authorization

- "Now that everything passes through our reverse proxy we can decide who has access to what"
- Does limiting a function equal limiting the URL?
  - Problem with parameter-based URLs
- Some access control remains in the application (coarse grained)
- Group-based ACLs
- Central logout vs. local logout URLs
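An added example (not from the slides) of the "does limiting a function equal limiting the URL?" problem: a path-based ACL as a reverse proxy would apply it, next to the function-level check the application must keep when one URL serves several functions chosen by a request parameter. The ACL tables and the `action` parameter are constructed.

```python
"""Added example (not from the slides): why a URL-based ACL on the reverse proxy
cannot replace authorization inside the application once functions are selected
by a request parameter. ACL tables and the 'action' parameter are constructed."""
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Constructed proxy rules: path pattern -> groups allowed. First match wins,
# anything unmatched is denied (group-based ACLs, as on the slide).
PROXY_ACL = [
    ("/admin/*", {"admins"}),
    ("/portal*", {"users", "admins"}),
]

# Constructed application rules for the functions behind one URL. The proxy
# only ever sees the path "/portal" and cannot tell these apart.
FUNCTION_ACL = {
    "view": {"users", "admins"},
    "deleteUser": {"admins"},
}

def proxy_allows(path: str, groups: set) -> bool:
    """Coarse-grained check as a reverse proxy would do it, on the path only."""
    path = posixpath.normpath(path)   # compare the canonical spelling of the path
    for pattern, allowed in PROXY_ACL:
        if fnmatchcase(path, pattern):
            return bool(groups & allowed)
    return False                      # default deny

def app_allows(action: str, groups: set) -> bool:
    """Fine-grained check that has to stay in the application; unknown actions are denied."""
    return bool(groups & FUNCTION_ACL.get(action, set()))

def authorize(url: str, groups: set) -> str:
    """Run both layers in the order a request traverses them and report which one decided."""
    parts = urlsplit(url)
    if not proxy_allows(parts.path, groups):
        return "denied by proxy"
    action = parse_qs(parts.query).get("action", ["view"])[0]
    if not app_allows(action, groups):
        return "denied by application"
    return "allowed"
```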

Page 19

Moving to central Logging

- "Some people are trying our passwords, we need more logging."
- Logging is not about debugging alone
  - Who did what, when, ...
  - Make it parseable
- A central database for logging can slow you down. Local logging needs handling.
  - Consider buffering the writing of these requests
- Performance hit when signing log files to avoid tampering
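An added example (not from the slides) of the logging points on this slide: parseable records of who did what and when, buffered writes so the central sink does not slow the request path, and an HMAC chain over the records so tampering is detectable. The key and the entries are constructed.

```python
"""Added example (not from the slides): a parseable, tamper-evident audit log. One JSON
object per line, written in batches, each record HMAC-chained to the previous one."""
import hashlib, hmac, io, json, time

def _canonical(entry: dict) -> bytes:
    # Stable serialisation so the verifier recomputes exactly the bytes that were signed.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

class AuditLog:
    ANCHOR = "0" * 64   # 'prev' of the first record; nothing precedes it
    def __init__(self, key: bytes, sink, batch_size: int = 100):
        self.key, self.sink, self.batch_size = key, sink, batch_size
        self.buffer, self.prev_mac = [], self.ANCHOR

    def record(self, user: str, action: str, outcome: str, ts=None, **extra):
        """Append one who/what/when/result record; its MAC also covers the previous MAC."""
        entry = {"ts": time.time() if ts is None else ts, "user": user, "action": action,
                 "outcome": outcome, "prev": self.prev_mac, **extra}
        entry["mac"] = hmac.new(self.key, _canonical(entry), hashlib.sha256).hexdigest()
        self.prev_mac = entry["mac"]
        self.buffer.append(json.dumps(entry, sort_keys=True) + "\n")
        if len(self.buffer) >= self.batch_size:   # the slow write to the sink happens per batch
            self.flush()

    def flush(self):
        self.sink.write("".join(self.buffer))
        self.buffer.clear()

def verify(key: bytes, lines) -> tuple:
    """(True, n) if all n lines authenticate and chain, else (False, index of the first bad line)."""
    prev = AuditLog.ANCHOR
    for i, line in enumerate(lines):
        entry = json.loads(line)
        mac = entry.pop("mac", "")
        expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
        if entry.get("prev") != prev or not hmac.compare_digest(mac, expected):
            return False, i
        prev = mac
    return True, len(lines)

def demo():  # constructed scenario: three login attempts, then one record edited and one deleted
    key, sink = b"constructed-demo-key", io.StringIO()
    log = AuditLog(key, sink, batch_size=2)
    for ts, outcome in ((1.0, "failure"), (2.0, "failure"), (3.0, "success")):
        log.record("alice", "login", outcome, ts=ts, src="192.0.2.10")
    buffered = sink.getvalue().count("\n")      # 2: the third record is still in memory
    log.flush()
    lines = sink.getvalue().splitlines()
    edited = lines[:1] + [lines[1].replace('"failure"', '"success"')] + lines[2:]
    return buffered, verify(key, lines), verify(key, edited), verify(key, lines[::2])
```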

Page 20

Moving to a Mail System

- "End users complain the application sends no email anymore"
- SMTP can go down. By design.
  - Consider queuing it
- SPAM: set the correct sender
- Authenticated SMTP for sending
- Attachment extensions rejected by antivirus systems

Page 21

Using Proxies

- "All outgoing HTTP traffic now needs to go through our proxy so we can log better and see what's happening with our bandwidth."
- JVMs also have HTTP proxy settings
- Automatic proxy settings pose problems
  - JVM end user (applets)
  - Server systems
- Proxy authentication is not always supported by the app
  - Consider transparent proxies (problem with authentication)

Page 22

Moving to Hardened servers

- "We just got an audit and our servers are too open and we have to harden them."
- Not all services are needed (not default)
- Filesystem security (read/write)
- X-Server (older JVM image creation)
- JVM hardening
  - Security policies
- Database hardening (SQL, Create)

Page 23

Moving to Intrusion Detection

- "We have a process called abc123. Can you tell me if this is normal? It tries to connect to the internet all the time, but we have the proxy so it fills up the logs."
- DEV: "Here is my list of ..."
  - Host: processes, owner, checksum of the binary
  - Network: ports listening, opened, closed, binding
  - Processes: those that should always be running, and the periodic jobs

Page 24

Moving to Host-based firewalls

- "We want to avoid that if one webserver in our DMZ is broken into, the others are unprotected."
- Incoming connections
  - Reverse proxy only
- Outgoing connections
  - Limit by using an outgoing proxy, mail server, relay

Page 25

Desktop Security

- "Some users complain they can't install the new application"
- Enterprise GPOs, end user at home
- Browser settings
  - No popups, no JavaScript, plugins
  - Strict SSL checking
- Local admin permissions
  - Install Java, JNLP
- Proxy settings
  - Autoconfig settings browser vs. JVM

Page 26

Security Patches

- "We need to install some security patches and our firewall will not help"
- Server OS
- Load balancer, reverse proxy, proxy
- JVM (server, client)
- Client OS
- Browser, plugins
- Web, App, Database server

Page 27

Credential Changing

- "A new policy requires changing credentials regularly"
- Think passwords, PINs, certificates
- Also check start/stop scripts, batch jobs, backup
- Web, application server, database server, mail
- Password policy impact
- PINs for certificate stores, keys
- Impact on monitoring user, admin users
- Application framework files (Hibernate, JDBC, ...)
- How can we limit downtime for this?

Page 28

And there is more ...

- Application Firewalls
  - Filter POSTs & GETs & cookies
  - Length of parameters (GET vs. POST)
- Secure computing
  - BIOS protection, hardware integrity
  - Application server integrated with OS (WebLogic)
- NAC systems
  - Virus check + patches before entering the network
- ...

Page 29

After the awareness it is time to act!

Closing the GAP

Page 30

Solutions

- Process:
  - Interact more often (think Agile/Scrum, no Waterfall!)
  - Scope of Done = not only deployed but also in operations
  - OPS on the project team, DEV in operations
- Products:
  - Virtualisation, automated deployments, server installs
  - Different environments (Acceptance, Test, Integration ...)
  - Increase the 'refactoring' sysadmin toolkit
- People:
  - Get together, invite a friend ;-)
  - Train them in the other knowledge domain (DEV/OPS)

Page 31

Thanks!

Any questions, suggestions?