
Module 2: Planning for Web Application Security
Contents
Overview 1
Lesson: A Design Process for Building Secure Web Applications 2
Review 22


Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail,
JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and
Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.


Module 2: Planning for Web Application Security

iii

Instructor Notes
Presentation: 60 minutes
Lab: 00 minutes

This module explains the steps that are typically involved in the Web
application design process, what role security considerations play in each of
these steps, and finally, how these steps interrelate with one another. In this
module, students will focus on the threat analysis step in the design process by
identifying Web-accessible assets and the threats that are posed to those assets,
and by calculating the exposure of those assets to those threats. Finally, students
will learn about developing an implementation and maintenance plan for
securing Web applications.
In this module, students will learn how to apply the STRIDE threat model that
was covered in Module 1, “Introduction to Web Security,” in Course 2300,
Developing Secure Web Applications.
After completing this module, students will be able to describe the general
approach to designing security into a Web application and categorize and
identify the most common types of attacks, along with the potential threats that
the attacks pose to systems, services, and data within their organizations.


Required materials

To teach this module, you need the following materials:
! Microsoft® PowerPoint® file 2300A_02.ppt
! A white board or flip chart

Preparation tasks

To prepare for this module:
! Read all of the materials for this module.
! Complete the practices.
! Read about the application design process in the Microsoft Solutions Framework (MSF).
! Read Chapter 2, “A Process for Building Secure Web Applications,” in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press®), 2000.
! Read the TechNet article, “Best Practices for Enterprise Security,” which is available at />bpentsec.asp.
! Review Microsoft’s security policies, which are available at />
! Read about the STRIDE threat model in Module 1, “Introduction to Web Security,” in Course 2300, Developing Secure Web Applications, and in Chapter 2, “A Process for Building Secure Web Applications,” in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press), 2000.
! Attend Course 2632, Designing a Secure Network.
! Read the TechNet article, “Security Strategies,” which is available at />


How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: A Design Process for Building Secure Web Applications
This lesson covers only part of the design process, namely the threat analysis
process. This lesson does not cover how to determine business and information
requirements. It is assumed that students already know how to determine
business and information requirements and create a functional specification for
a Web application.
It is important to start this lesson with a discussion of why this information is
important for Web developers to know. Some Web developers are not involved
in the Web application design process within their organizations and they might
feel that knowing the complete process is irrelevant to their jobs.
Determining Threats

The business and product requirements, along with the information requirement
steps in the design process, have been intentionally minimized in this lesson.
Although it is important for students to understand the outcomes of these steps
(the architectural diagram and the design specification), it is not necessary to
discuss these steps in detail.
Define the term threat and briefly mention the three steps that are taken when
determining threats. These steps are discussed in more detail in the topics that
follow within this module.
Suggest to students that they hire a security consultant to help identify threats
and then try to hack into the system after the security services have been
developed.

Identifying the Assets to Protect

Review each category of assets, placing emphasis on the assets that are in a
Web application: software, data, and communications.

Practice: Identifying the Assets to Protect

In this practice, students will have an opportunity to identify the assets that
require protection in the Tailspin Toys lab solution. The result of this practice is
to encourage students to think of the assets in their own Web applications that
might be susceptible to attack.
Run this practice as a group brainstorming session, and write the results on a
white board or flip chart. This information will be referred to in the next
practice.

Identifying the Threats to Assets

The STRIDE model was introduced in Module 1, “Introduction to Web
Security,” in Course 2300, Developing Secure Web Applications, so it is not
necessary to review each category of threat in detail. Instead, focus on how each
threat category relates to the assets that require protection. Note that multiple
assets may be vulnerable to multiple threat categories.

Practice: Identifying the Threats to Assets

In this practice, students will compare the assets that were identified in the
previous practice against the threats in the STRIDE model.

Run this practice as a group brainstorming session. Refer to the results of the
first practice and write the results of this practice on the same white board or
flip chart.


Calculating Exposure and Prioritizing Threats

Explain to students that they can use this formula to prioritize risks. After
students have calculated the exposure for each identified security risk, they can
rank the risks and create a management strategy that is based on the exposure
value. Tell the students that selecting a probability and impact amount is very
subjective.
Note that the formula used to calculate exposure is based on content from MSF.

Practice: Calculating Exposure and Prioritizing Threats

In this practice, students will assign a probability and impact value to each
threat that was identified in the previous practice. For this practice, students will
use a numeric rating system for both the probability and impact. Let the
students know that this is a very subjective exercise.
Run this practice as a group brainstorming session. Refer to the results of the
second practice and write the results of this practice on the same white board or
flip chart.


Using the Security Policy to Evaluate Threats

Although threat prioritization is important, the security policy ultimately
determines whether the threat will be defended against, assigned, or accepted.
An important point to make is that even though a threat may have a low
exposure ranking, security policy may dictate that the threat be defended
against at all costs.

Selecting Security Technology

It is not necessary to discuss in great detail the security technologies that are
listed in the table. Explain to students that they will learn more about
countermeasures and technologies throughout the rest of the course.

Mitigating Risks Through Security Services

Security implementation from the developer standpoint is the focus of this
course. Review with students the general areas of security that will be discussed
throughout the course.

Developing a Security Maintenance and Upgrade Program


It is important that students understand that maintaining a secure Web
application is an iterative process. The security plan must be reviewed often so
that new threats and security policies are considered and then addressed
accordingly.



Overview
! A Design Process for Building Secure Web Applications
*****************************ILLEGAL FOR NON-TRAINER USE******************************
Introduction

Security considerations must be integrated into all aspects of an organization’s
Web application planning and design process. If security is not addressed
because it is perceived as being too costly or if it is applied in an unplanned
manner at the end of the development cycle, organizations and their
development teams will quickly learn how damaging their mistakes are,
because Web attackers easily exploit vulnerabilities in an organization’s Web
applications.
In this module, you will learn about the steps that are typically involved in the Web application design process, learn what role security considerations play in each of these steps, and finally, learn how these steps interrelate. You will then focus on the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, calculating the exposure of those assets, and developing an implementation and maintenance plan for securing your Web application.

Objective

After completing this module, you will be able to describe the general approach
to designing security into a Web application and categorize and identify the
most common types of attacks, along with the potential threats that those
attacks pose to systems, services, and data within your organization.



Lesson: A Design Process for Building Secure Web Applications
[Slide: design-process diagram. Boxes: Business and Product Requirements; Information Requirements; Threats; Security Policy; Security Services; Security Technology. Arrow labels, in reading order: Defines, Updates, Defines, References, Selects, Mitigates, Implements.]
Introduction

To achieve the most secure solution, security must be considered throughout the Web application design process. Security as an afterthought often results in higher development costs and a Web application that is prone to attack. Also, trying to add security to a Web application after it is completed makes security solutions even more difficult to create and implement.
In this lesson, you will look at a structured design process for building secure Web applications. Although some of the steps in the design process are not typically Web developer responsibilities, it is important for you to see how the process works, where the information used to make design decisions originates, how security design decisions are made, and how these security design decisions guide the selection of security technologies and services to be added to the Web application.
You will also learn how to analyze Web applications to identify the Web-accessible assets that are most susceptible to security threats, the types of threats that are commonly mounted against those assets, and the general approaches that are used to safeguard against those threats.



Lesson objectives

After completing this lesson, you will be able to:
! Explain the process of identifying threats and evaluating the risks that those threats pose to your organization’s Web applications.
! Identify the assets in a Web application that are vulnerable to security threats.
! Identify the categories of attacks that typically affect each asset in a Web application.
! Prioritize threats by determining the monetary cost to counter each threat and comparing that cost to the cost of the asset that the countermeasure will protect.
! Explain how the identified threats are evaluated against an organization’s overall security policy.
! Explain how security services are designed to use security technologies.
! Explain the process of developing a security maintenance and upgrade plan.

Determining Threats
[Slide: the design-process diagram, with the Threats box expanded into three steps: Identify the assets to protect; Identify the threats to assets; Calculate exposure and prioritize threats.]
Introduction

An architectural diagram and a design specification are the result of gathering
business, product, and information requirements for a Web application. After
you gather business, product, and information requirements for a Web
application, the next step in the design process is to determine the security
threats to your Web application.

What is a threat?

A threat is a possibility that poses danger to business assets. All threats are
determined in relation to a business risk. The greater the business risk—that is,
the greater the negative impact on the business if the threat is realized—the
greater the threat.

Each organization faces its own unique set of threats. For example:
! A bank wants to protect its money.
! A hospital wants to protect patient records.
! A software development company wants to protect its source code.

Adding a Web presence, such as a Web site, exposes these organizations to even more threats and risk. For example, Web pages can be compromised and changed, the database that is accessed by the Web site can be altered or destroyed, unauthorized users could gain access to the file system, and any data that is exchanged with the Web site’s users can be intercepted and exploited.
Steps to determining threats

Determining threats is a three-step process:
1. Identify what assets you are trying to protect.
2. Determine what or whom you are trying to protect the assets from.
3. Calculate the exposure of the assets and prioritize the threats against them.


Identifying the Assets to Protect
[Slide: Identify Assets: Software; Hardware; Data; Communications; People; Documentation.]
Introduction

The first step in analyzing the threats to a Web application is to identify the assets in your design specification that are vulnerable to attack. Every organization has many assets that must be protected from potential attacks. These assets include:
! Hardware. Includes CPUs, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, and routers.
! Software. Includes source programs (including COM+ objects, scripts, and assemblies), utilities, diagnostic programs, operating systems, and communication programs.
! Data. Includes data that is created during Web application execution, data that is stored online, and data that is archived offline, along with backup data, audit logs, databases, passwords, and Web application configuration data.
! Communications. Includes Web client connections, Microsoft® SQL Server™ connections, remote procedure calls (RPCs), Microsoft .NET service invocations, and data that is in transit over a communication medium.
! Documentation. Includes software documentation, hardware documentation, system documentation, and administrative documentation.
! People. Includes personnel, administrators, and hardware maintainers.



An Internet site is susceptible to specific threats to assets because the Web site is, by default, accessible to everyone on the Internet. The assets that are at risk include:
! Data in database tables.
! Web site files, including Hypertext Markup Language (HTML) files, Active Server Pages (ASP) files, ASP.NET (.aspx) files, Graphics Interchange Format (GIF) files, and Joint Photographic Experts Group (JPEG) files.
! Network files, including all files on the Web server or files that are on any network share that is connected to the Web server.
! Both COM and COM+ components that are registered on the Web server.
! Confidential data that is transmitted to or from users, such as the user name, password, credit card numbers, personal information, and order information.


Practice: Identifying the Assets to Protect
[Slide: Students will: Given a scenario, list the assets that need to be protected. Time: 5 minutes.]
Introduction

In this practice, you will identify the assets of an organization’s Web application that are vulnerable to an attack. You will read about Tailspin Toys and the design specification for its Web application. You will then identify the assets that are security risks for that Web application.

Scenario

Tailspin Toys is a small toy manufacturing company that sells toys only to
resellers. However, the company wants the public to know about its products.
Tailspin Toys needs a Web application where users can get a list of the products
that are created by Tailspin Toys, where resellers can see the status of their
orders, and where employees of Tailspin Toys can update the status of reseller
orders.
Tailspin Toys has a design specification for the Web application. In this
practice, you will conduct a threat analysis of the design specification for the
Web application.



Web application design specification

Tailspin Toys has designed a simplified Web application that has the following features:
! An Internet site with an introductory home page, and a Web page that lists all of the toys that are manufactured by Tailspin Toys.
! An extranet site that is accessible only to resellers. This site has a logon page, a page to change the reseller’s password, an introductory page, and a page where resellers can check the status of their orders.
! An intranet site that is used by Tailspin Toys employees to create new reseller accounts and to update the status of reseller orders.
! A database that contains the following:
  • A product catalog that contains product information, such as the description and price of products, and the corresponding stored procedures to access the product information
  • User profiles that contain reseller information, such as shipping address, user name, and password, and the corresponding stored procedures to access the user profile
  • Order information that contains a list of products, discounts, and purchase prices for products that are ordered by each reseller, and the corresponding stored procedures to access the order information
! SQL Server and Internet Information Services (IIS) are installed on separate computers.
! SQL Server is behind a firewall.

! Identify the assets
• List the assets that could be threatened by an attack.
Product information in the database; user information in the database; order information in the database; communication of private information between user and server (such as user name and password, or order status); all Web pages in the Web application; the Web server; SQL Server; any other network connections to the Web server or SQL Server.


Identifying the Threats to Assets
[Slide: Identify Threats (STRIDE): S Spoofing identity; T Tampering with data (integrity); R Repudiability; I Information disclosure; D Denial of service; E Elevation of privilege.]
Introduction

After you identify the Web-accessible assets, you can identify the threats against those assets by using the STRIDE model. As you learned in Module 1, “Introduction to Web Security,” of Course 2300, Developing Secure Web Applications, the STRIDE model categorizes and describes the threats to Web-accessible assets.
The following table lists the categories of attacks, a description of each attack, and an example of each attack.
Attack: Spoofing identity
  Description: Attacker impersonates a valid system user or resource to gain access to the system.
  Example: Attacker spoofs a server identity to gain access to passwords and other system data.

Attack: Tampering with data (integrity)
  Description: Attacker maliciously modifies system or user data with or without detection.
  Example: Attacker modifies Web application configuration information and other data by using SQL injection attacks.

Attack: Repudiability
  Description: Users, malicious or otherwise, who can deny performing an action without administrators having any way to prove otherwise.
  Example: A user performs an illegal operation in a system that lacks the ability to trace such operations.

Attack: Information disclosure
  Description: Compromised private or business-critical information through the exposure of that information to individuals who are not supposed to have access to it.
  Example: Attacker gains access to encryption keys, business plans, credit card information, or payroll data.

Attack: Denial of service (DoS)
  Description: Denying service to valid users.
  Example: Attacker invokes a denial of service attack that results in system failure, lost business, damage to business reputation, and employee idle time.

Attack: Elevation of privilege
  Description: Unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system (user can be undetected and can become part of the trusted system).
  Example: A buffer overrun attack causes injected code to run at an elevated privilege level, giving the malicious code access to unauthorized pieces of the system.


Practice: Identifying the Threats to Assets
[Slide: Students will: Given a list of assets, list the threat to each asset. Time: 5 minutes.]
Introduction

In this practice, you will review the list of Web application assets that was
created in the previous practice, and identify what STRIDE threats these assets
are vulnerable to.

! Identify threats to assets
Fill in the following table with the assets that were identified in the previous practice, and then add the corresponding STRIDE threat categories that the assets are vulnerable to.

Asset                              STRIDE threat category
Product information                Tampering with data; Information disclosure; Elevation of privileges
User information                   Information disclosure; Elevation of privileges
Order information                  Tampering with data; Information disclosure
Communication of private data      Tampering with data; Information disclosure
All of the Web pages on the site   Tampering with data; Denial of service
Web server                         Denial of service; Elevation of privileges
SQL Server                         Denial of service; Tampering with data; Information disclosure
Network connections                Information disclosure; Elevation of privileges


Calculating Exposure and Prioritizing Threats
[Slide: Probability (likelihood that the threat will occur) x Impact (potential loss) = Exposure (expected loss).
! Use a numeric scale for ease of calculation
  # High = 3, medium = 2, and low = 1
  # High = 75 percent, medium = 50 percent, and low = 25 percent
! Rank risks to an organization based on exposure value]
Introduction


After you identify all of the threats to your Web application, you must prioritize them. The exposure formula described here ranks the threats by expected loss; that ranking, weighed against how much it will cost to counter each threat compared with the value of the asset that the countermeasure will protect, determines which threats are addressed first.

Determining the exposure to a threat

You can determine the exposure of the organization to a threat by multiplying the probability that the threat will occur by the potential loss to the organization. Use the following formula: Exposure = Probability x Impact, where:
! Exposure is the expected loss from the threat. To determine the exposure, multiply probability by impact.
! Probability is the likelihood that the security threat will occur. To assign a value to represent likelihood:
  • Use a numeric scale for ease of calculation.
  • Choose the granularity that works best for your project, but use the same scale across the project.
  • Represent a subjective scale numerically. For example, high = 3, medium = 2, and low = 1, or high = 75 percent, medium = 50 percent, and low = 25 percent.

! Impact is the potential loss. The impact is closely related to the value of the resource that is threatened and the cost of restoring or rebuilding that resource. For intellectual property, the value can be lost revenue or business opportunity.
  When considering cost, do not limit your estimate to actual dollars. The possible loss of credibility with the public if the asset is successfully attacked can also be a very difficult loss to recover from.
  If the cost of the potential loss is difficult to assign a value to, you can use a scale to describe the impact, similar to the scale that was described for use in assigning probability.

After you calculate the exposure of all of the risks that you identified, you can rank the risks based on the exposure value. Ranking the risks can help you to prioritize the threats.



Practice: Calculating Exposure and Prioritizing Threats
[Slide: Students will: Given a list of assets and the threats that they are vulnerable to, calculate the exposure for each threat. Time: 5 minutes.]
Introduction

In this practice, you will review the list of threats to the Web-accessible assets of the Tailspin Toys Web application and calculate the exposure for each threat. In your calculations:
! Use a numeric ranking system for the probability: 3 = high, 2 = medium, 1 = low.
! Use a scale of 1 to 10 for the impact, where 10 is the maximum loss to the organization.

! Calculate exposure and prioritize threats
Fill in the following table with the assets and threats that were identified in the previous practice, and then assign a probability and an impact value to each threat.
Asset                              Threat                    Probability   Impact
Product information                Tampering with data
                                   Information disclosure
                                   Elevation of privileges
User information                   Information disclosure
                                   Elevation of privileges
Order information                  Tampering with data
                                   Information disclosure
Communication of private data      Tampering with data       1             8
                                   Information disclosure    3             8
All of the pages on the Web site   Tampering with data       1             2
                                   Denial of service         3             5
Web server                         Denial of service         3             5
                                   Elevation of privileges   1             8
SQL Server                         Denial of service         2             5
                                   Tampering with data       1             8
                                   Information disclosure    2             8
Network connections                Information disclosure    1             8
                                   Elevation of privileges   1             9
[The probability and impact values for the Product information, User information, and Order information rows could not be recovered from the page.]


Using the Security Policy to Evaluate Threats
[Slide: Threats references Security Policy.
! The security policy defines an organization’s requirements for secure computer and network usage
! Determine how to respond to prioritized threats by comparing them to the security policy
  # Accept the threat
  # Assign the threat
  # Defend against the threat]
Introduction

After you prioritize the threats to the assets, the next step in the Web
application design process is to reference the organization’s overall security
policy to help refine the list of prioritized threats, determine which threats to
address, and determine what to do in response to each individual threat.

What is a security
policy?

The security policy defines an organization’s requirements for secure computer and network usage, and it protects the availability, integrity, and confidentiality of information. The security policy includes procedures to detect, prevent, and respond to security incidents, and it provides a framework for implementing security plans and procedures for Web applications.
The security policy also defines the organization’s security goals by answering the following questions:
! What are the organization’s security concerns? For example, is the organization concerned about the availability, integrity, and confidentiality of data, vandalized Web sites, or computer viruses?
! How does the organization value data?
! What resources does the organization value most, and how does the organization secure those resources?

The environment under which most organizations operate changes often.
Accordingly, it is important to not only have a security policy document, but to
also make sure that the document is frequently updated to reflect an
organization’s current conditions.
Some of the benefits of having a security policy are:
! It determines what is permitted and not permitted in the system. Having a clear understanding of what is permitted in the system helps in identifying whether any violation has occurred.
! It serves as a requirements document against which technical solutions can be developed and evaluated.



Some examples of security policy goals include:

! All interactions with customers over the Internet, involving money or customer information, will be protected.
! Customer information will be kept confidential for the sole use of the customer and the organization. Customers will not be allowed access to each other’s personal information.
! Databases cannot be accessed directly through the Internet. All data update interactions with Web applications will be performed through a secure middle tier.
! All communication with databases will be private.
Note To see an example of Microsoft’s security policies, go to Microsoft’s Web site.

Evaluating threats against security policy

As a Web developer in your organization, you may not necessarily be the
person responsible for developing the security policy. However, as you develop
a Web application, you will refer to the security policy as you evaluate threats
to determine which threats are tolerable and which are not.
The priority that you assign to a threat from a risk standpoint may be much higher or lower than the priority that the security policy assigns to it. Despite a threat’s low risk rating, the security policy might dictate that the threat must be addressed regardless of cost. For example, a medical institution will probably determine that the threat of an attacker maliciously changing patient medical data (a data-tampering threat, and possibly an information disclosure threat) must be remedied, whatever its risk rating or the cost of the countermeasure.
Taking into account your threat prioritization list and the organization’s security policy, you can choose to do one of the following for each threat:

! Accept the threat. You can accept the threat if the cost of protecting the asset is too high or if the risk to the asset is too low. Record the decision and the reasoning so that it can be revisited when conditions change.
! Assign the threat. You can assign (transfer) the threat to another organization, such as an insurance company. The threat itself still exists; only its financial consequence is moved.
! Defend against the threat. You can defend against the threat by implementing countermeasures, such as educating and informing users of the threat in the documentation, and by using relevant security technology.


Selecting Security Technology

[Slide: the threats, evaluated against the security policy, feed the step “Assign countermeasures to the threats you are defending against”, which in turn selects security technology in the step “Assign specific technologies to countermeasures”. The example row on the slide reads: Threat: Information disclosure; Countermeasure: Encrypt personal information; Technology: Use SSL.]

Introduction

After you decide to accept, assign, or defend against each potential threat, you are ready to evaluate the technologies that you will use to counter the threats that you have chosen to defend against. Sometimes a technology has a security weakness of its own that introduces new threats, so both the selection and the correct usage of a technology are very important.
There are often multiple technologies available to address a specific threat. To help you choose between them, you first assign the general countermeasures that will be taken to address the threats, and then you assign the specific technologies to the general countermeasures.



The following table shows examples of how threats are assigned to general countermeasures and how countermeasures are then assigned to specific technologies.

Threat: Spoofing identity
Countermeasure: Require authentication.
Technology: Set Access Control Lists (ACLs) on files.

Threat: Tampering with data (integrity)
Countermeasure: Perform input validation on all user entries.
Technology: Use script to perform client-side and server-side input validation.

Threat: Repudiation
Countermeasure: Digital signatures and time stamping.
Technology: Use CryptoAPI version 2.0 functions, such as CryptHashData and CryptSignHash.

Threat: Information disclosure
Countermeasure: Perform correct file canonicalization checks.
Technology: Use Microsoft Windows® 2000 security features to open files.
Countermeasure: Encrypt personal information.
Technology: Use Secure Sockets Layer (SSL).

Threat: Denial of service
Countermeasure: Bandwidth throttling.
Technology: Use IIS bandwidth throttling.

Threat: Elevation of privilege
Countermeasure: Run the process in a low-privileged account.
Technology: Run the Web application under a non-administrator account and a non-LocalSystem account.

Three points to keep in mind when reading this table. Client-side script validation improves usability but is bypassed by anyone who crafts the request by hand, so the server-side validation is the security control and the client-side check is only a convenience. File ACLs enforce an authorization decision after the caller has been authenticated, so they complement authentication rather than provide it. SSL protects personal information only while it is in transit; the same data stored in the database or written to log files needs its own protection.


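To make the information-disclosure row concrete, here is an added example (not code from the module or from Microsoft) of the “perform correct file canonicalization checks” countermeasure, written in Python. The function names, the constructed throw-away web root with its single index.html, and the list of Windows reserved device names that is checked are all assumptions of this example; the module names the countermeasure but shows no code for it.

```python
"""Canonicalization check before opening a file named by a web client.

Added example; not code from the training module.  The web root and the
index.html inside it are constructed here so the example runs offline.
"""
import os
import tempfile
import urllib.parse
from typing import Optional

# Device names that Windows file systems treat specially whatever the
# extension or directory ("NUL.txt" opens the NUL device, not a file).
WINDOWS_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})


def canonical_path(web_root: str, requested: str) -> Optional[str]:
    """Return the canonical absolute path of `requested` if it lies inside
    `web_root`, otherwise None.  `requested` is the raw, still URL-encoded
    path component taken from the request line."""
    # Decode exactly once.  If a '%' survives, the client double-encoded
    # something (e.g. %252e%252e for "..") hoping that a later decode runs
    # after the check; treat that as hostile instead of decoding again.
    decoded = urllib.parse.unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None
    # Only forward slashes relative to the root are meaningful in a URL
    # path.  Backslashes are separators on Windows, and a colon introduces
    # a drive letter or an NTFS alternate data stream ("page.html:hidden").
    if "\\" in decoded or ":" in decoded or decoded.startswith("/"):
        return None
    for segment in decoded.split("/"):
        # Any ".." is refused, even one that would stay inside the root;
        # a web path never needs it, and refusing it keeps the rule simple.
        if segment == "..":
            return None
        if segment in ("", "."):
            continue
        # Windows silently strips trailing dots and spaces, so "secret.txt."
        # opens "secret.txt" while a string comparison sees a different name.
        if segment != segment.rstrip(". "):
            return None
        if segment.split(".")[0].upper() in WINDOWS_RESERVED:
            return None
    # Final and decisive check: resolve symlinks and "." components on the
    # real file system and confirm the result is still under the root.
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(web_root: str, requested: str) -> Optional[bytes]:
    """Return the file's bytes, or None when the request is refused or the
    file does not exist.  Both cases get the same answer so that a probing
    client cannot tell "blocked" from "absent"."""
    path = canonical_path(web_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def build_demo_root() -> str:
    """Create a constructed, throw-away web root with one page in it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<html>ok</html>")
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for req in ("index.html", "%69ndex.html", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
                "..\\..\\boot.ini", "index.html.", "nul.html"):
        print(f"{req!r:32} -> {canonical_path(demo_root, req)}")
```

The last check, resolving the joined path and comparing it with the resolved root, is the one that actually decides; the string checks before it reject double encoding, Windows name tricks and alternate data streams before anything touches the file system. Returning None for both refused and missing files keeps an attacker from learning which paths exist.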
