Tuesday 28 December 2010

Threats - Some Thoughts

During the analysis phase of the application development life cycle, it is worth looking at the security threats that your application may face. OWASP defines the following general threats for online web applications:

Threat Name             Description
Accidental Discovery    An ordinary user stumbles across a functional mistake in your application, just using a web browser, and gains access to privileged information or functionality.
Automated Malware       Programs or scripts which search for known vulnerabilities and then report them back to a central collection site.
The Curious Attacker    A security researcher or ordinary user who notices something wrong with the application and decides to pursue it further.
Script Kiddies          Common renegades seeking to compromise or deface applications for collateral gain, notoriety, or a political agenda.
The Motivated Attacker  Potentially a disgruntled staff member with inside knowledge, or a paid professional attacker.
Organized Crime         Criminals seeking high-stake payouts, such as cracking e-commerce or corporate banking applications, for financial gain.

Other general threat types are:
  • Denial of Service Attacks
  • Environmental/Infrastructure Threats

The threats that you should be concerned about normally reflect the classification of the data that your application processes. For example, if you are developing an online bank, you will need to have particular measures in place to tackle the last two OWASP threat types, Motivated Attacker and Organized Crime. However, if your application is processing publicly available information such as product data, then it is unlikely that Organized Crime will be interested; you will mainly be concerned about the first four threat types.

The threats that you are worried about will also influence the level of assurance that you want to have in your development. For the first four threat types, you might decide that assurance to OWASP ASVS level 1 is sufficient. For the other threat types, higher levels of ASVS assurance may be required.

Many breaches result from the loss of unprotected portable devices (USB memory sticks, laptops etc.). If your application contains functionality which depends on the use of these types of devices, then this could well be your biggest source of accidental threat. That is why it is well worthwhile drawing some Data Flow Diagrams to find out where the data is going within the application - and outside it.

Normal good secure development lifecycle practices should protect you against the first four OWASP threat types. For example, proper implementation of SQL injection mitigation controls (stored procedures, parameterised queries etc.) will prevent mass SQL injection type attacks from being successful.
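The mitigation control mentioned above, shown as an added example that is not part of the original post: the same lookup written first with string concatenation and then with a bound parameter. The post names stored procedures; bound parameters give the same separation of SQL code from user data, and are used here because the example runs against Python's built-in sqlite3 module, which has no stored procedures. The product table is constructed for the example and the "unreleased-prototype" row stands in for the privileged information a functional mistake might expose.

```python
import sqlite3


def build_db():
    # Constructed sample data: the public product data the post describes,
    # plus one non-public row that a correct query must never return.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, is_public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (id, name, is_public) VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "unreleased-prototype", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The "before" form: user input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = (
        "SELECT name FROM products WHERE is_public = 1 AND name = '"
        + name
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    # The hardened form: the statement text is fixed and the driver binds the
    # value separately, so the input can only ever be compared as data.
    sql = "SELECT name FROM products WHERE is_public = 1 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    for candidate in ("widget", "x' OR '1'='1"):
        print(repr(candidate))
        print("  concatenated :", lookup_vulnerable(db, candidate))
        print("  parameterised:", lookup_parameterised(db, candidate))
```

The second input is the classic tautology test that a code reviewer or scanner feeds to any query built by concatenation: the concatenated version returns every row, including the non-public one, while the parameterised version returns nothing because no product is literally named that. Stored procedures that take typed parameters behave like the second function; stored procedures that build dynamic SQL from their arguments behave like the first.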

Motivated Attacker - Insider Threat

It is difficult to protect against an "insider attack". It is not easy to stop your DBA walking away with the entire corporate database. Bruce Schneier outlines five basic techniques to help mitigate the insider attack:

  • Limit the number of trusted people.
  • Ensure that trusted people are also trustworthy - background checks.
  • Limit the amount of trust each person has - compartmentalization.
  • Give people overlapping spheres of trust - separation of duties.
  • Detect breaches of trust after the fact and prosecute the guilty - audit trails.
To combat the motivated attacker you will need to think about the higher levels of ASVS assurance.

Organized Crime

If you are worried about Organized Crime, then you probably already work for an organization (e.g. a bank) which has appropriate measures in place. Use these.

Denial Of Service Attacks (DOS)

DOS attacks against organisations are becoming more popular, especially against political type bodies. You will know whether you are likely to be a target for such attacks. Brian Honan has some general advice on his blog about what to do. An important point is to have a relationship with your ISP.

Environmental/Infrastructure Threats

Other threats which could cause a problem are hardware/infrastructure type issues which impact on availability. If a hard disk crashes, or there is a flood or a power outage, what measures are in place to get the application online again? Depending on the organization that you work for, you may already have procedures in place to handle these types of situations. Having a good backup/restore plan (which has been tested) is usually a good starting point.

Summary

When starting out on your development, think about the threats which you may face. Good secure development practices should prevent the most common types of application security threats.
