Module 2: Planning for Web Application Security

Chia sẻ: Mai Phuong | Ngày: | Loại File: PDF | Số trang:30

Thêm vào BST

Báo xấu

154
lượt xem 34
download

Module 2: Planning for Web Application Security

Mô tả tài liệu

Download Vui lòng tải xuống để xem tài liệu đầy đủ

This module explains the steps that are typically involved in the Web application design process, what role security considerations play in each of these steps, and finally, how these steps interrelate with one another. In this module, students will focus on the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, and by calculating the exposure of those assets to those threats. Finally, students will learn about developing an implementation and maintenance plan for securing Web applications....

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Module 2: Planning for Web Application Security

Module 2: Planning for Web Application Security Contents Overview 1 Lesson: A Design Process for Building Secure Web Applications 2 Review 22
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property..  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Module 2: Planning for Web Application Security iii Instructor Notes Presentation: This module explains the steps that are typically involved in the Web 60 minutes application design process, what role security considerations play in each of these steps, and finally, how these steps interrelate with one another. In this Lab: module, students will focus on the threat analysis step in the design process by 00 minutes identifying Web-accessible assets and the threats that are posed to those assets, and by calculating the exposure of those assets to those threats. Finally, students will learn about developing an implementation and maintenance plan for securing Web applications. In this module, students will learn how to apply the STRIDE threat model that was covered in Module 1, “Introduction to Web Security,” in Course 2300, Developing Secure Web Applications. After completing this module, students will be able to describe the general approach to designing security into a Web application and categorize and identify the most common types of attacks, along with the potential threats that the attacks pose to systems, services, and data within their organizations. Required materials To teach this module, you need the following materials: ! Microsoft® PowerPoint® file 2300A_02.ppt ! A white board or flip chart Preparation tasks To prepare for this module: ! Read all of the materials for this module. ! Complete the practices. ! Read about the application design process in the Microsoft Solutions Framework (MSF). ! Read Chapter 2, “A Process for Building Secure Web Applications,” in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press®), 2000. ! Read the TechNet article, “Best Practices for Enterprise Security,” which is available at http://www.microsoft.com/technet/security/bestprac/ bpentsec.asp. ! Review Microsoft’s security policies, which are available at http://www.microsoft.com/technet/security/policy/policies.asp. ! Read about the STRIDE threat model in Module 1, “Introduction to Web Security,” in Course 2300, Developing Secure Web Applications, and in Chapter 2, “A Process for Building Secure Web Applications,” in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press), 2000. ! Attend Course 2632, Designing a Secure Network. ! Read the TechNet article, “Security Strategies,” which is available at http://www.microsoft.com/technet/security/bestprac/secstrat.asp.
iv Module 2: Planning for Web Application Security How to Teach This Module This section contains information that will help you to teach this module. Lesson: A Design Process for Building Secure Web Applications This lesson covers only part of the design process, namely the threat analysis process. This lesson does not cover how to determine business and information requirements. It is assumed that students already know how to determine business and information requirements and create a functional specification for a Web application. It is important to start this lesson with a discussion of why this information is important for Web developers to know. Some Web developers are not involved in the Web application design process within their organizations and they might feel that knowing the complete process is irrelevant to their jobs. Determining Threats The business and product requirements, along with the information requirement steps in the design process, have been intentionally minimized in this lesson. Although it is important for students to understand the outcomes of these steps (the architectural diagram and the design specification), it is not necessary to discuss these steps in detail. Define the term threat and briefly mention the three steps that are taken when determining threats. These steps are discussed in more detail in the topics that follow within this module. Suggest to students that they hire a security consultant to help identify threats and then try to hack into the system after the security services have been developed. Identifying the Assets to Review each category of assets, placing emphasis on the assets that are in a Protect Web application: software, data, and communications. Practice: Identifying the In this practice, students will have an opportunity to identify the assets that Assets to Protect require protection in the Tailspin Toys lab solution. The result of this practice is to encourage students to think of the assets in their own Web applications that might be susceptible to attack. Run this practice as a group brainstorming session, and write the results on a white board or flip chart. This information will be referred to in the next practice. Identifying the Threats The STRIDE model was introduced in Module 1, “Introduction to Web to Assets Security,” in Course 2300, Developing Secure Web Applications, so it is not necessary to review each category of threat in detail. Instead, focus on how each threat category relates to the assets that require protection. Note that multiple assets may be vulnerable to multiple threat categories. Practice: Identifying the In this practice, students will compare the assets that were identified in the Threats to Assets previous practice against the threats in the STRIDE model. Run this practice as a group brainstorming session. Refer to the results of the first practice and write the results of this practice on the same white board or flip chart.
Module 2: Planning for Web Application Security v Calculating Exposure Explain to students that they can use this formula to prioritize risks. After and Prioritizing Threats students have calculated the exposure for each identified security risk, they can rank the risks and create a management strategy that is based on the exposure value. Tell the students that selecting a probability and impact amount is very subjective. Note that the formula used to calculate exposure is based on content from MSF. Practice: Calculating In this practice, students will assign a probability and impact value to each Exposure and threat that was identified in the previous practice. For this practice, students will Prioritizing Threats use a numeric rating system for both the probability and impact. Let the students know that this is a very subjective exercise. Run this practice as a group brainstorming session. Refer to the results of the second practice and write the results of this practice on the same white board or flip chart. Using the Security Although threat prioritization is important, the security policy ultimately Policy to Evaluate determines whether the threat will be defended against, assigned, or accepted. Threats An important point to make is that even though a threat may have a low exposure ranking, security policy may dictate that the threat be defended against at all costs. Selecting Security It is not necessary to discuss in great detail the security technologies that are Technology listed in the table. Explain to students that they will learn more about countermeasures and technologies throughout the rest of the course. Mitigating Risks Security implementation from the developer standpoint is the focus of this Through Security course. Review with students the general areas of security that will be discussed Services throughout the course. Developing a Security It is important that students understand that maintaining a secure Web Maintenance and application is an iterative process. The security plan must be reviewed often so Upgrade Program that new threats and security policies are considered and then addressed accordingly.
Module 2: Planning for Web Application Security 1 Overview ! A Design Process for Building Secure Web Applications *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Security considerations must be integrated into all aspects of an organization’s Web application planning and design process. If security is not addressed because it is perceived as being too costly or if it is applied in an unplanned manner at the end of the development cycle, organizations and their development teams will quickly learn how damaging their mistakes are, because Web attackers easily exploit vulnerabilities in an organization’s Web applications. In this module, you will learn about the steps that are typically involved in the Web application design process, learn what role security considerations play in each of these steps, and finally, learn how these steps interrelate. You will then focus on the threat analysis step in the design process by identifying Web- accessible assets and the threats that are posed to those assets, calculating the exposure of those assets, and developing an implementation and maintenance plan for securing your Web application. Objective After completing this module, you will be able to describe the general approach to designing security into a Web application and categorize and identify the most common types of attacks, along with the potential threats that those attacks pose to systems, services, and data within your organization.
2 Module 2: Planning for Web Application Security Lesson: A Design Process for Building Secure Web Applications Business and Product Business and Product Requirements Requirements Defines Updates Information Information Requirements Requirements Defines References Threats Threats Security Policy Security Policy Mitigates Selects Security Services Security Services Security Technology Security Technology Implements *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction To achieve the most secure solution, security must be considered throughout the Web application design process. Security as an afterthought often results in more costly development costs and a Web application that is prone to being attacked. Also, trying to add security to a Web application after it is completed makes security solutions even more difficult to create and implement. In this lesson, you will look at a structured design process for building secure Web applications. Although some of the steps in the design process are not typically Web developer responsibilities, it is important for you to see how the process works, where the information used to make design decisions originates from, how security design decisions are made, and how these security design decisions guide the selection of security technologies and services to be added to the Web application. You will also learn how to analyze Web applications to identify the Web- accessible assets that are most susceptible to security threats, the types of threats that are commonly imposed against those assets, and the general approaches that are used to safeguard against those threats.
Module 2: Planning for Web Application Security 3 Lesson objectives After completing this lesson, you will be able to: ! Explain the process of identifying threats and evaluating the risks that those threats pose to your organization’s Web applications. ! Identify the assets in a Web application that are vulnerable to security threats. ! Identify the categories of attacks that typically affect each asset in a Web application. ! Prioritize threats by determining the monetary cost to counter each threat and comparing that cost to the cost of the asset that the countermeasure will protect. ! Explain how the identified threats are evaluated against an organization’s overall security policy. ! Explain how security services are designed to use security technologies. ! Explain the process of developing a security maintenance and upgrade plan.
4 Module 2: Planning for Web Application Security Determining Threats Business and Product Business and Product Requirements Requirements " " Identify the assets to protect Identify the assets to protect Defines " " Identify the threats to assets Identify the threats to assets " " Calculate exposure and Calculate exposure and Updates Information Information prioritize threats prioritize threats Requirements Requirements Defines References Threats Threats Security Policy Security Policy Mitigates Selects Security Services Security Services Security Technology Security Technology Implements *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction An architectural diagram and a design specification are the result of gathering business, product, and information requirements for a Web application. After you gather business, product, and information requirements for a Web application, the next step in the design process is to determine the security threats to your Web application. What is a threat? A threat is a possibility that poses danger to business assets. All threats are determined in relation to a business risk. The greater the business risk—that is, the greater the negative impact on the business if the threat is realized—the greater the threat. Each organization faces its own unique set of threats. For example: ! A bank wants to protect its money. ! A hospital wants to protect patient records. ! A software development company wants to protect its source code. Adding a Web presence, such as a Web site, exposes these organizations to even more threats and risk. For example, Web pages can be compromised and changed, the database that is accessed by the Web site can be altered or destroyed, unauthorized users could gain access to the file system, and any data that is exchanged with the Web site’s users can be intercepted and exploited. Steps to determining Determining threats is a three-step process: threats 1. Identify what assets you are trying to protect. 2. Determine what or whom you are trying to protect the assets from. 3. Calculate the exposure of the assets and prioritize the threats against them.
Module 2: Planning for Web Application Security 5 Identifying the Assets to Protect Identify Assets Identify Assets Software Software Data Data Hardware Hardware Communications Communications People People Documentation Documentation *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction The first step in analyzing the threats to a Web application is to identify the assets in your design specification that are vulnerable to attack. Every organization has many assets that must be protected from potential attacks. These assets include: ! Hardware. Includes CPUs, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, and routers. ! Software. Includes source programs (including COM+ objects, scripts, and assemblies), utilities, diagnostic programs, operating systems, and communication programs. ! Data. Includes data that is created during Web application execution, data that is stored online, and data that is archived offline, along with backup data, audit logs, databases, passwords, and Web application configuration data. ! Communications. Includes Web client connections, Microsoft® SQL Server™ connections, remote procedure calls (RPCs), Microsoft .NET service invocations, and data that is in transit over a communication medium. ! Documentation. Includes software documentation, hardware documentation, system documentation, and administrative documentation. ! People. Includes personnel, administrators, and hardware maintainers.
6 Module 2: Planning for Web Application Security An Internet site is susceptible to specific threats to assets because the Web site is, by default, accessible to everyone on the Internet. The assets that are at risk include: ! Data in database tables. ! Web site files, including Hypertext Markup Language (HTML) files, Active Server Pages (ASP) files, .aspx, Graphics Interchange Format (GIF) files, and Joint Photographic Experts Group (JPEG) files. ! Network files, including all files on the Web server or files that are on any network share that is connected to the Web server. ! Both COM and COM+ components that are registered on the Web server. ! Confidential data that is transmitted to or from users, such as the user name, password, credit card numbers, personal information, and order information.
Module 2: Planning for Web Application Security 7 Practice: Identifying the Assets to Protect ! Students will: # Given a scenario, list the assets that need to be protected ! Time: # 5 minutes *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction In this practice, you will identify the assets of an organization’s Web application that are vulnerable to an attack. You will read about Tailspin Toys and the design specification for its Web application. You will then identify the assets that are security risks for that Web application. Scenario Tailspin Toys is a small toy manufacturing company that sells toys only to resellers. However, the company wants the public to know about its products. Tailspin Toys needs a Web application where users can get a list of the products that are created by Tailspin Toys, where resellers can see the status of their orders, and where employees of Tailspin Toys can update the status of reseller orders. Tailspin Toys has a design specification for the Web application. In this practice, you will conduct a threat analysis of the design specification for the Web application.
8 Module 2: Planning for Web Application Security Web application design Tailspin Toys has designed a simplified Web application that has the following specification features: ! An Internet site with an introductory home page, and a Web page that lists all of the toys that are manufactured by Tailspin Toys. ! An extranet site that is accessible only to resellers. This site has a logon page, a page to change the reseller’s password, an introductory page, and a page where resellers can check the status of their orders. ! An intranet site that is used by Tailspin Toys employees to create new reseller accounts and to update the status of reseller orders. ! A database that contains the following: • A product catalog that contains product information, such as the description and price of products, and the corresponding stored procedures to access the product information • User profiles that contain reseller information, such as shipping address, user name, and password, and the corresponding stored procedures to access the user profile • Order information that contains a list of products, discounts, and purchase prices for products that are ordered by each reseller, and the corresponding stored procedures to access the order information ! SQL Server and Internet Information Services (IIS) is installed on separate computers. ! SQL Server is behind a firewall. ! Identify the assets • List the assets that could be threatened by an attack. Product information in the database; user information in the database; order information in the database; communication of private information between user and server (such as user name and password, or order status); all Web pages in the Web application; the Web server; SQL Server; any other network connections to the Web server or SQL Server. ____________________________________________________________ ____________________________________________________________ ____________________________________________________________ ____________________________________________________________
Module 2: Planning for Web Application Security 9 Identifying the Threats to Assets Identify Identify Threats Threats S Spoofing identity S T Tampering with data (integrity) T R Repudiability R II Information disclosure D Denial of service D E Elevation of privilege E *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction After you identify the Web-accessible assets, you can identify the threats against those assets by using the STRIDE model. As you learned in Module 1, “Introduction to Web Security,” of Course 2300, Developing Secure Web Applications, the STRIDE model categorizes and describes the threats to Web- accessible assets. The following table lists the categories of attacks, a description of each attack, and an example of each attack. Attack Description Example Spoofing identity Attacker impersonates a valid Attacker spoofs a server system user or resource to gain identity to gain access to access to the system. passwords and other system data. Tampering with Attacker maliciously modifies Attacker modifies Web data (integrity) system or user data with or application configuration without detection. information and other data by using SQL injection attacks. Repudiability Users—malicious or A user performs an illegal otherwise—who can deny operation in a system that lacks performing an action without the ability to trace such administrators having any way operations. to prove otherwise.
10 Module 2: Planning for Web Application Security (continued) Attack Description Example Information Compromised private or Attacker gains access to disclosure business-critical information encryption keys, business through the exposure of that plans, credit card information, information to individuals who or payroll data. are not supposed to have access to it. Denial of service Denying service to valid users. Attacker invokes a denial of (DoS) service attack that results in system failure, lost business, damage to business reputation, and employee idle time. Elevation of Unprivileged user gains A buffer overrun attack causes privilege privileged access and thereby injected code to run at an has sufficient access to elevated privilege level, giving compromise or destroy the the malicious code access to entire system (user can be unauthorized pieces of the undetected and can become system. part of the trusted system).
Module 2: Planning for Web Application Security 11 Practice: Identifying the Threats to Assets ! Students will: # Given a list of assets, list the threat to each asset ! Time: # 5 minutes *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction In this practice, you will review the list of Web application assets that was created in the previous practice, and identify what STRIDE threats these assets are vulnerable to. ! Identify threats to assets Fill in the following table with the assets that were identified in the previous practice, and then add the corresponding STRIDE threat categories that the assets are vulnerable to. Asset STRIDE threat category Product information Tampering with data Information disclosure Elevation of privileges User information Information disclosure Elevation of privileges Order information Tampering with data Information disclosure Communication of private data Tampering with data Information disclosure All of the Web pages on the site Tampering with data Denial of service Web server Denial of service Elevation of privileges SQL Server Denial of service Tampering with data Information disclosure Network connections Information disclosure Elevation of privileges
12 Module 2: Planning for Web Application Security Calculating Exposure and Prioritizing Threats Calculating Calculating Exposure Exposure and Prioritizing and Prioritizing Likelihood that that Potential loss Potential loss Probability of Probability of threat will threat will loss loss occur occur Probability x Impact = Exposure ! Use a numeric scale for ease of calculation # High = 3, medium = 2, and low = 1 # High = 75 percent, medium = 50 percent, and low = 25 percent ! Rank risks to an organization based on exposure value *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction After you identify all of the threats to your Web application, you must prioritize those threats by determining how much it will cost to counter each threat and comparing that cost to the cost of the asset that the countermeasure will protect. Determining the impact You can determine the impact of a threat to an organization by multiplying the of a threat probability that a threat will occur by the potential loss to the organization. Use the following formula: Exposure = Probability x Impact, where: ! Exposure is the probability of loss. To determine the exposure, multiply probability by impact. ! Probability is the likelihood that the security threat will occur. To assign a value to represent likelihood: • Use a numeric scale for ease of calculation. • Choose the granularity that works best for your project, but use the same scale across the project. • Represent a subjective scale numerically. For example, high = 3, medium = 2, and low = 1, or high = 75 percent, medium = 50 percent, and low = 25 percent.
Module 2: Planning for Web Application Security 13 ! Impact is the potential loss. The impact is closely related to the value of the resource that is threatened and the cost of restoring or rebuilding that resource. For intellectual property, the value can be lost revenue or business opportunity. When considering cost, do not limit your estimate to actual dollars. The possible loss of credibility with the public if the asset is successfully attacked can also be a very difficult loss to recover from. If the cost of the potential loss is difficult to assign a value to, you can use a scale to describe the impact, similar to the scale that was described for use in assigning probability. After you calculate the exposure of all of the risks that you identified, you can rank the risks based on the impact value. Ranking the risks can help you to prioritize the threats.
14 Module 2: Planning for Web Application Security Practice: Calculating Exposure and Prioritizing Threats ! Students will: # Given a list of assets and the threats that they are vulnerable to, calculate the exposure for each threat ! Time: # 5 minutes *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction In this practice, you will review the list of threats to the Web-accessible assets of the Tailspin Toys Web application and calculate the exposure rate if those assets are attacked. In your calculations: ! Use a numeric ranking system for the probability: 3 = high, 2 = medium, 1 = low. ! Use a scale of 1 to 10 for the impact, where 10 is the maximum value for the organization.