Web Application Security Frame

- J.D. Meier, Paul Enfield.

A frame is a lens for looking at security; here, the security of a web application running in the cloud. The frame is simply a collection of Hot Spots, and each Hot Spot is an actionable category of information. Using Hot Spots, you can quickly find pain points, opportunities, and key decision points, and organize principles, patterns, and practices by relevance. In this case, we use the Web Application Security Frame to organize threats, attacks, vulnerabilities, and countermeasures.

Hot Spot: Description

Auditing and Logging: How security-related events are recorded, monitored, and audited.
Authentication: The process by which an entity proves its identity to another entity, typically by presenting credentials such as a user name and password.
Authorization: How your application provides access controls for resources and operations.
Code Access Security: What level of privilege does your application run under? Can you lower the trust level of the application context?
Communication: How data is transmitted over the wire, including the choice between transport security and message encryption.
Cross-Domain: Threats to RIA (Rich Internet Application) sites from cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
Data Access: How an application handles data, including securing data stores and protecting your data provider connection information.
Deployment Considerations: Securing your application or code when deploying it to the cloud, in particular protecting confidential information and intellectual property (IP) in the deployment package.
Exception Management: How you handle exceptions within your application, including fault contracts.
Sensitive Data: The integrity and confidentiality of the user and application data you need to protect, including how you protect it from being stolen from memory, from configuration files, or in transit over the network.
Session Management: How your application handles sessions, where a session is a series of related interactions between a client and your service.
Validation: Message validation, that is, how you verify the message payload against a schema as well as its size, content, and character set. This includes how your service filters, scrubs, and rejects input and output before further processing. Input includes requests from clients consuming the service, file-system input, and input from network resources such as databases; output includes the return values of your service and writes to disk or database, among others.
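The Validation hot spot lists four checks (size, character set, schema, content) and says to reject before further processing. The following is an added example, not code from the original page or from the p&p project, showing the order in which a service would apply those checks to an incoming JSON request body. The schema, the size limit, the allow-list patterns, and the sample messages are all constructed for the illustration.

```python
"""Message validation for the Validation hot spot: size, then character set,
then structure, then schema and content. Rejecting early keeps malformed
input away from the parser and the business logic.

Everything below (limits, schema, sample messages) is constructed for this
example and is not from the original page.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

MAX_MESSAGE_BYTES = 1024  # assumed per-request body limit

# Allow-list patterns: describe what is acceptable rather than what is forbidden.
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
AMOUNT_RE = re.compile(r"^\d{1,9}(\.\d{1,2})?$")

# Constructed schema: field -> (required, expected Python type, content check)
SCHEMA = {
    "account": (True, str, ACCOUNT_RE.fullmatch),
    "amount": (True, str, AMOUNT_RE.fullmatch),
    "memo": (False, str, lambda s: len(s) <= 140 and s.isprintable()),
}


@dataclass
class ValidationResult:
    ok: bool
    reason: str = ""
    message: Optional[dict] = None


def validate_message(raw: bytes) -> ValidationResult:
    """Validate one request body. Returns ok=True with the parsed message,
    or ok=False with the first reason for rejection."""
    # 1. Size: cheapest check, and it bounds the work every later step does.
    if len(raw) > MAX_MESSAGE_BYTES:
        return ValidationResult(False, "message too large")

    # 2. Character set: strict UTF-8 only, and no NUL bytes that could
    #    truncate strings in downstream C libraries or databases.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return ValidationResult(False, "invalid UTF-8")
    if "\x00" in text:
        return ValidationResult(False, "NUL byte in payload")

    # 3. Structure: must parse as JSON and the top level must be an object.
    try:
        msg = json.loads(text)
    except json.JSONDecodeError:
        return ValidationResult(False, "malformed JSON")
    if not isinstance(msg, dict):
        return ValidationResult(False, "top level must be an object")

    # 4. Schema and content: unknown fields are rejected rather than ignored,
    #    so an attacker cannot smuggle extra parameters (e.g. "role") past
    #    the check; required fields, types and allow-list content are enforced.
    unknown = set(msg) - set(SCHEMA)
    if unknown:
        return ValidationResult(False, f"unknown field(s): {sorted(unknown)}")
    for field, (required, expected_type, check) in SCHEMA.items():
        if field not in msg:
            if required:
                return ValidationResult(False, f"missing field: {field}")
            continue
        value = msg[field]
        if not isinstance(value, expected_type):
            return ValidationResult(False, f"wrong type for {field}")
        if not check(value):
            return ValidationResult(False, f"bad content in {field}")

    return ValidationResult(True, "", msg)


if __name__ == "__main__":
    # Constructed sample bodies: one good, several that should be rejected.
    samples = [
        b'{"account": "alice_01", "amount": "12.50"}',
        b'{"account": "alice_01", "amount": "12.50", "role": "admin"}',
        b'{"account": "../etc", "amount": "1"}',
        b'["not", "an", "object"]',
        b"\xff\xfe",
    ]
    for body in samples:
        result = validate_message(body)
        print(result.ok, result.reason)
```

The order matters: size and character-set checks run before the JSON parser sees the bytes, and the schema rejects unknown fields instead of silently dropping them, which is what closes the "extra parameter" hole that lenient parsers leave open.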

Last edited Apr 30, 2010 at 10:29 PM by paulenfield, version 3


No comments yet.