Security Practices Map

- J.D. Meier, Prashant Bansode, Paul Enfield.

The practices listed here are advice on how best to mitigate threats against your application. They are categorized using the security frames established for each application type.

Contents

Web Application Practices
Web Service Practices (SOAP)
REST Service Practices
Rich Internet Application (RIA) Practices
Mobile Application Practices

Web Application Practices

Auditing and Logging
* Audit user management events.
* Audit business critical operations.
* Restrict access to log files; give users write access only.
* Strip out sensitive information before logging.
* Handle log failures.
* Use application instrumentation to expose behavior that can be monitored.

Authentication
* Authenticate users whenever crossing trust boundaries.
* Use a platform-supported authentication mechanism such as Windows Authentication.
* Use authentication mechanisms that do not require clear text credentials to be passed over the network.
* Use strong password policies.
* Do not store plain credentials; store a salted hash of the password.
* Use account lockouts.
* Encrypt communication channels to secure authentication tokens.
* Use HTTPS only with forms authentication cookies.

Authorization
* Authorize users whenever crossing a trust boundary.
* Use proper role granularity to enforce separation of privileges.
* Use multiple gatekeepers.
* Secure system resources against system identities.

Configuration Management
* Use least privileged service accounts.
* Encrypt sensitive data stored in configuration files.
* Use strong authentication and authorization on administrative interfaces.
* Avoid storing sensitive information in the Web space.
* Use only local administration.

Cryptography
* Do not develop and use proprietary algorithms (XOR is not encryption; use platform-provided cryptography).
* Use RNGCryptoServiceProvider to generate random numbers.
* Avoid key management. Use the Windows Data Protection API (DPAPI) where appropriate.
* Periodically change your keys.

Exception Management
* Use structured exception handling (try/catch blocks).
* Handle all unhandled exceptions at the outermost boundary of your application.
* Fail your application securely.
* Do not reveal sensitive system or application information.
* Do not log PII data such as passwords.

Sensitive Data
* Do not store sensitive data in software (code).
* Encrypt sensitive data stored in the database.
* Encrypt sensitive data over the network.
* Secure the channel for transmitting sensitive data.

Session Management
* Partition the site by anonymous, identified, and authenticated users.
* Reduce session timeouts.
* Avoid storing sensitive data in session stores.
* Protect your session state communication channel.
* Authenticate and authorize access to the session store.

Validation
* Validate all data crossing trust boundaries.
* Validate data both client-side and server-side.
* Validate input for length, range, format, and type.
* Constrain, reject, and sanitize input.
* Encode output.


Web Service Practices

Auditing and Logging
* Audit business critical applications.
* Restrict access to log files; give users write access only.
* Handle log failures.
* Use application instrumentation to expose behavior that can be monitored.
* Throttle logging.
* Strip sensitive data before logging.

Authentication
* Authenticate users when crossing trust boundaries.
* Use authentication mechanisms that do not require clear text credentials to be passed over the network.
* Encrypt communication channels to secure authentication tokens.
* Use Secure HTTP (HTTPS) only with Username authentication cookies.
* Use secure mechanisms such as Web Services Security (WS-Security) with SOAP messages.

Authorization
* Use least-privileged accounts.
* Authorize users whenever crossing a trust boundary.
* Restrict access to publicly accessible service methods.
* Tie authentication to authorization on the same tier.
* Use proper granularity of access.
* Enforce separation of privileges.
* Use multiple gatekeepers.
* Secure system resources against system identities.

Configuration Management
* Encrypt sensitive sections of configuration files.
* Use secure settings for the various operations of Web services through configuration files.

Exception Management
* Use structured exception handling (try/catch blocks).
* Implement a global exception handler.
* Fail your application securely.
* Do not reveal sensitive system or application information.
* Do not log PII data such as passwords.

Impersonation / Delegation
* When using impersonation, make sure to revert impersonation.
* Impersonate for the shortest duration required and only for those operations that need it.

Message Protection
* Encrypt your messages.
* Sign your messages.
* Use proven platform-provided cryptography for encrypting messages.
* Periodically change your keys.
* Use transport security for point-to-point security.
* Use message security for end-to-end security.

Message Replay
* Detect message replays.
* Handle replayed messages.

Message Validation
* Validate data and messages that cross trust boundaries.
* Validate messages using an XML schema.
* Validate service method parameter input for length, range, format, and type.
* Constrain, reject, and sanitize input.
* Restrict the size, length, and depth of parsed XML messages.

Sensitive Data
* Do not store sensitive data in software (code).
* Encrypt sensitive data over the network.
* Secure the channel.
* Encrypt sensitive data in configuration files.

Session Management
* Authenticate and authorize access to the session store.
* Secure the channel to the session store.
* Reduce session timeouts.
* Avoid storing sensitive data in session stores.


REST Service Practices

Auditing and Logging
* Use application instrumentation to expose behavior that can be monitored.
* Throttle logging.
* Strip sensitive data before logging.

Authentication
* Use authentication mechanisms that do not require clear text credentials to be passed over the network.
* Encrypt communication channels to secure authentication tokens.
* Use Secure HTTP (HTTPS) only with Forms authentication cookies.
* Separate anonymous from authenticated pages.
* Use cryptographic random number generators to generate session IDs.

Authorization
* Use least-privileged accounts.
* Tie authentication to authorization on the same tier.
* Consider granularity of access.
* Enforce separation of privileges.
* Use multiple gatekeepers.
* Secure system resources against system identities.

Configuration Management
* Encrypt sensitive sections of configuration files.
* Use secure settings for the various operations of Web services through configuration files.

Exception Management
* Use structured exception handling (try/catch blocks).
* Catch and wrap exceptions only if the operation adds value or information.
* Do not reveal sensitive system or application information.
* Implement a global exception handler.
* Do not log private data such as passwords.

Impersonation / Delegation
* Use a using statement to automatically revert impersonation.
* Granularly impersonate only those operations that need it.

Message Encryption
* Use message security or transport security to encrypt your messages.
* Use proven platform-provided cryptography.
* Periodically change your keys.

Message Replay Detection
* Use a mechanism to detect message replays.

Message Signing
* Turn on message or transport security.

Message Validation
* Validate input: length, range, format, and type.
* Validate XML streams.
* Constrain, reject, and sanitize input.
* Encode output.
* Restrict the size, length, and depth of parsed XML messages.

Sensitive Data
* Do not store secrets in software.
* Encrypt sensitive data over the network.
* Secure the channel.
* Encrypt sensitive data in configuration files.

Session Management
* Partition the site by anonymous, identified, and authenticated users.
* Authenticate and authorize access to the session store.

Rich Internet Application (RIA) Practices

Auditing and Logging
* Audit business critical operations and errors.
* Segregate logs by machine.
* Archive and retrieve logs.
* Handle log failures.
* Use application instrumentation to expose behavior that can be monitored.

Authentication
* Authenticate users whenever crossing trust boundaries.
* Use a platform-supported authentication mechanism such as Windows Authentication.
* Use authentication mechanisms that do not require clear text credentials to be passed over the network.
* Use strong password policies.
* Do not store plain credentials; store a salted hash of the password.
* Use account lockouts.
* Encrypt communication channels to secure authentication tokens.
* Use HTTPS only with forms authentication cookies.

Authorization
* Authorize users whenever crossing a trust boundary.
* Use proper role granularity to enforce separation of privileges.
* Use multiple gatekeepers.
* Secure system resources against system identities.

Configuration Management
* Use least privileged service accounts.
* Encrypt sensitive data stored in configuration files.
* Use strong authentication and authorization on administrative interfaces.
* Avoid storing sensitive information in the Web space.
* Use only local administration.

Cryptography
* Do not develop and use proprietary algorithms (XOR is not encryption; use platform-provided cryptography).
* Use RNGCryptoServiceProvider to generate random numbers.
* Avoid key management. Use the Windows Data Protection API (DPAPI) where appropriate.
* Periodically change your keys.

Exception Management
* Use structured exception handling (try/catch blocks).
* Implement a global exception handler.
* Fail your application securely.
* Do not reveal sensitive system or application information.
* Do not log PII data such as passwords.

Sensitive Data
* Do not store sensitive data in software (code).
* Encrypt sensitive data stored in the database.
* Encrypt sensitive data over the network.
* Secure the channel for transmitting sensitive data.

Session Management
* Partition the site by anonymous, identified, and authenticated users.
* Reduce session timeouts.
* Avoid storing sensitive data in session stores.
* Protect your session state communication channel.
* Authenticate and authorize access to the session store.

Validation
* Validate all data crossing trust boundaries.
* Validate data both client-side and server-side.
* Validate input for length, range, format, and type.
* Constrain, reject, and sanitize input.
* Encode output.

Mobile Application Practices

Auditing and Logging
* Audit and log business critical operations.
* Audit and log suspicious activities on mobile devices.
* Consider using an abbreviated or compressed format for logging.
* Strip out sensitive information before logging.
* Use application instrumentation to expose behavior that can be monitored.

Authentication
* Authenticate users when crossing trust boundaries.
* Authenticate users for all scenarios, such as over-the-air, cradled synchronization, Bluetooth discovery, and local SD card scenarios.
* Do not store credentials.
* Use authentication mechanisms that do not require clear text credentials to be passed over the network.
* Encrypt communication channels to secure authentication tokens.

Authorization
* Authorize users when crossing trust boundaries.
* Use mobile platform features for restricting resource access.
* Enforce separation of privileges.
* Use multiple gatekeepers.
* Secure system resources against system identities.

Configuration Management
* Restore configuration after device reset.
* Protect sensitive data in the device configuration file.
* Use compression library routines to reduce the memory requirements for configuration and state information.
* Choose a binary format over Extensible Markup Language (XML) for configuration files.

Cryptography
* Do not develop and use proprietary algorithms (XOR is not encryption; use platform-provided cryptography).
* Avoid key management. Use the Windows Data Protection API (DPAPI) where appropriate.
* Periodically change your keys.

Exception Management
* Use structured exception handling (try/catch blocks).
* Implement a global exception handler.
* Fail your application securely.
* Catch and wrap exceptions only if the operation adds value or information.
* Do not reveal sensitive system or application information.
* Do not log PII data such as passwords.

Sensitive Data
* Do not store sensitive data in software (code).
* Encrypt sensitive data over the network.
* Secure the channel.
* Encrypt sensitive data in configuration.

Session Management
* Partition the site by anonymous, identified, and authenticated users.
* Reduce session timeouts.
* Avoid storing sensitive data in session stores.
* Secure the channel to the session store.
* Authenticate and authorize access to the session store.

Validation
* Validate all data crossing trust boundaries.
* Validate input for length, range, format, and type.
* Constrain, reject, and sanitize input.



Last edited Sep 8, 2009 at 9:48 PM by paulenfield, version 1
