intrusion detection system (IDS)

https://www.barracuda.com/glossary/intrusion-detection-system

Home

Advertisements

Software Security Testing – OWASP

https://www.modsecurity.org/demo.html
ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.

Install this before web application. Access application through Mod Security and see the magic. Read above documentation. This is very useful in Dev/QA environments to test OWASP issues ahead of the time.
————

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

Software Architect Catalogue

IBM Cloud Catalog
https://console.bluemix.net/catalog/

Amazon Catalog
https://us-west-2.console.aws.amazon.com/console/home?region=us-west-2#
https://aws.amazon.com/documentation/

Architectural Patterns
https://en.wikipedia.org/wiki/Architectural_pattern

Software Security Patterns
https://en.wikipedia.org/wiki/Attack_patterns
https://en.wikipedia.org/wiki/Security_pattern
https://www.owasp.org/index.php/Security_by_Design_Principles
https://dzone.com/articles/9-software-security-design

Integration Patterns
http://www.enterpriseintegrationpatterns.com/patterns/messaging/
http://camel.apache.org/enterprise-integration-patterns.html

Software Architecture
SEI CMM
Oracle
TOGAF

-o-

Securing Passwords in Production Deployments

https://www.hashicorp.com/products/vault

https://www.craigdunn.org/2017/04/managing-puppet-secrets-with-jerakia-and-vault/

—————

There is no one solution for all problems.

Use Case 1:
We run three instances in production, each instance serve one version of API and having three different passwords with same variables. We store them on each instance.

Use Case 2:
We run 100+ UI instances with same user id/password

Use Case 3: Time bound
We want to schedule password changes.
Use Password 1 until December 31st,
Use Password 2 from Jan 1st onwards.

Use Case 4: Versioning
When you rollback changes, we want to roll back passwords too.

We need to agree on Use case and design solution accordingly.

——————–

Using security as service – Means getting passwords from rest calls with token id too is going to cause single point of failure. We need to make sure that Vault or similar software is having high availability by running in more than one instance.

———

Hardening Servers like Tomcat, Play, Spring, Apache, JBoss, Weblogic, …etc

Development community develops web applications and deploys to server.
Later they do the same in production.
This will lead to potential security issues.

Things to consider/do

1. Use Charles Web Proxy and check entire traffic of site through testing.
1. Make sure that there is not 404, 500 related issues.
2. Identify duplicate calls
3. Minimize / reduce service calls
4. Protect important data

2. Out of the box, many servers comes with many URLs to manage them.
Identify all through admin manual and protect them with strict passwords.
Never expose admin URLs outside network

3. Perform port scan and protect respective ports through firewall rules or by other ways.
https://nmap.org/
https://nmap.org/download.html#windows

4. Undeploy sample applications, examples, settings from production servers

At the end attackers will get access to your system through default passwords or
They can do denial-of-service (DoS) attack.
Reference: https://en.wikipedia.org/wiki/Denial-of-service_attack

Converting out of the box Tomcat to production ready is called “Hardening process” .
Reference:
https://www.owasp.org/index.php/Securing_tomcat
https://www.insinuator.net/2014/01/tomcat-7-hardening-guide/
https://geekflare.com/apache-tomcat-hardening-and-security-guide/
-o-

Software Threat Modeling

When security breach happens….it is loss to customer and company. We can handle this in two ways. Reactive: Wait until it happens and take care of it. Proactive: do software threat modeling, fix the issues before they surface, and cause trouble.

Many people think that threat is always outside firewall. Not true. It can happen from inside too in two ways. Attacker who penetrated firewall and access systems though compromised id/password. Frustrated employees or contractors who cause the trouble.

When it comes to security, prevention is better than cure. Many companies neglect security by looking at estimated budgets by security team. Please contact Software Architect / Security Architect who can help you to protect your customers and business.

Reference:
https://www.owasp.org/index.php/Application_Threat_Modeling
https://en.wikipedia.org/wiki/Threat_model

Attacks through XML Payloads

When XML Payloads are permitted, system can be attacked through XML Data.

http://www.informit.com/articles/article.aspx?p=601349&seqNum=5

The Over sized Payload Attack: Sending huge files and causing DOS (Denial of Service).
The DOM Parser Attacks: Sending too complex lengthy data and causing out of memory in system.
SQL Injections: If data is used directly to insert into database through statements.
Others….

Solution:
Development Side:
1. Define strict XSDs.
2. Avoid maxOccurs=”unbounded” and limit with max values
3. Don’t parse files/data if it exceeds configured size.

System Side:
Better to use XML Firewalls
Forum Sentry API Gateway: http://www.forumsys.com/products/forum-sentry-api-gateway/
Cisco ACE XML Gateways
http://www.cisco.com/c/en/us/products/application-networking-services/ace-xml-gateways/index.html

References:
https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet