Hardening servers like Tomcat, Play, Spring, Apache, JBoss, WebLogic, etc.

Development teams build web applications and deploy them to a server, and later they do the same in production.
This leads to potential security issues.

Things to consider/do

1. Use Charles Web Proxy and inspect the site's entire traffic during testing.
   a) Make sure there are no 404- or 500-related issues.
   b) Identify duplicate calls.
   c) Minimize / reduce service calls.
   d) Protect important data.

2. Out of the box, many servers come with a number of URLs for managing them.
Identify all of them from the admin manual and protect them with strong passwords.
Never expose admin URLs outside the network.

3. Perform a port scan and protect the respective ports through firewall rules or other means.
https://nmap.org/
https://nmap.org/download.html#windows

4. Undeploy sample applications, examples and default settings from production servers.

Otherwise attackers will eventually get access to your system through default passwords, or
they can launch a denial-of-service (DoS) attack.
Reference: https://en.wikipedia.org/wiki/Denial-of-service_attack

Converting an out-of-the-box Tomcat into a production-ready server is called the “hardening process”.
Reference:
https://www.owasp.org/index.php/Securing_tomcat
https://www.insinuator.net/2014/01/tomcat-7-hardening-guide/
https://geekflare.com/apache-tomcat-hardening-and-security-guide/
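As an added example that is not from the original post, here is a small Python audit for items 2 and 4 of the checklist above: it reports the stock Tomcat webapps still deployed and any tomcat-users.xml entry with an empty or default password. It assumes the stock CATALINA_HOME layout (webapps/ and conf/tomcat-users.xml); the directory it builds for the demo is constructed, not a real server.

```python
# Added audit check (not from the original post) for checklist items 2 and 4.
# Assumes the stock layout: <home>/webapps and <home>/conf/tomcat-users.xml.
import os
import tempfile
import xml.etree.ElementTree as ET

# examples/docs add attack surface; manager/host-manager are the admin URLs.
STOCK_WEBAPPS = ("docs", "examples", "manager", "host-manager")
# Placeholder passwords found in the shipped sample tomcat-users.xml.
DEFAULT_PASSWORDS = {"", "tomcat", "s3cret", "admin", "password"}

def stock_webapps(home):
    """Return the stock applications still deployed under <home>/webapps."""
    return [a for a in STOCK_WEBAPPS
            if os.path.exists(os.path.join(home, "webapps", a))]

def weak_users(home):
    """Return users whose password is empty, missing or a well-known default."""
    path = os.path.join(home, "conf", "tomcat-users.xml")
    if not os.path.isfile(path):
        return []
    # ElementTree drops XML comments (commented-out sample users are ignored);
    # newer Tomcat versions use a default namespace, so match on the local name.
    users = [e for e in ET.parse(path).getroot().iter()
             if e.tag.rsplit("}", 1)[-1] == "user"]
    return [u.get("username", "?") for u in users
            if u.get("password", "") in DEFAULT_PASSWORDS]

def audit(home):
    """Return human-readable findings; an empty list means nothing to fix."""
    found = [f"REMOVE webapps/{a} (stock application)" for a in stock_webapps(home)]
    found += [f"WEAK PASSWORD for user '{u}' in conf/tomcat-users.xml"
              for u in weak_users(home)]
    return found

def make_demo_home():
    """Constructed sample layout so the audit runs offline (not a real server)."""
    home = tempfile.mkdtemp()
    for app in ("examples", "manager", "myapp"):
        os.makedirs(os.path.join(home, "webapps", app))
    os.makedirs(os.path.join(home, "conf"))
    with open(os.path.join(home, "conf", "tomcat-users.xml"), "w") as f:
        f.write('<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">\n'
                '  <!-- <user username="role1" password="tomcat" roles="role1"/> -->\n'
                '  <user username="tomcat" password="s3cret" roles="manager-gui"/>\n'
                '  <user username="ops" password="Xk9#long-random" roles="manager-gui"/>\n'
                '</tomcat-users>\n')
    return home

if __name__ == "__main__":
    print("\n".join(audit(make_demo_home())) or "no findings")
```

On a real server run `audit(os.environ["CATALINA_HOME"])`; a non-empty result is a hardening to-do list, not proof that the rest is secure.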
-o-


Software Threat Modeling

When a security breach happens, it is a loss for both the customer and the company. We can handle this in two ways. Reactive: wait until it happens and then deal with it. Proactive: do software threat modeling and fix the issues before they surface and cause trouble.

Many people think that the threat is always outside the firewall. Not true. It can come from inside too, in two ways: an attacker who has penetrated the firewall and accesses systems through a compromised id/password, or frustrated employees or contractors who cause the trouble.

When it comes to security, prevention is better than cure. Many companies neglect security when they look at the budget estimated by the security team. Please contact a Software Architect / Security Architect who can help you protect your customers and business.

Reference:
https://www.owasp.org/index.php/Application_Threat_Modeling
https://en.wikipedia.org/wiki/Threat_model

Attacks through XML Payloads

When XML payloads are permitted, the system can be attacked through the XML data itself.

http://www.informit.com/articles/article.aspx?p=601349&seqNum=5

The oversized payload attack: sending huge files and causing a DoS (denial of service).
DOM parser attacks: sending overly complex, lengthy data and causing the system to run out of memory.
SQL injection: if the data is used directly in database insert statements.
Others….

Solution:
Development side:
1. Define strict XSDs.
2. Avoid maxOccurs="unbounded" and limit it with maximum values.
3. Don't parse files/data that exceed the configured size.
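As an added example (not from the original post), a bounded XML parser in Python implementing the development-side controls: a size check before parsing, and depth and element-count limits enforced while streaming, which play the role of the maxOccurs caps at parse time. It uses only the standard library; the sample <order> payload is constructed, and XSD validation itself would need an external library such as lxml.

```python
# Added example (not from the original post): bound an XML payload before and
# while parsing (size cap, fixed maximum counts instead of maxOccurs="unbounded").
# Standard library only; XSD validation needs an external library such as lxml.
import io
import xml.etree.ElementTree as ET

class PayloadRejected(ValueError):
    """Raised when a payload exceeds a configured limit; no tree is built."""

def parse_bounded(data, max_bytes=1_000_000, max_depth=32, max_elements=10_000):
    """Parse `data` (bytes) into an Element, or raise PayloadRejected.
    The byte check runs before any parsing (oversized payload attack). Depth and
    element count are enforced while streaming, so a deeply nested or very long
    document is rejected before it becomes a full in-memory tree (DOM attack)."""
    if len(data) > max_bytes:
        raise PayloadRejected(f"payload is {len(data)} bytes, limit {max_bytes}")
    depth = count = 0
    root = None
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            count += 1
            if depth > max_depth:
                raise PayloadRejected(f"nesting depth exceeds {max_depth}")
            if count > max_elements:
                raise PayloadRejected(f"more than {max_elements} elements")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root

def accepts(data, **limits):
    """True if the payload passes parse_bounded under the given limits."""
    try:
        parse_bounded(data, **limits)
        return True
    except PayloadRejected:
        return False

def make_order(item_count, nesting=1):
    """Constructed sample payload: an <order> wrapping N <item/> elements."""
    items = "".join(f"<item sku='X{i}' qty='1'/>" for i in range(item_count))
    body = "<a>" * nesting + items + "</a>" * nesting
    return f"<order>{body}</order>".encode()

if __name__ == "__main__":
    print(accepts(make_order(5)), accepts(make_order(50_000)),
          accepts(make_order(1, nesting=100)))  # True False False
```

Malformed XML still raises ET.ParseError from iterparse; callers should treat that as a rejection too rather than retrying with a more lenient parser.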

System side:
It is better to use XML firewalls, for example:
Forum Sentry API Gateway: http://www.forumsys.com/products/forum-sentry-api-gateway/
Cisco ACE XML Gateways: http://www.cisco.com/c/en/us/products/application-networking-services/ace-xml-gateways/index.html

References:
https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet

Eight Privacy Principles – from OECD

All people/companies must know these eight privacy principles

PART TWO. BASIC PRINCIPLES OF NATIONAL APPLICATION

Collection Limitation Principle

7. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

9. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:

  • a) with the consent of the data subject; or
  • b) by the authority of law.

Security Safeguards Principle

11. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle

12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

13. An individual should have the right:

  • a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  • b) to have communicated to him, data relating to him within a reasonable time;
    at a charge, if any, that is not excessive;
    in a reasonable manner; and
    in a form that is readily intelligible to him;
  • c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
  • d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

Accountability Principle

14. A data controller should be accountable for complying with measures which give effect to the principles stated above.

—————————————————–

The above text was copied from http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#guidelines

http://oecdprivacy.org/

http://en.wikipedia.org/wiki/Organisation_for_Economic_Co-operation_and_Development

The Organisation for Economic Co-operation and Development (OECD)

What is Security Architecture?

Many people don’t know what it is. Many people think that putting up a login screen and installing HTTPS certificates is enough to protect an application. That is not enough.

http://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf

https://www.sans.org/reading-room/whitepapers/auditing/information-systems-security-architecture-approach-layered-protection-1532

http://energy.gov/sites/prod/files/cioprod/documents/DOE_Security_Architecture.pdf

http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf

http://www.opensecurityarchitecture.org/cms/

***** This is a very nice presentation:
http://raleigh.issa.org/downloads/Building_a_Security_Architecture_Framework.pdf

My humble request: Google for “Security Architecture” and talk with an Architect / Security Architect to protect your business / applications. Talk with companies like http://www.metricstream.com/ to get more information.

-o-

Security as Service

In the enterprise world we are going to deploy applications in the cloud. Many people use Rackspace, Amazon AWS or others. How do we protect (detection, prevention, etc.) public-facing web applications?
Check these links for a deeper understanding.

http://www.alertlogic.com/ (*****)
http://en.wikipedia.org/wiki/Security_as_a_service
https://cloudsecurityalliance.org/
http://deepsecurity.trendmicro.com/
http://download.bitdefender.com/SMB/SVE/AWS/SaaS/Bitdefender_SVE_SaaS_QuickStartGuide_enUS.pdf
http://www.agnitum.com/products/av-service/
https://www.netiq.com/products/cloud-security-service/
http://www.cloudflare.com/features-security (*****)

These services provide statistics for PCI compliance, HIPAA compliance and other industry standards. Many include OWASP checks as part of the product.