TARGETED RMIS APPLICATION SECURITY (covers user interface, middleware, business rules and database as well as external services; for acquisition, development, maintenance and operations)
Table columns: § # Standard Security Category | Standard Control Objective | Baseline RMIS Security Controls | Security Control Details, Examples and Explanation | Development Life Cycle Phase | RED Zone | YELLOW Zone | GREEN Zone | Responsible Department / Unit
4.1 ISO 17799 Risk Analysis
Risk Assessment of the security of application functions & data.
1. Threat analysis Determine threat agents and the likelihood of associated threats
Student, Hacker, Weather, Government, …
Requirements development
Man. Rec. Opt. IAS (Project Team [PT], Users)
Assess the assets affected, their value, and potential impact damage caused by the threat
Sensitive data, physical assets, revenues, reputation, …
2. Risk evaluation Compare the estimated risks against risk criteria to determine the impact of the risk
Dollar value, fines, compliance failure, loss of reputation, injury or death, …
4.2 ISO 17799 Risk Analysis
Risk Treatment to avoid risks in application functions & data.
1. Determine criteria for whether or not identified risk can be accepted
Knowingly and objectively accept the risk
Atomic bomb, low-cost impact, …
Requirements development
Man. Rec. Opt. PT (Users, IAS)
Avoid the risk by preventing actions that would cause the risks to occur
Management – e.g. separation of duties, or Technical – e.g. firewalls, …
Transfer the associated risk to other parties
Insurers, services, suppliers, …
Apply appropriate controls to reduce the risk
(See 2 below)
2. Select appropriate controls to reduce the risks
Meet requirements and constraints of university, state, national and international legislation and regulations
FERPA, HIPAA, GLBA, CALEA, …
Evaluate application information security threats and impacts during systems and projects requirements specification (above)
Design or selection and acquisition
Man. Rec. Opt. PT (IAS)
Achieve organizational objectives: University regulations, … (meet or change)
Author: John L. Baines 1
RISSP Applications Security Standard DRAFT 5/1/2023 10:35 AM
Select and configure appropriate controls and actions at the design stage
Accommodate operational requirements and constraints
Reduce audience, secure data center, …
Adjust cost of implementation and operation of controls in relation to the impact of risks being reduced
Cost-effectiveness of controls referenced to Risk Evaluation above
Man. Rec. Opt. PT (IAS)
Balance the investment in implementation and operation of controls against the harm likely to result from security failures
Worst case assessment – Risk Evaluation above
Consider wide range of control alternatives
Management, manual, automated, developed, packaged, externally provided controls, …
Man. Man. Opt. IAS review
Chapter 7
OWASP Guide - Full Threat Modeling
Design and implement cost-effective counter-measures in coding Web applications
1. Identify Security Objectives
Identity protection, Financial, Reputation, Service-Levels, Privacy, and Legal/Standards Compliance
PCI compliance, contracts, FERPA, HIPAA, loss, image, availability…
Detailed design, pre-coding and testing
Man. Rec. Opt. PT
2. Identify operational threats
Spoofing Identity, Tampering with data, Repudiation, Information leaks, Denial of service, Elevation of privilege (STRIDE methodology)
Threat graph, structured list…
3. Rate risks: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability (DREAD methodology)
Rate the 5 factors from 0 to 10, then average –> Risk_DREAD
4. Survey and decompose the application
Identify and analyze components, data flows, interfaces, modules, and trust boundaries
Compromise opportunities
5. Identify Vulnerabilities
Compare decomposition of the application to the rated risks and threats. Identify potential exposures.
Threat Agents include Accidental Discovery, Automated Malware, the Curious Attacker, Script Kiddies, the Motivated Attacker, Organized Crime
6. Remedy exposures
Develop and implement plans to address vulnerabilities at the design and coding level.
Design criteria, coding techniques, and modifications
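The six threat-modeling steps above can be kept in a small threat register. The following is an added example, not part of the RMIS standard or the OWASP Guide: it records STRIDE-classified threats against decomposed components (steps 2 and 4), rates each with the five DREAD factors from 0 to 10 and averages them into Risk_DREAD (step 3), and ranks the result so step 6 can be planned highest-risk first. The threats, scores and the high/medium/low banding thresholds are constructed assumptions; the standard defines only the 0–10 scale and the average.

```python
"""Added example (not from the RMIS standard): a STRIDE threat register rated
with DREAD.  Threat entries, scores and the risk_band thresholds are constructed."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    component: str          # element from the decomposition (step 4)
    stride: str             # one-letter STRIDE category (step 2)
    description: str
    scores: dict = field(default_factory=dict)   # DREAD factor -> 0..10

    def risk_dread(self) -> float:
        """Average of the five DREAD factors; every factor must be an int 0..10."""
        for f in DREAD_FACTORS:
            v = self.scores.get(f)
            if not isinstance(v, int) or not 0 <= v <= 10:
                raise ValueError(f"{self.description}: bad {f} score {v!r}")
        return sum(self.scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score: float) -> str:
    """Assumed banding for review priority (thresholds are not set by the standard)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_threats(threats) -> list:
    """Return (threat, Risk_DREAD, band) tuples, highest Risk_DREAD first."""
    rated = [(t, t.risk_dread(), risk_band(t.risk_dread())) for t in threats]
    return sorted(rated, key=lambda r: r[1], reverse=True)


SAMPLE = [  # constructed register for a student records application
    Threat("login form", "S", "credential guessing against student logins",
           dict(damage=7, reproducibility=9, exploitability=8,
                affected_users=6, discoverability=9)),
    Threat("grade update API", "T", "client-supplied grade value not re-checked server side",
           dict(damage=9, reproducibility=6, exploitability=5,
                affected_users=4, discoverability=3)),
    Threat("report export", "I", "verbose stack traces returned to the browser",
           dict(damage=3, reproducibility=8, exploitability=4,
                affected_users=2, discoverability=7)),
]

if __name__ == "__main__":
    for t, score, band in rank_threats(SAMPLE):
        print(f"{band:6} {score:4.1f} {STRIDE[t.stride]:24} {t.component}: {t.description}")
```

Rejecting out-of-range scores at rating time matters more than it looks: an averaged score silently absorbs a typo such as 70 for 7, and the ranking that drives the remediation plan would be wrong without anyone noticing.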
12.1 ISO 17799 Information systems acquisition, development & maintenance
To ensure that security is an integral part of information systems.
1. Documentation of application security requirements
Specify requirements for security controls in the statements of business requirements for new development of information systems, or enhancements to existing information systems.
From 4.2.1 (above) Requirements definition
Man. Rec. Opt. PT
Apply similar control considerations when evaluating purchase of software packages, components and services for business applications.
2. Security control test plan
Describe test data needed and plan its creation
From 4.2.2 (above) Design or selection and acquisition
Man. Rec. Opt. PT
Describe events to be tested
From Requirements Document
Establish pass/fail criteria for each application security control / event
From 4.2.2 (above)
Develop contingency plan for action if a control is unavailable or fails testing
From 4.2.2 (above)
12.2.1 ISO 17799 Information systems acquisition, development & maintenance
Input data validation
Check the input of standing data (e.g. names and addresses, courses registered, reference numbers), and parameter tables (e.g. courses available, teachers, etc.)
Dual input of critical data
Password change, …
Design, development, maintenance, testing, and documentation.
Rec. Rec. Opt. PT
Boundary checking: Length of input, …
Out-of-range values: Data types, valid values, …
Invalid characters in data fields: Special Chars allowed?
Missing or incomplete data: Required / Optional fields
Exceeding upper and lower data volume limits, …
Control data (batch numbers, transaction sequence numbers, etc.)
From 4.2.2
Periodic review of the content of key fields or data files
Data scrubber utility, …
Inspect hard-copy input documents for any unauthorized changes
Operational Procedures, …
Create a log of the input activities
Operational Procedures, …
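The input validation checks listed in 12.2.1 (boundary/length, data type and range, invalid characters, required versus optional fields, volume limits, and a log of input activity) can be expressed as one schema-driven validator. The following is an added example, not code from the RMIS standard: the record layout (a course-registration record), its field formats, the batch limits and the sample batch are constructed assumptions.

```python
"""Added example (not from the RMIS standard): field-level validation of standing
data with the checks named in 12.2.1.  Schema, limits and sample batch are constructed."""
import logging
import re
from dataclasses import dataclass
from typing import Callable, Optional

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("rmis.input")


@dataclass(frozen=True)
class FieldRule:
    name: str
    required: bool
    max_len: int                           # boundary check
    pattern: Optional[str] = None          # allowed characters / format
    convert: Optional[Callable] = None     # data-type check, e.g. int
    min_value: Optional[int] = None        # out-of-range checks
    max_value: Optional[int] = None


# Constructed schema for a course-registration input record.
REGISTRATION_RULES = [
    FieldRule("student_id", True, 9, r"^[0-9]{9}$"),
    FieldRule("family_name", True, 40, r"^[A-Za-z][A-Za-z' -]*$"),
    FieldRule("course_ref", True, 8, r"^[A-Z]{2,4}[0-9]{3,4}$"),
    FieldRule("credits", True, 2, None, int, 1, 6),
    FieldRule("email", False, 254, r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
]
MIN_BATCH, MAX_BATCH = 1, 500   # data volume limits for one input file (assumed)


def validate_record(rec: dict, rules=REGISTRATION_RULES) -> list:
    """Return a list of error strings; an empty list means the record passed."""
    errors = []
    unknown = set(rec) - {r.name for r in rules}
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")
    for r in rules:
        val = rec.get(r.name)
        if val is None or str(val).strip() == "":
            if r.required:
                errors.append(f"{r.name}: required field missing")
            continue                        # optional and absent: nothing to check
        s = str(val)
        if len(s) > r.max_len:              # length before any other inspection
            errors.append(f"{r.name}: length {len(s)} exceeds {r.max_len}")
            continue
        if r.pattern and not re.fullmatch(r.pattern, s):
            errors.append(f"{r.name}: invalid characters or format")
        if r.convert:
            try:
                num = r.convert(s)
            except ValueError:
                errors.append(f"{r.name}: wrong data type")
                continue
            if r.min_value is not None and num < r.min_value:
                errors.append(f"{r.name}: {num} below minimum {r.min_value}")
            if r.max_value is not None and num > r.max_value:
                errors.append(f"{r.name}: {num} above maximum {r.max_value}")
    return errors


def validate_batch(records: list) -> dict:
    """Apply the volume limits, validate each record, and log every decision."""
    if not MIN_BATCH <= len(records) <= MAX_BATCH:
        log.error("batch rejected: %d records outside [%d, %d]",
                  len(records), MIN_BATCH, MAX_BATCH)
        return {"accepted": [], "rejected": records, "batch_error": "volume limit"}
    accepted, rejected = [], []
    for i, rec in enumerate(records):
        errs = validate_record(rec)
        if errs:
            log.warning("record %d rejected: %s", i, "; ".join(errs))
            rejected.append(rec)
        else:
            log.info("record %d accepted (student_id=%s)", i, rec["student_id"])
            accepted.append(rec)
    return {"accepted": accepted, "rejected": rejected, "batch_error": None}


SAMPLE_BATCH = [  # constructed input: one good record, three with defects
    {"student_id": "200123456", "family_name": "O'Neil", "course_ref": "CSC316", "credits": "3"},
    {"student_id": "2001234", "family_name": "Lee", "course_ref": "csc316", "credits": "3"},
    {"student_id": "200987654", "family_name": "Smith<script>", "course_ref": "MA241", "credits": "9"},
    {"student_id": "200555555", "course_ref": "ENG101", "credits": "three"},
]

if __name__ == "__main__":
    result = validate_batch(SAMPLE_BATCH)
    print(len(result["accepted"]), "accepted,", len(result["rejected"]), "rejected")
```

The length check runs before the pattern and type checks so that an oversized value is rejected without being fed to the regular-expression engine or a converter, and the log records both accepted and rejected records, which is the input-activity trail the last row of 12.2.1 asks for.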
12.2.2 ISO 17799 Information systems acquisition, development & maintenance
Control of internal processing
Incorporate integrity validation checks into applications to detect any corruption of information through processing errors or deliberate acts.
Balancing controls, to check opening balances against previous closing balances, namely:
1) Run-to-run controls;
2) File update totals;
3) Program-to-program controls;
From 4.2.2
Rec. Rec. Opt. PT
Validation of system-generated input data
Date and time, …
Management of the integrity, authenticity or any other security feature of data or software downloaded, or uploaded, between central and remote computers
Exchange rates, software updates, …
Man. Rec. Opt. IAS
Hash data totals of records and files
LRC, …
Rec. Rec. Opt. PT
Checks to ensure that application programs are run at the correct time
Operational procedures, Tivoli, …
Checks to ensure that programs are run in the correct order and terminate in case of a failure, and that further processing is halted until the problem is resolved
Operational procedures, …
Rec. Rec. Opt. PT
Logging the activities involved in the processing
Operational procedures, …
Use of appropriate programs to recover from failures to ensure the correct processing of data
Operational procedures, …
Protect against attacks using buffer overruns/overflows
Virus Protection code…
12.2.4 ISO 17799 Information systems acquisition, development & maintenance
Output Validation Checks
Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
Check plausibility to test whether the output data is reasonable;
Operational procedures, …
Rec. Rec. Opt. PT
Reconcile control counts to ensure processing of all data
Operational procedures, …
Provide sufficient output information and procedures for a human reader or subsequent processing system to determine the accuracy, completeness, precision, and classification of the information output
Operational procedures
Create a log of activities in the data output validation process
Operational procedures, …
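The balancing, hash-total and output-reconciliation controls of 12.2.2 and 12.2.4 all reduce to computing control totals on the way in and checking them on the way out. The following is an added example, not code from the RMIS standard, and it serves both sections: it derives a record count, a hash total (the arithmetic sum of a key field, meaningless as a number but sensitive to dropped or altered records), an LRC (byte-wise XOR, as named in 12.2.2) and a SHA-256 digest for a batch file, then applies a run-to-run balance check and reconciles the output counts. The fee-ledger file format, balances and records are constructed assumptions.

```python
"""Added example (not from the RMIS standard): batch control totals, a run-to-run
balancing check and output reconciliation.  File format and records are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    hash_total: int      # sum of the key field (student id) across all records
    amount_total: int    # sum of monetary amounts, in cents
    lrc: int             # longitudinal redundancy check over the raw file bytes
    sha256: str          # modern file digest for stored or transmitted copies


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of every byte (0..255)."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def compute_totals(raw: bytes) -> ControlTotals:
    """Parse 'student_id,amount_cents' lines and derive the control totals."""
    count = hash_total = amount_total = 0
    for line in raw.decode("ascii").splitlines():
        if not line.strip():
            continue
        sid, amount = line.split(",")
        count += 1
        hash_total += int(sid)
        amount_total += int(amount)
    return ControlTotals(count, hash_total, amount_total,
                         lrc(raw), hashlib.sha256(raw).hexdigest())


def run_to_run_check(prev_closing: int, opening: int,
                     totals: ControlTotals, closing: int) -> list:
    """Balancing control: this run's opening balance must equal the previous
    closing balance, and opening + amounts processed must equal the new closing."""
    problems = []
    if opening != prev_closing:
        problems.append(f"opening {opening} != previous closing {prev_closing}")
    if opening + totals.amount_total != closing:
        problems.append(f"opening {opening} + processed {totals.amount_total} "
                        f"!= closing {closing}")
    return problems


def reconcile_output(input_totals: ControlTotals,
                     output_count: int, output_amount: int) -> list:
    """Output validation: every input record must be accounted for in the output."""
    problems = []
    if output_count != input_totals.record_count:
        problems.append(f"output records {output_count} != "
                        f"input records {input_totals.record_count}")
    if output_amount != input_totals.amount_total:
        problems.append(f"output amount {output_amount} != "
                        f"input amount {input_totals.amount_total}")
    return problems


# Constructed batch file, and the same file with one student id altered by one digit.
BATCH = b"200123456,15000\n200987654,2500\n200555555,7500\n"
ALTERED = b"200123456,15000\n200987654,2500\n200555556,7500\n"

if __name__ == "__main__":
    totals = compute_totals(BATCH)
    print(totals)
    print("alteration caught by hash total:",
          compute_totals(ALTERED).hash_total != totals.hash_total)
    print(run_to_run_check(prev_closing=100000, opening=100000,
                           totals=totals, closing=125000))
```

Note that the hash total and the LRC are integrity checks against accidental corruption and crude tampering only; anyone who can rewrite the file can recompute them. Where the file crosses a trust boundary, the digest must be protected by a MAC or signature, which is the subject of 12.3 below.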
12.3 ISO 17799 Information systems acquisition, development & maintenance
Protect the confidentiality, authenticity or integrity of information by cryptographic means
Application and data cryptographic controls
Protect sensitive information transported by mobile or removable media, portable devices or across communication lines using encryption techniques (as determined by 4. Risk Treatment decisions above)
PGP, AES, …
Design, development, testing and documentation.
Man. Man. Opt. IAS (Project Team)
Assess key management system (or other methods of key generation and exchange) for security of creation, management and disposition of private, public and other types of encryption keys.
PKI, RSA key management, …
Rec. Rec. Opt. PT
Protecting data and message confidentiality
Using encryption of information to protect sensitive or critical information, stored or transmitted
SSL, VPN, …
Protecting integrity & authenticity of messages and data
Using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information
Signed email, …
Non-repudiation of actions and data content
Using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.
Encrypted financial transaction, …
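The "integrity & authenticity of messages and data" row calls for digital signatures or message authentication codes. The following is an added example, not code from the RMIS standard, showing the MAC option with HMAC-SHA256 from the Python standard library: a key identifier travels with the tag so keys can be rotated (the key-management row above), verification uses a constant-time comparison, and tampering or use of the wrong key is rejected. The key store, the current key id and the transaction record are constructed; in practice the keys come from the key management system the standard asks you to assess, never from source code.

```python
"""Added example (not from the RMIS standard): HMAC-based message authentication
with key ids for rotation.  Keys and the transaction record are constructed."""
import hashlib
import hmac
import json
import secrets

# Constructed key store: key id -> secret.  Two keys present so rotation can be shown.
KEYS = {"k2023-01": secrets.token_bytes(32), "k2023-02": secrets.token_bytes(32)}
CURRENT_KEY_ID = "k2023-02"


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so sender and verifier MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key_id: str = CURRENT_KEY_ID) -> dict:
    """Return an envelope: the record, the key id used, and the MAC tag."""
    tag = hmac.new(KEYS[key_id], canonical(record), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "record": record, "tag": tag}


def verify(envelope: dict) -> bool:
    """True only if the tag matches under the named key; unknown key -> False."""
    key = KEYS.get(envelope.get("key_id"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


# Constructed financial-transaction record.
TXN = {"from": "200123456", "to": "bursar", "amount_cents": 15000, "seq": 4711}


def demo() -> dict:
    env = protect(TXN)
    tampered = {**env, "record": {**TXN, "amount_cents": 150}}   # tag no longer matches
    wrong_key = {**env, "key_id": "k2023-01"}                     # tag made under another key
    return {"genuine": verify(env), "tampered": verify(tampered), "wrong_key": verify(wrong_key)}


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'wrong_key': False}
```

A MAC proves integrity and origin only among the parties that share the key, so it cannot by itself deliver the non-repudiation row above: any key holder could have produced the tag. Non-repudiation requires a digital signature made with a private key held by the signer alone.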
Chapter 9
OWASP Guide - Phishing
Avoid Web coding problems
Fix all Cross-site scripting problems (XSS)
Interpreter Injection attacks
Development, testing and documentation
Man Man Man PT
Avoid using pop-ups
Phishers use pop-ups to redirect users to criminal sites; pop-ups are often disabled in browsers.
Rec Rec Rec
Avoid problems with browser frames
Phishers can use your application iframes and frames to host their malicious content
* Use the TARGET directive to create a new window
* Check the DOM model regularly
Rec Rec Rec
Move your application one link away from your front page
* Make application authenticator a separate page.
* Implement a simple referrer check.
* Encourage your users to type your URL
Rec Rec Rec
Enforce local referrers for images and other resources
Force hackers to use their own copies of your images. Change your images
Anti-leeching, Request Based Blocking, watermarked images
Rec Rec Rec
Do not unnecessarily modify the browser interface
Standardize and simplify user interface
Keep the address bar, use SSL, do not use IP addresses or obscure URLs
Rec Rec Rec
Reduce data exposure
Minimize amount of data displayed or even held by the application
E.g. physical/email addresses, credit card numbers, password or PIN
Man Rec Rec
Verify registration info
Do not allow transaction/change to userid
E.g. not ZIP code - California, phone number - New York
Man Rec Rec
Institute transaction limits
Amounts, numbers of trans, annually, monthly, daily, within seconds…
Daily totals, denial of service attacks…
Man Rec Rec
Verify changes in key contact details
Send notification to new and old addresses
Names, email addresses, physical addresses, passwords
Man Rec Rec
Do not send existing or permanent passwords via e-mails or physical mail.
Use one time, time limited verifiers instead
Man Man Man
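The row above replaces mailed passwords with one-time, time-limited verifiers. The following is an added example, not code from the RMIS standard, of a server-side verifier store: only a hash of each verifier is kept (a copy of the table is not a copy of the secrets), each verifier is bound to one user and one purpose, expires, and is consumed on first successful use so a replayed e-mail is useless. The 15-minute lifetime, the user names and the purposes are constructed assumptions.

```python
"""Added example (not from the RMIS standard): one-time, time-limited verifiers
stored as hashes and bound to a user and purpose.  Lifetime and names are constructed."""
import hashlib
import secrets
import time

LIFETIME_SECONDS = 15 * 60   # assumed validity window


class VerifierStore:
    def __init__(self):
        self._pending = {}   # sha256(verifier) -> (user, purpose, expires_at)

    def issue(self, user: str, purpose: str, now: float = None) -> str:
        """Create a verifier to send to the user; only its hash is retained here."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, purpose, now + LIFETIME_SECONDS)
        return token

    def redeem(self, token: str, user: str, purpose: str, now: float = None) -> bool:
        """Accept once, for the bound user and purpose, before expiry; otherwise reject."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False                      # unknown, already used, or garbage
        bound_user, bound_purpose, expires_at = entry
        if now > expires_at:
            del self._pending[digest]         # expired: discard so it can never be used
            return False
        if (bound_user, bound_purpose) != (user, purpose):
            return False                      # right secret, wrong context: keep it unused
        del self._pending[digest]             # consumed: a second presentation fails
        return True


def demo() -> dict:
    """Exercise the cases a reviewer would check; timestamps are constructed."""
    store = VerifierStore()
    t0 = 1_700_000_000.0
    tok = store.issue("jdoe", "password-reset", now=t0)
    first = store.redeem(tok, "jdoe", "password-reset", now=t0 + 60)
    replay = store.redeem(tok, "jdoe", "password-reset", now=t0 + 61)
    tok2 = store.issue("jdoe", "password-reset", now=t0)
    expired = store.redeem(tok2, "jdoe", "password-reset", now=t0 + LIFETIME_SECONDS + 1)
    tok3 = store.issue("jdoe", "password-reset", now=t0)
    wrong_user = store.redeem(tok3, "asmith", "password-reset", now=t0 + 1)
    wrong_purpose = store.redeem(tok3, "jdoe", "email-change", now=t0 + 1)
    garbage = store.redeem("not-a-token", "jdoe", "password-reset", now=t0 + 1)
    return {"first_use": first, "replay": replay, "expired": expired,
            "wrong_user": wrong_user, "wrong_purpose": wrong_purpose, "garbage": garbage}


if __name__ == "__main__":
    print(demo())
```

Binding the verifier to a purpose is what keeps a password-reset link from being presented as an e-mail-change confirmation; binding it to the user means the server never has to trust a user id carried in the link itself.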
Implement SMS or email notification of account activities.
Transfers and change of address or phone details
Man Rec Rec
Prevent pharming – DNS poisoning
Consider staggering transaction delays using resource monitors or add a delay to the same transactions being performed quickly from one IP address
By 10th transaction should take 3 minutes or more
Rec Rec Rec
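The "Institute transaction limits" row and the staggered-delay row above describe the same guard from two sides: hard per-user limits (counts and amounts per day) and an escalating delay for repeated transactions from one address. The following is an added example, not code from the RMIS standard, that applies both before a transaction is accepted; its delay schedule is chosen so that the 10th transaction from one address inside the window waits 180 seconds, matching the "by 10th transaction should take 3 minutes or more" guidance. The window length, the daily limits and the addresses are constructed assumptions; enforcing the returned delay (queueing, or deferring the response) is left to the caller.

```python
"""Added example (not from the RMIS standard): per-user daily transaction limits plus
an escalating per-address delay.  Window, limits and sample traffic are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 600               # 'quickly from one IP address' = inside this window
DAILY_MAX_COUNT = 5                # assumed per-user limits
DAILY_MAX_AMOUNT_CENTS = 100_000
MAX_DELAY_SECONDS = 600


def delay_seconds(n_recent: int) -> int:
    """Delay for the n-th transaction from one address inside the window:
    free for the first three, then 20 s per transaction, so the 10th waits 180 s."""
    if n_recent <= 3:
        return 0
    return min(MAX_DELAY_SECONDS, 20 * (n_recent - 1))


class TransactionGuard:
    def __init__(self):
        self._by_ip = defaultdict(deque)             # ip -> timestamps inside the window
        self._daily = defaultdict(lambda: [0, 0])    # (user, day) -> [count, amount]

    def check(self, user: str, ip: str, amount_cents: int, now: float) -> tuple:
        """Return (decision, delay_seconds); decision is 'allow' or 'deny:<reason>'."""
        day = int(now // 86400)
        count, total = self._daily[(user, day)]
        if count + 1 > DAILY_MAX_COUNT:
            return "deny:daily-count", 0
        if total + amount_cents > DAILY_MAX_AMOUNT_CENTS:
            return "deny:daily-amount", 0
        recent = self._by_ip[ip]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                          # slide the window forward
        recent.append(now)
        self._daily[(user, day)] = [count + 1, total + amount_cents]
        return "allow", delay_seconds(len(recent))


def demo() -> dict:
    """Constructed traffic: RFC 5737 documentation addresses, fixed timestamps."""
    guard = TransactionGuard()
    t0 = 1_700_000_000.0
    # ten different users from one address, one second apart: delays escalate
    delays = [guard.check(f"u{i}", "198.51.100.7", 1000, t0 + i)[1] for i in range(1, 11)]
    # one user (already one transaction today) runs into the daily count limit
    count_decisions = [guard.check("u1", "203.0.113.9", 1000, t0 + 100 + i)[0]
                       for i in range(5)]
    # one user runs into the daily amount limit on the second transaction
    amount_decisions = [guard.check("u99", "203.0.113.9", 60_000, t0 + 200 + i)[0]
                        for i in range(2)]
    return {"delays": delays, "count": count_decisions, "amount": amount_decisions}


if __name__ == "__main__":
    print(demo())
```

Denied transactions are not added to the address window, so a user who is already blocked by a daily limit does not also inflate the delay for everyone behind the same address (shared campus NAT is the usual case).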
10.1.4 ISO 17799 Operational procedures and responsibilities
Separation of development, test, & operational facilities
To ensure the correct and secure operation of information processing facilities.
Development, test, and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.
a) Document procedures for transferring software from development to production
Change Management Procedures
Testing and operations
Man. Rec. Opt. ETSS???
b) Run development and production software on separate systems; run development and production software in separate domains where possible
Operational procedures
c) Remove access to compilers, editors, and other development tools from production systems when not required
Maintenance procedures
d) Make the test system environment emulate the operational system environment as closely as possible
Volumes, Hardware, operating system software levels
e) Create separate user profiles (including user id/passwords) for production and development/test environments OR ensure that profiles are managed outside of test/development environments
System Administration Procedures
f) Remove High Security Data elements before copying data sets to development/testing environments
See also 12.4 below
12.4 ISO 17799 Information systems acquisition, development & maintenance
Security of system files
Control of operational software
Updating of the operational software, applications, and program libraries should only be performed by trained administrators upon appropriate management authorization
Change Management Procedures
Design, development, testing, maintenance and operations
Man. Rec. Opt. PT
Operational systems should only hold approved executable code, and not development code or compilers or other tools
Only implement applications and operating system software after extensive and successful testing; the tests should include tests on usability, security, effects on other systems and user-friendliness, and should be carried out on separate systems from operational
Use a configuration control system to keep control of all implemented test and operational software as well as the system documentation
Change Management Procedures
Maintenance and Operational
Man. Rec. Opt. PT and Operations
Prepare a rollback strategy before changes are implemented
Maintain an audit log of all updates to operational program libraries
Retain previous versions of application software as a contingency and audit measure
Disaster Recovery Procedures
Archive and hold old versions of software, together with all required information and parameters, procedures, configuration details, and supporting software for as long as the data is retained in archive
Disaster Recovery Procedures
Maintain vendor supplied software used in operational systems at a level supported by the supplier
Operational SLA
Take into account the business requirements during the decision to upgrade to a new release for the need for the changes in the release, and the security of the release
Operational SLA
Apply software patches when they help to remove or reduce security weaknesses
Operational SLA
Chapter 9
OWASP Guide - Phishing
Avoid social engineering that impersonates a trusted identity within a Web application, e.g. Phishing
User Education: Create a security policy on your web site in easy-to-understand terms detailing how you will communicate with your users. Include the Phishing topic. Communicate the policy.
Types of email used, valid contents of app. email, never click on Web links in email…
Design, development, testing, maintenance and operations
Man Rec Rec Maintenance and Operations
Make it easy for your users to report security incidents
Create and monitor an email address such as [email protected] , or provide a Web page for reporting incidents
Phishing, Malware, unusual application behavior…
Man Rec Rec
Never ask your users for their secrets
In Web pages, on the phone or especially in emails
Such as credit card number, password or PIN
Man Man Man
Monitor unusual account activity
Use heuristics and other business logic to investigate user activity
* Clearing/closing out accounts/userids
* Conducting many small transactions
* Transactions from multiple userids affecting same accounts
Rec Rec Opt
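The three heuristics listed in the "Monitor unusual account activity" row can be run over a transaction log as detection logic. The following is an added example, not code from the RMIS standard: it flags a userid that empties an account and closes it the same day, a userid making many small transactions inside a short window, and a destination account fed by several distinct userids. The log format, the thresholds and every log entry are constructed; the output is a review queue for an investigator, not an automatic block.

```python
"""Added example (not from the RMIS standard): account-activity heuristics over a
constructed transaction log.  Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SMALL_AMOUNT_CENTS = 2000               # what counts as a 'small' transaction
SMALL_TXN_THRESHOLD = 5                 # this many small transactions ...
SMALL_TXN_WINDOW = timedelta(hours=1)   # ... inside this window is unusual
SHARED_TARGET_THRESHOLD = 3             # distinct userids paying one account

# Constructed log: (timestamp, userid, action, account, amount_cents)
LOG = [
    ("2023-05-01T09:00:00", "jdoe",   "transfer",     "acct-777", 1500),
    ("2023-05-01T09:05:00", "jdoe",   "transfer",     "acct-777", 1500),
    ("2023-05-01T09:10:00", "jdoe",   "transfer",     "acct-777", 1200),
    ("2023-05-01T09:15:00", "jdoe",   "transfer",     "acct-777", 1800),
    ("2023-05-01T09:20:00", "jdoe",   "transfer",     "acct-777", 1500),
    ("2023-05-01T09:25:00", "jdoe",   "transfer",     "acct-777",  900),
    ("2023-05-01T10:00:00", "asmith", "transfer",     "acct-777", 4000),
    ("2023-05-01T10:30:00", "bkim",   "transfer",     "acct-777", 2500),
    ("2023-05-01T11:00:00", "pwong",  "transfer",     "acct-900", 50000),
    ("2023-05-01T13:00:00", "mlee",   "withdraw_all", "acct-123", 0),
    ("2023-05-01T13:05:00", "mlee",   "close",        "acct-123", 0),
    ("2023-05-02T08:00:00", "asmith", "transfer",     "acct-555", 1000),
]


def flag_many_small_transactions(log) -> set:
    """Userids with >= SMALL_TXN_THRESHOLD small transfers inside one window."""
    per_user = defaultdict(list)
    for ts, user, action, _acct, amount in log:
        if action == "transfer" and amount <= SMALL_AMOUNT_CENTS:
            per_user[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):          # window starting at each transaction
            j = i
            while j < len(times) and times[j] - times[i] <= SMALL_TXN_WINDOW:
                j += 1
            if j - i >= SMALL_TXN_THRESHOLD:
                flagged.add(user)
                break
    return flagged


def flag_shared_target_accounts(log) -> set:
    """Accounts receiving transfers from >= SHARED_TARGET_THRESHOLD distinct userids."""
    senders = defaultdict(set)
    for _ts, user, action, acct, _amount in log:
        if action == "transfer":
            senders[acct].add(user)
    return {acct for acct, users in senders.items() if len(users) >= SHARED_TARGET_THRESHOLD}


def flag_cleared_then_closed(log) -> set:
    """Userids that did 'withdraw_all' and then 'close' on the same account that day."""
    cleared = defaultdict(set)   # user -> {(day, account)}
    flagged = set()
    for ts, user, action, acct, _amount in sorted(log, key=lambda e: e[0]):
        day = ts[:10]
        if action == "withdraw_all":
            cleared[user].add((day, acct))
        elif action == "close" and (day, acct) in cleared[user]:
            flagged.add(user)
    return flagged


def investigate(log) -> dict:
    """Run every heuristic and return sorted lists for the review queue."""
    return {
        "many_small_transactions": sorted(flag_many_small_transactions(log)),
        "shared_target_accounts": sorted(flag_shared_target_accounts(log)),
        "cleared_and_closed": sorted(flag_cleared_then_closed(log)),
    }


if __name__ == "__main__":
    print(investigate(LOG))
```

Each heuristic keys on a different field (sender, receiver, lifecycle action), so a single event can surface under more than one rule; that overlap is useful to an analyst, since an account that is both the shared target and the one being emptied is a stronger signal than either finding alone.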
Get the phishing target servers offline quickly
Work with law enforcement agencies, banking regulators, ISPs
Let phishers know you take it seriously
Rec Rec Opt
Take control of the fraudulent phishing domain name
Use the dispute resolution process of the domain registrar, register misspellings of your own domain
May not always work…
Rec Rec Opt
12.4 ISO 17799 Information systems acquisition, development & maintenance
Security of system files
Protection of test data
Avoid use of operational databases containing personal information or any other sensitive information for testing purposes
Testing procedures
Development, testing, maintenance and operations
Man. Man. Man. PT
Remove all sensitive data from candidate test data or modify sensitive details and content beyond recognition before use
Testing procedures
Development, testing, maintenance and operations
Man. Man. Man. PT
Apply access control procedures, as close to operational application systems as possible, while testing application systems
Erase operational information from a test application system immediately after testing is completed
Authorize afresh each time operational information is copied to a test application system
Erase operational information from a test application system immediately after the testing is complete
Log copying and use of operational information to provide an audit trail.
Perform system and acceptance testing with volumes of test data that are as close as possible to operational levels
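The test-data rows above (and 10.1.4 f, "Remove High Security Data elements before copying data sets to development/testing environments") come down to a scrubbing step with an audit record. The following is an added example, not code from the RMIS standard: high-security elements are dropped outright, identifiers and names are replaced with keyed pseudonyms (the same real value always maps to the same fake one, so joins between tables still work, while the key never leaves production), the copy is logged with a record count and digest, and a final check confirms that no original sensitive value survives in the output. The field names, the two sample tables and the scrubbing key are constructed.

```python
"""Added example (not from the RMIS standard): scrubbing operational records before
they are copied to a test environment.  Fields, records and the key are constructed."""
import hashlib
import hmac
import json
import secrets
import time

DROP_FIELDS = {"ssn", "card_number", "password_hash"}          # never copied out
PSEUDONYMISE_FIELDS = {"student_id", "family_name", "email"}   # replaced consistently
SCRUB_KEY = secrets.token_bytes(32)   # held in production only; a new key gives new pseudonyms


def pseudonym(value: str, field: str) -> str:
    """Deterministic keyed replacement; not reversible without SCRUB_KEY."""
    tag = hmac.new(SCRUB_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    if field == "email":
        return f"user-{tag}@test.invalid"   # keeps the shape an e-mail validator expects
    return f"{field}-{tag}"


def scrub_record(rec: dict) -> dict:
    out = {}
    for key, value in rec.items():
        if key in DROP_FIELDS:
            continue
        out[key] = pseudonym(str(value), key) if key in PSEUDONYMISE_FIELDS else value
    return out


def scrub_dataset(records: list, requested_by: str, purpose: str, now: float = None):
    """Return (scrubbed records, audit entry) for the 'log copying and use' control."""
    scrubbed = [scrub_record(r) for r in records]
    payload = json.dumps(scrubbed, sort_keys=True).encode()
    audit = {
        "at": time.time() if now is None else now,
        "requested_by": requested_by,
        "purpose": purpose,
        "record_count": len(scrubbed),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "fields_dropped": sorted(DROP_FIELDS),
    }
    return scrubbed, audit


def residual_sensitive_values(originals: list, scrubbed: list) -> list:
    """Release gate: list any original sensitive value that still appears in the output."""
    blob = json.dumps(scrubbed)
    watched = DROP_FIELDS | PSEUDONYMISE_FIELDS
    return [v for r in originals for k, v in r.items() if k in watched and str(v) in blob]


# Constructed operational data: two tables that join on student_id.
STUDENTS = [
    {"student_id": "200123456", "family_name": "O'Neil", "email": "oneil@example.edu",
     "ssn": "123-45-6789", "term": "2023FA"},
    {"student_id": "200987654", "family_name": "Lee", "email": "lee@example.edu",
     "ssn": "987-65-4321", "term": "2023FA"},
]
PAYMENTS = [
    {"student_id": "200123456", "card_number": "4111111111111111", "amount_cents": 15000},
]

if __name__ == "__main__":
    students, audit = scrub_dataset(STUDENTS, "jdoe", "load-test")
    payments, _ = scrub_dataset(PAYMENTS, "jdoe", "load-test")
    print(students[0]["student_id"] == payments[0]["student_id"])   # join still works
    print(residual_sensitive_values(STUDENTS + PAYMENTS, students + payments))  # []
    print(audit)
```

Because the pseudonym is an HMAC rather than a plain hash, a tester who knows the id format cannot rebuild the mapping by hashing every nine-digit number; the key is the only thing that links test data back to real people, and it stays with the production copy.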
12.4 ISO 17799 Information systems acquisition, development & maintenance
Security of system files
Control access to program source code during development
Do not hold (or substantially protect) program source libraries in operational systems
Development Procedures / Change Management Procedures
Development, testing, maintenance and operations
Man. Rec. Opt. PT
Manage program source code and the program source libraries according to established procedures in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes.
Do not allow support personnel unrestricted access to program source libraries
Subject maintenance and copying of program source libraries to strict change control procedures
12.5.4 ISO 17799 Information systems acquisition, development & maintenance
Security in development and support processes
Information leakage avoidance and detection
Scan outbound media and communications for hidden information and covert channels
SNORT, IPS, …
Testing and Operational
Rec. Opt. Opt. IAS
Mask and modulate system and communications behavior to reduce the likelihood of a third party being able to deduce information
SSL, VPN
Make use of systems and software that are considered to be of high integrity
Acquisition and development
Rec. Rec. Rec. IAS review
Regularly monitor personnel and system activities, where permitted under existing legislation or regulation
Testing and Operational
Rec. Opt. Opt. Operations?
Monitor resource usage in applications and associated computer systems
Rec. Rec. Rec. Operations?
Take measures to protect against Trojan code in order to reduce covert channel exploitation.
Rec. Rec. Rec. Operations?
11.6.1 ISO 17799 Access Control
Application & information access control
Information access restriction
Limit access to functions
Menus with individual user or role rights by menu line item
Detailed design & development
Rec. Rec. Rec. PT (Users), Operations (users)
Role based access by user business function
Man. (People-soft) Rec. Opt.
Department table
Man. (People-soft) Rec. Opt.
Security tree
Man. (People-soft) Rec. Opt.
Control access to data (user access rights)
Permission lists by User/Role, e.g. Security matrix
Operational
Man. Man. Rec. IAS (Users)
Restrict OUC university-wide access
Man. (People-soft) Rec. Opt.
Process authorization approval for users to application function & data
ASAP Man. Rec. Rec.
Ensure that outputs containing sensitive information show only the information relevant to the use of the output and are sent only to authorized devices and locations
Man. Rec. Rec.
Conduct periodic reviews of such outputs to ensure that redundant information is removed.
Man. Rec. Rec.
Limit access rights of other applications
EDI, OLE, COM/DCOM, shared data access, …
Development Man. Rec. Rec. PT
Database row-level security to restrict access by range of values
Man. (People-soft)
Rec. Opt.
Database views limited to functional needs only
Man. (People-soft)
Rec. Opt.
Database triggers (e.g. integrity control)
Rec. Rec. Rec.
Chapter 13
OWASP Guide - Authorization
Principle of least privilege – Web applications authorization control
Allow running code only the permissions needed to complete the required tasks
Spans the configuration of the web and application servers through the business capabilities of business logic components
Limit Application role privileges, Database privileges, root, Administrator, AllPermission(Java), FullTrust(.NET)…
Development Man. Rec. Opt. PT
Create user accounts as unprivileged and give permissions incrementally
During unit testing
Accounts should not have both business and administrator privileges
Separate business and administrator functions
Access the database through one or more limited accounts
Limit schema-modification privileges
Access the database through user role parameterized stored procedures
Allow all table access to be revoked
Implement code access security privileges if possible
E.g. DNS query vs. Database access vs. Network connection
Rec. Rec. Opt.
Use centralized authorization routines
Minimize custom authorization code at multiple entry points
Man. Rec. Opt. PT
Use built-in platform or framework authorization facilities
Rec. Rec. Opt.
Verify Authorization Matrix code
Control access to protected resources
Protect access to static resources
Generate sensitive content dynamically rather than save to temp
Reauthorization for sensitive activities or after idle out
Never implement client-side authorization tokens
Man. Rec. Opt.
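The 11.6.1 rows (menus by role, permission lists by user/role, row-level security, views limited to functional needs) and the OWASP authorization rows (least privilege, one centralized authorization routine, reauthorization for sensitive activities) describe a single server-side decision point. The following is an added example, not code from the RMIS standard or the OWASP Guide, of such a routine: function-level access comes from a role/permission matrix that denies by default, data-level access applies a row-level rule (own records, own department, or all), sensitive actions additionally require a recent re-authentication, and the same row rule filters result sets the way a restricted database view would. The roles, permissions, departments, sessions, rows and the 10-minute re-authentication window are constructed.

```python
"""Added example (not from the RMIS standard): one central authorization routine with a
role/permission matrix, row-level scope and reauthorization.  All data is constructed."""
import time
from dataclasses import dataclass

# role -> {action: scope}; scope is "own", "dept" or "all".  Anything absent is denied.
MATRIX = {
    "student":   {"grades:view": "own",  "registration:edit": "own"},
    "advisor":   {"grades:view": "dept", "registration:edit": "dept"},
    "registrar": {"grades:view": "all",  "grades:edit": "dept", "holds:release": "all"},
}
SCOPE_RANK = {"own": 0, "dept": 1, "all": 2}
SENSITIVE = {"grades:edit", "holds:release"}   # reauthorization required
REAUTH_WINDOW_SECONDS = 600                    # assumed


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset
    department: str
    last_auth_at: float     # when the user last proved their identity


@dataclass(frozen=True)
class Row:
    student_id: str
    department: str


def effective_scope(session: Session, action: str):
    """Widest scope any of the user's roles grants for this action, or None."""
    best = None
    for role in session.roles:
        scope = MATRIX.get(role, {}).get(action)
        if scope and (best is None or SCOPE_RANK[scope] > SCOPE_RANK[best]):
            best = scope
    return best


def row_in_scope(session: Session, scope: str, row) -> bool:
    """Row-level rule: the check a restricted view or row-level security would apply."""
    if scope == "all":
        return True
    if row is None:
        return False
    if scope == "dept":
        return row.department == session.department
    return row.student_id == session.user_id


def authorize(session: Session, action: str, row: Row = None, now: float = None) -> tuple:
    """The single entry point every controller calls.  Returns (allowed, reason)."""
    now = time.time() if now is None else now
    scope = effective_scope(session, action)
    if scope is None:
        return False, "no permission"
    if not row_in_scope(session, scope, row):
        return False, "row outside scope"
    if action in SENSITIVE and now - session.last_auth_at > REAUTH_WINDOW_SECONDS:
        return False, "reauthentication required"
    return True, "ok"


def visible_rows(session: Session, action: str, rows) -> list:
    """Server-side filter equivalent to a view limited to the user's functional needs."""
    scope = effective_scope(session, action)
    if scope is None:
        return []
    return [r for r in rows if row_in_scope(session, scope, r)]


# Constructed sessions and data.
ROWS = [Row("200123456", "CSC"), Row("200987654", "MA"), Row("200555555", "CSC")]
STUDENT = Session("200123456", frozenset({"student"}), "CSC", 1_700_000_000.0)
ADVISOR = Session("adv1", frozenset({"advisor"}), "CSC", 1_700_000_000.0)
REGISTRAR = Session("reg1", frozenset({"registrar"}), "MA", 1_700_000_000.0)

if __name__ == "__main__":
    now = 1_700_000_100.0
    print(authorize(STUDENT, "grades:view", ROWS[0], now))           # (True, 'ok')
    print(authorize(STUDENT, "grades:view", ROWS[2], now))           # row outside scope
    print([r.student_id for r in visible_rows(ADVISOR, "grades:view", ROWS)])
    print(authorize(REGISTRAR, "grades:edit", ROWS[1], now + 1000))  # reauthentication required
```

Every decision here is taken from the server-side session and the matrix; nothing about the caller's rights arrives from the client, which is the point of the "never implement client-side authorization tokens" row. Keeping the row rule in one function is what makes the matrix verifiable: a reviewer can read MATRIX and row_in_scope and know the complete policy, instead of hunting for custom checks at each entry point.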
References
International Standards Organization, ISO 17799: Code of Practice for Information Security Management
National Institute of Standards and Technology, Special Publication 800-53: Recommended Security Controls for Federal Systems
ISC2: Common Book of Knowledge
Open Web Application Security Project (OWASP), Guide to Building Secure Web Applications v2, http://www.owasp.org/index.php/Guide_Table_of_Contents
Sections not incorporated from ISO 17799 § 12 Information systems acquisition, development & maintenance:
12.3.1 Policy on the use of cryptographic controls (Policy issues - most not included here)
12.3.2 Key management (most not included here - infrastructure)
12.5.1 Change control procedures (for development & maintenance – very management)
12.5.2 Technical review of applications after operating system changes (maybe this should be in table above?)
12.5.3 Restrictions on changes to software packages (maybe this should be in table above?)
12.5.5 Outsourced software development (maybe this should be in table above?)
12.6 Technical Vulnerability Management (This may be more infrastructure? Though they relate it to operating systems and applications, and change control)
11.2 User access management – should this be in this section – or access control section?
Authentication and most Authorization issues that are not controlling access to application function or specific data belong in the Access Control standard?