Module 2: Planning for Web Application Security

Contents
Overview
Lesson: A Design Process for Building Secure Web Applications
Review

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 60 minutes
Lab: 00 minutes

This module explains the steps that are typically involved in the Web application design process, what role security considerations play in each of these steps, and how these steps interrelate with one another. Students focus on the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, and by calculating the exposure of those assets to those threats. Finally, students learn about developing an implementation and maintenance plan for securing Web applications.

In this module, students apply the STRIDE threat model that was covered in Module 1, "Introduction to Web Security," in Course 2300, Developing Secure Web Applications.

After completing this module, students will be able to describe the general approach to designing security into a Web application and to categorize and identify the most common types of attacks, along with the potential threats that the attacks pose to systems, services, and data within their organizations.

Required materials
To teach this module, you need the following materials:
- Microsoft PowerPoint file 2300A_02.ppt
- A white board or flip chart

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.
- Read about the application design process in the Microsoft Solutions Framework (MSF).
- Read Chapter 2, "A Process for Building Secure Web Applications," in Designing Secure Web-Based Applications for Microsoft Windows 2000, by Michael Howard (Redmond: Microsoft Press, 2000).
- Read the TechNet article "Best Practices for Enterprise Security," available at http://www.microsoft.com/technet/security/bestprac/bpentsec.asp
- Review Microsoft's security policies, available at http://www.microsoft.com/technet/security/policy/policies.asp
- Read about the STRIDE threat model in Module 1, "Introduction to Web Security," in Course 2300, Developing Secure Web Applications, and in Chapter 2 of the Howard book cited above.
- Attend Course 2632, Designing a Secure Network.
- Read the TechNet article "Security Strategies," available at http://www.microsoft.com/technet/security/bestprac/secstrat.asp

How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: A Design Process for Building Secure Web Applications
This lesson covers only part of the design process, namely the threat analysis process. It does not cover how to determine business and information requirements; it is assumed that students already know how to determine those requirements and create a functional specification for a Web application.

Start this lesson with a discussion of why this information is important for Web developers to know. Some Web developers are not involved in the Web application design process within their organizations and might feel that knowing the complete process is irrelevant to their jobs.

Determining Threats
The business and product requirements and information requirements steps in the design process have been intentionally minimized in this lesson. Although it is important for students to understand the outcomes of these steps (the architectural diagram and the design specification), it is not necessary to discuss the steps in detail. Define the term threat and briefly mention the three steps that are taken when determining threats; these steps are discussed in more detail in the topics that follow. Suggest to students that they hire a security consultant to help identify threats and then to try to break into the system after the security services have been developed.

Identifying the Assets to Protect
Review each category of assets, placing emphasis on the assets that are in a Web application: software, data, and communications.

Practice: Identifying the Assets to Protect
In this practice, students identify the assets that require protection in the Tailspin Toys lab solution. The goal is to encourage students to think of the assets in their own Web applications that might be susceptible to attack. Run this practice as a group brainstorming session, and write the results on a white board or flip chart; they are referred to in the next practice.

Identifying the Threats to Assets
The STRIDE model was introduced in Module 1, "Introduction to Web Security," in Course 2300, Developing Secure Web Applications, so it is not necessary to review each category of threat in detail. Instead, focus on how each threat category relates to the assets that require protection. Note that multiple assets may be vulnerable to multiple threat categories.

Practice: Identifying the Threats to Assets
In this practice, students compare the assets identified in the previous practice against the threats in the STRIDE model. Run it as a group brainstorming session; refer to the results of the first practice and write the results of this practice on the same white board or flip chart.

Calculating Exposure and Prioritizing Threats
Explain that students can use the exposure formula to prioritize risks. After students have calculated the exposure for each identified security risk, they can rank the risks and create a management strategy based on the exposure value. Tell students that selecting a probability and an impact value is very subjective. The formula used to calculate exposure is based on content from MSF.

Practice: Calculating Exposure and Prioritizing Threats
In this practice, students assign a probability and an impact value to each threat identified in the previous practice, using a numeric rating system for both. Let students know that this is a very subjective exercise. Run it as a group brainstorming session; refer to the results of the second practice and write the results on the same white board or flip chart.

Using the Security Policy to Evaluate Threats
Although threat prioritization is important, the security policy ultimately determines whether a threat will be defended against, assigned, or accepted. An important point to make is that even though a threat may have a low exposure ranking, the security policy may dictate that it be defended against at all costs.

Selecting Security Technology
It is not necessary to discuss in great detail the security technologies listed in the table. Explain that students will learn more about countermeasures and technologies throughout the rest of the course.

Mitigating Risks Through Security Services
Security implementation from the developer standpoint is the focus of this course. Review with students the general areas of security that will be discussed throughout the course.

Developing a Security Maintenance and Upgrade Program
It is important that students understand that maintaining a secure Web application is an iterative process. The security plan must be reviewed often so that new threats and security policies are considered and then addressed accordingly.

Overview
- A Design Process for Building Secure Web Applications

Introduction
Security considerations must be integrated into all aspects of an organization's Web application planning and design process. If security is not addressed because it is perceived as too costly, or if it is applied in an unplanned manner at the end of the development cycle, organizations and their development teams will quickly learn how damaging their mistakes are, because attackers readily exploit vulnerabilities in an organization's Web applications.

In this module, you will learn about the steps that are typically involved in the Web application design process, what role security considerations play in each of these steps, and how these steps interrelate. You will then focus on the threat analysis step in the design process by identifying Web-accessible assets and the threats that are posed to those assets, calculating the exposure of those assets, and developing an implementation and maintenance plan for securing your Web application.

Objective
After completing this module, you will be able to describe the general approach to designing security into a Web application and to categorize and identify the most common types of attacks, along with the potential threats that those attacks pose to systems, services, and data within your organization.

Lesson: A Design Process for Building Secure Web Applications

[Slide: design process diagram. Business and Product Requirements define Information Requirements, which define Threats. Threats reference the Security Policy and select Security Technology. Security Services mitigate Threats and implement Security Technology, and the outcome feeds back as Updates to the Business and Product Requirements.]

Introduction
To achieve the most secure solution, security must be considered throughout the Web application design process. Security as an afterthought often results in higher development costs and a Web application that is prone to attack. Trying to add security to a Web application after it is completed also makes security solutions more difficult to design and implement.

In this lesson, you will look at a structured design process for building secure Web applications. Although some of the steps in the design process are not typically Web developer responsibilities, it is important for you to see how the process works, where the information used to make design decisions originates, how security design decisions are made, and how these decisions guide the selection of the security technologies and services to be added to the Web application. You will also learn how to analyze Web applications to identify the Web-accessible assets that are most susceptible to security threats, the types of threats that are commonly mounted against those assets, and the general approaches that are used to safeguard against those threats.

Lesson objectives
After completing this lesson, you will be able to:
- Explain the process of identifying threats and evaluating the risks that those threats pose to your organization's Web applications.
- Identify the assets in a Web application that are vulnerable to security threats.
- Identify the categories of attacks that typically affect each asset in a Web application.
- Prioritize threats by calculating their exposure and weighing the cost of countering each threat against the value of the asset that the countermeasure will protect.
- Explain how the identified threats are evaluated against an organization's overall security policy.
- Explain how security services are designed to use security technologies.
- Explain the process of developing a security maintenance and upgrade plan.

Determining Threats

[Slide: the same design process diagram, with the Threats step expanded into three tasks: identify the assets to protect; identify the threats to assets; calculate exposure and prioritize threats.]

Introduction
An architectural diagram and a design specification are the result of gathering business, product, and information requirements for a Web application. After you gather these requirements, the next step in the design process is to determine the security threats to your Web application.

What is a threat?
A threat is a possibility that poses danger to business assets. All threats are determined in relation to a business risk: the greater the business risk (that is, the greater the negative impact on the business if the threat is realized), the greater the threat. Each organization faces its own unique set of threats. For example:
- A bank wants to protect its money.
- A hospital wants to protect patient records.
- A software development company wants to protect its source code.

Adding a Web presence, such as a Web site, exposes these organizations to even more threats and risk. For example, Web pages can be compromised and changed, the database that is accessed by the Web site can be altered or destroyed, unauthorized users could gain access to the file system, and any data that is exchanged with the Web site's users can be intercepted and exploited.

Steps to determining threats
Determining threats is a three-step process:
1. Identify what assets you are trying to protect.
2. Determine what or whom you are trying to protect the assets from.
3. Calculate the exposure of the assets and prioritize the threats against them.

STRIDE attack categories (table continued; the earlier rows are not included in this copy)

Attack | Description | Example
Information disclosure | Private or business-critical information is compromised by being exposed to individuals who are not supposed to have access to it. | An attacker gains access to encryption keys, business plans, credit card information, or payroll data.
Denial of service (DoS) | Service is denied to valid users. | An attacker mounts a denial of service attack that results in system failure, lost business, damage to business reputation, and employee idle time.
Elevation of privilege | An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system (the user can go undetected and become part of the trusted system). | A buffer overrun attack causes injected code to run at an elevated privilege level, giving the malicious code access to unauthorized parts of the system.

Practice: Identifying the Threats to Assets

Students will: given a list of assets, list the threats to each asset.
Time: # minutes

Introduction
In this practice, you will review the list of Web application assets that was created in the previous practice and identify which STRIDE threats these assets are vulnerable to.

Identify threats to assets
Fill in the following table with the assets that were identified in the previous practice, and then add the corresponding STRIDE threat categories that the assets are vulnerable to.

Asset | STRIDE threat category
Product information | Tampering with data; Information disclosure; Elevation of privilege
User information | Information disclosure; Elevation of privilege
Order information | Tampering with data; Information disclosure
Communication of private data | Tampering with data; Information disclosure
All of the Web pages on the site | Tampering with data; Denial of service
Web server | Denial of service; Elevation of privilege
SQL Server | Denial of service; Tampering with data; Information disclosure
Network connections | Information disclosure; Elevation of privilege

Calculating Exposure and Prioritizing Threats

[Slide: Probability (the likelihood that the threat will occur) x Impact (the potential loss) = Exposure (the probability of loss).]
- Use a numeric scale for ease of calculation:
  high = 3, medium = 2, and low = 1; or high = 75 percent, medium = 50 percent, and low = 25 percent.
- Rank risks to an organization based on the exposure value.

Introduction
After you identify all of the threats to your Web application, you must prioritize them. The exposure value calculated here ranks the threats; you then weigh what it will cost to counter each threat against the value of the asset that the countermeasure will protect.

Determining the impact of a threat
You determine the exposure of a threat to an organization by multiplying the probability that the threat will occur by the potential loss to the organization. Use the following formula:

Exposure = Probability x Impact

where:
- Exposure is the probability of loss. To determine the exposure, multiply probability by impact.
- Probability is the likelihood that the security threat will occur. To assign a value to represent likelihood:
  - Use a numeric scale for ease of calculation.
  - Choose the granularity that works best for your project, but use the same scale across the project.
  - Represent a subjective scale numerically. For example, high = 3, medium = 2, and low = 1, or high = 75 percent, medium = 50 percent, and low = 25 percent.
- Impact is the potential loss. The impact is closely related to the value of the resource that is threatened and the cost of restoring or rebuilding that resource. For intellectual property, the value can be lost revenue or business opportunity. When considering cost, do not limit your estimate to actual dollars: the loss of credibility with the public if the asset is successfully attacked can also be very difficult to recover from. If the cost of the potential loss is difficult to assign a value to, you can use a scale to describe the impact, similar to the scale described for assigning probability.

After you calculate the exposure of all of the risks that you identified, you can rank the risks based on the exposure value. Ranking the risks helps you to prioritize the threats. Because both factors are subjective estimates, record the reasoning behind each value so that the ranking can be revisited when the assumptions change.

Practice: Calculating Exposure and Prioritizing Threats

Students will: given a list of assets and the threats that they are vulnerable to, calculate the exposure for each threat.
Time: # minutes

Introduction
In this practice, you will review the list of threats to the Web-accessible assets of the Tailspin Toys Web application and calculate the exposure if those assets are attacked. In your calculations:
- Use a numeric ranking system for the probability: 3 = high, 2 = medium, 1 = low.
- Use a numeric scale for the impact, where 10 is the maximum value for the organization.

Calculate the exposure of each threat
Fill in the following table with the assets that were identified in the previous practice, the threat categories that the assets are vulnerable to, and the probability and impact values for each threat.

Asset | Threat | Probability | Impact
Product information | Tampering with data | 3 | 3
Product information | Information disclosure | |
Product information | Elevation of privilege | |
User information | Information disclosure | |
User information | Elevation of privilege | |
Order information | Tampering with data | |
Order information | Information disclosure | |
Communication of private data | Tampering with data | |
Communication of private data | Information disclosure | |
All of the pages on the Web site | Tampering with data | |
All of the pages on the Web site | Denial of service | |
Web server | Denial of service | |
Web server | Elevation of privilege | |
SQL Server | Denial of service | |
SQL Server | Tampering with data | |
SQL Server | Information disclosure | |
Network connections | Information disclosure | |
Network connections | Elevation of privilege | |

Using the Security Policy to Evaluate Threats

[Slide: Threats reference the Security Policy.]
- The security policy defines an organization's requirements for secure computer and network usage.
- Determine how to respond to prioritized threats by comparing them to the security policy:
  - Accept the threat
  - Assign the threat
  - Defend against the threat

Introduction
After you prioritize the threats to the assets, the next step in the Web application design process is to reference the organization's overall security policy to help refine the list of prioritized threats, determine which threats to address, and determine what to do in response to each individual threat.

What is a security policy?
The security policy defines an organization's requirements for secure computer and network usage, and it protects the availability, integrity, and confidentiality of information. The security policy includes procedures to detect, prevent, and respond to security incidents, and it provides a framework for implementing security plans and procedures for Web applications. The security policy also defines the organization's security goals by answering the following questions:
- What are the organization's security concerns? For example, is the organization concerned about the availability, integrity, and confidentiality of data, vandalized Web sites, or computer viruses?
- How does the organization value data?
- What resources does the organization value most, and how does the organization secure those resources?

The environment in which most organizations operate changes often. Accordingly, it is important not only to have a security policy document, but also to make sure that the document is updated frequently to reflect the organization's current conditions.

Some of the benefits of having a security policy are:
- It determines what is permitted and not permitted in the system. A clear understanding of what is permitted helps in identifying whether a violation has occurred.
- It serves as a requirements document against which technical solutions can be developed and evaluated.

Some examples of security policy goals include:
- All interactions with customers over the Internet that involve money or customer information will be protected.
- Customer information will be kept confidential for the sole use of the customer and the organization. Customers will not be allowed access to each other's personal information.
- Databases cannot be accessed directly through the Internet. All data update interactions with Web applications will be performed through a secure middle tier.
- All communication with databases will be private.

Note: To see an example of Microsoft's security policies, go to http://www.microsoft.com/technet/security/policy/policies.asp

Evaluating threats against the security policy
As a Web developer in your organization, you may not be the person responsible for developing the security policy. However, as you develop a Web application, you will refer to the security policy as you evaluate threats to determine which threats are tolerable and which are not. The priority that you assign to a threat from a risk standpoint may be much higher or lower than the priority that the security policy assigns to it. Despite a threat's low-risk rating, the security policy might dictate that the threat must be addressed regardless of cost. For example, a medical institution will probably determine that the threat of an attacker maliciously changing patient medical data (a data-tampering threat, and possibly also an information disclosure threat) must be remedied, whatever its risk rating or cost.

Taking into account your threat prioritization list and the organization's security policy, you can choose to do one of the following:
- Accept the threat. You can accept the threat if the cost of protecting the asset is too high or if the risk to the asset is too low.
- Assign the threat. You can assign the threat to another organization, such as an insurance company.
- Defend against the threat. You can defend against the threat by implementing countermeasures, such as educating and informing users of the threat in the documentation, and by using relevant security technology.

Record the decision for every threat on the list, including the accepted ones, so that the accepted risk stays visible when the policy or the exposure values change.

Selecting Security Technology

[Slide: Threats reference the Security Policy and select Security Technology.]
- Assign countermeasures to the threats you are defending against.
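The two preceding steps, ranking threats by exposure and then checking the ranked list against the security policy to reach an accept, assign, or defend decision for each threat, can be carried out as a short script. The following is an added example and is not code from the Microsoft course: it uses the Tailspin Toys assets and STRIDE categories from the practice tables, with constructed probability and impact values (the practice leaves them blank). The policy rules, the exposure threshold below which a threat is accepted, and the choice to assign denial-of-service losses to an insurer are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing identity"
    TAMPERING = "Tampering with data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    EOP = "Elevation of privilege"


# Probability on the module's numeric scale: high = 3, medium = 2, low = 1.
HIGH, MEDIUM, LOW = 3, 2, 1


@dataclass(frozen=True)
class Threat:
    asset: str
    category: Stride
    probability: int  # 1..3
    impact: int       # 1..10, where 10 is the maximum loss to the organization

    @property
    def exposure(self) -> int:
        """Exposure = Probability x Impact, the module's formula."""
        return self.probability * self.impact


# Tailspin Toys assets and STRIDE categories from the practice tables; the
# probability and impact values are constructed for this example.
THREATS = [
    Threat("Product information", Stride.TAMPERING, HIGH, 4),
    Threat("Product information", Stride.INFO_DISCLOSURE, MEDIUM, 2),
    Threat("User information", Stride.INFO_DISCLOSURE, MEDIUM, 9),
    Threat("User information", Stride.EOP, LOW, 10),
    Threat("Order information", Stride.TAMPERING, MEDIUM, 7),
    Threat("Communication of private data", Stride.INFO_DISCLOSURE, HIGH, 8),
    Threat("All of the Web pages on the site", Stride.DOS, MEDIUM, 4),
    Threat("Web server", Stride.EOP, LOW, 10),
    Threat("SQL Server", Stride.INFO_DISCLOSURE, LOW, 9),
    Threat("Network connections", Stride.INFO_DISCLOSURE, MEDIUM, 5),
]

# Policy inputs (assumptions for the example). CONFIDENTIAL_ASSETS follows the
# policy goal "customer information will be kept confidential": disclosure of
# these assets is defended regardless of its exposure ranking.
CONFIDENTIAL_ASSETS = {"User information", "Order information",
                       "Communication of private data", "SQL Server"}
INSURED_DOS_ASSETS = {"All of the Web pages on the site"}  # loss transferred to an insurer
ACCEPT_BELOW = 10  # exposure below this value is accepted unless policy says otherwise


def rank_by_exposure(threats):
    """Highest exposure first; ties broken by impact so the larger loss is looked at first."""
    return sorted(threats, key=lambda t: (t.exposure, t.impact), reverse=True)


def decide(threat: Threat) -> str:
    """Apply the security policy to one threat: the first matching rule wins."""
    if threat.category is Stride.INFO_DISCLOSURE and threat.asset in CONFIDENTIAL_ASSETS:
        return "defend (policy mandate)"       # ranking and cost do not matter here
    if threat.category is Stride.DOS and threat.asset in INSURED_DOS_ASSETS:
        return "assign"                        # risk transferred to another organization
    if threat.exposure < ACCEPT_BELOW:
        return "accept"                        # risk too low to justify a countermeasure
    return "defend"


def threat_plan(threats):
    """Ranked list of (asset, threat, exposure, decision) for the design specification."""
    return [(t.asset, t.category.value, t.exposure, decide(t))
            for t in rank_by_exposure(threats)]


if __name__ == "__main__":
    for asset, category, exposure, decision in threat_plan(THREATS):
        print(f"{exposure:>3}  {decision:<24} {asset}: {category}")
```

The SQL Server disclosure row is the case the text warns about: its exposure (9) falls below the acceptance threshold, yet the policy mandate on customer data makes the decision "defend" anyway. Keeping the policy as data separate from the ranking makes such overrides visible and easy to re-run when the values change.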
- Assign specific technologies to countermeasures. Example: threat Information disclosure, countermeasure Encrypt personal information, technology Use SSL.

Introduction
After you decide to accept, assign, or defend against each potential threat, you are ready to evaluate the technologies that you will use to counter the threats that you have chosen to defend against. A technology can itself have a security weakness that leads to other threats, so the selection and the appropriate usage of a technology is very important.

There are often multiple technologies available to address a specific threat. To choose between them, first assign the general countermeasures that will be taken to address the threats, and then assign the specific technologies to the general countermeasures.

The following table shows examples of how threats are assigned to general countermeasures and how countermeasures are then assigned to specific technologies.

Threat | Countermeasure | Technology
Spoofing identity | Require authentication | Set Access Control Lists (ACLs) on files
Tampering with data (integrity) | Perform input validation on all user entries | Use script to perform client-side and server-side input validation
Repudiation | Digital signatures and time stamping | Use CryptoAPI version 2.0 functions, such as CryptHashData and CryptSignHash
Information disclosure | Perform correct file canonicalization checks | Use Microsoft Windows 2000 security features to open files
Information disclosure | Encrypt personal information | Use Secure Sockets Layer (SSL)
Denial of service | Bandwidth throttling | Use IIS bandwidth throttling
Elevation of privilege | Run the process in a low-privileged account | Run the Web application under a non-administrator, non-LocalSystem account

Two points about the table apply to any such mapping. Client-side validation is a usability aid only; the server-side check is what counters tampering, because an attacker can submit requests without ever running the page's script. SSL protects personal information only while it is in transit between the browser and the Web server; information stored in the database, and the connection between the Web server and the database, need their own protection.

Mitigating Risks Through Security Services

[Slide: Security Services mitigate Threats and implement Security Technology.]
Security services:
- Mitigate all risks to a tolerable level
- Should be implemented as loosely coupled components that are written to have minimal dependence on each other
- Include prevention, detection, and response

Introduction
After you select the security technology, you can design security services. The purpose of security services is to mitigate all of the risks to a level deemed tolerable by the security policy. Any security service that does not mitigate one or more risks should not be built; if the service does not counter a threat, there is no reason to build it.

Developing loosely coupled security services
In a well-designed Web application, security services are constructed by using security technologies as discrete components, rather than as tightly interwoven tools. This is the classic software engineering principle of loose coupling: components are written to have minimal dependence on each other.

Characteristics of security services
Security services must include the following characteristics:
- Prevention. To prevent your data from being damaged, altered, or stolen, you can implement a variety of security services, which range from physically locking the server room door to establishing high-level security policies.
- Detection. To detect changes in data, you can use tools that are designed to detect intrusions, damage or alterations, and viruses. For example, antivirus software detects viral signatures and then either removes the virus or blocks infected e-mail from entering the network. In addition, by regularly reviewing audit logs, you can detect attacks against your network, such as a series of failed account logon events, and respond appropriately.
- Response. To respond to changes in data, take measures that enable you to recover data even if the data is lost or damaged. These measures can include testing your disaster recovery plan to ensure that a server can be rebuilt on a new computer from the latest backups.

Developing a Security Maintenance and Update Program

[Slide: Updates from the maintenance program feed back to the Business and Product Requirements and to the Threats.]
- Review the security plan:
  - Modify it when changes in personnel, organization, hardware, or software occur.
  - Include new risks in the analysis process.
  - Adjust security standards to accommodate changes.
- Research security problems.
- Identify, test, and deploy security updates.

Introduction
Security is not a one-time activity; it is an integral part of the system lifecycle. You can research security issues by reading Web-based and paper-based security bulletins, security newsgroups, e-mail list servers, and subscription e-mail services. However, because not all sources of security information are reliable, you must verify the authenticity of your sources.

Identify, test, and deploy security upgrades
As part of your security maintenance program, you will need to identify, test, and deploy security upgrades to the products that are used within your organization. For example:
- You can download security upgrades for computers that are running Windows operating systems from the Microsoft Windows Update Web site at http://windowsupdate.microsoft.com
- You can receive notification of security upgrades by subscribing to the Microsoft Security Notification Service at http://www.microsoft.com/security

Caution: Test any security upgrade before deploying it within your organization. A security upgrade may inadvertently introduce a security weakness or cause a Web application to malfunction.

Review

- A Design Process for Building Secure Web Applications

At what point in the design cycle do you analyze a Web application for threats?
Analyzing your Web application for threats is an iterative process, and it should occur throughout the lifecycle of your Web application.

What is the difference between a security technology and a security service?
A security technology is an existing technology (such as SSL) that can be used to defend against a threat. A security service is actual code in your Web application that uses a security technology (such as protecting a logon page with SSL).

When evaluating threats to your Web application, what are the three options available for handling threats?
Accept the threat, assign the threat, or defend against the threat.

How do you determine which threats you will develop countermeasures for?
Calculate an exposure value for the threat by multiplying the probability of the threat occurring by the impact on the company if an attack does occur. Then rank all of the exposure values and compare them against the security policy.

What are some security technologies that can defend against an information disclosure threat?
Using Windows 2000 security features to open files and using SSL.
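The detection characteristic under Mitigating Risks Through Security Services mentions reviewing audit logs for a series of failed account logon events. The following added example, which is not part of the Microsoft course material, runs that detection logic over a constructed audit log. It goes slightly beyond the single pattern named in the text: besides a burst of failures against one account, it also flags a successful logon that immediately follows such a burst, and one source failing against many different accounts (password spraying). The log line format, the account and source names, and the thresholds are all assumptions; on Windows 2000 the same events would be read from the Security event log rather than from text lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log for the example; the format is an assumption.
SAMPLE_LOG = """\
2002-03-14 10:02:11 LOGON_FAILURE account=alice source=10.0.0.5
2002-03-14 10:02:13 LOGON_FAILURE account=alice source=10.0.0.5
2002-03-14 10:02:14 LOGON_FAILURE account=alice source=10.0.0.5
2002-03-14 10:02:16 LOGON_FAILURE account=alice source=10.0.0.5
2002-03-14 10:02:18 LOGON_FAILURE account=alice source=10.0.0.5
2002-03-14 10:02:20 LOGON_SUCCESS account=alice source=10.0.0.5
2002-03-14 10:15:00 LOGON_FAILURE account=bob source=10.0.0.9
2002-03-14 11:30:00 LOGON_FAILURE account=bob source=10.0.0.9
2002-03-14 12:00:00 LOGON_FAILURE account=admin source=203.0.113.7
2002-03-14 12:00:01 LOGON_FAILURE account=bob source=203.0.113.7
2002-03-14 12:00:02 LOGON_FAILURE account=carol source=203.0.113.7
2002-03-14 12:00:03 LOGON_FAILURE account=dave source=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<kind>LOGON_FAILURE|LOGON_SUCCESS) account=(?P<account>\S+) source=(?P<source>\S+)$"
)


def parse(log_text):
    """Turn the log into (timestamp, kind, account, source) tuples; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed or unrelated line: ignore it rather than abort the review
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["kind"], m["account"], m["source"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), spray_accounts=3):
    """Return (alert_kind, subject, timestamp) tuples for three patterns:
    repeated failures against one account, a success right after such a burst,
    and one source failing against many different accounts (password spraying)."""
    alerts = []
    by_account = defaultdict(deque)  # account -> recent (timestamp, source) failures
    by_source = defaultdict(deque)   # source  -> recent (timestamp, account) failures
    fired = set()                    # alert once per (kind, subject) to avoid flooding

    def prune(queue, now):
        # Drop failures older than the sliding window.
        while queue and now - queue[0][0] > window:
            queue.popleft()

    for ts, kind, account, source in events:
        acct = by_account[account]
        prune(acct, ts)
        if kind == "LOGON_SUCCESS":
            if len(acct) >= threshold:
                alerts.append(("success_after_failures", account, ts))
            acct.clear()  # a successful logon ends the burst
            continue
        acct.append((ts, source))
        if len(acct) >= threshold and ("guessing", account) not in fired:
            fired.add(("guessing", account))
            alerts.append(("password_guessing", account, ts))
        src = by_source[source]
        prune(src, ts)
        src.append((ts, account))
        if len({a for _, a in src}) >= spray_accounts and ("spray", source) not in fired:
            fired.add(("spray", source))
            alerts.append(("password_spray", source, ts))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts}  {kind:<24} {subject}")
```

On the sample log this raises three alerts: the five failures against alice within a few seconds, the successful logon for alice right after them (the event most worth a response, since the guessing may have worked), and the single source 203.0.113.7 trying several accounts. bob's two failures, more than an hour apart, fall outside the window and raise nothing, which is the reason for keeping a time window rather than counting failures over the whole log.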
