
Page 1: ISSP Security Standard Application Security.doc.doc

TARGETED RMIS APPLICATION SECURITY (Covers user interface, middleware, business-rules and database as well as external services. For acquisition, development, maintenance and operations)

Table columns: § # Standard Security Category | Standard Control | Objective | Baseline RMIS Security Controls | Security Control Details Examples and Explanation | Development Life Cycle Phase | RED Zone | YELLOW Zone | GREEN Zone | Responsible Department / Unit

Risk Analysis

4.1 ISO 17799 Risk Analysis

Risk Assessment of the security of application functions & data.

1. Threat analysis Determine threat agents and the likelihood of associated threats

Student, Hacker, Weather, Government, …

Requirements development

Man. Rec. Opt. IAS (Project Team [PT], Users)

Assess the assets affected, their value, and potential impact damage caused by the threat

Sensitive data, physical assets, revenues, reputation, …

2. Risk evaluation Compare the estimated risks against risk criteria to determine the impact of the risk

Dollar value, fines, compliance failure, loss of reputation, injury or death, …

4.2 ISO 17799 Risk Analysis

Risk Treatment to avoid risks in application functions & data.

1. Determine criteria for whether or not identified risk can be accepted

Knowingly and objectively accept the risk

Atomic bomb, low cost impact, …

Requirements development

Man. Rec. Opt. PT (Users, IAS)

Avoid the risk by preventing actions that would cause the risks to occur

Management – e.g. separation of duties, or Technical – e.g. firewalls, …

Transfer the associated risk to other parties

Insurers, services, suppliers, …

Apply appropriate controls to reduce the risk

(See 2 below)

2. Select appropriate controls to reduce the risks

Meet requirements and constraints of university, state, national and international legislation and regulations

FERPA, HIPAA, GLBA, CALEA, …

Design or selection and acquisition –

Evaluate application information security threats and impacts during systems and projects requirements specification (above) -

Man. Rec. Opt. PT (IAS)

Achieve organizational objectives University regulations, … (meet or change)

Author: John L. Baines 1

RISSP Applications Security Standard DRAFT 5/1/2023 10:35 AM

Select and configure appropriate controls and actions at the design stage

Accommodate operational requirements and constraints

Reduce audience, secure data center, …

Adjust cost of implementation and operation of controls in relation to the impact of risks being reduced

Cost-effectiveness of controls referenced to Risk Evaluation above

Man. Rec. Opt. PT (IAS)

Balance the investment in implementation and operation of controls against the harm likely to result from security failures

Worst case assessment – Risk Evaluation above

Consider wide range of control alternatives

Management, manual, automated, developed, packaged, externally provided controls, …

Man. Man. Opt. IAS review

Chapter 7

OWASP Guide - Full Threat Modeling

Design and implement cost-effective counter-measures in coding Web applications

1. Identify Security Objectives

Identity protection, Financial, Reputation, Service-Levels, Privacy, and Legal/Standards Compliance

PCI compliance, contracts, FERPA, HIPAA, loss, image, availability…

Detailed design, pre-coding and testing

Man. Rec. Opt. PT

2. Identify operational threats

Spoofing Identity, Tampering with data, Repudiation, Information leaks, Denial of service, Elevation of privilege (STRIDE methodology)

Threat graph, structured list…

3. Rate risks Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability (DREAD meth.)

Rate the 5 factors - 0 to 10 then average –> Risk_DREAD

4. Survey and decompose the application

Identify and analyze components, data flows, interfaces, modules, and trust boundaries

Compromise opportunities


5. Identify Vulnerabilities

Compare decomposition of the application to the rated risks and threats. Identify potential exposures.

Threat Agents include Accidental Discovery, Automated Malware, the Curious Attacker, Script Kiddies, the Motivated Attacker, Organized Crime

6. Remedy exposures

Develop and implement plans to address vulnerabilities at the design and coding level.

Design criteria, coding techniques, and modifications

Information systems acquisition, development & maintenance

12.1 ISO 17799

Information systems acquisition, development & maintenance

To ensure that security is an integral part of information systems.

1. Documentation of application security requirements

Specify requirements for security controls in the statements of business requirements for new development of information systems, or enhancements to existing information systems.

From 4.2.1 (above) Requirements definition

Man. Rec. Opt. PT

Apply similar control considerations when evaluating purchase of software packages, components and services for business applications.

2. Security control test plan

Describe test data needed and plan its creation

From 4.2.2 (above) Design or selection and acquisition

Man. Rec. Opt. PT

Describe events to be tested From Requirements Document

Establish pass/fail criteria for each application security control / event

From 4.2.2 (above)

Develop contingency plan for action if a control is unavailable or fails testing

From 4.2.2 (above)


12.2.1 ISO 17799 Information systems acquisition, development & maintenance

Input data validation

Check the input of standing data (e.g. names and addresses, courses registered, reference numbers), and parameter tables (e.g. courses available, teachers, etc.)

Dual input of critical data Password change, …

Design, development, maintenance, testing, and documentation.

Rec. Rec. Opt. PT

Boundary checking: Length of input, …

Out-of-range values: Data types, valid values, …

Invalid characters in data fields: Special chars allowed?

Missing or incomplete data: Required / Optional fields

Exceeding upper and lower data volume limits, …

Control data (batch numbers, transaction sequence numbers, etc.)

From 4.2.2

Periodic review of the content of key fields or data files

Data scrubber utility, …

Inspect hard-copy input documents for any unauthorized changes

Operational Procedures, …

Create a log of the input activities Operational Procedures, …
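Added example (not part of the standard): the input checks listed for 12.2.1 applied to a constructed registration batch in Python. The field names, the parameter table of courses and the length and range limits are assumptions chosen for the illustration; control data (batch number, record count, sequence numbers) and volume limits are checked before the per-field checks, and a dual-entered critical value is compared in full.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed parameter table (placeholder values): courses open for registration this term.
COURSES_AVAILABLE = frozenset({"CS101", "CS202", "MATH150"})


@dataclass
class FieldRule:
    """Validation rule for one field: required/optional, data type, length bounds,
    allowed characters, numeric range and, for coded fields, the parameter table."""
    required: bool = True
    kind: type = str
    min_len: int = 0
    max_len: int = 255
    pattern: Optional[str] = None
    min_val: Optional[int] = None
    max_val: Optional[int] = None
    allowed: Optional[frozenset] = None


# Constructed rules for one row of standing data (a course registration).
REGISTRATION_RULES = {
    "student_id": FieldRule(min_len=9, max_len=9, pattern=r"[0-9]{9}"),
    "last_name": FieldRule(min_len=1, max_len=40, pattern=r"[A-Za-z' -]+"),
    "email": FieldRule(required=False, max_len=254, pattern=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "credits": FieldRule(kind=int, min_val=1, max_val=18),
    "course": FieldRule(allowed=COURSES_AVAILABLE),
}


def validate_field(name, value, rule):
    """Return the check failures for one field; an empty list means it passes."""
    errors = []
    if value is None or value == "":
        if rule.required:
            errors.append(f"{name}: required field missing")
        return errors                        # an optional field left blank is fine
    if type(value) is not rule.kind:         # exact type: a bool must not pass as an int
        errors.append(f"{name}: expected {rule.kind.__name__}")
        return errors
    if isinstance(value, str):
        if not rule.min_len <= len(value) <= rule.max_len:
            errors.append(f"{name}: length {len(value)} outside {rule.min_len}..{rule.max_len}")
        if rule.pattern and not re.fullmatch(rule.pattern, value):
            errors.append(f"{name}: contains characters not allowed")
    else:
        if rule.min_val is not None and value < rule.min_val:
            errors.append(f"{name}: {value} below minimum {rule.min_val}")
        if rule.max_val is not None and value > rule.max_val:
            errors.append(f"{name}: {value} above maximum {rule.max_val}")
    if rule.allowed is not None and value not in rule.allowed:
        errors.append(f"{name}: {value!r} not in parameter table")
    return errors


def validate_record(record, rules=REGISTRATION_RULES):
    """Check every ruled field and reject fields the record is not supposed to carry."""
    errors = []
    for name, rule in rules.items():
        errors.extend(validate_field(name, record.get(name), rule))
    errors.extend(f"{name}: unexpected field" for name in record if name not in rules)
    return errors


def validate_batch(batch, expected_batch_no, min_rows=1, max_rows=500):
    """Control-data and volume checks on the whole batch, then the per-row checks."""
    errors = []
    rows = batch["rows"]
    if batch["batch_no"] != expected_batch_no:
        errors.append(f"batch {batch['batch_no']}: expected batch {expected_batch_no}")
    if batch["record_count"] != len(rows):
        errors.append(f"record count {batch['record_count']} does not match {len(rows)} rows")
    if not min_rows <= len(rows) <= max_rows:
        errors.append(f"volume {len(rows)} outside {min_rows}..{max_rows} rows")
    if [row.get("seq") for row in rows] != list(range(1, len(rows) + 1)):
        errors.append("transaction sequence numbers are not contiguous from 1")
    for row in rows:
        data = {k: v for k, v in row.items() if k != "seq"}
        errors.extend(f"seq {row.get('seq')}: {e}" for e in validate_record(data))
    return errors


def dual_entry_matches(first, second):
    """Dual input of critical data (e.g. a password change): accept only two identical entries."""
    return bool(first) and hmac.compare_digest(first.encode(), second.encode())


# Constructed sample batch: row 1 is clean, row 2 fails several checks.
SAMPLE_BATCH = {
    "batch_no": 4711,
    "record_count": 2,
    "rows": [
        {"seq": 1, "student_id": "200012345", "last_name": "O'Neil",
         "email": "oneil@example.edu", "credits": 12, "course": "CS101"},
        {"seq": 2, "student_id": "20001234", "last_name": "Smith<script>",
         "credits": 25, "course": "CS999"},
    ],
}

if __name__ == "__main__":
    for problem in validate_batch(SAMPLE_BATCH, expected_batch_no=4711):
        print(problem)
```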

12.2.2 ISO 17799 Information systems acquisition, development & maintenance

Control of internal processing

Incorporate integrity validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Balancing controls, to check opening balances against previous closing balances, namely: 1) Run-to-run controls; 2) File update totals; 3) Program-to-program controls;

From 4.2.2 Rec. Rec. Opt. PT

Validation of system-generated input data

Date and time, …

Management of the integrity, authenticity or any other security feature of data or software downloaded, or uploaded, between central and remote computers

Exchange rates, software updates, …

Man. Rec. Opt. IAS

Hash data totals of records and files LRC, … Rec. Rec. Opt. PT


Checks to ensure that application programs are run at the correct time

Operational procedures, Tivoli, …

Checks to ensure that programs are run in the correct order and terminate in case of a failure, and that further processing is halted until the problem is resolved

Operational procedures, …

Rec. Rec. Opt. PT

Logging the activities involved in the processing

Operational procedures, …

Use of appropriate programs to recover from failures to ensure the correct processing of data

Operational procedures, …

Protect against attacks using buffer overruns/overflows

Virus Protection code…

12.2.4 ISO 17799 Information systems acquisition, development & maintenance

Output Validation Checks

Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

Check plausibility to test whether the output data is reasonable;

Operational procedures, …

Rec. Rec. Opt. PT

Reconcile control counts to ensure processing of all data

Operational procedures, …

Provide sufficient output information and procedures for a human reader or subsequent processing system to determine the accuracy, completeness, precision, and classification of the information output

Operational procedures

Create a log of activities in the data output validation process

Operational procedures, …
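Added example (not from the standard): the balancing and hash-total controls of 12.2.2 together with the output reconciliation and plausibility checks of 12.2.4, run over a constructed ledger extract in Python. The record layout, the account and amount fields and the limits are assumptions. It also shows which controls catch a transposed digit: the sum hash total and the digest do, a byte-XOR LRC does not, because the same bytes in a different order XOR to the same value.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    """Totals carried alongside a file or run so the next program can re-check it."""
    record_count: int
    amount_total: int   # net of the amount field, in cents
    hash_total: int     # sum of a non-financial field (account numbers): a classic hash total
    lrc: int            # longitudinal redundancy check: XOR of every byte of the canonical records
    digest: str         # SHA-256 of the canonical records


def canonical_line(rec):
    """Fixed serialisation so sender and receiver hash exactly the same bytes."""
    return f"{rec['account']}|{rec['amount_cents']}\n".encode()


def compute_totals(records):
    count = amount = hash_total = lrc = 0
    sha = hashlib.sha256()
    for rec in records:
        count += 1
        amount += rec["amount_cents"]
        hash_total += rec["account"]
        line = canonical_line(rec)
        for byte in line:
            lrc ^= byte
        sha.update(line)
    return ControlTotals(count, amount, hash_total, lrc, sha.hexdigest())


def reconcile_run(previous_closing, opening, records, reported_closing):
    """Run-to-run balancing: this run's opening balance must equal the previous run's
    closing balance, and the reported closing must equal opening plus the net of all records."""
    findings = []
    totals = compute_totals(records)
    if opening != previous_closing:
        findings.append(f"opening {opening} != previous closing {previous_closing}")
    expected_closing = opening + totals.amount_total
    if reported_closing != expected_closing:
        findings.append(f"reported closing {reported_closing} != computed {expected_closing}")
    return findings, totals


def verify_handoff(sent, received_records):
    """Program-to-program / file update control: the receiving program recomputes the
    totals over what it actually got and names every control that disagrees."""
    got = compute_totals(received_records)
    names = ("record_count", "amount_total", "hash_total", "lrc", "digest")
    return [n for n in names if getattr(sent, n) != getattr(got, n)]


def implausible_outputs(records, max_abs_amount_cents):
    """Output plausibility check: indexes of records whose amount is not reasonable."""
    return [i for i, rec in enumerate(records) if abs(rec["amount_cents"]) > max_abs_amount_cents]


# Constructed ledger extract (placeholder account numbers and amounts).
RECORDS = [
    {"account": 1234, "amount_cents": 15000},
    {"account": 5678, "amount_cents": -4250},
    {"account": 9012, "amount_cents": 800},
]
# The same extract with two digits transposed in the first account number.
TRANSPOSED = [{"account": 1243, "amount_cents": 15000}] + RECORDS[1:]

if __name__ == "__main__":
    findings, totals = reconcile_run(100000, 100000, RECORDS, reported_closing=111550)
    print("run-to-run findings:", findings)
    print("controls disagreeing after transposition:", verify_handoff(totals, TRANSPOSED))
```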


12.3 ISO 17799 Information systems acquisition, development & maintenance

Protect the confidentiality, authenticity or integrity of information by cryptographic means

Application and data cryptographic controls

Protect sensitive information transported by mobile or removable media, portable devices or across communication lines using encryption techniques (as determined by 4. Risk Treatment decisions above)

PGP, AES, …

Design, development, testing and documentation.

Man. Man. Opt. IAS (Project Team)

Assess key management system (or other methods of key generation and exchange) for security of creation, management and disposition of private, public and other types of encryption keys.

PKI, RSA key management, …

Rec. Rec. Opt. PT

Protecting data and message confidentiality

Using encryption of information to protect sensitive or critical information, stored or transmitted

SSL, VPN, …

Protecting integrity & authenticity of messages and data

Using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information

Signed email, …

Non-repudiation of actions and data content

Using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.

Encrypted financial transaction, …

Chapter 9

OWASP Guide - Phishing

Avoid Web coding problems

Fix all Cross-site scripting problems (XSS)

Interpreter Injection attacks

Development, testing and documentation

Man Man Man PT

Avoid using pop-ups Phishers use pop-ups to redirect users to criminal sites

Pop-ups are often disabled in the browser, …

Rec Rec Rec


Avoid problems with browser frames

Phishers can use your application iframes and frames to host their malicious content

* Use the TARGET directive to create a new window
* Check the DOM model regularly

Rec Rec Rec

Move your application one link away from your front page

* Make application authenticator a separate page.
* Implement a simple referrer check.
* Encourage your users to type your URL

Rec Rec Rec

Enforce local referrers for images and other resources

Force hackers to use their own copies of your images. Change your images

Anti-leeching, Request Based Blocking, watermarked images

Rec Rec Rec

Do not unnecessarily modify the browser interface

Standardize and simplify user interface

Keep the address bar, use SSL, do not use IP addresses or obscure URLs

Rec Rec Rec

Reduce data exposure Minimize amount of data displayed or even held by the application

E.g. physical/email addresses, credit card numbers, password or PIN

Man Rec Rec

Verify registration info Do not allow transaction/change to userid

E.g. inconsistent details such as a California ZIP code with a New York phone number

Man Rec Rec

Institute transaction limits

Amounts, numbers of transactions, annually, monthly, daily, within seconds…

Daily totals, denial of service attacks…

Man Rec Rec

Verify changes in key contact details

Send notification to new and old addresses

Names, email addresses, physical addresses, passwords

Man Rec Rec


Do not send existing or permanent passwords via e-mails or physical mail.

Use one time, time limited verifiers instead

Man Man Man

Implement SMS or email notification of account activities.

Transfers and change of address or phone details

Man Rec Rec

Prevent pharming – DNS poisoning

Consider staggering transaction delays using resource monitors or add a delay to the same transactions being performed quickly from one IP address

By the 10th transaction, the delay should be 3 minutes or more

Rec Rec Rec
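Added example (not from the standard): a progressive per-source delay calibrated so that the 10th rapid transaction from one IP address waits 3 minutes, alongside the daily count and amount limits called for under "Institute transaction limits" above, in Python. The doubling schedule, the 10-minute window, the limit values and the source addresses are assumptions.

```python
from collections import defaultdict, deque


def progressive_delay(n, free=3, target_n=10, target_seconds=180.0, cap=600.0):
    """Seconds to hold the n-th rapid transaction from one source. The first `free`
    go through at once; after that the hold doubles each time and is calibrated so
    that transaction `target_n` waits `target_seconds` (3 minutes for the 10th)."""
    if n <= free:
        return 0.0
    return min(cap, target_seconds * 2.0 ** (n - target_n))


class PerSourceThrottle:
    """Tracks how many transactions each source IP submitted within a sliding window
    and returns the delay to impose before processing the latest one."""

    def __init__(self, window_seconds=600.0):
        self.window = window_seconds
        self.recent = defaultdict(deque)    # source -> timestamps still inside the window

    def register(self, source, now):
        q = self.recent[source]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return progressive_delay(len(q))


class DailyLimits:
    """Per-user daily transaction limits on count and total amount."""

    def __init__(self, max_count, max_amount_cents):
        self.max_count = max_count
        self.max_amount = max_amount_cents
        self.usage = defaultdict(lambda: [0, 0])   # (user, day) -> [count, amount]

    def allow(self, user, amount_cents, now):
        """Return (allowed, reason); usage is consumed only when the transaction is allowed."""
        day = int(now // 86400)
        count, amount = self.usage[(user, day)]
        if count + 1 > self.max_count:
            return False, f"daily count limit {self.max_count} reached"
        if amount + amount_cents > self.max_amount:
            return False, f"daily amount limit {self.max_amount} cents would be exceeded"
        self.usage[(user, day)] = [count + 1, amount + amount_cents]
        return True, "ok"


if __name__ == "__main__":
    throttle = PerSourceThrottle()
    # Constructed burst: ten transactions, one second apart, from the same source.
    holds = [throttle.register("198.51.100.7", float(t)) for t in range(10)]
    print("holds in seconds:", holds)      # the 10th is 180.0
```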

10.1 Operational procedures and responsibilities

10.1.4 ISO 17799

Separation of development, test, & operational facilities

To ensure the correct and secure operation of information processing facilities.

Development, test, and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.

a) Document procedures for transferring software from development to production

Change Management Procedures

Testing and operations Man. Rec. Opt. ETSS???

b) Run development and production software on separate systems; run development and production software in separate domains where possible

Operational procedures

c) Remove access to compilers, editors, and other development tools from production systems when not required

Maintenance procedures

d) Make the test system environment emulate the operational system environment as closely as possible

Volumes, Hardware, operating system software levels


e) Create separate user profiles (including user id/passwords) for production and development/test environments OR ensure that profiles are managed outside of test/development environments

System Administration Procedures

f) Remove High Security Data elements before copying data sets to development/testing environments

See also 12.4 below

12.4 ISO 17799 Information systems acquisition, development & maintenance

Security of system files

Control of operational software

Updating of the operational software, applications, and program libraries should only be performed by trained administrators upon appropriate management authorization

Change Management Procedures

Design, development, testing, maintenance and operations

Man. Rec. Opt. PT

Operational systems should only hold approved executable code, and not development code or compilers or other tools

Only implement applications and operating system software after extensive and successful testing; the tests should include tests on usability, security, effects on other systems and user-friendliness, and should be carried out on separate systems from operational

Use a configuration control system to keep control of all implemented test and operational software as well as the system documentation

Change Management Procedures

Maintenance and Operational

Man. Rec. Opt. PT and Operations

Prepare a rollback strategy before changes are implemented


Maintain an audit log of all updates to operational program libraries

Retain previous versions of application software as a contingency and audit measure

Disaster Recovery Procedures

Archive and hold old versions of software, together with all required information and parameters, procedures, configuration details, and supporting software for as long as the data is retained in archive

Disaster Recovery Procedures

Maintain vendor supplied software used in operational systems at a level supported by the supplier

Operational SLA

Take into account the business requirements during the decision to upgrade to a new release for the need for the changes in the release, and the security of the release

Operational SLA

Apply software patches when they help to remove or reduce security weaknesses

Operational SLA

Chapter 9

OWASP Guide - Phishing

Avoid social engineering to appear as a trusted identity within a Web application – e.g. Phishing

User Education Create a security policy on your web site in easy to understand terms detailing how you will communicate with your users. Include Phishing topic. Communicate the policy.

Types of email used, valid contents of app. email, never click on Web links in email…

Design, development, testing, maintenance and operations

Man Rec Rec Maintenance and Operations

Make it easy for your users to report security incidents

Create and monitor an email address such as [email protected] , or provide a Web page for reporting incidents

Phishing, Malware, unusual application behavior…

Man Rec Rec


Never ask your users for their secrets

In Web pages, on the phone or especially in emails

Such as credit card number, password or PIN

Man Man Man

Monitor unusual account activity

Use heuristics and other business logic to investigate user activity

* Clearing/closing out accounts/userids
* Conducting many small transactions
* Transactions from multiple userids affecting same accounts

Rec Rec Opt
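Added example (not from the standard): the three heuristics listed above implemented as detection logic over a constructed transaction log in Python. The log format, field names, userids, accounts, thresholds and time windows are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def parse_log(text):
    """Parse the constructed key=value transaction log into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        ev = dict(pair.split("=", 1) for pair in pairs)
        ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["amount_cents"] = int(ev["amount_cents"])
        ev["balance_after"] = int(ev["balance_after"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def many_small_transactions(events, small_cents=2000, min_count=5, window=timedelta(hours=1)):
    """A userid that submits min_count transfers under small_cents inside the window."""
    findings, flagged = [], set()
    recent = defaultdict(deque)
    for ev in events:
        if ev["action"] != "transfer" or ev["amount_cents"] >= small_cents:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_count and ev["user"] not in flagged:
            flagged.add(ev["user"])
            findings.append(Finding("many_small_transactions", ev["user"],
                                    f"{len(q)} transfers under {small_cents} cents within {window}"))
    return findings


def multiple_userids_same_account(events, min_users=2):
    """An account acted on by min_users or more distinct userids."""
    users_by_account = defaultdict(set)
    for ev in events:
        users_by_account[ev["account"]].add(ev["user"])
    return [Finding("multiple_userids_same_account", acct, f"userids {sorted(users)}")
            for acct, users in sorted(users_by_account.items()) if len(users) >= min_users]


def cleared_and_closed(events, within=timedelta(hours=1)):
    """A transfer that leaves the balance at zero, followed by closing the account."""
    emptied_at, findings = {}, []
    for ev in events:
        if ev["action"] == "transfer" and ev["balance_after"] == 0:
            emptied_at[ev["account"]] = (ev["ts"], ev["user"])
        elif ev["action"] == "close" and ev["account"] in emptied_at:
            when, who = emptied_at[ev["account"]]
            if ev["ts"] - when <= within:
                findings.append(Finding("account_cleared_and_closed", ev["account"],
                                        f"emptied by {who}, closed {ev['ts'] - when} later by {ev['user']}"))
    return findings


def run_heuristics(events):
    return (many_small_transactions(events)
            + multiple_userids_same_account(events)
            + cleared_and_closed(events))


# Constructed log extract (placeholder userids, accounts and amounts).
SAMPLE_LOG = """\
2023-05-01T09:00:00Z user=alice action=transfer account=AC-1001 amount_cents=1200 balance_after=98800
2023-05-01T09:01:10Z user=alice action=transfer account=AC-1001 amount_cents=900 balance_after=97900
2023-05-01T09:02:05Z user=alice action=transfer account=AC-1001 amount_cents=1500 balance_after=96400
2023-05-01T09:03:00Z user=alice action=transfer account=AC-1001 amount_cents=800 balance_after=95600
2023-05-01T09:03:40Z user=alice action=transfer account=AC-1001 amount_cents=1100 balance_after=94500
2023-05-01T09:04:30Z user=alice action=transfer account=AC-1001 amount_cents=700 balance_after=93800
2023-05-01T10:15:00Z user=bob action=transfer account=AC-2002 amount_cents=45000 balance_after=0
2023-05-01T10:16:30Z user=bob action=close account=AC-2002 amount_cents=0 balance_after=0
2023-05-01T11:00:00Z user=carol action=transfer account=AC-3003 amount_cents=25000 balance_after=75000
2023-05-01T11:20:00Z user=dave action=transfer account=AC-3003 amount_cents=30000 balance_after=45000
2023-05-01T12:00:00Z user=erin action=transfer account=AC-4004 amount_cents=5000 balance_after=20000
"""

if __name__ == "__main__":
    for f in run_heuristics(parse_log(SAMPLE_LOG)):
        print(f.rule, f.subject, "-", f.detail)
```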

Get the phishing target servers offline quickly

Work with law enforcement agencies, banking regulators, ISPs

Let phishers know you take it seriously

Rec Rec Opt

Take control of the fraudulent phishing domain name

Use the dispute resolution process of the domain registrar, register misspellings of your own domain

May not always work…

Rec Rec Opt

12.4 ISO 17799 Information systems acquisition, development & maintenance

Security of system files

Protection of test data Avoid use of operational databases containing personal information or any other sensitive information for testing purposes

Testing procedures Development, testing, maintenance and operations

Man. Man. Man. PT

Remove all sensitive data from candidate test data or modify sensitive details and content beyond recognition before use

Testing procedures Development, testing, maintenance and operations

Man. Man. Man. PT

Apply access control procedures, as close to operational application systems as possible, while testing application systems

Erase operational information from a test application system immediately after testing is completed


Authorize afresh each time operational information is copied to a test application system

Erase operational information from a test application system immediately after the testing is complete

Log copying and use of operational information to provide an audit trail.

Perform system and acceptance testing with volumes of test data that are as close as possible to operational levels

12.4 ISO 17799 Information systems acquisition, development & maintenance

Security of system files

Control access to program source code during development

Do not hold (or substantially protect) program source libraries in operational systems

Development Procedures / Change Management Procedures

Development, testing, maintenance and operations

Man. Rec. Opt. PT

Manage program source code and the program source libraries according to established procedures in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes.

Do not allow support personnel unrestricted access to program source libraries

Subject maintenance and copying of program source libraries to strict change control procedures

12.5.4 ISO 17799 Information systems acquisition, development & maintenance

Security in development and support processes

Information leakage avoidance and detection

Scan outbound media and communications for hidden information and covert channels

SNORT, IPS, … Testing and Operational

Rec. Opt. Opt. IAS

Mask and modulate system and communications behavior to reduce the likelihood of a third party being able to deduce information

SSL, VPN

Make use of systems and software that are considered to be of high integrity

Acquisition and development

Rec. Rec. Rec. IAS review

Regularly monitor personnel and system activities, where permitted under existing legislation or regulation

Testing and Operational

Rec. Opt. Opt. Operations?

Monitor resource usage in applications and associated computer systems

Rec. Rec. Rec. Operations?

Take measures to protect against Trojan code in order to reduce covert channel exploitation.

Rec. Rec. Rec. Operations?

Access Control

11.6.1 ISO 17799

Application & information access control

Information access restriction

Limit access to functions

Menus with individual user or role rights by menu line item

Detailed design & development

Rec. Rec. Rec. PT (Users)

Operations (users)

Role based access by user business function

Man. (People-soft) Rec. Opt.

Department table

Man. (People-soft) Rec. Opt.

Security tree

Man. (People-soft) Rec. Opt.

Control access to data (user access rights)

Permission lists by User/Role

E.g. Security matrix

Operational

Man. Man. Rec. IAS (Users)

Restrict OUC university-wide access

Man. (People-soft)

Rec. Opt.


Process authorization approval for users to application function & data

ASAP Man. Rec. Rec.

Ensure that outputs containing sensitive information show only the information relevant to the use of the output and are sent only to authorized devices and locations

Man. Rec. Rec.

Conduct periodic reviews of such outputs to ensure that redundant information is removed.

Man. Rec. Rec.

Limit access rights of other applications

EDI, OLE, COM/DCOM, shared data access, …

Development Man. Rec. Rec. PT

Database row-level security to restrict access by range of values

Man. (People-soft)

Rec. Opt.

Database views limited to functional needs only

Man. (People-soft)

Rec. Opt.

Database triggers (e.g. integrity control)

Rec. Rec. Rec.

Chapter 13

OWASP Guide - Authorization

Principle of least privilege – Web applications authorization control

Allow running code only the permissions needed to complete the required tasks

Spans the configuration of the web and application servers through the business capabilities of business logic components

Limit Application role privileges, Database privileges, root, Administrator, AllPermission(Java), FullTrust(.NET)…

Development Man. Rec. Opt. PT

Create user accounts as unprivileged and give permissions incrementally

During unit testing

Accounts should not have both business and administrator privileges

Separate business and administrator functions


Access the database through one or more limited accounts

Limit schema-modification privileges

Access the database through user role parameterized stored procedures

Allow all table access to be revoked

Implement code access security privileges if possible

E.g. DNS query vs. Database access vs. Network connection

Rec. Rec. Opt.

Use centralized authorization routines

Minimize custom authorization code at multiple entry points

Man. Rec. Opt. PT

Use built-in platform or framework authorization facilities

Rec. Rec. Opt.

Verify Authorization Matrix code

Control access to protected resources

Protect access to static resources

Generate sensitive content dynamically rather than save to temp

Reauthorization for sensitive activities or after idle out

Never implement client-side authorization tokens

Man. Rec. Opt.
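Added example (not from the standard): one centralized authorization routine in Python covering the points above: a role-to-function matrix that is verified before use, deny by default, separation of business and administrator roles, re-authorization for sensitive functions or after an idle period, a department-based row-level restriction, and role data held server-side rather than in a client token. The roles, functions, departments and timeouts are assumptions.

```python
from dataclasses import dataclass

# Constructed authorization matrix (placeholder roles and functions): role -> functions permitted.
AUTHORIZATION_MATRIX = {
    "student":   {"view_own_record", "register_course"},
    "registrar": {"view_student_record", "register_course", "edit_grade"},
    "sysadmin":  {"manage_users", "view_audit_log"},
}
KNOWN_FUNCTIONS = {"view_own_record", "register_course", "view_student_record",
                   "edit_grade", "manage_users", "view_audit_log"}
SENSITIVE_FUNCTIONS = {"edit_grade", "manage_users"}   # require recent re-authentication
BUSINESS_ROLES = {"student", "registrar"}
ADMIN_ROLES = {"sysadmin"}


def verify_matrix(matrix=AUTHORIZATION_MATRIX):
    """Check the matrix itself: only known roles and functions, and nothing granted to
    both a business role and an administrator role."""
    problems = []
    for role, funcs in matrix.items():
        if role not in BUSINESS_ROLES | ADMIN_ROLES:
            problems.append(f"unknown role {role}")
        problems.extend(f"{role}: unknown function {f}" for f in sorted(funcs - KNOWN_FUNCTIONS))
    business = set().union(*(matrix.get(r, set()) for r in BUSINESS_ROLES))
    admin = set().union(*(matrix.get(r, set()) for r in ADMIN_ROLES))
    problems.extend(f"{f} granted to both business and admin roles" for f in sorted(business & admin))
    return problems


@dataclass
class Session:
    """Server-side session state; roles come from the directory, never from a client-held token."""
    user: str
    roles: frozenset
    department: str          # organizational unit used for the row-level restriction
    last_activity: float
    last_auth: float


def separated_duties(roles):
    return not (roles & BUSINESS_ROLES and roles & ADMIN_ROLES)


def authorize(session, function, now, row_department=None, idle_timeout=900, reauth_window=300):
    """The one authorization routine every entry point calls. Deny by default and
    return (allowed, reason) so all callers handle the same outcomes."""
    if not separated_duties(session.roles):
        return False, "account holds both business and administrator roles"
    if now - session.last_activity > idle_timeout:
        return False, "idle timeout: re-authentication required"
    if not any(function in AUTHORIZATION_MATRIX.get(r, set()) for r in session.roles):
        return False, f"{function} not permitted for roles {sorted(session.roles)}"
    if function in SENSITIVE_FUNCTIONS and now - session.last_auth > reauth_window:
        return False, "sensitive function: re-authentication required"
    if row_department is not None and row_department != session.department:
        return False, f"row belongs to {row_department}, session limited to {session.department}"
    session.last_activity = now
    return True, "ok"


def visible_rows(session, rows, now):
    """Row-level restriction applied through the same routine: keep only rows the session may see."""
    return [row for row in rows if authorize(session, "view_student_record", now, row["department"])[0]]


if __name__ == "__main__":
    now = 1_000_000.0
    reg = Session("rlee", frozenset({"registrar"}), "ENG", last_activity=now - 10, last_auth=now - 60)
    print(authorize(reg, "edit_grade", now))
    print(authorize(reg, "manage_users", now))
```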

References

International Standards Organization, ISO 17799: Code of Practice for Information Security Management

National Institute of Standards and Technology, Special Publication 800-53: Recommended Security Controls for Federal Systems

ISC2: Common Book of Knowledge

Open Web Application Security Project (OWASP), Guide to Building Secure Web Applications v2, http://www.owasp.org/index.php/Guide_Table_of_Contents


Sections not incorporated from ISO 17799 § 12 Information systems acquisition, development & maintenance:

* 12.3.1 Policy on the use of cryptographic controls (Policy issues - most not included here)
* 12.3.2 Key management (most not included here - infrastructure)
* 12.5.1 Change control procedures (for development & maintenance – very management)
* 12.5.2 Technical review of applications after operating system changes (maybe this should be in table above?)
* 12.5.3 Restrictions on changes to software packages (maybe this should be in table above?)
* 12.5.5 Outsourced software development (maybe this should be in table above?)
* 12.6 Technical Vulnerability Management (This may be more infrastructure? Though they relate it to operating systems and applications, and change control)
* 11.2 User access management – should this be in this section – or access control section?

Authentication and most Authorization issues that are not controlling access to application function or specific data belong in the Access Control standard?
