Generic Threats and Security Controls
Generic Threats and Security Controls
following table:
STRIDE Threat List Type Spoofing Examples Threat action aimed to illegally access and use another user's credentials, such as username and password. Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. Threat action to read a file that one was not granted access to, or to read data in transit. Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. Security Control Authentication
Tampering
Integrity
Authorization
Security Controls
Once the basic threat agents and business impacts are understood, the review team should try to identify the set of controls that could prevent these threat agents from causing those impacts. The primary focus of the code review should be to ensure that these security controls are in place, that they work properly, and that they are correctly invoked in all the necessary places. The checklist below can help to ensure that all the likely risks have been considered. Authentication:
Ensure all internal and external connections (user and entity) go through an appropriate and adequate form of authentication. Be assured that this control cannot be bypassed.
Ensure all pages enforce the requirement for authentication. Ensure that whenever authentication credentials or any other sensitive information is passed, only accept the information via the HTTP POST method and will not accept it via the HTTP GET method. Any page deemed by the business or the development team as being outside the scope of authentication should be reviewed in order to assess any possibility of security breach. Ensure that authentication credentials do not traverse the wire in clear text form. Ensure development/debug backdoors are not present in production code.
Authorization:
Ensure that there are authorization mechanisms in place. Ensure that the application has clearly defined the user types and the rights of said users. Ensure there is a least privilege stance in operation. Ensure that the Authorization mechanisms work properly, fail securely, and cannot be circumvented. Ensure that authorization is checked on every request. Ensure development/debug backdoors are not present in production code.
Cookie Management:
Ensure that sensitive information is not comprised. Ensure that unauthorized activities cannot take place via cookie manipulation. Ensure that proper encryption is in use. Ensure secure flag is set to prevent accidental transmission over the wire in a nonsecure manner. Determine if all state transitions in the application code properly check for the cookies and enforce their use. Ensure the session data is being validated. Ensure cookies contain as little private information as possible. Ensure entire cookie is encrypted if sensitive data is persisted in the cookie. Define all cookies being used by the application, their name, and why they are needed.
Data/Input Validation:
Ensure that a DV mechanism is present. Ensure all input that can (and will) be modified by a malicious user such as HTTP headers, input fields, hidden fields, drop down lists, and other web components are properly validated. Ensure that the proper length checks on all input exist. Ensure that all fields, cookies, http headers/bodies, and form fields are validated. Ensure that the data is well formed and contains only known good chars if possible. Ensure that the data validation occurs on the server side. Examine where data validation occurs and if a centralized model or decentralized model is used. Ensure there are no backdoors in the data validation model.
Golden Rule: All external input, no matter what it is, is examined and validated.
Ensure that all method/function calls that return a value have proper error handling and return value checking. Ensure that exceptions and error conditions are properly handled. Ensure that no system errors can be returned to the user. Ensure that the application fails in a secure manner. Ensure resources are released if an error occurs.
Logging/Auditing:
Ensure that no sensitive information is logged in the event of an error. Ensure the payload being logged is of a defined maximum length and that the logging mechanism enforces that length. Ensure no sensitive data can be logged; e.g. cookies, HTTP GET method, authentication credentials. Examine if the application will audit the actions being taken by the application on behalf of the client (particularly data manipulation/Create, Update, Delete (CUD) operations). Ensure successful and unsuccessful authentication is logged. Ensure application errors are logged. Examine the application for debug logging with the view to logging of sensitive data.
Cryptography:
Ensure no sensitive data is transmitted in the clear, internally or externally. Ensure the application is implementing known good cryptographic methods.
Examine the file structure. Are any components that should not be directly accessible available to the user? Examine all memory allocations/de-allocations. Examine the application for dynamic SQL and determine if it is vulnerable to injection. Examine the application for main() executable functions and debug harnesses/backdoors. Search for commented out code, commented out test code, which may contain sensitive information. Ensure all logical decisions have a default clause. Ensure no development environment kit is contained on the build directories. Search for any calls to the underlying operating system or file open calls and examine the error possibilities.
Session Management:
Examine how and when a session is created for a user, unauthenticated and authenticated. Examine the session ID and verify if it is complex enough to fulfill requirements regarding strength. Examine how sessions are stored: e.g. in a database, in memory etc. Examine how the application tracks sessions. Determine the actions the application takes if an invalid session ID occurs. Examine session invalidation. Determine how multithreaded/multi-user session management is performed. Determine the session HTTP inactivity timeout. Determine how the log-out functionality functions.