Application Breakdown (3)
Data
Processes
Functions
Cloud-Friendliness Assessment
Should be performed by an independent resource or function without bias or preference within the organization
API Formats (2)
REST
SOAP
Representational State Transfer (REST)
A software architecture style consisting of guidelines and best practices for creating scalable web services
Simple Object Access Protocol (SOAP)
A protocol specification for exchanging structured information in the implementation of web services in computer networks
REST Features (4)
Uses simple HTTP protocol
Supports many different data formats like JSON, XML, YAML, etc.
Performance and scalability are good and uses caching
Widely used
SOAP Features (4)
Uses SOAP envelope and then HTTP (or FTP/SMTP, etc.) to transfer the data
Only supports XML format
Slower performance, scalability can be complex, and caching is not possible
Used where REST is not possible, provides WS-* features
Common Pitfalls of Cloud Application Security (5)
On-Premise Does Not Always Transfer (and Vice Versa)
Not All Apps Are "Cloud-Ready"
Lack of Training and Awareness
Documentation and Guidelines (or Lack Thereof)
Complexities of Integration
Phases in SDLC process model include (5)
Planning and requirements analysis
Defining
Designing
Developing
Testing
Design Phase
Threat modeling and secure design elements should be undertaken and discussed here
Secure Operations Phase
Dynamic analysis
Vulnerability assessments and penetration testing
Activity monitoring
Layer-7 firewalls (e.g., web application firewalls)
Disposal Phase
When an application has run its course and is no longer required
Application Isolation
You must take steps to ensure that one application cannot access other applications on the platform unless it's allowed via access control
Shared technology issues
Components that were not designed to offer strong isolation properties; exist in all SIP models
Threat Modeling Goal
Determine any weaknesses in the application and the potential ingress, egress, and actors involved before it is introduced to production
STRIDE Threat Model
A system for classifying known threats according to the kinds of exploit that are used or motivation of the attacker
Threats used by STRIDE (6)
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Spoofing
Attacker assumes identity of subject
Tampering
Data or messages are altered by an attacker
Repudiation
Illegitimate denial of an event
Benefits of APIs (3)
Programmatic control and access
Automation
Integration with third-party tools
OWASP's Dependency-Check
Utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities
Secure API (2)
Logging Usage
Encryption (SSL/REST, Message-Level/SOAP)
Securing Open Source Software
Leverage standards such as ISO 27034-1
Federation
An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions
Federated Identities Allow
For the generation of tokens (authentication) in one domain and the consumption of these tokens (authorization) in another domain
Federated Standards (5)
SAML
WS-Federation
OpenID Connect
OAuth
Shibboleth
Reduced Sign-On (RSO)
Operates through some form of credential synchronization, which raises security concerns.
Step-Up Authentication
Challenge questions
Out-of-band authentication (a call or SMS text message to the end user)
Dynamic knowledge-based authentication (questions unique to the end user)
Cloud WAF
Can be extremely effective in the case of a denial-of-service (DoS) attack
XML Gateways
Also called:
SOA appliance
SOA gateways
Cloud brokers
API Gateway
A device that filters API traffic; it can be installed as a proxy or as a specific part of your application stack before data is processed. Can implement access control, rate limiting, logging, metrics, and security filtering.
Goal of Application Virtualization
To be able to test applications while protecting the operating system and other applications on a particular system
Software Assurance
Development and implementation of methods and processes for ensuring that software functions as intended while mitigating the risks of vulnerabilities, malicious code, or defects that could bring harm to the end user
Functional Data
Refers to specific services you may offer that have some form of legal implication
ISO/IEC 27034-1
Defines concepts, frameworks, and processes to help organizations integrate security within their software development lifecycle
Organizational Normative Framework (ONF)
Acts as a framework for all components of application security best practices
ONF Containers (7)
Business Context
Regulatory Context
Technical Context
Specifications
Roles
Processes
Application Security Control Library
Business Context
Includes all application security policies, standards, and best practices adopted by the organization
Regulatory Context
Includes all standards, laws, and regulations that affect application security
Technical Context
Includes required and available technologies that are applicable to application security
Specifications
Documents the organization's IT functional requirements and the solutions that are appropriate to address these requirements
Roles
Documents the actors within an organization who are related to IT applications
Application Security Control Library
Contains the approved controls that are required to protect an application based on the identified threats, the context, and the targeted level of trust
Application Normative Framework (ANF)
Maintains the applicable portions of the ONF that are needed to enable a specific application to achieve a required level of security or the targeted level of trust
Application Security Management Process (ASMP)
Used to manage and maintain each ANF
ASMP Steps (5)
Specifying the application requirements and environment
Assessing application security risks
Creating and maintaining the ANF
Provisioning and operating the application
Auditing the security of the application
Static Application Security Testing (SAST)
A white-box test, where an analysis of the application source code, byte code, and binaries is performed by the application test tool without executing the application code. Gives more comprehensive results than DAST.
Dynamic Application Security Testing (DAST)
A black-box test, where the tool must discover individual execution paths in the application being analyzed. Mainly considered effective when testing exposed HTTP and HTML interfaces of web applications.
Runtime Application Self Protection (RASP)
Focuses on applications that possess self-protection capabilities built into their runtime environments, which have full insight into application logic, configuration, and data and event flows. Prevents attacks by "self-protecting" or reconfiguring automatically.
OWASP Security Testing Categories (9)
Identity management testing
Authentication testing
Authorization testing
Session management testing
Input validation testing
Testing for error handling
Testing for weak cryptography
Business logic testing
Client-side testing