tags:

views:

137

answers:

5
+2  Q: 

Application security issues to consider

I am working on the design of a high security application (involving financial information, personal information etc). I need to identify what security measures (application level) will be implemented. The application will involve sending data to and from a database, user login, import export to csv, txt files, and print function.

What security features do I need to consider for such an application. (SQL injection for starters) ?

Also, if I want to ensure that a legit user is moving from page to page, do I have to check on every page if (UserLogin.IsValid) etc? That might require a few too many server hits I am guessing.

+2  A: 

Few initial thoughts:

  • Use minimum privilege for all SQL operations (i.e accounts)
  • Use the proper HTMLDecode/URLDecode on any form submitted data
  • Encrypt the all web config
  • Check the environment securely
  • Check/think about social engineering (hacking) possibilities
  • Consider insider security operations, i.e security from developers

My links on security suggest you read:

  1. http://msdn.microsoft.com/en-us/library/ms998375.aspx
  2. http://msdn.microsoft.com/en-us/library/bb355989.aspx
  3. http://www.cyphersec.com/
  4. http://msdn.microsoft.com/en-us/library/aa302426.aspx
  5. http://msdn.microsoft.com/en-us/magazine/dd347546.aspx#id0070044
  6. http://weblogs.asp.net/scottgu/archive/2006/08/12/Tip_2F00_Trick_3A00_-Show-Detailed-Error-Messages-to-Developers.aspx
Curtis White  2010-05-12 19:45:22
+1 for insider security checks, even against developers.
Chris Lively  2010-05-12 20:11:30
+1  A: 

You mentioned SQL injection attacks. The most sure fire way to avoid SQL injection attacks are to make any and all calls to the database within your application via stored procedures, and only call these procedures through parameters. Make sure that your stored procedures do NOT use dynamic SQL in any place, as this also opens the door to SQL injection. Also be certain LINQ to SQL also provides security against attacks.

EDIT: When I talked of dynamic SQL, I didn't mean in your source code since that would implicitly violate my LINQ recommendation. I meant don't construct a SQL statement inside your stored procedure and execute it dynamically, since this leaves the door open for injection attacks even if the parameters to the procedure itself are scrubbed.

MrGumbe  2010-05-12 19:51:46
by dynamic SQL, you mean a SQL query being built at run time?
user279521  2010-05-12 19:55:12
Or simply make sure you always use parameterized queries. Edit: With the caveat Chris mentioned. Typically, though, stored procedures will allow you access to most (if not all) of the database, so I'm not sure how beneficial that really is.
Nelson  2010-05-12 20:05:38
@user279521: yes. @Nelson: not good enough. Sure, that will stop sql injection, but the number of targeted attacks are increasing. Parameterized queries don't save you if the site itself is broken and a hacker is able to use your web sites configuration information to attach to the sql server and run their own queries.
Chris Lively  2010-05-12 20:09:40
@Chris: I suppose it makes it a bit harder, which is what security is all about. Make it hard enough that it's not worth it. Nothing is 100%. If you enforce the security model in the sproc, then I would say it's much harder, especially if most accounts don't have access to most sprocs.
Nelson  2010-05-12 20:14:23
@Chris Lively being able to steal connection information from the application and sql injection are entirely 2 unrelated facets. You sound like a DBA that is terrified of NHibernate.
Chris Marisic  2010-05-12 21:01:48
@Chris marisic: No, I'm just a developer who has been called in to way too many clients to replace code generated with tools like nHibernate after the bad guys have already made off with the valuables. This is a very real problem.
Chris Lively  2010-05-12 22:34:03
@Nelson: exactly. You can't stop the most determined, but you can make it difficult enough that they have no choice but to leave traces all over the place.
Chris Lively  2010-05-12 23:00:46
To reiterate what Nelson was saying, `sp_executesql` is, despite being dynamic SQL, not vulnerable to SQL injection (as long as you make sure all the parameters are passed as parameters, not as strings concatenated to the query).
Brian  2010-05-13 13:18:13
@Chris Lively if you were called in to replace NHibernate with stored procs the companies that paid you to do this clearly had no idea what their real security problem was and wanted to grasp for straws.
Chris Marisic  2010-05-13 17:01:42
A: 

You must test everything. The first step would be to use a vulnerability scanner in your software development. You should run scans periodically during development, this will identify problems as they emerge and you can hold the developer responsible for the flaws in hopes they don't write it again.

Problems will always slip though the cracks. Make sure you higher a penetration tester. I can tell you from being a pen tester in the field that this is the most effective means of preventing your system from getting owned in the real world.

Rook  2010-05-12 20:03:03
+3  A: 

The referenced link to http://stackoverflow.com/questions/72394 is a good start. However, you will need to go further.

Specifically, encrypt ALL data at all levels. In transit via ssl (I'd say a 4KB key length minimum). At rest via encrypted file system AND encrypted database. For example MS SQL Server allows you to encrypt the entire database, not just passwords.

Do NOT use inline sql, stick with stored procedures. I don't care if you are properly escaping things. Inline sql means that you have a password in the open somewhere (generally in a config file) which allows the application to execute pretty much any sql call it wants. In the event your web app is cracked, they will have full access.

By limiting your web site to only execute stored proc's will increase difficulty in doing mass select's/delete's/whatever. Further, you can enforce your security model in side the s'procs themselves by first checking credentials passed in as parameters before executing anything. This let's the database protect itself and implies that you don't even trust your own webserver.

Ensure your server is physically protected. I've seen boxes go dark and when someone checked they found a blank spot where the server was. Secure access with video monitoring will help.

Also, log EVERYTHING. Who accessed what, what ip was used on login attempts, etc. It's nice when a client calls and asks "what happened to record X?" and I say "according to the log Bill Smith deleted it on April 3 from his house."

Next, research intrusion detection systems. These monitor the traffic coming in, parse it for the type of traffic, and can generally alert you when funny things are going on like failed login attempts to the sql server.

Test for replay attacks, also known as session hijacking. Put a token in the cookie value that gets confirmed on each post. Once confirmed, change the token to a non-guessable value. Repeat until user logs off. Whenever you see mismatched tokens, have the app scream loudly.

Make sure server to server communication is also encrypted. If on windows, this means setting good domain policies that enforce kerberos encryption on the line. I've been at several places where I brought up cain and able and could easily sniff everything from database and email passwords to actual sql transactions and responses going over the wire. Along these lines, make sure any routers involved are properly configured. As a side note, showing a CEO his email password 15 minutes into an audit is one way to prove a security audit was needed.

Finally, when you're done and ready to deploy hire an outside and reputable company (like IBM) to do a full security audit including PEN (penetration) testing. I don't now, nor have ever worked for IBM. However, I've seen some of the reports they've compiled. They are thorough.

Chris Lively  2010-05-12 20:04:22
Your argument is very flawed about inline sql. You need to be able to connect to the database regardless of whether you use inline sql or stored procs, you can correctly configure encryption in web configs to store connectionstrings or use more elaborate means of key passing. I also find the rationale of stored procs offer security to be rather dubious at best. Inline sql if you use an ORM like NHibernate is perfectly acceptable and 100% secure as stored procs, sql injection is impossible with parametrized sql. The fact you mentioned escaping instead of parametrization is a major fault.
Chris Marisic  2010-05-12 21:00:19
Yes, you still have to connect, but once connected you are limited to only performing the functions expressly granted to you. As far as "encrypted connection strings", once the web server is cracked, the bad guys have the same access to those encryption keys as the web server does. That part is trivial.
Chris Lively  2010-05-12 22:36:08
Concerning nHibernate. You are only secure if they use your web application to hit the database. However, once in, they don't have to. Further, inside attacks don't have to go through the web server at all, which are the majority of them. Ergo, stick with well defined stored procedures, and EVERYONE (inside and out) would have to go through them to get to your data.
Chris Lively  2010-05-12 22:36:59
And, technically speaking, escaping is equivalent to parameterized sql. Obviously you've never hacked a site before, nor apparently understand what defense in depth is.
Chris Lively  2010-05-12 22:37:57
If they can logon to your database your stored procedures aren't going to protect you, they will just make it take more effort to extract the data. Using stored procedures for security is security by obscurity and that we all know means nothing. If they can compromise your SA login what do your procs do for you then? Nothing.
Chris Marisic  2010-05-13 16:58:29
Also escaping is error prone, where as parametrization is impossible period for sql injection to occur.
Chris Marisic  2010-05-13 17:00:26
@chris marisic: if your s'procs are responsible for enforcing the security model, then it most definitely is not "security by obscurity". Incidentally, what do you think encrypting config sections does? The decryption key is on the server and accessible by the user account the site executes under. All anyone has to do is drop a page that reads and emits the config section and the encryption is completely blown. Without having to crack anything.
Chris Lively  2010-05-13 17:39:44
As far as escaping: yes, it is error prone. However, done right it is just as effective as parameterized queries. By no means am I advocating using escaping over parameterized queries. Rather I'm advocating having exactly zero embedded queries in your application. Further, making it "take more effort to extract the data" is the name of the game in security. Anything can be broken; but the more road blocks you put up the less likely someone will be in getting in. And this is an easy one to do.
Chris Lively  2010-05-13 17:41:46
+7  A: 

The first thing to do is build a threat model. Only once you understand:

  • what are the resources being protected?
  • what are the vulnerabilities of those resources that expose them to attack?
  • what are the motivations of attackers?
  • what threats do the attackers pose?

can you reasonably start to craft a solution. For example, if the resource is my television, the vulnerability is an open window, the attackers have financial gain as a motive, and the threat they pose is the theft of my television, then I can start to craft a solution.

Consider the multi-pronged solution that becomes apparent once you have a list of resources, vulnerabilities, motivations and threats. I can:

  • Make the vulnerability harder to exploit: close and lock the window, get an alarm, get unbreakable glass
  • Make the resource less valuable to the attacker, thereby demotivating them: buy a cheaper, heavier television
  • Make the loss of the resource less costly to me: buy insurance
  • And so on.

Notice that a good solution has defense in depth. Don't just stop there. Look for more vulnerabilities. Look for more ways to demotivate attackers. Look for more ways to lower the cost of a successful attack. But all of this depends on having an accurate threat model, so do that first.

Here's some resources to get you started:

http://www.microsoft.com/security/sdl/getstarted/threatmodeling.aspx

Eric Lippert  2010-05-12 20:09:31
Thanks Eric. Thats incredibly helpful information.
user279521  2010-05-13 11:55:15

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?