Secure. Java. Abhay Bhargav. and BY. Kumar. (ro(c) For Web Application Development. CRC Press J Taylor & Francis Group

Transcription

1 Secure Java For Web Application Development Abhay Bhargav and BY. Kumar (ro(c) CRC Press J Taylor & Francis Group Boca Raton London New York CRC Press Is an Imprint of the Taylor & Francis Croup, an Informa business AN AUERBACH BOOK

2 Contents Foreword Preface Acknowledgments About the Authors xvit xix xxiii xxv SECTION I OVERVIEW 1 The Internet Phenomenon Evolution of the Internet and the World Wide Web Mainframe Era Initial Mainframe Systems Mainframe Systems Today Client/Server Era Server Client Client/Server Architecture Distributed Computing Architecture Remote Procedure Call Messaging Internet and World Wide Web Eta B2B E-Commerce B2C E-Commerce Problems with Web Architecture Web Applications and Internet H 1.3 Role and Significance of Java Technology in Web Applications Applets JavaServlet JavaServer Pages Technology JavaServer Pages Standard Tag Library JavaServer Faces Technology * Java Message Service JavaMail API and the JavaBeans Activation Framework Java Naming and Directory Interface!4 v

3 vi Contents Miscellaneous Security in Java Web Applications Summary 16 2 Introducing Information Security Information Security: The Need of the Hour The Need for Information Security Internet Hackers and Their Backers Digitization Legal and Compliance Requirements The Motivation for Security Reputation Business Value Financial Impact Legal and Compliance Some Basic Security Concepts The Pillars of Security The CIA Triad Confidentiality Integrity Availability Risk Vulnerability Threat Risk Defense-in-Depth Network Security Host Security Application Security Physical Security Internet Security Incidents and Their Evolution The 1970s The 1980s The 1990s The 2000s-Present Day Security Myths and Realities There Is No Insider Threat Hacking Is Really Difficult Geographic Location Is Hacker-Proof One Device Protects against All 35, Summary 36 3 Introducing Web Application Security 3.1 Web Applications in the Enterprise What Is a Web Application? Ubiquity of Web Applications Web Application Technologies 39

4 Contents vii Java as Mainstream Web Application Technology Why Web Application Security? A Glimpse into Organizational Information Security Physical Security Network Security Host Security Application Security The Need for Web Application Security Ubiquity of Web Applications in the Enterprise Scenario Web Application Development Diversity Cost Savings Reputation and Customer Protection Web Application Incidents,, Web Application Security The Challenges Client-Side Control and Trust Pangs of the Creator Flawed Application Development Life Cycle Awareness Legacy Code Business Case Issues Summary 53 4 Web Application Security A Case Study The Business Need An E-Commerce Application The Company Proprietary Solution Vendor Lock-In Security Vulnerabilities Lack of Support for Security Compliance Integration Issues Capacity Issues The Existing Application Environment Webserver Database Server and Messaging Server Importance of Security Security Incidents Security Compliance and Regulation Panthera's Plan for Information Security Physical Security Network Security Host Security Application Security 61,2 Outlining the Application Requirements The Request for Proposal Purpose Users 61

5 viii Contents Communication Interfaces Security Requirements in the Request for Proposal An Overview of the Application Development Process The Application Development Process Detailed Application Requirements Application Design Application Development White- and Black-Box Testing User Acceptance Testing Deployment Summary 67 SECTION II FOUNDATIONS OF A SECURE JAVA WEB APPLICATION 5 Insights into Web Application Security Risk The Need for Web Application Security Risk Management Risk Management Risk Assessment Risk Mitigation Continuous Evaluation Hie Benefits of Risk Management for Web Applications Clarity on Security Functionality Software Development Life Cycle Compliance Cost Savings Security Awareness Facilitates Security Testing Overview ofthe Risk Assessment Phase System Characterization Process Risk Assessment An Overview of the System Characterization Process Identifying Critical Information Assets Developing a List of Critical Information Assets User Roles and Access to Critical Information Assets Understanding Basic Application Architecture Deployment Topology System Interfaces Developing Security Policies for the Web Application A Broad Overview of Security Policies for the Web Application Financial Risk and Impact Regulatory and Compliance Contractual Obligations Reputation and Goodwill Security Compliance and Web Application Security PCI-DSS! PA-DSS SOX HIPAA 88

6 Contents ix GLBA Threat Analysis Understanding and Categorizing Security Vulnerabilities Design Vulnerabilities Development Vulnerabilities Configuration Vulnerabilities Common Web Application Vulnerabilities Cross-Site Scripting SQL Injection Malicious File Execution Cross-Site Request Forgery Cryptographic Flaws Flawed Error Handling and Information Disclosure Authentication and Session Management Flaws Unrestricted URL Access Basic Understanding of Threats and Associated Concepts Threat Actor Threat Motive Threat Access Threat Outcome Threat Profiling and Threat Modeling Threat Profiling Threat Modeling Risk Mitigation Strategy Formulation of Detailed Security Requirements for the Web Application Risk Assessment for an Existing Web Application Summary Risk Assessment for tke Typical E-Commerce Web Application System Characterization ofpanthera's E-Commerce Application Identification of Critical Information Assets 109 Critical Information Assets Practical Techniques to Identify Identified Critical Information Assets for Panthera's Web... Application Customer Credit Card Information Ill Customer Information Ill Gift Card Information Stock/Inventory Information User Roles and Access to Critical Information Assets Application Deployment Architecture and Environment Network Diagram of the Deployment Environment Application Architecture Overview Security Policies for the Web Application and Requirements Panthera's Security Policies Critical Information Assets Threat Analysis Financial Impact Security Compliance and Regulations

7 x Contents Threat Profiling Threat Modeling Risk Mitigation Strategy Formulation of Detailed Security Features for Panthera's E-Commerce Application Authentication and Authorization Role-Based Access Control Password Management and Policy Session Management Storage of User Credentials Other Measures Cryptographic Implementation for Panthera's E-Commerce Application Encryption for Data at Rest Encryption for Data in Transit Encryption Key Management Logging Secure Coding Practices Input Validation and Output Encoding Secure Database Access Error Handling Summary 128 SECTION III BUILDING A SECURE JAVA WEB APPLICATION 7 Developing a Bulletproof Access Control System for a Java Web Application Overview ofaccess Control Systems A Brief History/Evolution of Access Control Mechanisms An Overview ofaccess Control Authentication Authorization Accountability Access Control Models Discretionary Access Control Mandatory Access Control Role-Based Access Control Developing a Robust Access Control System for Web Applications Attacks against Web Application Access Control Session Hijacking Cross-Site Request Forgery Session Fixation Man-in-the-Middle Forceful Browsing User Credentials Usernames and Passwords Session Maintaining a Secure State for Web Applications Authorization Effective Authorization for a Web Application Other Best Practices Security Compliance and Web Application Access Control

8 Contents xi PC1-DSS Requirement 7: Restrict Access to Cardholder Information by Business Need-co-Know Requirement 8: Assign a Unique ID to Each Person with Computer Access Implementing a Secure Authentication and Authorization System for a Java Web Application Java Security Overview Java Authentication and Authorization Services JAAS Core Common Classes Authentication Classes and Interfaces Authorization Classes and Interfaces Process of Authentication Process of Authorization Privileged Block of"code for Authorized Subject: doasprivilegedo Summary Application Data Protection Techniques Overview of Cryptography Evolution of Cryptography Cryptography Terminology and Definitions Encryption and Decryption Cryptosystem Key and Keyspace Substitution and Transposition Initialization Vector One-Way Hash Functions MAC/HMAC Symmetric and Asymmetric Cryptography Block Ciphers and Stream Ciphers Block Cipher Modes of Encryption Electronic Code Book (ECB) Cipher Block Chaining Cipher Feedback Output Feedback Counter Crypto Attacks Brute-Force Attack Known Plaintext Ciphertext Only I Chosen Plaintext and Chosen Ciphertext Meet-in-the-Mtddle Attack Side-Channel Attacks Linear and Differencial Gyp (analysis Birthday Attack 171

9 xii Contents, 8.2 Crypto Implementation for Web Applications Data Protection with Primer Cryptography A Necessity for Storage of Data Varied Data Protection Techniques A Study of Encryption Algorithms and Hashi ng Functions DES/Triple DES AES Blowfish RC RSA MD SHA Implementation Implications of Encryption in Web Applications Homegrown Crypto Weak Ciphers Insecure Implementation of Strong Ciphers Weak or Nonexistent Transport Layer Security Key Management Principles and Practical Implementation General Guidelines for Key Usage Generation of Keys Storage of Keys Period of Key Usage Revocation of Keys Security Compliance and Cryptography PCI Standards SB Java Implementation for Web Application Cryptography Implementation Independence Implementation Interoperability Algorithm Extensibility and Independence Architecture Details Cryptographic Service Providers (CSP) Core Classes, Interfaces, and Algorithms ofjca The Provider and Security Classes Engine Classes and Algorithms Key Interfaces and Classes Protection of Data in Transit History of Secure Socket Layer/Transport Layer Security The SSL/TLS Handshake Process Implementation Best Practices for Secure Transmission Web Applications Java Secure Socket Extensions for Secure Data Transmissions Features of the JSSE Cryptography and JSSE Core Classes and Interfaces ofjsse 197

10 Contents xiii,, SocketFactory and ServerSocketFactory Classes SSLSocketFactory and SSLServerSocketFactory Classes SSLSocket and SSLServerSocket Classes The SSLEngine Class Support Classes and Interfaces SSLContext Class TrustManager Interface TrustManagerFactory Class KeyManager Interface KeyManagerFactory Class Summary Effective Application Monitoring: Security Logging for Web Applications The Importance of Logging for Web Applications A Primer Overview of Logging and Log Management Loggi ng for Security The Need of the Hour Need for Web Application Security Logging Developing Security Logging Mechanism for a a Web Application The Constituents of a Web Application Security Log Request and Response Information Access Control Information Administrative Actions Errors and Exceptions Access to Sensitive Information Web Application Logging Information to Be Logged Username/IP Details Timestamp Type of Event Success/Failure Indication Name/Path of Affected Resource or Asset Details to Be Omitted from Web Application Logs Application Logging Best Practices Storage of Application Logs Security for Application Logs Security Compliance and Web Application Logging Logging Implementation Using Java Control Flow The Core Classes and Interfaces The Logger Class The Level Class The LogManager Class The LogReoord Class The Handler Class The Formatter Class Summary 215 *

11 xiv Contents 10 Secure Coding Practices for Java Web Applications Java Secure Coding Practices An Overview A Case for Secure Coding Practices Java Secure Coding Practices An Introduction Input Validation and Output Encoding The Need for Input Validation and Output Encoding What Is Validation of Input? Why Validate Input? Output Encoding User Input Validation for Java Web Applications Success Factors for Input Validation The Use of Regular Expressions Whitelist vs. Blacklist Validation Java Implementation for Input Validation and Output Encoding Regex StringEscapeUtils URLEncode/URLDecode Secure Database Queries Need for Secure Database Access Dynamic Use of Data to Construct SQL Query Use of PreparedStatement for Parameterizing SQL Queries Lack of Input Validation Flawed Error Handling Errors and Exceptions in Java Relevance Encapsulating Exception Reason Naming the Exceptions Balancing the Catch Using Finally Throw Early and Catch Late Summary 231 SECTION IV TESTING JAVA WEB APPLICATIONS FOR SECURITY 11 Security Testing forweb Applications Overview of Security Testing for Web Applications Security Testing for Web Applications A Primer Black-Box Testing White-Box Testing Need for Web Application Security Testing Cost Savings Reputation Security Testing Web Applications Some Basic Truths Reliance on Automated Vulnerability Assessment Tools Segregation of Duties Knowledge of Testers 239

12 Contents xv Defense-in-Depch for Security Testing Integration of Security Testing into Web Application Risk...241, Management Designing an Effective Web Application Security Testing Practice Approach to Web Application Security Testing Risk Assessment During Requirements and Design Phase Code Overviews During the Development Phase Code Reviews During the Development Phase Vulnerability Assessment and Penetration Testing During the Testing Phase Configuration Management Testing During Testing and Deployment Change Management and Verification During Maintenance Periodic Health Checks During Maintenance Threat Models for Effective Security Testing Basic Use Case Alternative Flows Threat Models Web Application Security Testing Critical Success Factors Patch-n-Fix Approach vs. Secure SDLC Testing Frequency Documentation for Security Testing Mix Security Testing for Web Applications and Security Compliance Summary 249 Practical Web Application Security Testing Web Application Vulnerability Assessment and Penetration Testing Approach to Practical Web Application Testing Tools and Technologies for Practical Security Testing Primary Tool Web Application Proxy Generic Security Assessment Tools Practical Security Testing for Web Applications Information Gathering and Enumeration DNS and WHOIS Information Enumeration Operating Environment and Services Enumeration Spidering Search Engine Reconnaissance 259 for Access Control Testing Web Application Testing for Nonsecure Passwords Testing for Transmission of Credentials over Encrypted Channel Testing for Authentication Schema Testing for Logout and Other Functionality Testing for Weak or Nonsecure Session Identifiers Testing for Session Fixation 265

13 xvi Contents Testing for Path Traversal Testing for Client-Side Authorization Vulnerabilities Testing for Flawed Business Logic Implementation for Authorization lOTesting for Cross-Site Request Forgery Testing Data Validation Testing for Cross-Site Scripting Vulnerabilities Testing for SQL Injection Vulnerabilities Summary 271 Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCI-DSS and PA-DSS) 273 Index 275