Concepts of Application Security

Confidentiality

  • Definition: Confidentiality means that sensitive information should not be readable by unauthorized persons.  In part, confidentiality can be achieved by authentication and authorization.  In this chapter, we discuss other confidentiality measures you can take to keep private information private.
  • Remediation: SSL + Cryptography, browser settings: disable browser features, directory listing on web server, cached data + cookies.

Integrity

  • Definition: Integrity means that it should not be possible to change data during transmission.  If data is tampered with, this should be detected.
  • Remediation: SSL + Cryptography.

Authentication

  • Definition: Authentication means we should ensure that only legitimate persons are able to access the application.  During authentication, the identity of a user is established, and their credentials are checked.
  • Remediation: Authentication + Access Control, caching authentication tokens, account lockout after retries, hard-coded credentials in code, difficult and encrypted session IDs, limit number of sessions, session timeout, no default passwords, secure kept-open channels, secure administrative interfaces, apply patches, secure DB connections.

Authorization

  • Definition: Authorization means we should control access to application resources by authenticated users or code.
  • Remediation: Code-access security, role-based security, secured DB accounts, secure DB admins to avoid direct data manipulation bypassing the system.

Non-repudiation

  • Definition: Non-repudiation, in its simplest form, means that proof should be provided that a certain message has been sent by a certain party.  Non-repudiation of this kind can be obtained by using cryptography: digital signatures assure that a certain message was sent by the owner of a certain private key, and that the message has not been tampered with.
  • Remediation: SSL + Cryptography.
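The signature property described under Non-repudiation, shown as an added Go example (not part of the original post) using Ed25519 from the standard library. It goes one step beyond the text by contrasting the signature with a shared-key HMAC, which detects tampering but cannot prove who sent the message; the message text, shared key and function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the payload and a signature over it.
type SignedMessage struct {
	Body, Sig []byte
}

// Sign creates a signature that only the holder of the private key can produce.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify needs only the public key, so any third party can check both the
// origin of the message and that it has not been altered.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Sig)
}

// MAC computes an HMAC-SHA256 tag. Sender and receiver hold the same key,
// so a valid tag does not show which of them produced it.
func MAC(key, body []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(body)
	return h.Sum(nil)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := Sign(priv, []byte("transfer 100 EUR to account 42")) // constructed sample
	fmt.Println("genuine message verifies:", Verify(pub, msg))

	tampered := SignedMessage{Body: []byte("transfer 900 EUR to account 42"), Sig: msg.Sig}
	fmt.Println("tampered message verifies:", Verify(pub, tampered))

	shared := []byte("constructed-shared-key") // known to both parties
	fmt.Println("receiver can reproduce MAC:", hmac.Equal(MAC(shared, msg.Body), MAC(shared, msg.Body)))
}
```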

Availability

  • Definition: Availability means that we should prevent attacks that try to make the application unavailable for legitimate users of the application.
  • Remediation: Input Validation, HTTP request validation, input length validation, unsupported characters, character set validation.

More details in the following overview slide deck:
