Architecture and Design Considerations - Build Security In - US-CERT
Architecture and Design Considerations - Build Security In - US-CERT
Architecture and Design Considerations - Build Security In - US-CERT
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
» Configure your TLS provider to only support strong (e.g. FIPS 140-2 compliant) algorithms.<br />
» Ensure your certificate is valid, not expired, not revoked, <strong>and</strong> matches all domain used by the site.<br />
» Backend <strong>and</strong> other connections should also use TLS or other encryption technologies.<br />
Securing the Password Process<br />
The username <strong>and</strong> password are important forms of authenticating the user, but with weak passwords <strong>and</strong> poorly developed<br />
“forgot-password” features, a user’s account can be easily infiltrated. To protect the users from creating weak passwords,<br />
passwords should have strongly enforced rules <strong>and</strong> expectations; OWASP’s Secure Coding Practices Quick Reference Guide<br />
suggests the following:<br />
» Enforce password complexity requirements established by policy or regulations. Authentication credentials should be<br />
sufficient to withst<strong>and</strong> attacks that are typical of the threats in the deployed environment. An example of password<br />
complexity is requiring alphabetic as well as numeric <strong>and</strong>/or special characters in the password.<br />
» Enforce a minimum length requirement for the password, as established by policy or regulations. OWASP<br />
recommends at least eight characters, but sixteen characters or the use of multi-word pass phrases will provide a<br />
better solution.<br />
» Enforce password changes based on requirements established in policy or regulations. Critical systems may require<br />
more frequent password changes.<br />
» Prevent password re-use; passwords should be at least one day old before they can be changed.<br />
» Disable the account after a certain number of failed login attempts.<br />
» Display generic error messages when a user types in an incorrect username or password.<br />
» Store passwords in the database as salted hash values.<br />
Carefully thought-out security measures for passwords are often broken when a user forgets his or her password. When<br />
developing the “forgot-password” feature, Dave Ferguson recommends that the application performs the following procedure<br />
before allowing the user to change their password:<br />
1. Ask for the username <strong>and</strong> hard data. Examples of hard data are the user’s last four digits of their social security<br />
number, telephone number, birth date, zip code, <strong>and</strong>/or customer number. The application should display a generic<br />
error message, such as “Sorry, invalid data”, if the data provided is incorrect.<br />
2. Ask the user to answer two or more of the user’s pre-established personal security questions; when developing these<br />
security questions, do not allow the user to type in their own questions.<br />
3. Finally, allow the user to reset their password but with password complexity requirements that exist throughout the<br />
application, avoid sending the username as a parameter when the form is submitted.<br />
To add additional security to this process, Ferguson recommends that after Step 2, the application sends a r<strong>and</strong>omly-generated<br />
verification code (8 or more characters) to the user’s phone or email, <strong>and</strong> then require the user to type the verification code into<br />
the application as they perform Step 3 (resetting their password). The downside to this approach is the phone or email stored<br />
within the system might be obsolete or invalid.<br />
Preventing Content <strong>In</strong>jection<br />
Content injection attacks occur when attackers insert malicious code or content into a legitimate site. During a content injection<br />
attack, attackers inject malicious content using Cross-Site Scripting (XSS), Cross Site Request Forgery (CSRF), <strong>and</strong>/or SQL<br />
injection. Although many sites are aware of these threats <strong>and</strong> have programs in place to find <strong>and</strong> remediate the vulnerabilities,<br />
the sheer size <strong>and</strong> complexity of the websites can make complete remediate of the security weakness implausible.<br />
Content <strong>Security</strong> Policy (CSP) is one of the many mechanisms used to mitigate broad classes of content injection vulnerabilities.<br />
CSP is a declarative policy framework that enables web authors <strong>and</strong> server administrators the ability to specify the permitted<br />
content in their web applications <strong>and</strong> the ability to restrict the capabilities of that content. CSP provides a method for the server<br />
to communicate with the browser, by providing a policy on how content on their website is expected to behave. With proper<br />
implementations of CSP, it can mitigate <strong>and</strong> detect content injection attacks such as XSS <strong>and</strong> CSRF.<br />
<strong>Architecture</strong> <strong>and</strong> <strong>Design</strong> <strong>Considerations</strong> for Secure Software 20