11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity

Chapter 3: Threat Modeling 53

Identify Trust Boundaries

Identify the trust boundaries that surround each of the tangible assets of your application. These assets are determined by your application design. For each subsystem, consider whether the upstream data flows or user input is trusted, and if not, consider how the data flows and input can be authenticated and authorized. Also consider whether the calling code is trusted, and if it is not, consider how it can be authenticated and authorized. You must be able to ensure that the appropriate gatekeepers guard all entry points into a particular trust boundary and that the recipient entry point fully validates all data passed across a trust boundary.

Start by analyzing trust boundaries from a code perspective. The assembly, which represents one form of trust boundary, is a useful place to start. Which assemblies trust which other assemblies? Does a particular assembly trust the code that calls it, or does it use code access security to authorize the calling code?

Also consider server trust relationships. Does a particular server trust an upstream server to authenticate and authorize the end users, or does the server provide its own gatekeeping services? Also, does a server trust an upstream server to pass it data that is well formed and correct?

For example, in Figure 3.3, the Web application accesses the database server by using a fixed, trusted identity, which in this case is the ASPNET Web application process account. In this scenario, the database server trusts the application to authenticate and authorize callers and to forward only valid request data on behalf of authorized users.

Note: In a .NET Framework application, the assembly defines the smallest unit of trust. Whenever data is passed across an assembly boundary — which by definition includes an application domain, process, or machine boundary — the recipient entry point should validate its input data.

Identify Data Flow

A simple approach is to start at the highest level and then iteratively decompose the application by analyzing the data flow between individual subsystems. For example, analyze the data flow between a Web application and an Enterprise Services application, and then between individual serviced components.

Data flow across trust boundaries is particularly important because code that is passed data from outside its own trust boundary should assume that the data is malicious and perform thorough validation of the data.

Note: Data flow diagrams (DFDs) and sequence diagrams can help with the formal decomposition of a system. A DFD is a graphical representation of data flows, data stores, and relationships between data sources and destinations. A sequence diagram shows how a group of objects collaborate in terms of chronological events.
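The two steps above, identifying trust boundaries and then walking the data flows that cross them, can be made mechanical with a small DFD model. The following Python is an added example and not code from the book or from Microsoft patterns & practices: it records each element's trust zone, each flow's data, and the two gatekeeping facts the chapter asks about (is the caller authenticated and authorized at the entry point, and does the recipient validate what it receives), then reports every boundary-crossing flow that lacks one of them. The zone names, element names and the gaps in the sample model are constructed for illustration and loosely follow the Figure 3.3 scenario plus the Enterprise Services example; they are not the book's figure.

```python
"""Toy trust-boundary and data-flow review for threat modeling.
Element names, zone labels and the sample gaps are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Element:
    """A process, external entity or data store in the DFD."""
    name: str
    trust_zone: str  # assumed zone label; different zones sit across a trust boundary


@dataclass(frozen=True)
class DataFlow:
    """One arrow of the DFD plus the gatekeeping facts worth recording for it."""
    source: Element
    target: Element
    data: str
    caller_authenticated: bool  # recipient (or its gatekeeper) authenticates/authorizes the source
    input_validated: bool       # recipient entry point validates the data before using it


def crosses_trust_boundary(flow: DataFlow) -> bool:
    """A flow crosses a trust boundary when its endpoints live in different zones."""
    return flow.source.trust_zone != flow.target.trust_zone


def review_flows(flows: List[DataFlow]) -> List[Tuple[str, str]]:
    """Return (flow label, issue) pairs for boundary-crossing flows without a gatekeeper.

    Flows that stay inside one zone are not reported: the chapter's rule concerns data
    that arrives from outside the recipient's own trust boundary."""
    findings = []
    for f in flows:
        if not crosses_trust_boundary(f):
            continue
        label = f"{f.source.name} -> {f.target.name} ({f.data})"
        if not f.caller_authenticated:
            findings.append((label, "caller not authenticated/authorized at entry point"))
        if not f.input_validated:
            findings.append((label, "input not validated at entry point; treat as malicious"))
    return findings


def example_model() -> List[DataFlow]:
    """Constructed model: browser -> Web application -> serviced component -> database,
    with the database reached under a fixed trusted identity (the ASPNET process account)."""
    browser = Element("Browser", "internet")
    web_app = Element("Web application (ASPNET identity)", "web-tier")
    serviced = Element("Enterprise Services component", "app-tier")
    database = Element("Database server", "data-tier")
    cache = Element("Output cache", "web-tier")
    return [
        # End user crosses the Internet/web-tier boundary: the Web app authenticates the
        # user and validates the form fields it receives, so nothing is reported.
        DataFlow(browser, web_app, "login form fields", True, True),
        # Constructed gap: the serviced component trusts whoever calls it.
        DataFlow(web_app, serviced, "order request", False, True),
        # Constructed gap: the database trusts the fixed identity but does not check that
        # the request it receives is well formed.
        DataFlow(serviced, database, "order query", True, False),
        # Same zone on both ends: no boundary crossing, so no finding even with both flags off.
        DataFlow(cache, web_app, "cached page", False, False),
    ]


if __name__ == "__main__":
    for flow_label, issue in review_flows(example_model()):
        print(f"{flow_label}: {issue}")
```

Running the script lists the two constructed gaps (the unauthenticated call into the serviced component and the unvalidated query reaching the database) and stays silent on the in-zone cache flow. In a real model the same table doubles as the checklist the chapter asks for: every row that crosses a zone must name the gatekeeper that authenticates the caller and the entry point that validates the data.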
