Chapter 9 - 01 - Understand Secure Application Design and Architecture - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Application Security Exam 212-82 Application Security Frame L3 3 © Application Security Frame ' Input Validation Sensitive Data Protection Parameter Manipulation Authentication Session Management Exception Management Authorization Cryptography Auditing and Logging Configuration Management Web Server Applicauon Server """".___."‘ EEN Firewall EJ Apps Host -'-'-"-'ll‘ I-- : Apps - Firewall : i[9 Securing the Nehvork Router Firewall Switch 1DS IPS < ". Host == == —) 9 Database Host Secuflng the Host : i i Patches and Updates Services Accounts Files and Directories Ports Registry Protocols ~ Shares Auditing and Logging Threats and Countermeasures > Copyright © by E. All Rights Reserved. Reproductionis Strictly Prohibited Application Security Frame An application security frame, also referred to as a web-application security schema, incorporates skillful technical operations such as threat modeling to discover and categorize threats, vulnerabilities, and attack surfaces as well as provide appropriate countermeasures. It minimizes risks that can evolve from public platforms while accessing security frame can establish a regular framework that can merge skills though firewalls, IDSes, routers, and other networking solutions and by releasing on time patches, maintaining individual accounts, logging, Module 09 Page 1144 application services. The to secure the web server to secure the host server etc. Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security trrsrsssssannnn e. e NN a et e RN Exam 212-82 AR ARSI SRS R SRR. Application Security Frame Input Validation Sensitive Data Protection Authentication Session Management Parameter Manipulation Exception Management Authorization Cryptography Auditing and Logging Configuration Management Web Server Apps --===.1 I = o e Firewall e g o Host : : : : i | I Sersraresaane.E -------------------- T Router Firewall Switch IDS IPS = R — (@ s Threats i i i Patches and Updates Accounts Ports Services Files and Directories Registry Host A Securing the Host : Database i """"""""""""" PRDRTPIIRRLE AN PEIN N R et Securing the Network : S. T Protocols Shares Auditing and Logging and Countermeasures Figure 9.3: Application security frame Module 09 Page 1145 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 3W’s in Application Security : W hv Why should we care about N. application security? Owing to theur globally accessible nature, applications are becoming popular targets for attackers to. PR. compromise an organization’s security Constant security vigilance is required at various m phases of the application development lifecycle What do we need for [ 1] application security ? Managers, architects, developers, testers, and 3BErs, ! 'oP o administrators are responsible for application security Who is responsible for —. application security? Copyright © by EC. i All Rights Reserved. Reproduction is Strictly Prohibited. 3W’s in Application Security As a web application passes through complex networks and connects to multiple users, it must be secured with all the necessary security measures, which requires proper planning and expertise. The following are the three Ws involved in providing effective application security. = Why: Why should we care about application security? As applications are globally accessible, they are becoming popular targets for attackers to compromise an organization’s security. Therefore, an application must be evaluated while considering all the target portions or attack surfaces. Through appropriate security implementations, the application can maintain confidentiality and integrity of data as well as ensure the uninterrupted availability of services. = What: What do we need for application security? To overcome all the security challenges that an application can face in the global network, constant security vigilance is required at various phases of the application development lifecycle. The application also requires security controls or tools to identify, address, and handle threats and to enhance the overall security, thus making it less vulnerable to cyberattacks. Standard policies and guidelines can also play a major role in implementing application security. = Who: Who is responsible for application security? Irrespective of where an application is hosted, securing it is a major concern for the organization. Entities such as managers, architects, developers, testers, and administrators take equal responsibility in securing the application. All these parties must collaborate to detect common application security bugs as well as create and deliver patches after thorough inspection. Module 09 Page 1146 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 g (@ Secure Application Design and Architecture A security negligence at design and architecture phase may lead to vulnerabilities that are difficult to detect and expensive to fix in production Security vigilance at design phase enables detecting potential security flaws early in the software development lifecycle > Secure design of an application is based on security requirements identified in the previous phase of the SDLC Secure design is a challenging process as designing required security controls may obstruct the business functionality requirements Copyright © by Secure Application Design and Architecture A security negligence at design and architecture phase may lead to vulnerabilities that are difficult to detect and expensive to fix in production. The security vigilance at design phase enables detecting potential security flaws early in the software development lifecycle. Secure design of an application is based on security requirements identified in the previous phase of the SDLC. Secure design is a challenging process as designing required security controls may obstruct the business functionality requirements. Module 09 Page 1147 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security g 7)) 780\ Exam 212-82 i c—tztzmramues s~ -~ — > Identifying the threats in ) Designing an architecture in such sufficient details for developers to understand and code a way that it mitigates as many threats as possible Enforcing secure design principles that force developers to consider security while coding accordingly to mitigate the risk associated with the threats All Rights Reserved. Reproduction is Strictly Prohibited Goal of Secure Design Process = |dentifying the threats in sufficient details for developers to understand and code accordingly to mitigate the risk associated with the threats. = Designing an architecture in such a way that it mitigates as many threats as possible. = Enforcing secure coding. * Ensuring confidentiality, integrity, and availability of data used within the application. Module 09 Page 1148 design principles that force developers to consider security while Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Secure Design Actions Security Requirement Specifications Design the application according to security specifications gathered at requirement phase 00© Secure Design Principles Define the secure coding standards to be implemented in development phase Secure Application Threat Modeling Architecture Perform threat modeling to know your threats @ Design secure application architecture Copyright © by. Al Rights Reserved. Reproductionis Strictly Prohibited Secure Design Actions The secure design actions include the following: = Security Requirement Specifications: Design the application according to security specifications gathered at requirement phase. = Secure Design Principles: Define the secure coding standards to be implemented development phase. * Threat Modeling: Perform threat modeling to know your threats. = Secure Application Architecture: Design secure application architecture. Module 09 Page 1149 in Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.