<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Leonardo Felicissimo</title>
    <description>The latest articles on Forem by Leonardo Felicissimo (@leofelicissimo).</description>
    <link>https://forem.com/leofelicissimo</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F542346%2Ffc29fedb-1649-41f2-b336-581bac9180da.jpeg</url>
      <title>Forem: Leonardo Felicissimo</title>
      <link>https://forem.com/leofelicissimo</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/leofelicissimo"/>
    <language>en</language>
    <item>
      <title>Threats Driven - Web Applications Security, Part 2</title>
      <dc:creator>Leonardo Felicissimo</dc:creator>
      <pubDate>Sun, 07 Nov 2021 21:07:39 +0000</pubDate>
      <link>https://forem.com/leofelicissimo/threats-driven-web-applications-security-part-2-1f7o</link>
      <guid>https://forem.com/leofelicissimo/threats-driven-web-applications-security-part-2-1f7o</guid>
<description>&lt;p&gt;In the previous &lt;a href="https://dev.to/leofelicissimo/why-im-studying-this-web-applications-security-part-1-3el6"&gt;article&lt;/a&gt; I started writing a bit about why I'm currently studying how to secure web applications. Moving on, I'm going deeper into the theme, starting from Microsoft's STRIDE model and exploring the basic security design principles from a &lt;a href="http://web.mit.edu/Saltzer/www/publications/protection/index.html"&gt;paper&lt;/a&gt; published in 1975 by John H. Saltzer at MIT.&lt;/p&gt;

&lt;p&gt;Sometimes when building an application, we think the only way to make it secure is to avoid hacker attacks, and that this is not a job for devs but for the operations team. Let's be honest here (secure env). Which words come to your mind when you think about security? Passwords and hackers (right?). &lt;/p&gt;

&lt;p&gt;But the process of securing an application starts when we first answer the question: what might we be fighting against?&lt;/p&gt;

&lt;p&gt;The purpose of Saltzer's paper is to explore "the mechanics of protecting computer-stored information from unauthorized use or modification". Saltzer goes from the basic security design principles to the state of the art. The funny thing is that the points the paper calls security &lt;em&gt;basic principles&lt;/em&gt; sounded like a WOW! to me (HAHAHA Jesus, what a gap I had!).&lt;/p&gt;

&lt;p&gt;Once we have understood privacy protection, and therefore information security, as the main objective of security strategies, Saltzer helps by giving a definition of the terms:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The words "privacy," "security," and "protection" are frequently used in connection with information-storing systems. Not all authors use these terms in the same way. This paper uses definitions commonly encountered in computer science literature.&lt;/p&gt;

&lt;p&gt;The term "privacy" denotes a socially defined ability of an individual (or organization) to determine whether, when, and to whom personal (or organizational) information is to be released.&lt;/p&gt;

&lt;p&gt;The term "security" describes techniques that control who may use or modify the computer or the information contained in it.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Saltzer proposes categorizing security issues in the following way:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Unauthorized information release&lt;/td&gt;
&lt;td&gt;an unauthorized person is able to read and take advantage of information stored in the computer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unauthorized information modification&lt;/td&gt;
&lt;td&gt;an unauthorized person is able to make changes in stored information--a form of sabotage&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unauthorized denial of use&lt;/td&gt;
&lt;td&gt;an intruder can prevent an authorized user from referring to or modifying information&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;I remember an earlier professional experience where a teammate from the Infosec team scheduled a series of meetings related to Threat Modeling. At least for me, at the time, it was awesome. Instead of building something based on basic security patterns familiar to us, or relying on what the framework has out of the box, the challenge was to build an architecture considering a couple of security threats from the start.&lt;/p&gt;

&lt;p&gt;For this, Microsoft proposes a model called &lt;a href="https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model"&gt;STRIDE&lt;/a&gt;, an acronym that helps to organize the known threats into categories:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Spoofing&lt;/td&gt;
&lt;td&gt;Illegal access to and use of a username and password, for example&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tampering&lt;/td&gt;
&lt;td&gt;Malicious modification of data. For example, unauthorized changes to a database&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Repudiation&lt;/td&gt;
&lt;td&gt;A weakness related to a lack of cryptography and traceability of a transaction between two parties. One of the parties denies having performed an action and the system is unable to prove the integrity (I confess, it has been a challenge to try to explain this part. Feel free to help me in the comments! :D)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Information Disclosure&lt;/td&gt;
&lt;td&gt;Users accessing information on resources they are not granted access to, or stealing information by sniffing the traffic&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Denial of Service&lt;/td&gt;
&lt;td&gt;Brings down a web app, forcing it to be unavailable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Elevation of Privilege&lt;/td&gt;
&lt;td&gt;When a user who doesn't have access to a resource bypasses the denial and gains access some way. SQL injection, for example.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Well, looking at the table and researching each of them, it seems that all of them involve the application's data. In the end, all our security strategies have a single objective: protect user privacy by preventing unauthorized access to information.&lt;/p&gt;

&lt;p&gt;So the conclusion at this moment is that if we want to design an architecture that considers security efforts, we shouldn't just think about what to do or use to avoid unauthorized access, but about how to prevent threats by modeling security strategies from the start of architectural decisions.&lt;/p&gt;

&lt;p&gt;Before thinking about the main structure of the application, which design patterns to use, or what the test cases are, how should we design or plan to guarantee that this new API is safe from security threats?&lt;/p&gt;

&lt;p&gt;In many projects we start building things by doing whatever it takes to see the database result returned in an HTTP request or on a screen as fast as possible. The challenge when we start to consider a secure app is to start answering: what are the possible threats related to what we are going to build? &lt;/p&gt;

&lt;p&gt;Concluding with Saltzer's words:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The objective of a secure system is to prevent all unauthorized use of information, a negative kind of requirement. It is hard to prove that this negative requirement has been achieved, for one must demonstrate that every possible threat has been anticipated. Thus an expansive view of the problem is most appropriate to help ensure that no gaps appear in the strategy. In contrast, a narrow concentration on protection mechanisms, especially those logically impossible to defeat, may lead to false confidence in the system as a whole.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In the next part I want to share the Security Basic Principles proposed by Saltzer.&lt;/p&gt;

&lt;p&gt;See ya!&lt;/p&gt;

</description>
      <category>security</category>
      <category>webdev</category>
      <category>beginners</category>
      <category>network</category>
    </item>
    <item>
      <title>Why I'm studying this? - Web Applications Security, Part 1</title>
      <dc:creator>Leonardo Felicissimo</dc:creator>
      <pubDate>Sat, 06 Nov 2021 19:57:37 +0000</pubDate>
      <link>https://forem.com/leofelicissimo/why-im-studying-this-web-applications-security-part-1-3el6</link>
      <guid>https://forem.com/leofelicissimo/why-im-studying-this-web-applications-security-part-1-3el6</guid>
<description>&lt;p&gt;This and the following texts will be part of my personal study about security for web applications. It represents a big challenge for me, for two reasons: first, because English is not my first language and I never imagined writing a text in English in my life. And second, because security is a gap I have at this exact moment. With this and other texts I want to win these two challenges and enter a beautiful new world!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkp1yv126unmow6lwl190.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkp1yv126unmow6lwl190.png" alt="A scene of the world destroyed. Grays sky, destroyed cars, and empty street"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Just kidding lol, let's move on!&lt;/p&gt;

&lt;h2&gt;The importance of security and my shame&lt;/h2&gt;

&lt;p&gt;Security is an important theme when we are building an information system, because in this kind of application we have private data going from one side to another. So it is not without importance (I know there must be a better term for this), because if our data were stolen our users could be harmed and the whole system would fall.&lt;/p&gt;

&lt;p&gt;But unfortunately, when we are building a product we are not always prioritizing building it with the best security practices applied.&lt;/p&gt;

&lt;p&gt;A few days ago I was interviewed and one of the questions was about security. At that time I saw the lack of knowledge I had on this topic. The question was very simple: "How would you store the password in the database securely?" And the only response I gave was: "I could use an MD5 hash to store it." HAHAHAHAHAHAHAHAHAHAHAH Jesus! What a shame!&lt;/p&gt;

&lt;p&gt;This is because in all the projects I've contributed to, the security mechanism was provided by the framework or by others who came before me and built it.&lt;/p&gt;

&lt;p&gt;So, having recovered from my feeling of shame, I put myself on the path of improving my security skills, understanding from zero everything related to how to create secure RESTful APIs. I want to share my study path, bringing examples, sharing code and moving between theory and practice.&lt;/p&gt;

&lt;p&gt;My starting point is a good text I found at &lt;a href="https://restfulapi.net/security-essentials" rel="noopener noreferrer"&gt;restfulapi.net&lt;/a&gt;. In this text the author gives an overview of the topic, sharing Security Design Principles and Best Practices from a very broad perspective.&lt;/p&gt;

&lt;p&gt;Based on this text, I would like to better understand each principle and how to apply it, as well as show in practice how to implement the best practices using my preferred languages (I need to decide which one first 😰).&lt;/p&gt;

&lt;p&gt;So for now, I'm just introducing the method. If you need more info about the theme faster, start reading restfulapi.net; it seems a very useful introduction! But if you are interested in following my path, read the text and come back here to follow along with me. I will try to start writing the next one ASAP, I swear!&lt;/p&gt;

&lt;p&gt;UPDATE: Continue to the next part &lt;a href="https://dev.to/leofelicissimo/threats-driven-web-applications-security-part-2-1f7o"&gt;here&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>beginners</category>
      <category>network</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
