Draft Application Security Developer's Guide

DRAFT APPLICATION SECURITY DEVELOPER'S GUIDE
Version 1.0
October 4, 2002

Applications and Computing Security Division
Center for Information Assurance Applications
5275 Leesburg Pike, Falls Church, VA 22041

(This document is for review. Comments, if any, can be sent to [email protected] or [email protected])

FOR INFORMATIONAL PURPOSES
Draft

TABLE OF CONTENTS (page numbers in parentheses)

1.0 INTRODUCTION (p. 1)
  1.1 PURPOSE (p. 1)
  1.2 SCOPE (p. 2)
    1.2.1 Subjects Not Addressed in This Document (p. 2)
  1.3 INTENDED AUDIENCE (p. 3)
  1.4 NOTE ON STYLE (p. 4)
2.0 BACKGROUND (p. 5)
  2.1 ORGANIZATION AND CONTENT OF THIS DOCUMENT (p. 5)
  2.2 HOW TO USE THIS DOCUMENT (p. 6)
3.0 WHAT IS WEB APPLICATION SECURITY? (p. 13)
  3.1 SECURITY IN THE WEB APPLICATION ARCHITECTURE (p. 14)
    3.1.1 Application Layer (p. 16)
    3.1.2 Application Program Interface (p. 16)
    3.1.3 Middleware Layers (p. 16)
    3.1.4 Infrastructure (p. 16)
  3.2 SECURITY-AWARE DEVELOPMENT (p. 17)
    3.2.1 Use a Security-Oriented Development Process and Methodology (p. 17)
      3.2.1.1 SSE-CMM (p. 19)
    3.2.2 Adopting an Effective Security Philosophy (p. 19)
    3.2.3 Planning the Development Effort Realistically (p. 20)
    3.2.4 Security Quality Assurance Throughout the Life Cycle (p. 20)
    3.2.5 Accurate, Complete Specifications (p. 20)
    3.2.6 Secure Design (p. 21)
      3.2.6.1 Minimize Functionality (p. 21)
      3.2.6.2 Minimize Component Size and Complexity (p. 23)
      3.2.6.3 Minimize Trusted Components (p. 23)
      3.2.6.4 Minimize Interfaces and Outputs (p. 23)
      3.2.6.5 Avoid High-Risk Web Services, Protocols, and Components (p. 23)
      3.2.6.6 Disable or Remove Unused Capabilities and Resources (p. 24)
      3.2.6.7 Separate Data and Control (p. 24)
      3.2.6.8 Protect All Sensitive Transactions (p. 24)
      3.2.6.9 Protect Sensitive Data at Rest (p. 24)
      3.2.6.10 Include Trustworthy Authentication and Authorization (p. 25)
      3.2.6.11 Always Assume the Operating Environment Is Hostile (p. 25)
      3.2.6.12 Always Assume that Third-Party Software Is Hostile (p. 25)
      3.2.6.13 Never Trust Users and Browsers (p. 26)
      3.2.6.14 Require and Authorize No Privileged Users or User Processes (p. 26)
      3.2.6.15 Do Not Rely on Security Through Obscurity (p. 26)
      3.2.6.16 Be Accurate in Your Assumptions About the Underlying Platform (p. 27)
      3.2.6.17 Make Security Mechanisms Easy to Configure and Use (p. 27)
      3.2.6.18 Risk Analysis of Application Design (p. 27)
    3.2.7 Application Middleware Frameworks (p. 27)
    3.2.8 Restricting the Development Environment (p. 28)
    3.2.9 Writing Elegant Software (p. 28)
      3.2.9.1 Document First (p. 28)
      3.2.9.2 Keep Code Simple, Small, and Easy to Follow (p. 29)
      3.2.9.3 Isolate Security Functionality (p. 29)
      3.2.9.4 Be Careful with Multitasking and Multithreading (p. 29)
      3.2.9.5 Use Secure Data Types (p. 30)
      3.2.9.6 Reuse Proven Secure Code (p. 30)
      3.2.9.7 Use Secure Programming Languages and Development Tools (p. 30)
      3.2.9.8 Call Safely to External Resources (p. 31)
      3.2.9.9 Use Escape Codes with Extreme Caution (p. 32)
      3.2.9.10 Maintain a Consistent Coding Style (p. 33)
      3.2.9.11 Find and Remove Bugs (p. 33)
      3.2.9.12 Write for Reuse (p. 34)
      3.2.9.13 Keep Third-Party Component Fixes and Security Patches Up to Date (p. 34)
      3.2.9.14 Common Logic Errors to Avoid (p. 35)
    3.2.10 Security-Aware Testing (p. 36)
      3.2.10.1 Rules of Thumb for Security-Aware Testing (p. 36)
      3.2.10.2 Code Reviews (p. 37)
      3.2.10.3 Source Code Security Audits (p. 38)
      3.2.10.4 Penetration Testing During Development (p. 38)
4.0 IMPLEMENTING SECURITY MECHANISMS (p. 40)
  4.1 PUBLIC KEY-ENABLING (p. 40)
    4.1.1 PK-Enabling: A Definition (p. 41)
    4.1.2 Why PK-Enable? (p. 42)
    4.1.3 When to PK-Enable (p. 42)
    4.1.4 PK-Enabling Web Applications (p. 44)
      4.1.4.1 Choosing an SSL 3.0 Tolerant Web Server (p. 45)
    4.1.5 PK-Enabling Backend Applications: PKI Toolkits (p. 46)
  4.2 IDENTIFICATION AND AUTHENTICATION MECHANISMS (p. 46)
    4.2.1 Notification of Authentication (p. 47)
    4.2.2 Client (Browser)-to-Server Trusted Path (p. 48)
      4.2.2.1 Extending the Chain of Trust to a Backend Server (p. 50)
    4.2.3 PKI-Based I&A (p. 50)
      4.2.3.1 Browser Use of Hardware Tokens (p. 51)
    4.2.4 Reusable (Static) Password I&A (p. 51)
      4.2.4.1 Implementing Reusable Password I&A in Web Applications (p. 52)
      4.2.4.2 Confidentiality and Integrity of Usernames and Passwords

Document details: PDF, 212 pages, English.
