Security Best Practices
Security Best Practices
More and more organizations today realize how important it is to manage security of their websites and applications on cloud or on-premise datacenters. Organizations are rapidly adopting Hybrid Cloud models in which managing security is of paramount importance. In order to cater to rapidly changing business realities, organizations are constantly evaluating methods to deploy software’s faster and meet or exceed organization goals. This has resulted in Information security teams to be more competitive and faster in aligning to business needs.
A recent survey by WhiteHat Security puts an average number of threats to as much as 32 per site (in IT industry)
Traditionally, DevOps have always worked in silos, and when it came to security; security teams were brought in to check for security only once the development had been over. This often meant that product releases were delayed because of security issues, or security issues were overlooked in order to meet the aggressive timelines.
There are a number of organizations that have learned the need of effective security a very hard way, and often it was too late for some. Regardless of such lapses there are businesses which continue to ignore such lapses because they either don’t understand the implications of such lapses or are unable to bridge the security gap due to adequate knowledge & support and this now threatens businesses to lose their competitive edge.
Organizations are increasingly adopting Agile processes to ensure faster delivery time for applications. DevOps collaborates to make sure app is built and deployed quickly while making use of automation tools at every step. And most often security is overlooked which should be an integral part of product life cycle.
In order to make security the integral part of product development we recommend implementing OWASP Top 10 controls along with additional controls on infrastructure on Cloud of different service provides (AWS, Azure etc.)
OWASP 10 Security Controls:
Verify for Security Early and Often
How?:
- Include security as an integral part of development
- Security is part of every sprint, user story
- Instead of performing vulnerability assessment at the end of development, assessment is taken as one of the milestone for every sprint cycle
- Security is included while testing every story and task, i.e. while building a feature for passing data from one service to another service, data is stored in encrypted form transmitted in a secure manner to ensure it is safe while at rest and in transit
Parameterize Queries
How?
- Use of prepared statements (Parameterized Queries
- Use of Stored procedures
- Escaping all user supplied inputs to ensure untrusted data is not processed
- Enforcing least privilege for every user/action
- Whitelist input validation in order to ensure required function only is allowed for a certain action
Encode Data
How?
- Use of encoding like translating special characters in some equivalent characters which is not dangerous for target interpreter
Validate All Inputs
How?
- Every input is treated as dangerous hence encoding and parameterization is used to ensure entered data meets security requirements
- For e.g. if user is entering a 4 digit account info, data is treated as dangerous data and is checked whether it is only a 4 digit numerical value and does not contain special characters for performing an SQL injection attack as well as check that user is authorized to access the said account info
Implement Identity and Authentication Controls
How?
- Implementing MFA for securing authentication
- Mobile Application: Token based authentication so that server authenticates each request instead of using session cookies which often stores data unencrypted
- Access validation controls to ensure rights of each user is validated before they perform any function. This ensures that only an authorized user is making the required changes
- Secure Password Storage
- Secure Password recovery mechanism, for e.g. user can only retrieve password using authorized email account on the system
- Session generation & expiration mechanism to ensure timely closure and revalidation of session information
- Session reauthentication for sensitive features, for e.g. password change
Implement Appropriate Access Controls
How?
- All requests will go through Access control checks
- Least privilege principle
- Deny All by default
- Use of separate access control engine for better performance and security controls
- Server side trusted data controls, for e.g. does user have required access etc.
- Validation of access by access control engine before granting access
Protect Data
How?
- Encryption of data at rest
- Encryption of data in transit using TLS
- SSL & TLS encryption
- Secure storage on Mobile devices
Implement Logging and Intrusion Detection
How?
- Application monitoring
- Business analytics & insight
- Application logging for Access Control requests
- Activity auditing & compliance reporting
- Use of IDS/IPS for protecting the environment against unauthorized access
- Use of Web application firewalls for mitigating DDoS attacks, & sql injection attacks etc
- Forensics for identifying security lapses
Leverage Security Frameworks and Libraries
How?
- Use inbuilt language security framework instead of third party frameworks
- Lesser use of 3rd party security frameworks can reduce the surface of attack
Error and Exception Handling
How?
- Manage exceptions in centralized way to avoid duplicated catch blocks in the code
- To ensure all unexpected behavior are correctly handled inside the application
- Ensure that the error messages do not display critical data and only display necessary information enough to explain the issue to the user
- Ensure logged information gives information for understanding of IT Team without giving any critical/sensitive information
Cloud Infrastructure security controls
Apart from the above controls we also should implement controls to secure the infrastructure hosted in Cloud.
Operating System hardening
- Disable unnecessary services on the servers
- Use encrypted volumes for storing data
- Anti-malware for protecting the systems from malware
- Data integrity checks to ensure data is intact and only authorized changes are made
- Disable Root Login on the servers
- Use strong SSH Keys instead of passwords and rotate SSH keys every 30-45 days
- Use individual user accounts on server so it is easier to audit the actions performed on the servers
- Log account login & access audit logs
- Use firewall for whitelisting legitimate traffic
- Use of CM Tools (Chef, Puppet) to automatically roll back unauthorized configuration changes with approved configuration
- Stop direct access to the servers hosted in cloud and instead use a Jump Server to connect to servers in cloud and use separate accounts for JumpHosts & production servers hosted in cloud to increased security.
- Use MFA for accessing Jump Host so that only authorized users can access the servers
- Use VPN Server for private communication from corporate network to Cloud
- Use LDAP or extend directory authentication services from corporate network to Cloud to have same security controls as in Corporate datacenter.
- Perform periodic security updates. Install critical security updates within 48 hours to mitigate potential security risks
- Use log management software for centralized logging that could be used for investigating security breaches. Use centralized logging with alerting capabilities so that security events can be detected early and corrective actions can be taken quickly
Cloud Security Controls
- Use separate environment (VPC’s or Networks) for UAT, Staging, & Production environments
- Use Isolated subnets (Public & Private Subnets)
- Use NAT Server for internet access on instances in Private Subnets and block all the unnecessary traffic
- Use Acess control lists for whitelisting required traffic. By default all the traffic should be blocked
- Use security groups for individual instances/services for authorizing inbound traffic
- Restrict inbound & outbound traffic via NAT, Security groups, & Network access lists on private subnets
- Use encryption between network load balancers and servers for traffic
- Use SSL/TLS for internal and external communication of services/servers
- SSL for external communication
- Implement role based authentication controls for accessing the servers/services
- Use MFA for accessing cloud user accounts
- Use encrypted volumes
- Whitelist Corporate IP’s to connect to Jump host in Cloud or use VPN Servers for better security of network and its resources.
- Implement Disaster recovery plan and keep at least one copy of data at offsite location (not cloud) in case all the data is only available at Cloud.
- Use encryption services provided by cloud service provides, i.e. AWS provides option to encrypt RDS
- Log all network traffic to the cloud network (Inbound & outbound)
- Audit events for unusual activity and alarm admins to take corrective action whenever unusual activity occurs.
Network Controls
- IP Whitelisting
- IDS/IPS solutions for network
- Network access control lists & Security groups for traffic whitelisting
- Anti-Malware & Anti virus solutions
- Mitigate Zero-day vulnerabilities by using third party security gateways
Additional Security Controls for applications hosted in cloud
- Encryption of data at rest
- Encryption of data in transit
- Opacity layer between different cloud services and platform by using
- Data encryption
- Data integrity authentication
- Software and data signing
- Secure time stamping
- Encrypted communication between services
- Encrypted communication to outside world
- Use third party vulnerability management software to perform periodic scans for vulnerabilities. Resolve critical vulnerabilities within 48-72 hours once identified.
To conclude a holistic approach has to be taken to improve security. In this blog we discussed application security as well as Cloud Infrastructure security. In order to stay cloud ready, secure and competitive every organisation should follow the recommendations outlined in this article. This will definitely help in distinguishing self from the competition.