Web Services Security Frame
The key to making principles, patterns, and practices more effective is to have an organizing frame. While working on our patterns & practices WCF Security Guidance Project, we created the Web Services Security Frame for just such a purpose. We use the frame throughout the guidance to organize threats, attacks, vulnerabilities and countermeasures, as well as to organize principles, patterns, and practices.
Web Services Security Frame
Here's a snapshot of the frame (the power of the frame is that it's a durable, evolvable backdrop; in other words, you can shape it to your own purposes). You'll see this frame used throughout our upcoming guide. Notice that the categories serve as a pivot on which we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures).
| Category | Description |
| --- | --- |
| Auditing and Logging | Auditing and logging refers to how security-related events are recorded, monitored, and audited. |
| Authentication | Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password. |
| Authorization | Authorization is how your service provides access controls for resources and operations. |
| Configuration Management | Configuration management refers to how your service handles database connections, administration and other configuration settings. |
| Exception Management | Exception management refers to how you handle exceptions within your application, including fault contracts. |
| Impersonation/Delegation | Impersonation and delegation refer to how your service impersonates users and passes identity information downstream for authorization purposes. |
| Message Encryption | Message encryption refers to protecting a message by converting its contents to ciphertext using cryptographic methods. |
| Message Replay Detection | Message replay detection refers to identifying and rejecting messages that are re-submitted. |
| Message Signing | Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect whether its contents have been tampered with (i.e. authentication and integrity of the message). |
| Message Validation | Message validation refers to how you verify the message payload against a schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input includes input from clients consuming the service, file-system input, and input from network resources such as databases. Output typically includes the return values from your service and disk or database writes, among others. |
| Sensitive Data | Sensitive data covers the integrity and confidentiality of the user and application data you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files, or when transmitted over the network. |
| Session Management | A session refers to a series of related interactions between a client and your service. |
Threats / Attacks Organized By the Web Services Security Frame
| Category | Threats / Attacks |
| --- | --- |
| Auditing and Logging | Repudiation<br>Denial of service<br>Disclosure of confidential information |
| Authentication | Network eavesdropping<br>Brute force attacks<br>Dictionary attacks<br>Cookie replay attack<br>Credential theft |
| Authorization | Elevation of privilege<br>Disclosure of confidential data<br>Data tampering<br>Luring attacks<br>Token stealing |
| Configuration Management | Unauthorized access to configuration stores<br>Retrieval of clear text configuration secrets |
| Exception Management | Information disclosure<br>Denial of service<br>Elevation of privilege |
| Impersonation/Delegation | Elevation of privilege<br>Disclosure of confidential information |
| Message Encryption | Stealing sensitive data<br>Theft of encryption keys<br>Man in the middle attack |
| Message Replay Detection | Session replay |
| Message Signing | Data tampering |
| Message Validation | XPath injection<br>XML bombs<br>Canonicalization issues<br>Cross-site scripting<br>SQL injection |
| Sensitive Data | Memory dumping<br>Network eavesdropping<br>Configuration file sniffing |
| Session Management | Session hijacking<br>Session replay<br>Man in the middle attack<br>Inability to log out successfully<br>Cross-site request forgery<br>Session fixation<br>Load balancing and session affinity |
Vulnerabilities Organized by the Web Services Security Frame
| Category | Vulnerabilities |
| --- | --- |
| Auditing and Logging | Failing to audit failed logons<br>Failing to secure log files<br>Storing sensitive information in log files<br>Failing to audit across application tiers<br>Failing to throttle log files |
| Authentication | Using weak passwords<br>Storing clear text credentials in configuration files<br>Passing clear text credentials over the network<br>Permitting prolonged session lifetime<br>Mixing personalization with authentication<br>Using weak authentication mechanisms (for example, using basic authentication over an untrusted network) |
| Authorization | Relying on a single gatekeeper (e.g. relying on client-side validation only)<br>Failing to lock down system resources against application identities<br>Failing to limit database access to specified stored procedures<br>Using inadequate separation of privileges<br>Permitting over-privileged accounts |
| Configuration Management | Using insecure custom administration interfaces<br>Failing to secure configuration files on the server<br>Storing sensitive information in clear text<br>Having too many administrators<br>Using over-privileged process accounts and service accounts |
| Exception Management | Failing to use structured exception handling (try/catch)<br>Revealing too much information to the client<br>Failing to specify fault contracts with the client<br>Failing to use a global exception handler |
| Impersonation / Delegation | Failing to revert to a lower privilege after using impersonation<br>Improper use of global impersonation across the entire service |
| Message Encryption | Failing to encrypt messages<br>Using custom cryptography<br>Distributing keys insecurely<br>Managing or storing keys insecurely |
| Message Replay Detection | Failing to implement message replay detection |
| Message Signing | Unsigned messages that don't confirm the source<br>Unsigned messages that don't detect tampering |
| Message Validation | Using non-validated input to generate SQL queries<br>Relying only on client-side validation<br>Using input file names, URLs, or user names for security decisions<br>Using application-only filters for malicious input<br>Looking for known bad patterns of input<br>Trusting data read from databases, file shares, and other network resources<br>Failing to validate input from all sources, including cookies, SOAP headers, SOAP parameters, databases, and network resources |
| Session Management | Passing session identifiers over unencrypted channels<br>Permitting prolonged session lifetime<br>Having insecure session state stores<br>Placing session identifiers in query strings |
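As an added example (not code from the guide or the patterns & practices project), here is an inbound-message gate in Python that applies the Message Validation rules above: check size before parsing, enforce the character set, refuse DTDs (the mechanism behind XML bombs), check the structure against the expected operation, and allow-list the one field value instead of looking for known bad patterns. The namespace, operation name, size limit and AccountId format are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MAX_MESSAGE_BYTES = 64 * 1024                           # size limit (assumed)
ACCOUNT_ID = re.compile(r"[0-9]{8,12}")                 # allow-list for the one field accepted
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
NS = "urn:example:bank"                                 # hypothetical contract namespace


def validate_message(raw: bytes):
    """Gate an inbound SOAP body. Returns (ok, reason) or (ok, validated value)."""
    # 1. Size: reject before parsing so oversized payloads cost nothing.
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit"
    # 2. Character set: strict UTF-8 only, and no control characters.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False, "message is not valid UTF-8"
    if CONTROL_CHARS.search(text):
        return False, "control characters in message"
    # 3. No DTD: internal entity expansion is how XML bombs work, and
    #    xml.etree expands internal entities, so refuse any DOCTYPE outright.
    if "<!DOCTYPE" in text:
        return False, "DTD not permitted"
    # 4. Structure: well-formed, and the root must be the expected operation.
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != f"{{{NS}}}GetBalance":
        return False, "unexpected operation"
    # 5. Content: allow-list the field value rather than hunting for bad input.
    node = root.find(f"{{{NS}}}AccountId")
    if node is None or node.text is None or not ACCOUNT_ID.fullmatch(node.text.strip()):
        return False, "AccountId missing or not in the allowed format"
    return True, node.text.strip()
```

Schema validation proper (XSD) needs a library outside the standard library; the structural and content checks here are the stdlib stand-in for that step.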
Countermeasures Organized by the Web Services Security Frame
| Category | Countermeasures |
| --- | --- |
| Auditing and Logging | Identify malicious behavior<br>Know your baseline (know what good traffic looks like)<br>Use application instrumentation to expose behavior that can be monitored<br>Throttle logging<br>Strip sensitive data before logging |
| Authentication | Use strong password policies<br>Do not store credentials in an insecure manner<br>Use authentication mechanisms that do not require clear text credentials to be passed over the network<br>Encrypt communication channels to secure authentication tokens<br>Use HTTPS only with forms authentication cookies<br>Separate anonymous from authenticated pages<br>Use cryptographic random number generators to generate session IDs |
| Authorization | Use least privilege accounts<br>Tie authentication to authorization on the same tier<br>Consider granularity of access<br>Enforce separation of privileges<br>Use multiple gatekeepers<br>Secure system resources against system identities |
| Configuration Management | Use ACLs<br>Encrypt sensitive sections of configuration files<br>Use secure settings for the various operations of web services in configuration files |
| Exception Management | Use structured exception handling (by using try/catch blocks)<br>Catch and wrap exceptions only if the operation adds value/information<br>Do not reveal sensitive system or application information<br>Implement a global exception handler<br>Do not log private data such as passwords |
| Impersonation / Delegation | Use a C# using statement to revert impersonation automatically<br>Granularly impersonate only those operations that need it |
| Message Encryption | Use message security or transport security to encrypt your messages<br>Use platform-provided cryptography<br>Use platform features for key management<br>Periodically change your keys |
| Message Replay Detection | Cache an identifier for incoming messages, and use message replay detection to identify and reject messages that match an entry in the replay detection cache |
| Message Signing | Verify messages have not been tampered with in transit (data integrity)<br>Verify messages originate from the expected sender (authenticity) |
| Message Validation | Verify the message payload against a schema<br>Verify the message size, content and character sets<br>Filter, scrub and reject input and output before additional processing |
| Sensitive Data | Do not store secrets in software<br>Encrypt sensitive data over the network<br>Secure the channel<br>Encrypt sensitive data in configuration files |
| Session Management | Partition the site by anonymous, identified, and authenticated users<br>Reduce session timeouts<br>Avoid storing sensitive data in session stores<br>Secure the channel to the session store<br>Authenticate and authorize access to the session store |
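The Message Replay Detection countermeasure above, as an added example in Python that is not part of the guide: a replay-detection cache that keys each accepted message by a digest of its nonce, timestamp and body, rejects anything already cached, and pairs the cache with a freshness window so that expiring old entries never reopens a replay gap. The field names, window size and cache bound are assumptions, and the scheme only holds if the message signature covers the fields the identifier is built from.

```python
import hashlib
import time
from collections import OrderedDict

class ReplayDetector:
    """Replay-detection cache: remembers the identifier of every accepted
    message and rejects a message whose identifier is already cached.
    Messages more than `window` seconds from the receiver's clock are also
    rejected, which is what lets the cache forget entries safely."""

    def __init__(self, window=300, max_entries=100_000, clock=time.time):
        self.window = window            # freshness tolerance in seconds (assumed)
        self.max_entries = max_entries  # hard bound on cache size (assumed)
        self.clock = clock              # injectable for tests
        self._seen = OrderedDict()      # identifier -> receipt time

    @staticmethod
    def message_id(nonce, timestamp, body):
        # Built from fields the message signature must cover; an unsigned
        # identifier could be altered to slip a replay past the cache.
        digest = hashlib.sha256()
        for part in (nonce, str(timestamp), body):
            digest.update(part.encode("utf-8"))
            digest.update(b"\x00")  # separator avoids ambiguous concatenation
        return digest.hexdigest()

    def _evict_expired(self, now):
        # A message may arrive up to `window` seconds ahead of our clock, so an
        # entry must live 2 * window before the freshness check alone would
        # reject any copy of it; only then is eviction safe.
        while self._seen:
            first_seen = next(iter(self._seen.values()))
            if now - first_seen <= 2 * self.window:
                break
            self._seen.popitem(last=False)

    def accept(self, nonce, timestamp, body):
        """Return True for a fresh, never-seen message; False to reject it."""
        now = self.clock()
        self._evict_expired(now)
        if abs(now - timestamp) > self.window:
            return False  # stale or from the future: outside the cache's memory
        identifier = self.message_id(nonce, timestamp, body)
        if identifier in self._seen:
            return False  # replay
        if len(self._seen) >= self.max_entries:
            return False  # fail closed: evicting live entries would reopen a gap
        self._seen[identifier] = now
        return True
```

In a load-balanced deployment the cache must be shared across nodes (or requests pinned to one node), otherwise a message replayed against a different node is not recognised.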
Thanks
Special thanks to Rudy Araujo and ACE Team members, Richard Lewis and John Steer for their contribution toward helping shape a better frame.