The most important thing in application security

What is the most important thing in application security? To ask it a different way: What is the single thing that an application must get right in order to protect its data, and by extension its users, from being compromised? After talking with several people that I frequently discuss such things with, it became apparent that it has to be access control. In my opinion, access control is the cornerstone of application security. Without it, all of your data may as well be publicly accessible. When done right, your data will stay where it should be, in your hands under tight control with access to it only by those who have been explicitly granted access.

So, how are developers supposed to implement such a tight access control component? The answer is a surprisingly simple combination of three controls:
1) Validate all input for correct format, rationality, and business-rule adherence.
2) Encode all output in a context-aware manner so as to prevent corruption or compromise of the system and its users.
3) Perform authorization at every access point in the application.

Although these three guidelines appear simple at first glance, getting them right can be quite difficult depending on the complexity of the application being developed. Additionally, you may notice that the access control guidelines cover more than just ACLs and calls to isAuthorized() and isInRole(). This is for good reason. Access control is so much more than this. Access control is about protecting every piece of data that an application stores, manipulates, and processes. For example, who should be authorized to see the value of a user's session token? Who should be able to see the values set in a user's cookies? By many people's definition of access control, these data elements are not considered, even though, in my opinion, they are just as sensitive as any other piece of data in the system. In the case of the session token, anyone who obtains the value can effectively become that logged-in user at will. As for cookie values, they can hold very sensitive information, although storing it there is highly discouraged for various reasons. As such, these data elements require just as much protection as the data elements you store in your database and protect from SQL Injection. If you don't know how to protect against SQL Injection, click here to find out how to solve this problem.
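The three controls above (validate input, encode output by context, authorize at every access point) are easier to see in code than in prose. The following is an added example written for this post, not code from the original author: a tiny in-memory document service with constructed users and documents. The names (User, Document, validate_doc_id, encode_for_html, is_authorized, read_document, update_document) and the owner-or-admin rule are assumptions chosen for illustration. Note that update_document repeats the authorization decision rather than trusting that read_document ran first, and that a missing document and a forbidden one produce the same error so the endpoint does not reveal which ids exist.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data for the example (not from the post).
USERS = {
    "alice": User("alice", frozenset({"user"})),
    "bob": User("bob", frozenset({"user"})),
    "root": User("root", frozenset({"admin"})),
}
DOCUMENTS = {
    1: Document(1, "alice", "Q3 forecast"),
    2: Document(2, "bob", 'Notes <script>alert("x")</script>'),
}

MAX_DOC_ID = 1_000_000   # assumed upper bound for a "rational" id
MAX_BODY_LEN = 10_000    # assumed business rule for document size


def validate_doc_id(raw):
    """Control 1: format (decimal digits only) and rationality (positive,
    bounded). Anything else is rejected before it reaches business logic."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("doc id must be a decimal string")
    doc_id = int(raw)
    if not 1 <= doc_id <= MAX_DOC_ID:
        raise ValueError("doc id out of range")
    return doc_id


def validate_body(body):
    """Control 1 again, for the document body (length business rule)."""
    if not isinstance(body, str) or len(body) > MAX_BODY_LEN:
        raise ValueError("body missing or too long")
    return body


def encode_for_html(text):
    """Control 2: output encoding for the HTML text/attribute context.
    A different sink (JavaScript, URL, SQL) needs a different encoder."""
    return html.escape(text, quote=True)


def is_authorized(user, action, doc):
    """Control 3: an explicit, default-deny decision for one user, one
    action and one object. Admins may do anything; owners may read and
    update their own documents; everyone else is denied."""
    if "admin" in user.roles:
        return True
    if action in ("read", "update") and doc.owner == user.name:
        return True
    return False


def _load_authorized(user, action, raw_doc_id):
    doc_id = validate_doc_id(raw_doc_id)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(user, action, doc):
        # Same error for "missing" and "forbidden": no existence leak.
        raise PermissionError("not found or not permitted")
    return doc


def read_document(user, raw_doc_id):
    """Access point 1: validate, authorize, then encode for the HTML sink."""
    doc = _load_authorized(user, "read", raw_doc_id)
    return f"<p>{encode_for_html(doc.body)}</p>"


def update_document(user, raw_doc_id, new_body):
    """Access point 2: authorization is repeated here; it is never assumed
    because the caller happened to pass read_document earlier."""
    body = validate_body(new_body)
    doc = _load_authorized(user, "update", raw_doc_id)
    doc.body = body
    return doc.doc_id


if __name__ == "__main__":
    print(read_document(USERS["bob"], "2"))
    try:
        read_document(USERS["bob"], "1")
    except PermissionError as err:
        print("bob reading doc 1:", err)
```

The encoding step is tied to the sink: the body is escaped for HTML because that is where read_document sends it. If the same value were later placed inside a JavaScript string or a URL parameter, it would need that context's encoder instead; the validated, unencoded value stays in the store.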

Proper input validation, output encoding, and stringent authorization are the keys to getting access control right. At the heart of the matter, access control is nothing more than keeping what should only be accessed by specific individuals safe from being accessed by others. It applies not only to the data you process, but also to the data you generate and send back to the user.
