HTTP headers for a more secure web application

The following headers are default when you enable Spring Security for a resource. If you are not using Spring Security you might want to add these manually. You might need to adjust the HSTS and X-Frame-Options to your needs so don’t just copy and paste here!

Cache-Control, Pragma, Expires

Prevent caching of resources that can leak information. Note that you might actually need to cache some resources in some systems.

X-Content-Type-Options

Prevent browsers from guessing the content type to protect agains polyglots.

Strict-Transport-Security

Require HTTPS for every connection after the first.

X-Frame-Options

Deny embedding in iframes to prevent click jacking.

X-XSS-Protection

Always block CSS when a filter catches it rather then try to fix it.

Wait, you need more (CSP)

Also you really should get a proper Content Security Policy in there as well. You can run your application in report only mode to check what you need to fine tune. Google has a great guide and evaluator that will get you set up.

Java secure coding guidelines

Writing secure code is hard.

The following checklist contains at least some pointer of what to keep in mind. Note that this does not include web development checks. Please check the OWASP Application Security Verification Standard Project for more information on that.

Antipatterns

  • Not validating input
  • Code has unnecessary permissions
  • Misusing public static variables
  • Ignoring changes to superclasses
  • Assuming exceptions are harmless
  • Beliving space of integers is unbounded
  • Trust user input to obey invariants
  • Beliving a constructor exception destroys the object
  • Beliving deserialisation in unrelated to constructors

0. Fundamentals

  • Prefer obviously no flaws to no obvious flaws
  • Design API’s to avoid security concern (i.e. final classes)
  • Avoid duplication
  • Restrict privileges (policy files, javax.security.AccessController.doPrivileged)
  • Establish trust boundaries
  • Minimize number of permissions checks (single point of access)
  • Encapsulate methods, fields and classes to coherent sets of behaviour

1. Denial of Service

  • Beware of activities that may use dispropportionate resources
    • Image processing
    • Complex object graphs
    • Zip bombs
    • Billion laughs attack
    • Parsing and processing complex grammars
    • Deserialisation processing anomalies
  • Release sources in all cases
  • Resource limit checks should not suffer from integer overflow

2. Confidential information

  • Purge sensitive information from exceptions
  • Do not log highly sensitive information
  • Purge highly sensitive information after use
    • Do not depend on garbage collection
    • Keep information local
    • Use char[] to clear traces

3. Injection and inclusion

  • Generate valid formatting
  • Avoid dynamic SQL
  • XML and HTML generation requires care
  • Avoid untrusted data on command line
  • Restrict XML inclusion
  • Care with files
  • Disable HTML display in Swing components
  • Take care of interpreting untrusted code

4. Accessibility and extensibility

  • Limit accessibility of classes, methods and fields
  • Limit accessibility of packages
  • Isolate unrelated code
  • Limit exposure of classloader instances
  • Limit extensibility of classes and methods
  • Understand how a superclass modifications affects subclass behaviour
  • Prefer composition insted of inheritance

5. Input validation

  • Validate inputs
  • Validate output from untrusted objects as input
  • Define wrapper arounds native methods

6. Mutability

  • Prefer immatable value types
  • Create copies of mutable output values
  • Create safe copies of mutable and subclassable input values
  • Support copy functionality for a mutable class
  • Do not trust identy equality when overridable
  • Treat passing input to untrust object as output
  • Treat output from untrust object as input
  • Define wrapper methods around modifiable internal state
  • Make public static fields final
  • Ensure public static final values are constants
  • Make classes final
  • Do not expose mutable statics
  • Static variables are global across a JRE

7. Object construction

  • Avoid exposing constructors of sensitive classes
  • Prevent unauthorized construction of sensitive classes
  • Defend against partially initialized instances of non-final classes
    • Throwing an exception from a constructor does not precent a partially constructed instance from being acquired
    • Attacker can override finalize() to obtain object
    • Constructors that call into outside code often naivelt propagate exceptions
  • Leaking this enables the same attack as if the constructor directly thre the exception
  • Prevent constructors from calling into methods tht can be overridden
  • Defend agains cloning of non-final classes
  • Throw exception BEFORE super() to destroy object

8. Serialisation and deserialisation

  • Avoid serialisation for security-sensitive classes
  • Guard data during serialisation
  • View serialisation the same as object construction
  • Duplicate SecurityManager checks during serialisation and deserialisation
  • Understand security permissions given to serialisation and deserialisation
  • Validate the data

9. Access control

  • Understand how permissions are checked
  • Beware of callback methods
  • Safely invoke AccesssController.doPrivileged
  • Know to restrict privileges through AccesssController.doPrivileged
  • Be careful caching results
  • Understand the context transfer
  • Understand how thread constructors transfer context
  • Safely invoke standard API’s that bypass SecurityManager checkes depending on the callers class loaer
  • Safely invoke standard API’s that perform tasks using the callers class loader instance
  • Be aware of standard API’s that perform Java language access checks against the caller
  • Be aware of java.lang.reflext.Method.invoke is ignored for checking the caller

AWS Overview

This is an overview of the Amazon Web Services most common components and some information about the AWS security model.

Infrastructure and Services

  1. Regions and availability zones
  2. Foundation services
  3. Platform services

1. Infrastructure

Regions

  • Regions are split into Availability zones
  • Availability zones can have multiple data centers

Edge locations

  • Instead of using the data centers data can be cached in edge locations
  • Used as CDN

2. Foundation services

  • Compute (EC2, Lambda, Auto-scaling)
  • Networking (Load-balancing, Route53, VPC)
  • Storage (S3, Block storage, glacies, EFS)

3. Platform services

  • Databases (DynamoDB, Relational DBs, Redshift)
  • Analytics (Kinesis, EMR, Data pipeline)
  • Deployment (Elastic beanstalk, CodeDeploy)
  • Mobile (Cognito, SNS)

AWS Elastic Compute Cloud (EC2)

  • Infrastructure as a Service (IaaS)
  • Spins up virtual machines in the cloud
  • Custom VM’s
  • Fully manages infrastructure
  • Fast provisioning
  • Elastic scaling
  • Pre-built images or bring your own
  • Configurable network
  • Use security groups to open/close ports

Amazon Machine Images (AMI)

  • Different images available
  • Configures OS and Root Volume
  • Public images available in AMI repo
  • AMI defines EBS backend (most common, flexible) or instance backend (faster and restricted)
  • AMI marketplace includes pre-build images with popular configurations

Storage options

  1. Root volume configuration
  2. Instance backend vs EBS backend
  3. Lifecycle of an instance

Root volume configuration

Defines where should OS be stored

Instance stored backed

Fast IO Drive directly connected to the instance Ephemereal storage Cannot be stopped

EBS stored backend

Slower IO Persistant storage Can be stopped

Lifecycle

Advanced features

  1. Machine types with different optimisations (cpu/memory/storage/gpu etc.)
  2. Instance metadata (info on system) and user data (scripts can be launched on startup). NOT SECURE!
  3. Pricing models

AWS Simple Storage Service (S3)

  • Online HTTPS accessible storage
  • Built for unstructured binary data (files)
  • Highly scalable, durable, limitless

Features

  • Access via SOAP/REST/Web/shell
  • Unlimited number of objects (each up to 5TB)
  • Secure with client-side or AWS provided server-side encryption
  • Bucket and object level access logs for auditing and compliance

Concepts

  1. Architecture
  2. Buckets and Object
  3. Security options

1. Architecture

2. Buckets and Object

Buckets
  • Top level containers for data (Objects)
  • Exist in gobal namespace
  • Created in a region
  • Cannot be nested
  • Usage/Charges can be aggregated by Bucket
Objects
  • Discrete data files betwenn 0-5 TB
  • Can be versioned
  • Bucket + Object + Version can map to unique URL

3. Security options

  • Access control at Bucket and Object
  • ACL’s
  • Identity and Access management policies
  • Bucket and Object policies can be defined with Access Policy Language (json)
  • Encrypt at rest with AES-256 or/and BYO and encrypt before sending

Advanced features

  1. Object Versioning
  2. Object Storage Classes
  3. Lifecycle Management

1. Object Versioning

  • Versioning set at bucket level
  • Existing objects have “null” version
  • New objects are assigned new version id
  • All versions are retained… even after delete

2. Object Storage Classes

  • Set at object level
  • Standard, Infrequently Accessed, Glacier, Reduced Redundancy
  • Different pricing, durability, and availablity

3. Lifecycle Management

  • Can delete old versions of files after some specified time
  • Can automatically move objects between storage classes
  • Configured with xml

Elastic Block Store (EBS)

  • Virtual hard drives in the cloud
  • Create volumes during EC2 creation or independently
  • SSD or Magnetic available
  • 1GB to 16TB available
  • Take snapshot into S3 at anytime
  • Use for root volumes, databases, application data
  • Pay per provision rather then usage

S3 comparasion

Virtual Private Cloud (VPC)

  • Private, isolated, virtual network
  • Create logically isolated subntes
  • Resolve ip adress ranges and assign to resources
  • Remotely connect to on-pre network with VPN
  • Supports both public and private networks
  • Available per Availability Zone

Security inside a VPC

  • Use network ACL’s and IAM Security Groups to controll access
  • Security groups control inbound and outbound traffic at intance level
  • Network ACL control inbound and outbound traffic at subnet level
  • Use a NAT gateway instance to allow access from private network to WAN
  • Setup route tables, firewalls, gateways

AWS Shared Responsibility Model

Defines who is responsible for what. Security in the cloud is up to user. Security of the cloud is handled by Amazon.

  1. Shared responsibility
  2. Physical security
  3. Hardware, software, network

EC2 Example

  • Amazon controls physical security
  • The user controls patching, firewall, security groups of the instance

S3 Example

  • Amazon controls patching and firewalls
  • The user controls access to filesm encryption, transport etc

2. Physical security

  • Non-descript, undisclosed locations
  • 24/7 security staff
  • Two factor auth for entry
  • Continual monitoring, logging and auditing

3. Hardware, software and network security

  • Automated change control process
  • Physical acces requires authorization with frequent renewal
  • Bastion servers act as gateways for privileged users
  • Network bboundary devices monitor and audit access
  • Unusual or abnormal activity monitoring of application usage, intrusion etc.

Regulatory compliance

  • HIPPA
  • PCI
  • ISO 27001
  • Many many more…

Grid

Container

Display

Defines the element as a grid container and establishes a new grid formatting context for its contents.

Grid-template-columns, grid-template-rows

Defines the columns and rows of the grid with a space-separated list of values.

Grid-template-areas

Defines a grid template by referencing the names of the grid areas which are specified with the grid-area property. Repeating the name of a grid area causes the content to span those cells. A period signifies an empty cell.

Grid-column-gap, grid-row-gap

Specifies the size of the grid lines. You can think of it like setting the width of the gutters between the columns/rows.

Grid-gap

A shorthand for grid-column-gap + grid-row-gap.

Justify-items

Aligns the content inside a grid item along the column axis (as opposed to align-items which aligns along the row axis).

Align-items

Aligns the content inside a grid item along the row axis (as opposed to justify-items which aligns along the column axis).

Justify-content

This property aligns the grid along the column axis (as opposed to align-content which aligns the grid along the row axis).

Align.-content

This property aligns the grid along the row axis (as opposed to justify-content which aligns the grid along the column axis).

Grid-auto-columns, Grid-auto-rows

Specifies the size of any auto-generated grid tracks (aka implicit grid tracks).

Grid-auto-flow

This property controls how the auto-placement algorithm works. Any items not explicitly given a grid-row and grid-column will be auto aligned.

Child styles

Grid-column-start, grid-column-end, grid-row-start, grid-row-end

Determines a grid item’s location within the grid by referring to specific grid lines. Can use names specified in grid-template-columns and grid-template-rows.

Grid-column, grid-row

Shorthand for grid-column-start + grid-column-end, and grid-row-start + grid-row-end, respectively.

Grid-area

Gives an item a name so that it can be referenced by a template created with the grid-template-areas property. Alternatively, this property can be used as an even shorter shorthand for grid-row-start + grid-column-start + grid-row-end + grid-column-end.

Justify-self

Aligns the content inside a grid item along the column axis (as opposed to align-self which aligns along the row axis).

Align-self

Aligns the content inside a grid item along the row axis (as opposed to justify-self which aligns along the column axis).

Flexbox

Examples

HTML

CSS

See the Pen Demo Flexbox 3 by CSS-Tricks (@css-tricks) on CodePen.

Container styles

Display

This defines a flex container.

Flex-direction

This establishes the main-axis.

Flex-wrap

Allow the items to wrap as needed.

Flex-flow

This is a shorthand flex-direction and flex-wrap properties. Default is row nowrap.

Justify-content

This defines the alignment along the main axis.

Align-items

This defines the default behaviour for how flex items are laid out along the cross axis.

Align-content

This aligns a flex container’s lines within when there is extra space in the cross-axis, similar to how justify-content aligns individual items within the main-axis.

Child styles

Order

This controls the order in which they appear in the flex container.

Flex-grow

This defines the ability for a flex item to grow if necessary.

Flex-shrink

This defines the ability for a flex item to shrink .

Flex-basis

This defines the default size of an element before the remaining space is distributed.

Flex

Shorthand for flex-grow, flex-shrink and flex-basis.

Align-self

This allows the default alignment (or the one specified by align-items) to be overridden for individual flex items.

ISO 27001 – The big picture

The ISO27001 protects Confidentiality, Integrity and Availability (CIA) of information. This is a quick overview of what it covers and how the process works.

Structure

4 main areas

  • Clauses 0-3 General definitions and content
  • Clauses 4-10 ISMS mandatory compliance
  • Annex A Technical controls
  • Bibliography

Clauses 4-10

7 clauses relating to the nature and operation of the ISMS.

4 – Context of the organisation

  • Boundaries of ISMS and its scope
  • Makes sure you understand the organisation
  • Makes sure you understand interested parties
  • States that the organisation shall implement a information security management system

5 – Leadership

  • Support from leadership
  • Documented information security policy that is communicated properly
  • Define and assign responsibilities for the policies

6 – Planning

  • Determine risk and opportunities
  • How to apply risk assessment process
  • How to identify and analyse risk
  • How to treat those risks
  • How to set and reach security objectives

7 – Support

  • Ensure enough support is available for the information security management system
  • Ensure organisation has adequate resources, competence and awareness
  • Requirements for documentation and how it can be controlled and updated

8 – Operation

  • Operating the ISMS processes
  • Operating risk assessments
  • Operating risk treatment

9 – Performance evaluation

  • Evaluate the effectiveness of the ISMS
  • Monitoring and measuring and analysing the performance
  • Handles management reviews

10 – Improvement

  • ISMS should be continuous process

Annex A

  • Lists control objectives and domains used in ISMS
  • 114 controls in total

Scope

  • Set scope as early as possible
  • Applies to process, data, people, places, activities
  • Consider internal and external factors
  • Consider interested parties
  • Consider relationship between activities in your and other organisations

Boundaries

  • Business activities, data
  • Location specific data (production/test in different place)
  • Channel specific transactions
  • Specific products/services
  • What’s important from customer point of view

Risk assessment

Key part of ISMS. Repeatable method for risk assessment.

  • Criteria for accepting risk (appetite)
  • Identifying risks
  • Analyzing risks
  • Evaluating risks

Statement of applicability

Contains a list of controls necessary to treat identified risks.

  • Go through all 114 controls
  • Justify inclusion of controls
  • Justify exclusion of controls
  • Whether implemented or not

Required documents

16 mandatory documents

  • Procedures
  • Policies

7 mandatory records

  • Internal audit records
  • Correct action records

Case study Background

Globomantics is an online web service that allows a user to fill in their personal info and request a brochure from a company for some specific service.

  • 25 staff in total, IT team of 4
  • 2 developer, 1dba, 1 sysadmin
  • Want to be 27001 as customers ar financial services and they capture PII

Scope

Brochure request

  • Requester web site
  • Requester database
  • Mailing labels

New client onboarding

  • Configure new client and campaign

Statement of applicability

  • Tailor ISO 27001 to your business
  • Go through all 114 controls
  • List include/exclude information in columns

Certification lifecycle

  1. Start with scope
  2. Risk assessment, Statement of applicability, Internal audit, Management review, Mandatory documents
  3. State 1 audit with external auditor (all should be done)
  4. Stage 2 audit with external auditor (more strict)
  5. Recommended for certification
  6. Audit findings

Toolset and support

Tool support

  • File share (no versioning or history)
  • Templates and toolkits (rapid generation, might not align to organisation needs)
  • Document management system (VCS, Sharepoint)
  • Risk management and governance system

Organisational support

  • Human resources
  • Facilities
  • Training
  • IT operations
  • Software development
  • Business stakeholders

3rd party support

  • Gap analysis prior to Stage 1 audit to find issues
  • Other external help