Passwords

I set a unique reset password for any user, and set them to expire immediately. As much as feasible, the technology being implemented must enforced password complexity. I allow users to change their own passwords.

I protect passwords at all times.

I change default accounts and passwords immediately.

I ensure authentication over the network is encrypted. I provide the user appropriate assurances of the identity of the site.

In a database, passwords can be stored once salted and then hashed to limit risk if compromised. I take measures to ensure no disclosure of passwords to any unauthorized person nor entity. I prevent users from re-using recent passwords.

Accounts and permissions

I never want to use a generic or service account if the same function can be performed effectively with a named account. Otherwise, I must make an expiration date and specific responsible party for such use.

The day-to-day administration, operation and protection of any system must be the responsibility of specifically named individuals. To maintain an effective relationship, I must document changes to responsible parties (systems and accounts) in a Service Level Agreement (SLA) or Operational Level Agreement (OLA).

I follow the least privilege principle with role-based access control (RBAC). Not following this principle could draw unwanted attention during an incident or audit. It violates least privilege to clone from an existing user's permissions to grant permissions to a new user. Temporary permissions may be granted by approval for exceptional tasks and revoked immediately upon completion.

I avoid user elevation in all my implementations.

Traceability, backup and encryption

I ensure authentication is traceable to a user. Wherever possible, this includes administrator privileged users. I ensure all access to accounts with administrative privileges is authenticated. I preserve logging of all authentication transactions.

I treat information collected by access control systems with a high degree of confidentiality. I label information as confidential if it has content about its physical location, configuration, security, and management details.

I ensure personal, confidential or restricted information is encrypted if the storage media must travel with me in public spaces. I ensure private or sensitive data stays encrypted at all times except where superceded by a high degree of physical security.

I must have a formal backup and recovery plan for my servers.

I ensure capture of important events in logs to support regular audits. Important events include transactions, login, logout, and other critical application operations. I backup log files to protect integrity of the audit trail. I monitor and inspect log files regularly. I do not log session tokens, nor any PII. I log all configuration changes.

Threat and vulnerability management

Threat and vulnerability management is all about minimizing the attack vectors. I disable unused Administrator or debug functions in software. I disable or delete unnecessary files and services. I control file permissions. I minimize the number of administration interfaces and amount of administrative access. I require authentication and authorization before permitting configuration changes.

I implement security patching within the defined timeline. I act upon skipped patches as a risk. Inadequate or untimely patching can leave systems vulnerable. Security flaws in any tier of software may affect the security of an application.

I use industrial security toolkits to circumvent viruses and malware. I use strong firewalls and avoid connection to a hostile network.

I enable malware scanning tools to be capable of daily update.

I review the system for weak passwords. I review the system for open file shares. I review the system for configuration mistakes.

Incident Reporting

In any incident violating security policies or the law, it is important to

  • contain the incident,
  • preserve evidence,
  • eradicate the source of threat,
  • report the incident locally,
  • restore the environment, and
  • follow up to evaluate the effectiveness of the process in managing the incident.

Securing complex applications

Software is not limited to single executables or platforms, but can span multiple server tiers. For example, an application with 5 tiers spanning 4 networks is not uncommon.

Layer Tier Data Runtime and protocols
app 1 Client device local disk App, browser, ...
with java, HTML, javascript, flash, ...
net 1 Public network firewall HTTP, HTTPS, ...
app 2 Web server local disk Apache, IIS, ...
with JSP, ASP, CGI, PHP, C++, ...
net 2 DMZ network firewall HTTPS, SMTP, SFTP, ...
app 3 Business server local disk Weblogic, Tomcat, ...
with servelets, J2EE, .NET, ...
net 3 Internal network trust JDBC, SQL, ...
app 4 Database server local disk SQL Server, Oracle, ...
with views, stored procedures, tables, ...
net 4 Storage network trust FCIP, iSCSI, ...
app 5 SAN storage SAN disk SAN volume