
Bluedog white paper - Our WebObjects Web Security Model


At Bluedog, our flagship product, the Workbench “Always on the Job!” social collaboration SaaS platform, is secured the way we architect all of our three-tier Java-based web applications. We secure the application with input validation, a core authentication and authorization framework based on LDAP and JNDI, configuration management that ensures testing for vulnerabilities, and strong use of cryptography. In addition, we use session management, exception handling, auditing and logging to secure the application and its web services. We also secure our routers and other parts of the network, and harden the host servers (patching, account management, directory access, and port monitoring). Most importantly, we design our WebObjects web applications securely from the start.


Page 1: Bluedog white paper - Our WebObjects Web Security Model

www.bluedog.net

Web Security 1 of 12

Understanding Our Web Security Model

The importance of the Internet as an information management and delivery technology is well known, and the obvious advantages of the three-tier web application model open new avenues to exploit the benefits of this technology to generate competitive advantage, reduce costs, and improve programmer and end user productivity. There is a concurrent rise of internal web portals (i.e., intranets) that exist behind organizations’ firewalls -- one of the most important areas for the development of new, component- or web-services-based applications. But security issues abound.

Looking beyond traditional client-server architecture, we will endeavor to foster communities that link different initiatives of the project in order to ease (through automation, workflow streamlining, and process improvement) the exchange of information. XML and a number of related technologies are the focus as a potential standard for cross-enterprise integration, as well as within the boundaries of an organization's intranet.

However, the benefits of ubiquitous web-based computing bring as many challenges: it magnifies problems such as scalability, high reliability, and availability for web-based applications. Then there are the inherent limitations of the medium itself, including the synchronous nature of HTTP, the stateless paradigm of the web, and a vulnerable security model. This section addresses our security model and how our approach to application design addresses the need to maintain customer confidential data during development and once application development has been completed.


Basic Security Model

In the three-tier web application architecture, security is built in at several levels. Exhibit 1 illustrates the nominal architecture of our security model as applied to three-tiered applications.

Exhibit 1. Nominal Architecture

Authorization differs from authentication: authentication ensures that only valid users obtain access to an application, whereas authorization controls which data and operations the authenticated user is allowed to reach after entering the application.


Confidentiality is the property of making information available only to the intended recipient. A systems administrator usually enforces it by creating lists of the users and groups that hold the permissions required to reach a resource -- the access control list (ACL).

Auditing is invaluable when an action performed on a user’s account must be verified. Non-repudiation is the ability to prove that a particular user performed some action. For example, a user submits a data change. With proper record keeping and audit trails, a systems administrator can prove that the action was performed from that user’s account. Designing the application to raise a flag or notify certain parties when fraud is detected limits exposure and reduces loss by being proactive.

The fourth component of three-tier application-level security is data integrity, provided by cryptography. Integrity mechanisms (message authentication codes and digital signatures) ensure that data has not been tampered with between the sender and the receiver, and encryption keeps outside parties from reading it, both of which matter when data crosses the public network; note that encryption on its own does not prevent modification, which is why the two are used together. Biometrics, card keys, or other second-factor mechanisms can also be considered when data integrity and network security are being architected.

Web Tier

Our applications are architected to provide secure web server communication and support for Secure Sockets Layer/Transport Layer Security (SSL/TLS), HTTPS, and HTTP challenge-response authentication. Further, the web tier of the application supports user authentication against the single-sign-on authority, may support cookies (if desired), and applies database access controls for the secure handling of transaction operations.


At the web tier, user access is fundamental. To achieve security here, we start with authentication and maintain secure transmission of data between the client (web browser) and the web server via SSL.

Authentication is the process by which entities prove to one another that they are acting on behalf of specific identities. For example, when a user provides a user name and password at logon, the authentication process verifies that this is a valid application user and that the password matches the one on record for that user.

The two broad types of authentication are weak (or simple) authentication and strong authentication. Weak authentication involves the user providing only a username and password; no further authentication information is supplied. The major problem is that anyone who obtains another person’s username and password can impersonate them, and a security breach follows. Strong authentication is more secure because the user must additionally prove possession of something private, such as a digital certificate and its private key or a hardware token.

A primary goal is protecting communication privacy and data integrity. We rely on a Public Key Infrastructure to accomplish a substantial part of this goal. Creating a Certificate Authority, putting in place a policy for using this C.A. (for the SSL implementation), and documenting the procedures and mechanisms our developers use to ensure secure web traffic, end user/customer privacy, and message data integrity are part of the infrastructure build-out defined in our project management plan. Developers are given guidelines for the proper use of the C.A. for SSL traffic, written to avoid the common implementation mistakes that compromise security and performance.

Cryptography is employed via SSL for web or graphical user interface traffic, and at the application level to encrypt and sign data before it is sent to the database. By working with digital certificates and a descending hierarchy rooted at our C.A., management and control of security is centralized and simplified. This approach ensures that compromised or stale credentials can be revoked quickly and easily, that intrusions are isolated more quickly, and that the client has overarching control of the secure environment independent of the developers.

Once user access privileges are known (via C.A. and LDAP authentication), we use cryptographic functionality in the application tier (encrypting and hashing data, and applying digital signatures to ensure the authenticity of sources) to keep data away from unauthorized view.

Application Tier

By linking to a single-sign-on authority, we code applications to provide data security using access control lists and password policies. We store information about users and groups in a Lightweight Directory Access Protocol (LDAPv3) directory. LDAP is an open directory access protocol that runs over TCP/IP, scales to millions of entries, and offers fast lookups. Unified management of user and password data assures that all applications run off a certified environment that is centrally managed and governed by explicit security policies conforming to customer and regulatory requirements. “Consumer” LDAP replicas can be made available to other applications or modules, mirroring some or all of the centralized data.
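As an added illustration (not code from the Bluedog white paper or the Workbench product), the following Java class authenticates a user against an LDAPv3 directory through JNDI, the mechanism the description of our framework names. The directory URL, base DN, service-account DN and the LDAP_BIND_PASSWORD environment variable are assumptions. It binds as the user rather than comparing password attributes, escapes the username before placing it in a search filter (so a crafted login name cannot rewrite the filter), and refuses empty passwords, because an empty credential turns a simple bind into an anonymous bind that most directories accept.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.Hashtable;

/** Authenticates a user against an LDAPv3 directory by binding as that user. */
public final class LdapAuthenticator {

    // Assumed directory layout and service account; adjust to the real DIT.
    private static final String LDAP_URL  = "ldaps://ldap.example.internal:636";
    private static final String USER_BASE = "ou=people,dc=example,dc=com";
    private static final String SVC_DN    = "cn=app-bind,ou=services,dc=example,dc=com";
    private static final String SVC_PW    = System.getenv("LDAP_BIND_PASSWORD");

    /** Escape a value embedded in an LDAP search filter (RFC 4515 rules). */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);   // the bind itself is the credential check
    }

    /** Returns true only if the directory accepts the user's own credentials. */
    public static boolean authenticate(String username, String password) {
        // An empty password turns a simple bind into an anonymous bind on most
        // directories, and that bind succeeds. Reject it before touching LDAP.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        if (SVC_PW == null || SVC_PW.isEmpty()) {
            throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        }
        String filter = "(&(objectClass=inetOrgPerson)(uid=" + escapeFilter(username) + "))";
        DirContext svc = null;
        DirContext user = null;
        try {
            svc = bind(SVC_DN, SVC_PW);                    // service account resolves uid -> DN
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);      // we only need the entry's DN
            NamingEnumeration<SearchResult> results = svc.search(USER_BASE, filter, sc);
            if (!results.hasMore()) {
                return false;                               // unknown user
            }
            String userDn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return false;                               // ambiguous uid: refuse to guess
            }
            user = bind(userDn, password);                  // bind as the user with their password
            return true;
        } catch (NamingException e) {
            return false;                                   // bad password or directory error
        } finally {
            close(user);
            close(svc);
        }
    }

    private static void close(DirContext ctx) {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

Group membership for authorization is a separate search on the resolved DN after this call succeeds; the authentication result should never be derived from whether the search returned an entry, only from whether the user's own bind was accepted.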

Application-level security provides a means to authenticate users; authorization and roles based on access control lists mapped to the central user database; a mechanism to audit information to be processed and to achieve non-repudiation; encryption for data security; and support for secure transmission and data storage.

Critical data (defined as customer confidential, business confidential, or legally mandated as confidential) is transmitted in encrypted form (using SSL), then encrypted in the application before transmission to the database. The connection from the application to the database may also use SSL encryption (Oracle and other major database vendors support this for the application-to-database connection). Sensitive or confidential data such as social security numbers and credit card numbers is therefore stored encrypted, and passwords are stored only as salted one-way hashes, so casual perusal of the persistent store by DBAs or internal users yields nothing usable.

We architect application and database components to comply with the J2EE v1.2, EJB v1.1, and Java Servlet v2.2 security models as defined by Sun and the Java community.

The Java 2 security architecture is itself composed of three layers: the Java language, the compiler and runtime system, and the Security Manager. At the language layer, Java achieves security in several ways. First, all primitive data types have a defined size, independent of the machine architecture. Second, pointer arithmetic and forged references to objects are not possible. Third, Java provides array-bounds checking.

Objective of the MVC Approach -- Segregating Presentation, Business Logic and Persistent Data

The model-view-controller design of the three-tier architecture serves multiple purposes. Two important ones are that presentation can occur in various formats, independent of the application, and that business logic is coded in Java classes, so database independence is maintained and scalability is enhanced. A further benefit is that the component architecture allows organizations to build scalable, secure, multi-platform applications as re-usable server-side components. This architecture has three main security goals.


• It reduces the burden placed on the developers working on independent application components that contain the business logic of an enterprise application. Modules pertaining to sensitive or confidential information can be segregated via a “Chinese wall” approach.

• This approach also allows applications to be portable across different vendors’ servers and permits different vendors to use different security mechanisms. For example, the reliability of Unix systems can be deployed facing the public, while internal systems can run in a Windows environment, with the two tiers isolated so that a compromise of one does not carry over to the other.

• This approach provides support for security policies to be set by the application deployers, the experts in a specific operational environment, or the application assembler who provides the solution, rather than by the code developer.

Database Tier

Access to the persistent data store from the various applications is controlled by assigning specific database user identifiers based on the needed application role. The application, on the protected side of the firewall, may communicate with the database(s) via a dedicated port, with encryption of traffic. Data may also be encrypted at the application level (see above) before it is transmitted via the database connector (JDBC, in many cases).

Specific database controls are implemented as well. For example, SQL Server provides for secure connections and can implement role-based security that limits developer (and application module) access to certain tables and table spaces. SQL injection is a risk on every vendor's database, not only Microsoft’s; in all cases we pay special attention to preventing so-called SQL injection attacks by keeping user input out of the SQL text.
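The following Java is an added example rather than code from the paper. It shows the difference between splicing user input into SQL text and binding it as a parameter via JDBC, which is what defeats SQL injection regardless of database vendor, with an allowlist check on the identifier as the input-validation layer in front of it. The table, column names and identifier format are assumed. A Connection is expected from the caller, so findCustomerNames needs a JDBC driver and database to run, while main runs stand-alone and prints the two query strings.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Why the application binds parameters instead of splicing user input into SQL text. */
public final class CustomerLookup {

    /** Allowlist for the identifier format; assumed shape, adjust to the real schema. */
    private static final Pattern CUSTOMER_ID = Pattern.compile("[A-Z][0-9]{4,8}");

    /** Vulnerable form: the input becomes part of the SQL text, so a quote ends the literal. */
    static String buildQueryUnsafe(String customerId) {
        return "SELECT name, ssn FROM customers WHERE customer_id = '" + customerId + "'";
    }

    /** Safe form: the SQL text is fixed; the driver sends the value separately, as data. */
    public static List<String> findCustomerNames(Connection conn, String customerId) throws SQLException {
        if (!CUSTOMER_ID.matcher(customerId).matches()) {
            throw new IllegalArgumentException("malformed customer id");   // input validation first
        }
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT name FROM customers WHERE customer_id = ?")) {
            ps.setString(1, customerId);        // any quote characters stay inside the value
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        String hostile = "x' OR '1'='1";        // constructed attacker input
        System.out.println(buildQueryUnsafe("C1001"));
        System.out.println(buildQueryUnsafe(hostile));
        // The second string reads ... WHERE customer_id = 'x' OR '1'='1' and returns every
        // row, ssn column included. The prepared form compares the literal value x' OR '1'='1
        // against customer_id and matches nothing; here the allowlist rejects it even earlier.
        System.out.println("allowlist accepts hostile input: " + CUSTOMER_ID.matcher(hostile).matches());
    }
}
```

Note that the database user the application connects as should hold only the privileges the module needs (for this lookup, SELECT on the one table), so that even a query that slips through cannot read or alter other tables.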


Network Tier

The emphasis on network security is not just on installing firewalls and Virtual Private Networks (VPNs) to prevent outside attackers from gaining access to valuable and confidential data. We design and enforce a traditional DMZ-style network architecture that segregates the web (presentation) layer on Apache or IIS web servers; the only traffic through the inner firewall is via the application adapter, leaving only ports 80 (HTTP) and 443 (HTTPS) open to the outside world.

The DMZ model is the proven way to expose publicly accessed assets. Our approach, relying on a true three-tier architecture, ensures that no uncompiled (source) code sits on the public-facing web server where it could be tampered with. Further, only HTTP/HTTPS traffic can pass to the outside world, web server-to-application traffic is confined to the secure side of the network, and application-to-database traffic is restricted further still.

Operating System Tier

Internet Protocol Security (IPsec) provides application-transparent encryption for IP network traffic, as well as other network access protections, in the Windows operating system environment. Furthermore, for a Windows environment, the most important thing we can do to maintain system security is to stay current with security updates. We craft guidelines to secure Windows servers based on known security flaws and the vendor’s own guidance.

In the Unix environment (and to the extent possible in other ones), we maintain system security by confirming that the latest OS versions and patches are installed, regularly checking logs and file system integrity for suspicious activity, and making regular backups.

A key way to ensure security is to limit access. Strong passwords (longer than 8 characters, with mixed-case and non-alphanumeric character requirements and expiration dates) help, as do session time-outs (for web applications), cookie expirations, password-protected screen savers, restricted access to shared drives, the ability to disable remote logons, properly set permissions, and legal and user-responsibility notices displayed before logon. Simply reviewing the user list regularly and removing unnecessary accounts also boosts the reliability of the security model.

Restricting Developer Access to Sensitive Data

For development, we use the Concurrent Versions System (CVS) to control code revisions, as well as to limit access to modules based on role. Our security officer ensures that developers who have access to sensitive data are vetted, and procedures are established to grant and rescind access during the life of the project.

During development, surrogate data is used rather than live customer- or business-confidential data. Once we enter the Systems Integration Testing phase, live data is used to populate the deployment database, and from that point the test environment is subject to the same access controls as production. Oversight of the running of SQL scripts by appropriate personnel is provided by our security officer.

Other Security Issues

Because we have a global view of the three-tier model, we endeavor to apply high-level techniques to ensuring proper access, communicating securely with authorized persons, and controlling where data lives. One example is the proper architecting of an auditing methodology.

Auditing and event logging enable detection of unauthorized access and support the response to it. Furthermore, questions of data recovery, access permissions, other failure recovery, responsibility, and authority can be answered from the robust audit and event logging methodology we incorporate into our application and database design.

The level of granularity at which access to data can be controlled is set during design, but typically this includes: at the GUI, user/password access, secure transmission of data via SSL, and C.A. or IP screening. At the application level, classes re-check the user’s level of access before presenting data. Transmission of sensitive or confidential data can be encrypted, and the data itself can be encrypted using strong algorithms before transmission or recording in the database. The database schema can be set to control access to tables based on roles, and access to specific records or fields can be limited. By keeping security and other business logic in the application layer, database independence is maintained; for example, we do not architect security functionality into stored procedures, relying instead on routines defined in Java code.

Use of the ACL and a centralized repository with a single authority (the master user LDAP) defines how different user categories are configured for security. Role-based and group-based security definitions are referenced in the application logic and in the database schema, so even if decompiled code were modified to let an unauthorized user attempt to view restricted data, two additional levels of control would prevent the data from being displayed. Roles define who has read-only, edit, or delete privileges in the applications.
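As an added example (not from the paper), the class below combines the two application-tier controls this section describes: the application class re-checks the caller's privilege, derived from group membership and an ACL, immediately before returning data, and it writes every decision to an audit trail whose entries are hash-chained so that a later edit or deletion of an entry is detectable. The users, groups and ACL entries are constructed stand-ins for what would come from the master LDAP. A hash chain alone gives tamper evidence; for non-repudiation against an operator with write access the chain head would additionally be signed or anchored outside the application’s own database.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Application-tier authorization re-check plus a tamper-evident audit trail. */
public final class AccessGate {

    public enum Privilege { READ, EDIT, DELETE }

    // Constructed stand-ins for group membership from the master LDAP and for the ACL
    // (group -> privileges on customer records). A real deployment loads both at runtime.
    private static final Map<String, Set<String>> USER_GROUPS = new HashMap<>();
    private static final Map<String, Set<Privilege>> GROUP_ACL = new HashMap<>();
    static {
        USER_GROUPS.put("alice", Set.of("claims-clerks"));
        USER_GROUPS.put("bob",   Set.of("claims-managers"));
        GROUP_ACL.put("claims-clerks",   EnumSet.of(Privilege.READ));
        GROUP_ACL.put("claims-managers", EnumSet.of(Privilege.READ, Privilege.EDIT, Privilege.DELETE));
    }

    /** One audit entry; its hash covers the previous entry's hash, forming a chain. */
    public static final class AuditEntry {
        final String timestamp, user, action, resource, outcome, prevHash, hash;
        AuditEntry(String ts, String user, String action, String resource, String outcome, String prevHash) {
            this.timestamp = ts; this.user = user; this.action = action;
            this.resource = resource; this.outcome = outcome; this.prevHash = prevHash;
            this.hash = sha256(body());
        }
        String body() {
            return timestamp + "|" + user + "|" + action + "|" + resource + "|" + outcome + "|" + prevHash;
        }
    }

    private final List<AuditEntry> auditTrail = new ArrayList<>();

    /** Privileges the ACL grants this user, derived from group membership only. */
    public static Set<Privilege> privilegesOf(String user) {
        Set<Privilege> granted = EnumSet.noneOf(Privilege.class);
        for (String g : USER_GROUPS.getOrDefault(user, Set.of())) {
            granted.addAll(GROUP_ACL.getOrDefault(g, Set.of()));
        }
        return granted;
    }

    /** Re-checks authorization right before data is handed out; records ALLOW and DENY alike. */
    public String fetchCustomerRecord(String user, String customerId, Privilege needed) {
        boolean allowed = privilegesOf(user).contains(needed);
        record(user, needed.name(), "customer:" + customerId, allowed ? "ALLOW" : "DENY");
        if (!allowed) {
            throw new SecurityException(user + " lacks " + needed + " on customer " + customerId);
        }
        return "{customer:" + customerId + "}";   // stand-in for the real data-access call
    }

    private synchronized void record(String user, String action, String resource, String outcome) {
        String prev = auditTrail.isEmpty() ? "GENESIS" : auditTrail.get(auditTrail.size() - 1).hash;
        auditTrail.add(new AuditEntry(Instant.now().toString(), user, action, resource, outcome, prev));
    }

    /** Verifies the chain: an edited or deleted entry breaks every hash after it. */
    public synchronized boolean auditTrailIntact() {
        String prev = "GENESIS";
        for (AuditEntry e : auditTrail) {
            if (!e.prevHash.equals(prev) || !e.hash.equals(sha256(e.body()))) return false;
            prev = e.hash;
        }
        return true;
    }

    public synchronized int auditTrailSize() { return auditTrail.size(); }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        AccessGate gate = new AccessGate();
        System.out.println(gate.fetchCustomerRecord("alice", "C1001", Privilege.READ));
        try {
            gate.fetchCustomerRecord("alice", "C1001", Privilege.DELETE);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println(gate.fetchCustomerRecord("bob", "C1001", Privilege.DELETE));
        System.out.println("audit entries: " + gate.auditTrailSize() + ", chain intact: " + gate.auditTrailIntact());
    }
}
```

Denied attempts are recorded as deliberately as allowed ones: a run of DENY entries from one account is exactly the signal the fraud-notification mechanism described earlier should act on.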

A centralized user data repository means that configuring new users is simplified: the systems administrator imports new user lists, assigns them to groups, assigns privileges to groups in a user-friendly GUI, and maintains user data in one application. Failover and hot-site recovery affect security as well as systems performance and scalability. Our application architecture takes defined service level requirements into account to ensure the capability to handle user loads, maintain application responsiveness, audit and verify data changes,

At Project Inception

Upon kickoff of the project, we define in a project management plan (subject to client review and approval) a systematic approach that applies our knowledge of security best practices to secure web applications during development and for deployment.

Action items when the project commences:

• Define the basic policies to ensure web application security, referencing the motivations for each. For example, where statute (such as HIPAA) and standards such as HL7 apply, define the database schema to reflect the “Chinese walls” needed to protect the relevant customer data.

• Define the scope and parameters of a threat analysis of web-accessible assets.

• Set the SOPs to protect operating system and file system data by using the features available in the development, test, and deployment environments. For example, harden Unix servers by setting up security rules, policies and procedures, and implement techniques to foil common attacks such as IP spoofing, denial of service, and buffer overflows.

• Use the Java cryptography classes (the javax.crypto and java.security packages) to transform block or string data from cleartext into ciphertext, and follow general secure-coding best practices to ensure a secure web application.

• Protect the portion of the web applications that requires private communications by using SSL, and guard intranet assets with network filtering, defining which firewall techniques will be used (such as Network Address Translation and port control).

• Define test plans that use a structured approach to testing web application security in conjunction with systems integration testing and user acceptance testing.


• Apply our knowledge of authentication using Secure User Identifiers (SUIDs) and Access Control Lists to combat impersonation, and apply the principle of running with least group/user privilege, so that request processing can reach only the system resources it needs to accomplish its normal work.