{"id":41442,"date":"2016-10-10T14:05:01","date_gmt":"2016-10-10T08:35:01","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=41442"},"modified":"2016-10-10T15:29:08","modified_gmt":"2016-10-10T09:59:08","slug":"security-best-practices","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/security-best-practices\/","title":{"rendered":"Security Best Practices"},"content":{"rendered":"<p><strong>Security Best Practices<\/strong><\/p>\n<p>More and more organizations today realize how important it is to manage the security of their websites and applications, whether on the cloud or in on-premise datacenters. Organizations are rapidly <a title=\"product engineering services\" href=\"http:\/\/www.tothenew.com\/product-engineering\">adopting Hybrid Cloud models<\/a> in which managing security is of paramount importance. In order to cater to rapidly changing business realities, organizations are constantly evaluating methods to deploy software faster and meet or exceed organization goals. This has pushed information security teams to become more competitive and faster in aligning with business needs.<\/p>\n<p>A recent survey by WhiteHat Security puts the average number of threats at as many as 32 per site (in the IT industry).<\/p>\n<p>Traditionally, <a title=\"devOps consulting\" href=\"http:\/\/www.tothenew.com\/devops-automation-consulting\">DevOps<\/a> teams have worked in silos, and when it came to security, security teams were brought in to check for security only once development was over. This often meant that product releases were delayed because of security issues, or security issues were overlooked in order to meet aggressive timelines.<\/p>\n<p><span style=\"font-weight: 400;\">There are a number of organizations that\u00a0have learned the need for effective security the hard way, and often it was too late for some<\/span><span style=\"font-weight: 400;\">. 
Despite such lapses, there are businesses which continue to ignore them, either because they don\u2019t understand the implications or because they lack the knowledge &amp; support to bridge the security gap, and this now threatens their competitive edge.<\/span><\/p>\n<p>Organizations are increasingly adopting Agile processes to ensure faster delivery times for applications. DevOps teams collaborate to make sure the app is built and deployed quickly while making <a href=\"http:\/\/www.tothenew.com\/devops-chef-puppet-docker\">use of automation tools<\/a> at every step. Most often security, which should be an integral part of the product life cycle, is overlooked.<\/p>\n<p>In order to make security an integral part of <a title=\"product development consulting\" href=\"http:\/\/www.tothenew.com\/product-engineering\">product development<\/a> we\u00a0recommend implementing the OWASP Top 10 controls along with additional controls on infrastructure hosted on the Cloud of different service providers (AWS, Azure etc.).<\/p>\n<p><strong>OWASP Top 10 Security Controls:<\/strong><\/p>\n<p><strong>Verify for Security Early and Often<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Include security as an integral part of development<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Security is part of every sprint and user story<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Instead of performing a vulnerability assessment at the end of development, the assessment is taken as one of the milestones of every sprint cycle<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Security is included while testing every story and task, i.e. 
while building a feature for passing data from one service to another service, data is stored in encrypted form and transmitted in a secure manner to ensure it is safe both at rest and in transit<\/span><\/li>\n<\/ul>\n<p><strong>Parameterize Queries<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use of prepared statements (Parameterized Queries)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use of Stored procedures<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Escaping all user supplied inputs to ensure untrusted data is not processed<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Enforcing least privilege for every user\/action<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Whitelist input validation to ensure that only the values required for a given action are allowed<\/span><\/li>\n<\/ul>\n<p><strong>Encode Data<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use output encoding, i.e. translating special characters into equivalent characters which are not dangerous for the target interpreter<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\"><strong>Validate All Inputs<\/strong><\/span><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Every input is treated as dangerous; hence encoding and parameterization are used to ensure entered data meets security requirements<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">For e.g. 
if a user enters 4-digit account info, the data is treated as dangerous: it is checked to be only a 4-digit numerical value that does not contain special characters usable for an SQL injection attack, and the user is checked to be authorized to access the said account info<\/span><\/li>\n<\/ul>\n<p><strong>Implement Identity and Authentication Controls<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Implementing MFA for securing authentication<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Mobile Application: Token based authentication so that the server authenticates each request instead of using session cookies, which often store data unencrypted<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Access validation controls to ensure the rights of each user are validated before they\u00a0perform any function. This ensures that only an authorized user is making the required changes<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure Password Storage<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure Password recovery mechanism, e.g. a user can only retrieve the password using the authorized email account on the system<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Session generation &amp; expiration mechanism to ensure timely closure and revalidation of session information<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Session reauthentication for sensitive features, for e.g. 
password change<\/span><\/li>\n<\/ul>\n<p><strong>Implement Appropriate Access Controls<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">All requests will go through Access control checks<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Least privilege principle<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Deny All by default<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use of separate access control engine for better performance and security controls<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Server side trusted data controls, for e.g. does user have required access etc.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Validation of access by access control engine before granting access<\/span><\/li>\n<\/ul>\n<p><strong>Protect Data<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encryption of data at rest<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encryption of data in transit using TLS<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SSL &amp; TLS encryption<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure storage on Mobile devices<\/span><\/li>\n<\/ul>\n<p><strong>Implement Logging and Intrusion Detection<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Application monitoring<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Business analytics &amp; insight<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Application logging for Access 
Control requests<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Activity auditing &amp; compliance reporting<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use of IDS\/IPS for protecting the environment against unauthorized access<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use of Web application firewalls for mitigating DDoS attacks, SQL injection attacks etc.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Forensics for identifying security lapses<\/span><\/li>\n<\/ul>\n<p><strong>Leverage Security Frameworks and Libraries<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use the built-in security framework of the language instead of third party frameworks<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Less use of 3rd party security frameworks reduces the attack surface<\/span><\/li>\n<\/ul>\n<p><strong>Error and Exception Handling<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">How?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Manage exceptions in a centralized way to avoid duplicated catch blocks in the code<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ensure all unexpected behavior is correctly handled inside the application<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ensure that error messages do not display critical data and only display enough information to explain the issue to the user<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ensure logged information is enough for the IT team to understand the issue without giving away any critical\/sensitive information<\/span><\/li>\n<\/ul>\n<p><strong>Cloud Infrastructure security 
controls<\/strong><\/p>\n<p>Apart from the above controls, we should also implement controls to secure the infrastructure hosted in the Cloud.<\/p>\n<p><strong>Operating System hardening<\/strong><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Disable unnecessary services on the servers<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use encrypted volumes for storing data<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Anti-malware for protecting the systems from malware<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Data integrity checks to ensure data is intact and only authorized changes are made<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Disable Root Login on the servers<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use strong SSH Keys instead of passwords and rotate SSH keys every 30-45 days<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use individual user accounts on the servers so that it is easier to audit the actions performed on them<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Log account login &amp; access audit logs<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use a firewall for whitelisting legitimate traffic<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use CM tools (Chef, Puppet) to automatically roll back unauthorized configuration changes to the approved configuration<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Stop direct access to the servers hosted in the cloud and instead use a Jump Server to connect to them, and use separate accounts for Jump Hosts &amp; production servers hosted in the cloud for increased security.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use MFA for accessing the Jump Host so that only authorized users can access the servers<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use a VPN Server for private communication from the corporate network to the Cloud<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use LDAP or extend directory authentication services from the corporate network to the Cloud to have the same security controls as in the Corporate datacenter.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Perform periodic security updates. Install critical security updates within 48 hours to mitigate potential security risks<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use log management software for centralized logging that can be used for investigating security breaches. Use centralized logging with alerting capabilities so that security events can be detected early and corrective actions can be taken quickly<\/span><\/li>\n<\/ol>\n<p><strong>Cloud Security Controls<\/strong><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use separate environments (VPCs or Networks) for UAT, Staging, &amp; Production<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use Isolated subnets (Public &amp; Private Subnets)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use a NAT Server for internet access on instances in Private Subnets and block all unnecessary traffic<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use Access control lists for whitelisting required traffic. 
By default, all traffic should be blocked<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use security groups for individual instances\/services for authorizing inbound traffic<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Restrict inbound &amp; outbound traffic via NAT, Security groups, &amp; Network access lists on private subnets<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encrypt traffic between network load balancers and servers<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use SSL\/TLS for internal and external communication of services\/servers<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SSL for external communication<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Implement role based authentication controls for accessing the servers\/services<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use MFA for accessing cloud user accounts<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use encrypted volumes<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Whitelist Corporate IPs to connect to the Jump host in the Cloud, or use VPN Servers for better security of the network and its resources.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Implement a Disaster recovery plan and keep at least one copy of data at an offsite location (not the cloud) in case all the data is otherwise only available in the Cloud.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use encryption services provided by cloud service providers, e.g. 
AWS provides an option to encrypt RDS<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Log all network traffic to the cloud network (Inbound &amp; outbound)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Audit events for unusual activity and alert admins to take corrective action whenever unusual activity occurs.<\/span><\/li>\n<\/ol>\n<p><strong>Network Controls<\/strong><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">IP Whitelisting<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">IDS\/IPS solutions for the network<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Network access control lists &amp; Security groups for traffic whitelisting<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Anti-Malware &amp; Anti virus solutions<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Mitigate Zero-day vulnerabilities by using third party security gateways<\/span><\/li>\n<\/ol>\n<p><strong>Additional Security Controls for applications hosted in the cloud<\/strong><\/p>\n<ol>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encryption of data at rest<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encryption of data in transit<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Opacity layer between different cloud services and platforms by using<\/span>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Data encryption<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Data integrity authentication<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Software and data signing<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure time 
stamping<\/span><\/li>\n<\/ol>\n<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encrypted communication between services<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encrypted communication to the outside world<\/span><\/li>\n<li style=\"font-weight: 400;\">Use third party vulnerability management software to perform periodic scans for vulnerabilities. Resolve critical vulnerabilities within 48-72 hours once identified.<\/li>\n<\/ol>\n<\/ol>\n<p>To conclude, a holistic approach has to be taken to improve security. In this blog we discussed application security as well as <a title=\"cloud devOps\" href=\"http:\/\/www.tothenew.com\/devops-aws\">Cloud Infrastructure security<\/a>. In order to stay cloud-ready, secure and competitive, every organisation should follow the recommendations outlined in this article. This will definitely help in distinguishing the organisation from the competition.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Best Practices More and more organizations today realize how important it is to manage security of their websites and applications on cloud or on-premise datacenters. Organizations are rapidly adopting Hybrid Cloud models in which managing security is of paramount importance. 
In order to cater to rapidly changing business realities, organizations are constantly evaluating methods [&hellip;]<\/p>\n","protected":false},"author":949,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":5},"categories":[2026,1174,2348,1],"tags":[324,2366,3468,1892,3912,3911],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/41442"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/949"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=41442"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/41442\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=41442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=41442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=41442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}