Core Security Patterns by Steel, Nagappan & Lai (2006)
Notes, Discussion Points and Review
Chapter One - "Security by Default"
Summary: End-to-end security is important to implement during
development, not post-deployment.
The use of double negatives can make this a difficult-to-read text.
Includes one-paragraph descriptions of numerous types of attacks
or security issues:
- Input Validation Failures - can allow "code injection attacks"
- Output Sanitation - avoid providing information that hackers could use to
mount an attack
- Buffer Overflow - typically results in crashing applications
- Data Injection Flaw - often done with pop up windows
- Cross-Site Scripting (XSS) - a hacker injecting malicious scripts into vulnerable
- Improper Error Handling - don't reveal error information to hackers (users)
that will let them learn more about how your website and software function.
- Insecure Data Transit or Storage - transmitting non-encrypted information
- Weak Session Identifiers - session identifiers that are unencrypted or sent before
authentication allow hackers to steal sessions.
- Weak Security Tokens - easily hacked passwords
- Weak Password Exploits - hacking password files or using a keystroke monitor
- Weak Encryption - encryption not strong enough for the situation.
- Session Theft - re-using a session or hijacking a session to bypass authentication
- Insecure Configuration Data - misconfigured SSL certificates, default accounts,
default passwords, etc.
- Broken Authentication -
- Broken Access Control
- Policy Failures
- Audit and Logging Failures
- Denial of Service
- Multiple Sign-On Issues
- Deployment Problems
- Coding Problems
- Sarbanes-Oxley Act (2002) - requires all public companies to comply
with regulations for financial reporting and corporate accountability. For
IT this means maintaining audit trails, controlling access rights, eliminating
multiple user accounts per person, and preventing unauthorized access to
- Gramm-Leach-Bliley Act (1999) - financial privacy. IT is primarily concerned
with safeguarding customer information. Calls for training employees (about
security), third-party testing of the information security infrastructure,
and enhancing and upgrading security.
- HIPAA (1996) - use of personal health information should be limited
to what is minimally necessary to administer treatment. Attempts to require
both high availability and security for personal health information.
- COPPA - any organization that releases personal information about
a child which is then used to support a crime can be prosecuted.
- EU Data Protection Directive (1995) - European Union set of rules
for handling personal data. Personal data must be kept confidential; individuals
must know in advance and in detail what information is collected, who will
use it, how and where it will be used; what procedure can be used to verify
and update it; and how to remove it.
- California Notice of Security Breach - requires immediate disclosure
of security breaches.
Smart cards and biometrics are introduced and briefly discussed.
Biometrics have been in use for a long time and have proven to be the most accurate
and effective way to provide identification.
The case that lays out "cost justification" for J2EE
security is poor. Not enough information is provided; they might as well be
pulling numbers out of the air (item G even has a math error). Reverse engineering
their assumptions indicates this would be a company of 10,000 people making
$280,000 in sales per day (profit or gross?).