Application Security Controls


Up to this point, our discussion has centered on system architectures and development processes. Hopefully, you’ve begun to wonder how applications are made to be secure in the first place. We discuss several techniques, characteristics, and mechanisms in this section.

Process isolation

With process isolation, running processes aren’t allowed to view or modify memory and cache that’s assigned to another process. For instance, if a user can see that a payroll program is running on the system, he won’t be able to read the memory space used by the payroll program.

Process isolation is a service that’s provided by the operating system. Windows, UNIX - and even much older OSs such as Kronos and TOPS-10 - perform and provide this function. The system developer doesn’t have to build a wall around his application to prevent others from snooping on it.

Hardware segmentation

Hardware segmentation refers to the practice of isolating functions to separate hardware platforms as required to ensure the integrity and security of system functions. This concept can also refer to keeping developers off of production systems and vice versa.

 Instant Answer   Hardware segmentation is used to keep application developers off of production systems. It is also used to keep different applications or environments from interfering with each other.

Separation of privilege

Separation of privilege (often called separation of duties) is closely related to least privilege, but the two are distinct. Least privilege ensures that no individual or object (such as a program that makes requests of a database) has more access rights on a system than its function requires. Separation of privilege goes further: a sensitive task is split into steps that must be carried out by different people or components, so that no one party can complete it alone. For instance, in a finance application, at least three people are involved in payments to others: those who request the payment, those who approve it, and those who perform it. Each of these functions should have privileges that permit it to perform only its approved step, and no one person should be able to perform more than one step on the same payment.

Accountability

Accountability refers to an application’s ability to record every auditable event by describing the event: who made the change, what the change was, and when the change was made. This feature makes it impossible (you hope) for an individual to make any change to data without the application (or database) capturing details about the change.

Accountability is only as strong as the underlying authentication and access control mechanisms. If employees habitually share passwords or use each other’s accounts, then it’s very difficult to associate any inappropriate data tampering with a specific individual.
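The following is an added example, not code from the book: a three-step payment workflow that enforces least privilege (each step needs its own role), separation of duties (nobody acts twice on the same payment), and accountability (every attempt, allowed or denied, is recorded with who, what and when). The role names, the sample users and the in-memory audit log are constructed for illustration.

```python
"""Separation of duties plus an audit trail for a three-step payment workflow.

Added example, not from the original text. The role names, the in-memory
ledger and the sample users below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each workflow step may only be performed by a principal holding that role
# (least privilege), and the steps must happen in this order.
REQUIRED_ROLE = {"request": "requester", "approve": "approver", "execute": "payer"}
STEP_ORDER = ["request", "approve", "execute"]


class SeparationOfDutiesError(PermissionError):
    pass


@dataclass
class Payment:
    payee: str
    amount: float
    history: list = field(default_factory=list)  # completed (step, user) pairs


class PaymentWorkflow:
    def __init__(self, roles):
        self.roles = roles          # user -> set of roles (constructed data)
        self.audit_log = []         # append-only: who, what, when

    def _record(self, who, what, payment):
        # Accountability: every attempt, allowed or denied, is written down
        # with who did it, what they did, and when.
        self.audit_log.append({
            "who": who,
            "what": what,
            "target": f"{payment.payee}:{payment.amount:.2f}",
            "when": datetime.now(timezone.utc).isoformat(),
        })

    def perform(self, user, step, payment):
        # 1. Least privilege: the user must hold the role for this step.
        if REQUIRED_ROLE[step] not in self.roles.get(user, set()):
            self._record(user, f"DENIED {step}: missing role", payment)
            raise SeparationOfDutiesError(f"{user} lacks the role for {step}")
        # 2. Steps happen in order; nobody executes an unapproved payment.
        done = len(payment.history)
        expected = STEP_ORDER[done] if done < len(STEP_ORDER) else None
        if step != expected:
            self._record(user, f"DENIED {step}: expected {expected}", payment)
            raise SeparationOfDutiesError(f"{step} not allowed now")
        # 3. Separation of duties: no one person acts twice on one payment.
        if any(who == user for _, who in payment.history):
            self._record(user, f"DENIED {step}: already acted", payment)
            raise SeparationOfDutiesError(f"{user} already acted on this payment")
        payment.history.append((step, user))
        self._record(user, step, payment)
        return step


def run_demo():
    """Walk one payment through all three steps and show two denials."""
    roles = {
        "alice": {"requester"},
        "bob": {"approver"},
        "carol": {"payer"},
        "dave": {"requester", "approver"},   # two roles, still not both on one payment
    }
    wf = PaymentWorkflow(roles)
    denied = 0
    p1 = Payment("Acme Supplies", 1250.00)
    wf.perform("alice", "request", p1)
    try:
        wf.perform("alice", "approve", p1)        # denied: alice is not an approver
    except SeparationOfDutiesError:
        denied += 1
    wf.perform("bob", "approve", p1)
    wf.perform("carol", "execute", p1)

    p2 = Payment("Globex", 980.00)
    wf.perform("dave", "request", p2)
    try:
        wf.perform("dave", "approve", p2)         # denied: dave already requested it
    except SeparationOfDutiesError:
        denied += 1
    return {"p1_history": p1.history, "denied": denied, "audit": wf.audit_log}


if __name__ == "__main__":
    for entry in run_demo()["audit"]:
        print(entry)
```

Note that dave holds both the requester and approver roles, which is legitimate, yet still cannot approve the payment he requested; that is the difference between least privilege (the roles he holds) and separation of duties (how those roles may be combined on one transaction). The denied attempts are logged too, since an audit trail that records only successes tells an investigator nothing about who tried what.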

Defense in depth

Also known as layering, defense in depth is a security architecture concept wherein assets requiring protection are protected with multiple separate mechanisms that form protective layers around the assets being protected. For example, a company may have a firewall but additionally implement host-based access control and other mechanisms. Then if any one of these fails, the others will still presumably run and prevent or detect security problems in the environment.

 Instant Answer   The practice of protecting a system or network with several concurrent mechanisms is defense in depth.

Abstraction

Abstraction is the practice of viewing an application in terms of its highest-level functions, so that all lower-level functions become abstractions. Lower-level functions are treated as black boxes: known to work, even if we don’t know how.

Data hiding

Data hiding is an object-orientation term for keeping an object’s internal data and implementation details inaccessible from outside the object, so that other objects can interact with it only through its defined interface. The related term encapsulation refers to bundling the data and the methods that operate on it together inside the object.

System high mode

System high mode refers to a system that operates at the highest level of information classification it holds. Any user who wants to access such a system must have clearance at or above that classification level, but not every user necessarily has a need to know for all of the information on it, so the system must still enforce access controls on individual objects.

Security kernel

The security kernel is the hardware, firmware, and software in a system’s trusted computing base that implements the reference monitor concept: it mediates every access by subjects to objects, must be protected from tampering, and must be small enough to be verified. In the protection rings model, the security kernel occupies the innermost ring (ring 0) and has full access to all system hardware and data; rings farther from the center represent fewer access rights, and user programs occupy the outer rings.

Reference monitor

The reference monitor is the operating system component that enforces access controls on data and devices on a system. In other words, when a user tries to access a file, the reference monitor ultimately performs the “Is this person allowed to access this file?” test.

 Instant Answer   The system’s reference monitor enforces access controls on a system.
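The following is an added example, not code from the book, that models both the system high mode and the reference monitor sections above: a single mediation function that every access request passes through, applying a mandatory clearance check (no reading above your clearance) and then a discretionary ACL check, and recording every decision. The classification ladder, the subjects, the objects and the ACL are constructed data.

```python
"""A minimal reference monitor with a system-high admission check.

Added example, not from the original text. The classification ladder, the
subjects, the objects and the ACL below are constructed data.
"""
from collections import namedtuple

# Ordered ladder: a clearance dominates a classification when its level is
# at or above it.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

Subject = namedtuple("Subject", "name clearance")
Resource = namedtuple("Resource", "name classification")


def system_high_admit(subject, system_level):
    """System high mode: every user must be cleared at or above the level at
    which the whole system operates before any object-level checks apply."""
    return LEVELS[subject.clearance] >= LEVELS[system_level]


class ReferenceMonitor:
    """Mediates every access. The reference monitor concept demands that it be
    always invoked, tamperproof, and small enough to verify; this toy only
    models the first property (every access goes through check())."""

    def __init__(self, acl):
        self._acl = acl     # object name -> {subject name: set of operations}
        self.audit = []     # every decision, allowed or denied

    def check(self, subject, resource, op):
        allowed, reason = self._decide(subject, resource, op)
        verdict = "ALLOW" if allowed else f"DENY ({reason})"
        self.audit.append((subject.name, op, resource.name, verdict))
        return allowed

    def _decide(self, subject, resource, op):
        # Mandatory rule first: no reading above your clearance.
        if op == "read" and LEVELS[subject.clearance] < LEVELS[resource.classification]:
            return False, "clearance below classification"
        # Discretionary rule: the object's ACL must also grant the operation.
        if op not in self._acl.get(resource.name, {}).get(subject.name, set()):
            return False, "not granted by ACL"
        return True, ""


def run_demo():
    acl = {
        "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
        "plans.doc": {"bob": {"read"}},        # bob is listed, but not cleared
    }
    rm = ReferenceMonitor(acl)
    alice = Subject("alice", "SECRET")
    bob = Subject("bob", "CONFIDENTIAL")
    payroll = Resource("payroll.db", "CONFIDENTIAL")
    plans = Resource("plans.doc", "SECRET")
    results = {
        "alice_read_payroll": rm.check(alice, payroll, "read"),   # both rules pass
        "bob_write_payroll": rm.check(bob, payroll, "write"),     # cleared, ACL says no
        "bob_read_plans": rm.check(bob, plans, "read"),           # ACL says yes, not cleared
        "alice_read_plans": rm.check(alice, plans, "read"),       # cleared, no ACL entry
        "alice_admitted": system_high_admit(alice, "SECRET"),
        "bob_admitted": system_high_admit(bob, "SECRET"),
    }
    return results, rm.audit


if __name__ == "__main__":
    results, audit = run_demo()
    for line in audit:
        print(line)
    print(results)
```

The point of the two denials for bob is that the mandatory and discretionary rules are independent: an ACL entry cannot override a clearance shortfall, and a sufficient clearance does not by itself grant access. In a real system the audit list would be a tamper-evident log that the security kernel protects, since a reference monitor whose decisions can be rewritten after the fact fails the tamperproof requirement.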

Supervisor and user modes

Modern processors and operating systems distinguish supervisor mode (also called kernel or privileged mode), in which code can execute any instruction and touch any memory or device, from user mode, in which the operating system constrains what a program may do. Operating systems also associate privilege with user accounts: UNIX has the root account, and Windows NT has the Domain Administrator and Local Administrator roles. These accounts and roles are intended to be used only by system or network administrators for operating system and utility management functions.

 Warning   Now and again you may hear of administrators who grant root or administrator privileges to normal applications. This is a serious mistake: an application running with administrative privileges bypasses some or all of the operating system’s security controls, which can lead to unexpected application behavior and turns any flaw in the application into a compromise of the whole system. For instance, if a payroll application runs as root, any user of the application could view or change anyone’s data, because the operating system never tells the application “no.”

Supervisor mode and administrative accounts are for system administration purposes only. Business applications should always run in user mode, under accounts that hold only the privileges the application needs.

Service Level Agreements

In the real world, users of any business application need to know whether their application is going to be functioning when they need it. Users need to know more than “Is it up?” or “Is it down AGAIN?” The users of an application are held accountable to their customers and superiors for getting a certain amount of work performed in a given period of time, so consequently they need to know whether they can depend upon their application to help them get there as promised.

The Service Level Agreement (SLA) is a quasi-legal document (a real legal document when the application service provider is a different company than the user[s] using it) that is a pledge that the application will perform to a set of minimum standards, such as

  • Hours of availability: This refers to the wall clock hours that the application will be available for users. This could be 24 x 7 (24 hours per day, 7 days per week) or something more limited, like daily from 4 a.m.–12 p.m. Availability specifications may also cite maintenance windows (for instance, Sundays from 2 a.m.–4 a.m.) when users can expect the application to be down for testing, upgrades, and service.

  • Average and peak number of concurrent users: This standard specifies how many users the application must support logged on at the same time, usually stated both as a sustained average and as a peak that the application must handle without degrading.

  • Transaction throughput: This standard is the number of transactions that the application can perform in a given time period. Usually, throughput is expressed as transactions per second, per minute, or per hour.

  • Data storage capacity: This standard determines the amount of data that the users can store in the application. Capacity may be expressed in raw terms (megabytes or gigabytes) or in numbers of transactions.

  • Application response times: Response time refers to the maximum period of time (in seconds) that key transactions take. All response times for long processes (nightly runs, and so on) should be in an application’s SLA.

  • Escalation process during times of failure: When things go wrong, this standard describes how quickly the service provider will contact the customer as well as what steps will be taken to restore service.

Because the SLA is a quantified statement, the service provider and the user alike can take measurements to see how well the service provider is meeting the SLA’s standards. This measurement, which is sometimes accompanied by analysis, is frequently called a scorecard.
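The following is an added example, not code from the book, of what such a scorecard looks like in practice: a month of constructed monitoring data (outages, maintenance windows, response-time samples, throughput and user counts) measured against assumed SLA targets, with maintenance windows excluded from both committed time and downtime. All targets and samples are constructed values.

```python
"""SLA scorecard: measure a month of constructed monitoring data against the
targets an SLA states.

Added example, not from the original text. The SLA targets, the outage and
maintenance windows and the response-time samples below are all constructed.
"""
import math
from datetime import datetime, timedelta

# Targets an SLA might state (assumed values).
SLA = {
    "availability_pct": 99.5,        # of committed hours, maintenance excluded
    "p95_response_s": 2.0,           # key transactions, 95th percentile
    "avg_tx_per_minute": 500,
    "peak_concurrent_users": 1000,
    "worst_escalation_minutes": 15,  # time to notify the customer of an outage
}


def percentile(values, pct):
    """Nearest-rank percentile, which is what most scorecards report."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def availability_pct(start, end, outages, maintenance):
    """Unplanned downtime as a share of committed time. Minutes inside a
    maintenance window count neither as committed time nor as downtime."""
    planned = sum((m_end - m_start for m_start, m_end in maintenance), timedelta())
    committed = (end - start) - planned
    downtime = timedelta()
    for o_start, o_end in outages:
        span = o_end - o_start
        for m_start, m_end in maintenance:
            overlap = min(o_end, m_end) - max(o_start, m_start)
            if overlap > timedelta():
                span -= overlap
        downtime += span
    return 100 * (1 - downtime / committed)


def build_scorecard():
    start, end = datetime(2024, 6, 1), datetime(2024, 7, 1)   # 30-day period
    # Sunday 02:00-04:00 maintenance windows stated in the SLA (constructed).
    maintenance = [(datetime(2024, 6, d, 2), datetime(2024, 6, d, 4)) for d in (2, 9, 16, 23)]
    # (outage start, outage end, time the provider notified the customer)
    incidents = [
        (datetime(2024, 6, 11, 10, 0), datetime(2024, 6, 11, 13, 0), datetime(2024, 6, 11, 10, 20)),
        (datetime(2024, 6, 16, 3, 30), datetime(2024, 6, 16, 4, 30), datetime(2024, 6, 16, 3, 35)),
    ]
    outages = [(s, e) for s, e, _ in incidents]
    response_s = [0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0, 1.1, 1.2, 1.3,
                  1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 2.1, 2.4, 3.0, 6.5]   # 20 samples
    tx_per_minute = [620, 540, 510, 480, 700]
    concurrent_users = [310, 870, 640, 720]

    measured = {
        "availability_pct": round(availability_pct(start, end, outages, maintenance), 2),
        "p95_response_s": percentile(response_s, 95),
        "avg_tx_per_minute": sum(tx_per_minute) / len(tx_per_minute),
        "peak_concurrent_users": max(concurrent_users),
        "worst_escalation_minutes": max((n - s).total_seconds() / 60 for s, _, n in incidents),
    }
    # "Higher is better" metrics are met at or above target; the rest at or below.
    higher_is_better = {"availability_pct", "avg_tx_per_minute"}
    scorecard = {}
    for metric, target in SLA.items():
        value = measured[metric]
        met = value >= target if metric in higher_is_better else value <= target
        scorecard[metric] = (value, target, met)
    return scorecard


if __name__ == "__main__":
    for metric, (value, target, met) in build_scorecard().items():
        print(f"{metric:26} {value:>8} target {target:>6}  {'MET' if met else 'MISSED'}")
```

Two details matter when both sides measure the same SLA. First, the second outage overlaps a maintenance window, and only the 30 minutes outside the window count as downtime; without that rule the provider and the customer would compute different availability figures from the same data. Second, response time is scored at the 95th percentile rather than the average, because a handful of very slow transactions (the 6.5-second sample here) are exactly what users complain about and an average hides them.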




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242
