Secure Java For Web Application Development
Books on Software and Systems Development and Engineering from Auerbach Publications and CRC Press

CAD and GIS Integration
Hassan A. Karimi and Burcu Akinci
ISBN: 978-1-4200-6805-4

Quality Assurance of Agent-Based and Self-Managed Systems
Reiner Dumke, Steffen Mencke, and Cornelius Wille
ISBN: 978-1-4398-1266-2

Applied Software Product-Line Engineering
Kyo C. Kang, Vijayan Sugumaran, and Sooyong Park, eds.
ISBN: 978-1-4200-6841-2

Modeling Software Behavior: A Craftsman's Approach
Paul C. Jorgensen
ISBN: 978-1-4200-8075-9

Enterprise-Scale Agile Software Development
James Schiel
ISBN: 978-1-4398-0321-9

Design and Implementation of Data Mining Tools
Bhavani Thuraisingham, Latifur Khan, Mamoun Awad, and Lei Wang
ISBN: 978-1-4200-4590-1

Handbook of Enterprise Integration
Mostafa Hashem Sherif, ed.
ISBN: 978-1-4200-7821-3

Model-Oriented Systems Engineering Science: A Unifying Framework for Traditional and Complex Systems
Duane W. Hybertson
ISBN: 978-1-4200-7251-8

Architecture and Principles of Systems Engineering
Charles Dickerson, Dimitri N. Mavris, Paul R. Garvey, and Brian E. White
ISBN: 978-1-4200-7253-2

Requirements Engineering for Software and Systems
Phillip A. Laplante
ISBN: 978-1-4200-6467-4

Theory of Science and Technology Transfer and Applications
Sifeng Liu, Zhigeng Fang, Hongxing Shi, and Benhai Guo
ISBN: 978-1-4200-8741-3

Software Testing and Continuous Quality Improvement, Third Edition
William E. Lewis
ISBN: 978-1-4200-8073-5

The SIM Guide to Enterprise Architecture
Leon Kappelman, ed.
ISBN: 978-1-4398-1113-9

Systemic Yoyos: Some Impacts of the Second Dimension
Yi Lin
ISBN: 978-1-4200-8820-5

Getting Design Right: A Systems Approach
Peter L. Jackson
ISBN: 978-1-4398-1115-3

Architecting Secure Software Systems
Asoke K. Talukder and Manish Chaitanya
ISBN: 978-1-4200-8784-0

Software Testing as a Service
Ashfaque Ahmed
ISBN: 978-1-4200-9956-0

Delivering Successful Projects with TSP℠ and Six Sigma: A Practical Guide to Implementing Team Software Process℠
Mukesh Jain
ISBN: 978-1-4200-6143-7

Grey Game Theory and Its Applications in Economic Decision-Making
Zhigeng Fang, Sifeng Liu, Hongxing Shi, and Yi Lin
ISBN: 978-1-4200-8739-0
Secure Java For Web Application Development
Abhay Bhargav and B.V. Kumar
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
International Standard Book Number-13: 978-1-4398-2356-9 (Ebook-PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Contents
Foreword ...........................................................................................................................xvii
Preface ................................................................................................................................xix
Acknowledgments ..........................................................................................................xxiii
About the Authors .............................................................................................................xxv
Section I Overview
1 The Internet Phenomenon ............................................................................................3
1.1 Evolution of the Internet and the World Wide Web ................................................3
1.1.1 Mainframe Era ...........................................................................................3
1.1.1.1 Initial Mainframe Systems ..........................................................3
1.1.1.2 Mainframe Systems Today..........................................................5
1.1.2 Client/Server Era ........................................................................................5
1.1.2.1 Server .........................................................................................5
1.1.2.2 Client .........................................................................................5
1.1.2.3 Client/Server Architecture ..........................................................6
1.1.3 Distributed Computing Architecture..........................................................6
1.1.3.1 Remote Procedure Call ...............................................................7
1.1.3.2 Messaging ...................................................................................8
1.1.4 Internet and World Wide Web Era .............................................................8
1.1.4.1 B2B E-Commerce .....................................................................10
1.1.4.2 B2C E-Commerce .....................................................................10
1.1.5 Problems with Web Architecture ...............................................................10
1.2 Web Applications and Internet ...............................................................................11
1.3 Role and Significance of Java Technology in Web Applications ..............................11
1.3.1 Applets .....................................................................................................12
1.3.2 Java Servlet ...............................................................................................12
1.3.3 JavaServer Pages Technology .....................................................................13
1.3.4 JavaServer Pages Standard Tag Library ......................................................13
1.3.5 JavaServer Faces Technology......................................................................13
1.3.6 Java Message Service ..................................................................................14
1.3.7 JavaMail API and the JavaBeans Activation Framework ............................14
1.3.8 Java Naming and Directory Interface ........................................................14
1.3.9 Miscellaneous ............................................................................................14
1.4 Security in Java Web Applications ..........................................................................15
1.5 Summary ................................................................................................................16
2 Introducing Information Security ..............................................................................19
2.1 Information Security: The Need of the Hour .........................................................19
2.1.1 The Need for Information Security ............................................................19
2.1.1.1 Internet .....................................................................................20
2.1.1.2 Hackers and Their Backers .......................................................20
2.1.1.3 Digitization ...............................................................................21
2.1.1.4 Legal and Compliance Requirements ........................................21
2.1.2 The Motivation for Security ......................................................................22
2.1.2.1 Reputation ................................................................................22
2.1.2.2 Business Value ..........................................................................22
2.1.2.3 Financial Impact .......................................................................23
2.1.2.4 Legal and Compliance ..............................................................23
2.2 Some Basic Security Concepts ...............................................................................24
2.2.1 The Pillars of Security—The CIA Triad ....................................................24
2.2.1.1 Confidentiality .........................................................................24
2.2.1.2 Integrity .....................................................................................25
2.2.1.3 Availability ................................................................................25
2.2.2 Risk 101 ....................................................................................................25
2.2.2.1 Vulnerability .............................................................................26
2.2.2.2 Threat .......................................................................................26
2.2.2.3 Risk ..........................................................................................26
2.2.3 Defense-in-Depth .....................................................................................27
2.2.3.1 Network Security .....................................................................27
2.2.3.2 Host Security ............................................................................28
2.2.3.3 Application Security .................................................................29
2.2.3.4 Physical Security .......................................................................29
2.3 Internet Security Incidents and Their Evolution ....................................................30
2.3.1 The 1970s ..................................................................................................31
2.3.2 The 1980s ..................................................................................................31
2.3.3 The 1990s .................................................................................................32
2.3.4 The 2000s–Present Day ............................................................................32
2.4 Security—Myths and Realities ...............................................................................33
2.4.1 There Is No Insider Threat ........................................................................34
2.4.2 Hacking Is Really Difficult .......................................................................34
2.4.3 Geographic Location Is Hacker-Proof........................................................35
2.4.4 One Device Protects against All ................................................................35
2.5 Summary ...............................................................................................................36
3 Introducing Web Application Security ......................................................................37
3.1 Web Applications in the Enterprise .......................................................................37
3.1.1 What Is a Web Application? .....................................................................37
3.1.2 Ubiquity of Web Applications ..................................................................38
3.1.3 Web Application Technologies .................................................................39
3.1.4 Java as Mainstream Web Application Technology ....................................39
3.2 Why Web Application Security? ............................................................................39
3.2.1 A Glimpse into Organizational Information Security ...............................40
3.2.1.1 Physical Security .......................................................................40
3.2.1.2 Network Security .....................................................................40
3.2.1.3 Host Security .............................................................................41
3.2.1.4 Application Security .................................................................42
3.2.2 The Need for Web Application Security ...................................................43
3.2.2.1 Ubiquity of Web Applications in the Enterprise Scenario .........43
3.2.2.2 Web Application Development Diversity ..................................44
3.2.2.3 Cost Savings .............................................................................44
3.2.2.4 Reputation and Customer Protection ........................................45
3.3 Web Application Incidents ....................................................................................46
3.4 Web Application Security—The Challenges ..........................................................48
3.4.1 Client-Side Control and Trust ..................................................................49
3.4.2 Pangs of the Creator .................................................................................50
3.4.3 Flawed Application Development Life Cycle ............................................50
3.4.4 Awareness ..................................................................................................52
3.4.5 Legacy Code ..............................................................................................52
3.4.6 Business Case Issues ..................................................................................53
3.5 Summary ................................................................................................................53
4 Web Application Security—A Case Study ..................................................................55
4.1 The Business Need—An E-Commerce Application ................................................55
4.1.1 The Company ............................................................................................55
4.1.1.1 Proprietary Solution .................................................................56
4.1.1.2 Vendor Lock-In ........................................................................56
4.1.1.3 Security Vulnerabilities .............................................................56
4.1.1.4 Lack of Support for Security Compliance .................................56
4.1.1.5 Integration Issues ......................................................................56
4.1.1.6 Capacity Issues ..........................................................................57
4.1.2 The Existing Application Environment ......................................................57
4.1.2.1 Web Server ................................................................................57
4.1.2.2 Database Server ........................................................................58
4.1.2.3 Email and Messaging Server .....................................................58
4.1.3 Importance of Security .............................................................................58
4.1.3.1 Security Incidents .....................................................................58
4.1.3.2 Security Compliance and Regulation ........................................59
4.1.4 Panthera’s Plan for Information Security ...................................................59
4.1.4.1 Physical Security ........................................................................59
4.1.4.2 Network Security .....................................................................60
4.1.4.3 Host Security ............................................................................60
4.1.4.4 Application Security ..................................................................61
4.2 Outlining the Application Requirements ................................................................61
4.2.1 The Request for Proposal ...........................................................................61
4.2.1.1 Purpose......................................................................................61
4.2.1.2 Users ..........................................................................................61
4.2.1.3 Communication Interfaces ........................................................61
4.2.1.4 Security Requirements in the Request for Proposal ..................63
4.3 An Overview of the Application Development Process ..........................................63
4.3.1 The Application Development Process ......................................................63
4.3.1.1 Detailed Application Requirements ..........................................63
4.3.1.2 Application Design ....................................................................65
4.3.1.3 Application Development ..........................................................65
4.3.1.4 White- and Black-Box Testing ...................................................65
4.3.1.5 User Acceptance Testing ...........................................................66
4.3.1.6 Deployment ..............................................................................66
4.4 Summary ................................................................................................................67
Section II Foundations of a Secure Java Web Application
5 Insights into Web Application Security Risk .............................................................71
5.1 The Need for Web Application Security Risk Management ...................................71
5.1.1 Risk Management ....................................................................................72
5.1.1.1 Risk Assessment ........................................................................72
5.1.1.2 Risk Mitigation ........................................................................72
5.1.1.3 Continuous Evaluation .............................................................72
5.1.2 The Benefits of Risk Management for Web Applications ..........................73
5.1.2.1 Clarity on Security Functionality .............................................73
5.1.2.2 Software Development Life Cycle .............................................75
5.1.2.3 Compliance ..............................................................................75
5.1.2.4 Cost Savings ..............................................................................76
5.1.2.5 Security Awareness ....................................................................76
5.1.2.6 Facilitates Security Testing .......................................................77
5.1.3 Overview of the Risk Assessment Phase ....................................................77
5.2 System Characterization Process—Risk Assessment ..............................................78
5.2.1 An Overview of the System Characterization Process ...............................78
5.2.2 Identifying Critical Information Assets ......................................................79
5.2.2.1 Developing a List of Critical Information Assets ......................80
5.2.3 User Roles and Access to Critical Information Assets ................................81
5.2.4 Understanding Basic Application Architecture .........................................82
5.2.4.1 Deployment Topology ..............................................................82
5.2.4.2 System Interfaces ......................................................................82
5.3 Developing Security Policies for the Web Application ...........................................83
5.3.1 A Broad Overview of Security Policies for the Web Application ...............83
5.3.1.1 Financial Risk and Impact ........................................................83
5.3.1.2 Regulatory and Compliance .....................................................84
5.3.1.3 Contractual Obligations ...........................................................84
5.3.1.4 Reputation and Goodwill .........................................................84
5.3.2 Security Compliance and Web Application Security ................................84
5.3.2.1 PCI-DSS....................................................................................85
5.3.2.2 PA-DSS ....................................................................................86
5.3.2.3 SOX ..........................................................................................87
5.3.2.4 HIPAA .....................................................................................88
5.3.2.5 GLBA .......................................................................................89
5.4 Threat Analysis ......................................................................................................89
5.4.1 Understanding and Categorizing Security Vulnerabilities ........................89
5.4.1.1 Design Vulnerabilities ..............................................................90
5.4.1.2 Development Vulnerabilities ......................................................91
5.4.1.3 Configuration Vulnerabilities ....................................................91
5.4.2 Common Web Application Vulnerabilities ................................................91
5.4.2.1 Cross-Site Scripting ..................................................................92
5.4.2.2 SQL Injection ...........................................................................95
5.4.2.3 Malicious File Execution ..........................................................96
5.4.2.4 Cross-Site Request Forgery .......................................................97
5.4.2.5 Cryptographic Flaws .................................................................97
5.4.2.6 Flawed Error Handling and Information Disclosure ................98
5.4.2.7 Authentication and Session Management Flaws .......................99
5.4.2.8 Unrestricted URL Access .......................................................100
5.4.3 Basic Understanding of Threats and Associated Concepts ......................100
5.4.3.1 Threat Actor ............................................................................101
5.4.3.2 Threat Motive ..........................................................................101
5.4.3.3 Threat Access ...........................................................................101
5.4.3.4 Threat Outcome ......................................................................102
5.4.4 Threat Profiling and Threat Modeling .....................................................102
5.4.4.1 Threat Profiling .......................................................................103
5.4.4.2 Threat Modeling ......................................................................104
5.5 Risk Mitigation Strategy—Formulation of Detailed Security Requirements for the Web Application .......................................................................................104
5.6 Risk Assessment for an Existing Web Application ................................................107
5.7 Summary ..............................................................................................................107
6 Risk Assessment for the Typical E-Commerce Web Application .............................109
6.1 System Characterization of Panthera’s E-Commerce Application .........................109
6.1.1 Identification of Critical Information Assets ............................................109
6.1.2 Practical Techniques to Identify Critical Information Assets ...................109
6.1.3 Identified Critical Information Assets for Panthera’s Web Application ....110
6.1.3.1 Customer Credit Card Information .........................................111
6.1.3.2 Customer Information .............................................................111
6.1.3.3 Gift Card Information .............................................................112
6.1.3.4 Stock/Inventory Information ...................................................112
6.1.4 User Roles and Access to Critical Information Assets ..............................112
6.1.5 Application Deployment Architecture and Environment .........................113
6.1.5.1 Network Diagram of the Deployment Environment ...............113
6.1.5.2 Application Architecture Overview .........................................113
6.2 Security Policies for the Web Application and Requirements ................................115
6.2.1 Panthera’s Security Policies ......................................................................116
6.2.1.1 Critical Information Assets ......................................................116
6.2.1.2 Financial Impact ......................................................................117
6.2.1.3 Security Compliance and Regulations .....................................117
6.3 Threat Analysis .....................................................................................................117