Enterprise Security Insights: Networks, Architecture, and App Security
Enterprise Security Insights: Networks, Architecture, and App Security
Enacting strong cyber-security practices for your business are crucial to its overall success. Check out this post to gain more insight on enterprise security.
Join the DZone community and get the full member experience.Join For Free
Cybersecurity in today’s connected world is a fundamental component of your enterprise. Weak policy implementation is the foremost disruption to any business; therefore, it’s vital to understand and incorporate security in any IT-enabled organization.
As the adoption of digital transformation worldwide is enabling enterprises to add value to its business unremittingly, it is also creating avenues for hackers that lead to cybersecurity challenges and vulnerabilities. The continued rise of cyber-attacks on enterprises have become a threat for business, especially the financial sector. To tackle this, companies need to focus on the following key areas to stay ahead of intruders:
- Security policy framework
- Security awareness program
- Continuous threat monitoring and reporting
- Secure IT infrastructure
To build and maintain a secure IT landscape, the following security considerations can fortify enterprises for any unforeseen security intimidation.
- Firewalls are used to block unwanted IP addresses or users from accessing networks or services. It keeps unwanted files away from manipulating a network, asset, or device.
- Secure router bundled with Intrusion Defense/Prevention System (IDS) functions, like a traffic monitoring system, can detect any potential security threat.
- Wi-Fi Protected Access 2 (WPA2) is used on Wi-Fi networks that uses stronger wireless encryption methods.
- Network security scanners are used to detect threats for any insecure server and network device. These scanners are also used to check patch updates status for servers and devices.
- Security is a basic design principle of architecture and should be inherited in each building block of an IT architecture to ensure inclusive security across all systems.
- It should not be added on top of existing IT architectures that increase complexities and loopholes to guard cyber-attack.
- It should integrate the business process with risk exposure within the business domain.
- It should consider all possible risk areas, i.e. Service level agreement, financial, regulatory, operational etc.
- It should measure the risk and shield needed at the module level.
- It should create transparency to monitor and control security compliance across different layers.
While creating an enterprise application, security plays a vital role. Each component access over an open network can be exposed to any invader that may breach the enterprise’s confidentiality.
Top 10 Most Critical Web Application Security Risks as per Open Web Application Security Project (OWASP) 2017 Are:
An attacker manipulates injections to hoax the interpreter into executing malicious code or granting access to sensitive data, which can be done through markup/expression languages, queries, commands, and various protocols, like LDAP.
2. Broken Authentication
Insecure password and session management are the key vulnerabilities where attackers can get user account access and exploit the application.
3. Sensitive Data Exposure
Weak or no cryptography/encryption implementation on data and unpatched servers are some of the key vulnerabilities an attacker can use to perform fraud.
4. XML External Entities (XXE)
Some outdated XML processors evaluate external entity references in XML documents that can allow attackers to expose internal file shares, internal port scanning, and remote code execution.
5. Broken Access Control
When restriction on authenticated users are not well defined and enforced, attackers can access the user’s accounts and exploit sensitive data.
6. Security Misconfiguration
Some of the common misconfiguration security risks that attackers use to identify security flaws are as follows:
- Misconfigured HTTP headers
- Default sensitive configuration
- Sensitive information in error/info messages
- Outdated security updates
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
Remote code execution is a major threat when decentralization is insecure. Technically, it can impact enterprises severely.
9. Using a Component With Known Vulnerabilities
Applications use open source libraries and frameworks that can have known vulnerabilities and may or may not run with the same level of privileges as the application. An attacker can trace vulnerable components and exploit them.
10. Insecure Logging and Monitoring
Logging and monitoring assist an organization to identify any type of threat by ensuring login, access failures, and input validation failures are logged with sufficient details.
For in-depth details, check out this link to learn more.
Network scanners are not designed to identify web application vulnerabilities, there are several ways to detect vulnerability in web application.
- Black box security scan looks for known vulnerabilities and weak defense/control areas from outside of the application. It can be done faster since it’s not comprehensive.
- White box security scans application’s internal working, including architecture, design, and source code.
- Grey box security scan is comprehensive that includes black and white box security scan.
Application Security Traits
This ensures that the client /server is eligible for authorization process. It is a process by which the client and server authenticate each other by well-defined methodology.
Authorization or Access Control
This ensures that users have specific permissions to access/process resources.
This ensures that sensitive data is only viewed by authorized users.
This ensures that data is only modified by authorized users and not by hackers.
This ensures that a transaction is performed by a specific user and it can’t be denied by that user.
Quality of Service
Better service is provided by using a secure technology stack and network.
Auditing is used to evaluate the effectiveness of security policy and mechanism.
Implementation of Application Security
- Security can be specified either in the deployment descriptor outside of an application, such as an XML file, or inside the code, like the annotation/metadata.
- Authentication, access control, and security roles are some of the common use cases to specify security.
- When security is embedded in an application, it can enhance the security model of the application, in addition to declarative security.
- Standard APIs or customized code can be used to achieve authentication and authorization.
- Transport security is point-to-point security on HTTPS using secure socket layer (SSL), which is used to transmit data over the wire between client and server. Data is only protected until it’s reached to destination.
- It’s used for authentication, confidentiality, and integrity.
- The client/server authenticates each other using digital certificate-based authentication.
- Cryptography and Cipher are used for information exchange.
- Message security can be incorporated in the SOAP message header and/or SOAP message attachment to securely traverse information across a network.
- It’s referred to as end-to-end security since an encrypted message can pass through intermediate nodes before reaching its final destination.
- The application/transport is independent.
Digital certificates are a prerequisite to implementing a secure socket layer between the client and server. Certificates are cryptographically signed by either a trusted third-party (Certificate Authorities — CA) as an intermediate certificate or its owner as a self-signed certificate. Usually, a server shares intermediate certificates, then the client validates the chain by looking up the root certificate and trusted site.
Root certificates for Certificate Authorities (Verisign, Comodo, Symantec, etc.) are stored in the file called truststore that comes with the JDK/JRE. The application server stores its private key and digital certificates in the keystore file as
Java provides a utility keytool bundled with the JDK/JRE to view, modify, or create a certificate.
The user initiates the SSL handshake while sending a request to the server. The SSL Handshake ensures that the client and server can establish secure communication. It can be of two types, i.e. one way or two ways. In one way, the SSL handshake requires the client to validate the server. In the second way, the SSL handshake, with both the client and the server, validate each other.
In the following flow diagram, we look at the client and server SSL handshake:
Security APIs and Frameworks
There are various security APIs and frameworks available in the marketplace that can be used to secure application.
Java Authentication and Authorization Service (JAAS)
This is a core framework for Java EE security where authentication and/or authorization can be enforced on the user. JAAS allows an application to incorporate security features independently.
Java Cryptography Extension (JCE)
This provides a framework for key generation/agreement, Message Authentication Code (MAC) algorithms, and encryption.
Java Generic Security Services (Java GSS-API)
This is an API that is used to securely transmit messages between applications.
Java Secure Sockets Extension (JSSE)
This framework provides an alternative Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. And, it provides APIs for authentication and data encryption.
Simple Authentication and Security Layer (SASL)
This framework provides a mechanism to create generic APIs for authentication, encryption, and data integrity-checking. Click here for more details.
Spring Security offers all-inclusive security services for the Java enterprise application. Authentication and authorization are two main focus areas of the application that Spring Security targets. It supports various authentication models provided by standard bodies/third parties. The integration of Spring Security is very flexible with other technologies. Click here to learn more.
Apache Shiro is an open source Java security framework that provides authorization, authentication, cryptography, and session management for different types of Java applications.
Shiro is flexible and easy to integrate with other frameworks and technologies. In terms of support, it’s a part of the Apache Software Foundation, where various communities actively work in support and services.
OACC provides compressive APIs to secure applications using the authentication and authorization mechanism. Some of the keys features include:
- Fully implemented APIs with a single access control paradigm
- Supports a vast range of pluggable authentication protocols
- Identity delegation without having to know authentication credentials
- Programmatic and dynamic modeling for authorization
- Rich APIs for query capabilities that store and manage the application’s security relationships
HDIV is an open-source, security framework that protects the application against a wide range of web application security threats. Some of the key features are as follows:
- Enable security without compromising performance
- Protects against 90 percent of application security risks mentioned in the OWASP Top 10
- Non-editable data protection and editable data risk mitigation.
Bouncy Castle provides lightweight cryptography APIs for Java and C#. Below are some of their major offerings:
- A provider for the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA)
- A provider for the Java Secure Socket Extension (JSSE)
- A clean room implementation of the JCE 1.2.1
- A library for reading and writing encoded ASN.1 objects
As cyber attacks are continuously rising and pose a major threat to any business, the adoption and implementation of security measures should be a top priority for any organization. It’s not only the unsecured firms that should be concerned, but everyone who has a communication channel with such organizations must take action.
How organizations are catching up with unprecedented changes in the technology to secure businesss will be the key success factor. There are various open-source communities, government, and private bodies out there helping industries to enact a safe and secure cyber-presense.
The following links for helpful cybersecurity association are:
Opinions expressed by DZone contributors are their own.