Security Architecture Consulting - Hiren Shah


Published on February 1, 2020

Author: NSCONCLAVE

Source: slideshare.net

Content

1. Security Architecture Consulting - The Next Stop!

2. #whoami – Hiren Shah
• 25 Years in Business & IT field
• President & Mentor of Net Square
• LinkedIn: hirens
• Twitter: @hiren_sh
Business & IT Leader Mixed into One

3. Security Architecture Consulting - The Next Stop!

4-7. Key Drivers and Considerations of today's Global Banks
1. Cross-Selling for Financial and Non-Financial Products
2. Deliver Experience based on Personalisation
3. Support customer segments with different web capabilities
4. Support innovation - agility to implement new features
5. Seamless Experience Across Channels
"To provide state-of-the-art customized, seamless and uniform User Experience for all customer segments across desktop & mobile web"

TYPICAL LOGICAL ARCHITECTURE

Advantages: cloud enabled; microservices driven integration approach; personalization and contextualization; multilingual support; future proof; omni channel; polyglot persistence.

Security challenges: stateless architecture; API management; infrastructure security; data security.

8-12. Identifying security holes early on
(Architecture diagram: Client Browser, Netscaler (LB), Nginx (Reverse Proxy / SLB), WAF, AngularJS app served by Nginx, PCF Platform hosting MicroService A and MicroService B on embedded Tomcat, Active Directory / ADFS, Redis, MQ, Config-Server, Databases, Orchestrator; links labelled Https and Http.)

• Question the client on threat perception
• Challenges in system administration on new platforms and technologies
• Polyglot persistence - how should data be stored?
• Limitation of tools, e.g. containerisation of the messaging layer?

13. Build Security Design Patterns

14-15. Build Security Design Patterns - TYPICAL TECHNICAL ARCHITECTURE
(Diagram: Secured SPA application on the Angular framework with Model (JSON), View/Controller (HTML) + Service (TypeScript) and an Http Interceptor (AUTH); static CSS, images and fonts; JSON over HTTPS to stateless microservices on Spring Boot + allied frameworks with Http Interceptor (AUTH-FILTER), RestController, Message Listener, Service, Model (POJO) and DAO; Protocol Adaptor (REST/JMS); OIDC / OAuth Server over HTTPS; Application Database over JDBC; Unstructured Datastore; Caching; Notification Engine (SMS / Email) over JMS; Internal Queues over JMS and TCP/IP.)

Security Specs:
• jsrsasign v8.0.12 (JavaScript library) on the client (https://www.npmjs.com/package/jsrsasign)
• Java Cryptography Extension (JCE) implementation of Java SE 8 on the server
• Secret key generation per session
• Encryption of sensitive data on the client using an RSA (2048 bits) public key
• MAC computation using HmacSHA512 and the secret key for every request/response

Validate design principles, e.g. is the proposed solution to maintain state in a stateless architecture?
Build patterns of security principles, e.g. OTT

16. The Devil is in the Detail!

Client-side generation of the per-session id (the slide's code, with the `this.` references turned into plain function calls so it runs stand-alone in a browser):

    var clientSessionId = generateRandom();

    function generateRandom() {
      // Eight 32-bit slots; the initial values do not matter because
      // getRandomValues() overwrites every element with CSPRNG output.
      var asciiArray = new Uint32Array([0xFAFBA, 0xAFFBC, 0xFABBD, 0xFFFBA,
                                        0xFAFFE, 0xFADBA, 0xFEFBB, 0xFAFBD]);
      window.crypto.getRandomValues(asciiArray);
      return padZero(asciiArray);
    }

    function padZero(randomNumberArray) {
      // Joins the eight random values, each prefixed with a '0'
      return '0' + randomNumberArray[0] + '0' + randomNumberArray[1] +
             '0' + randomNumberArray[2] + '0' + randomNumberArray[3] +
             '0' + randomNumberArray[4] + '0' + randomNumberArray[5] +
             '0' + randomNumberArray[6] + '0' + randomNumberArray[7];
    }

New "nonce" header value sent on every request and validated against the response header value. Also acts as a correlation-id to trace and correlate user requests in logs across backend services.
Format: (16-digit random per session | 16-digit random per request)

    var requestId = generateRandom();
    RequestHeaders['nonce'] = clientSessionId + '|' + requestId;

"state" is the unique server session id. Created for tracking the conversation of the Multi-Factor Login Flow with a max. idle/inactivity timeout of short duration (e.g. 5 mins).
Format: Base64.getUrlEncoder().withoutPadding().encode( User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString() )

Login sequence (participants: End-User, LogonUI (Angular client), HTTP Server https://www.kotak.com/Signin/, Authentication Service, Cache Server (Redis)):
1. End-User inputs UserId; LogonUI calls generateNonce()
2. POST /v1/idp/login [nonce]{client_id, userId}
3. Authentication Service: validateNonce(); look up UserId and CRN, FindUID; generateState(); put(state, HashMap) into Redis
4. Response [nonce]{state, authMethod}; LogonUI displays the fields relevant for authMethod; //BustFrames

Reverse Proxy should add standard Security Headers to ALL Responses:
    Strict-Transport-Security: max-age=599
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    Access-Control-Allow-Origin: https://www.abcbank.com

17-19. Prioritise review of some controls over the others
These you will get a chance to test thoroughly during Appsec also.

Controls and testing goals:
Authentication - Authenticate users before allowing access to any sensitive data or operations. Safeguard user accounts from misuse or unauthorized use. Protect authentication credentials when stored or in transit.
Authorization - Prevent user access to resources outside their assigned privileges. Restrict functionality to only those resources required to fulfil the task.
Input Validation - All client-side input must be regarded as untrusted. All input must be validated before being passed to the application logic. Only good and expected input should be allowed.
Session Management - Protect against session hijacking. Protect against brute forcing. Well-defined login and logout points. Expired sessions cannot be re-used later.
Client Protection - Assume an untrusted endpoint environment. Assist in application layer endpoint security. Prohibit sensitive data to be stored on the client. Assist in preventing data leaks from the endpoint.
Cryptography - Appropriate choice and justification of cryptographic algorithms. Well-known and tested cryptography. Detect inadvertent use of cryptography.
Logging - Auditing capabilities independent of any other system audit trails. Events should be labelled appropriately within the log data. Log review. Protected from unauthorized access and tampering.

20. Take a "Holistic" View
Extend the coverage to include all aspects of the solution, including administration of platforms.
(Diagram: Orchestrator with Nodes - Container Orchestration Assessment; Network Assessment; Multiple Instances; Infrastructure Virtualization.)

21-23. Process & Policy are not "out-of-scope"!
Technical - Vulnerability in funds transfer allows unauthorized funds transfer
Policy - User id for customer identification is a sequential number
Process - Transfer money to a beneficiary without registration
Serious security breaches typically manifest because of weakness in process and policy design along with technical vulnerabilities.

24-25. Sometimes, "what client wants"
# Activity
1. Documents Review (Network, Data Flow, etc.) - Understand the network and data flow of the application with all components that are part of its ecosystem, or any other applications it is trying to connect to.
2. Inter-Tier Authentication - Functionality of the interfaces, encryption used (SSL, TLS, etc.).
3. User Authentication & Authorization - Authentication: AD/local authentication; role-based access, master maintenance (maker/checker for important functions). Dormant accounts: how are they managed; service accounts and related security (interactive login disabled). Multifactor authentication: known vulnerabilities. Check whether the software component used for authentication has known vulnerabilities.
4. Data at Rest - Identify how sensitive data is stored in the database.
5. Data in Transit - Review how sensitive data is transmitted over the communication channel.
6. Security Review of API and Web Services associated with integrations (if applicable) - Review the technology (OAuth, JWT, etc.) used for the API or Web Service and identify whether any known vulnerability is present, e.g. no validation of session tokens.
7. User Access Management (Provisioning / De-provisioning / Modification) - Review how users are provisioned and removed. What is the frequency of user access review; is there a documented procedure for it. Dormant account handling.
8. Password Policy - Review the password policy of the application; if it is not integrated with AD, is it as per the Kotak defined password policy.
9. Multifactor Authentication - Review the multifactor authentication (Google Authenticator) used, check for any known vulnerabilities and whether the implementation is secure.
10. Cryptography Management - Review the encryption/hashing algorithms used in the application; are they as per the Kotak defined cryptographic standard.
11. Audit Logging - Review logging of sensitive information; identify logging across the various components (OS, App, DB, etc.).
12. Application Deployment Process - How the final compiled code gets deployed; is there a defined process for it, or can the app owner directly push binaries to production.
13. Backend (Database / MQ) Tampering for initiating a transaction / updating balances - Actually tamper with the request/files used for processing the transaction and review whether it gets executed successfully. Try to update the same values directly in the backend database and review the execution.
14. Financial Transaction Flow (STP / Manual) - Review the transaction flow and check the controls around it, e.g. whether there is a File Integrity solution for a file-based transaction system.
15. Identify and Configuration-Review Controls (e.g. WAF, IDS / IPS responsible for the application) - Identify the technologies used as compensating controls for known vulnerabilities and review their configuration / implementation.
16. Data Integrity - As a security measure the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether this is implemented securely (whether the algorithm used for generating the checksum is obsolete or not).

26. Document threat scenarios - they are your Test Cases while doing Appsec.

27-28. Challenges - Lack of Documentation
Give them some Templates… and nudge! You will find many here.

29. If done right….

30. The response is always "Awesome"!

31. Yes! Sometimes it will be Daunting! Thanks!
