
Objective

To help ensure business applications use consistent security functionality, align with the organisation’s technical security infrastructure and protect the information they process.

CF4.1.1

Business applications should be protected against invalid connections by:

a) assuming input from external systems (eg Web Services, SOA components and other applications) is insecure by default

b) checking access permissions when a request is made to access an object (eg a database record, file or equivalent)

c) repeating any client validation at the server, to defend against ‘man-in-the-middle’ attacks.
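As an added illustration of CF4.1.1 b) and c) (example code, not part of the ISF Standard), a server-side handler that repeats the client's input checks and verifies object-level permission before touching a record. The record store, field rules and function names are hypothetical.

```python
# Added example (not from the ISF Standard): server re-validates client input
# and checks permission on the specific object requested. Names are hypothetical.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    balance: int


# Constructed sample store: records owned by different users.
RECORDS = {
    1: Record(1, "alice", 250),
    2: Record(2, "bob", 990),
}


def validate_amount(raw: str) -> int:
    """Repeat the client's checks on the server: digits only, within range."""
    if not re.fullmatch(r"[0-9]{1,7}", raw):
        raise ValueError("amount must be 1-7 digits")
    amount = int(raw)
    if not 1 <= amount <= 1_000_000:
        raise ValueError("amount out of range")
    return amount


def can_access(user: str, record: Record) -> bool:
    """Object-level permission check: a user may only act on their own records."""
    return record.owner == user


def handle_withdraw(user: str, record_id: int, raw_amount: str) -> dict:
    """Handler that trusts neither client validation nor the record id supplied."""
    try:
        amount = validate_amount(raw_amount)
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc)}
    record = RECORDS.get(record_id)
    if record is None or not can_access(user, record):
        # Same response for missing and forbidden records: no existence leak.
        return {"status": "denied"}
    if amount > record.balance:
        return {"status": "rejected", "reason": "insufficient funds"}
    return {"status": "ok", "remaining": record.balance - amount}
```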

CF4.1.2

Business applications should be protected against unauthorised access to information by:

a) hardening the operating system (eg ensuring that all unnecessary software, network services and applications have been disabled / removed)

b) providing ‘defence in depth’ (ie using multiple layers of different types of protection) to avoid reliance on one type or method of security control

c) employing secure defaults (eg requiring authentication and recording user activity in an event log as a preselected option)

d) ensuring key components ‘fail securely’ (ie in the event of a system failure, information is not accessible to unauthorised individuals, and cannot be tampered with or modified).

CF4.1.3

Business applications should protect information against unauthorised disclosure of sensitive information by ensuring that they:

a) run with ‘least privilege’ (ie only the minimum possible access privileges are granted to a user or a process when accessing the system, and not high-level privileges such as ‘root’ in UNIX systems or ‘Administrator’ in Windows systems)

b) enforce separation of privilege (eg by dividing application functions and splitting cryptographic keys)

c) are prevented from initiating network connections to the Internet (eg through server configuration or by rules on a firewall)

d) prevent information about the internal workings of applications (eg in application responses or error messages) from being disclosed.

CF4.1.4

Business applications should incorporate security controls to protect the integrity of information by:

a) minimising manual intervention (eg by automating processes)

b) preventing unauthorised changes to software (eg malware protection, change management disciplines)

c) producing error and exception reports.

CONTROL FRAMEWORK

www.securityforum.org

CF

Copyright © 2011 Information Security Forum • 2011 Standard of Good Practice CF4.1

SPECIALISED

CF4.1 Application Protection

(continued)

CF4.1.5

Business applications should incorporate security controls to help ensure availability of information by:

a) providing adequate capacity to cope with normal / peak volumes of work

b) performing load-balancing and load-monitoring

c) reducing or eliminating single-points-of-failure.

CF4.1.6

Servers that support critical business applications should be:

a) segregated from internal networks and untrusted networks (eg by locating them in a ‘Demilitarised Zone’ (DMZ))

b) run on one or more dedicated computers (ie they do not provide other services such as file and print, database, email or other business applications).

CF4.1.7

Connections between servers (eg web servers) and back-office systems (eg application and database servers) should be:

a) protected by firewalls

b) restricted to only the services that are required by business applications

c) restricted to those originating from web server applications (ie rather than originating from client applications)

d) based on documented, tested and approved application programming interfaces (APIs)

e) encrypted (eg using IPSec).

Related areas / topics

CF7.1 Computer and Network Installations

CF8.1 Security Architecture

CF18 Systems Development Lifecycle

ISF resources

Security Architecture: Workshop Report

Securing Business Applications

ISF Briefing: Security of Service Oriented Architecture (SOA) and Web Services


CF4.2 Browser-based Application Protection

Principle

Specialised procedural and technical controls should be applied to internal and ‘Internet-facing’ browser-based applications and the servers on which they run.

Objective

To ensure that the increased risks associated with browser-based applications are minimised.

CF4.2.1

Additional security controls should be employed when deploying browser-based applications and supporting systems to protect against increased risks associated with being accessible from unprotected networks (eg the Internet).

CF4.2.2

Information used by browser-based applications (eg configuration files) should be protected against corruption or disclosure by:

a) locating them on partitions inaccessible to web servers (or other connected servers)

b) restricting file permissions.

CF4.2.3

Website content (eg web pages, articles, images) should be protected against corruption or disclosure by:

a) storing it on a separate partition / disk from the operating system

b) setting strict file permissions

c) restricting updates to authorised individuals and using approved methods (eg via removable media at the web server console or transferring files using secure shell (SSH) or secure FTP from a predefined IP address)

d) reviewing content to ensure that it is accurate, that hyperlinks are valid and functional, and that vulnerabilities have not been introduced by scripts or ‘hidden’ form fields

e) performing regular checks to ensure that website content is not defamatory, offensive or in breach of legal and regulatory requirements.

CF4.2.4

Sensitive information in transit should be protected against disclosure by using encryption (eg using Secure Sockets Layer (SSL) or Transport Layer Security (TLS)).

CF4.2.5

The disclosure of information about system configuration (that could be useful to hackers) should be prevented by:

a) suppressing or modifying the server field in HTTP headers that identify the web server’s brand and version

b) verifying that directories of files on web servers are not indexable

c) preventing source code of server-side executables and scripts from being viewed by a web browser

d) ensuring that the source of HTML, JavaScript and other client-side scripting languages does not contain unnecessary information (eg comments and details of functions).

CF4.2.6

Web application sessions should be protected against being hijacked or cloned by:

a) ensuring SessionIDs cannot be easily predicted (eg by using randomly generated SessionIDs)

b) configuring the security parameters in ‘cookies’ used to hold session information.
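As an added illustration of CF4.2.6 (example code, not part of the ISF Standard), generating a session ID from the operating system's cryptographic random source and emitting the session cookie with its security parameters set. The cookie name, lifetime and the SameSite attribute (a parameter that post-dates the 2011 Standard) are assumptions.

```python
# Added example (not from the ISF Standard): unpredictable session IDs and a
# session cookie with its security parameters set. Names are hypothetical.
import secrets
from http.cookies import SimpleCookie

SESSION_BYTES = 32          # 256 bits of CSPRNG output per session ID


def new_session_id() -> str:
    """Random session ID from the OS CSPRNG; never a counter, timestamp or hash of a username."""
    return secrets.token_urlsafe(SESSION_BYTES)


def session_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie value carrying the session ID with its security parameters."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    morsel = cookie["SESSIONID"]
    morsel["secure"] = True        # only transmitted over TLS (see CF4.2.4)
    morsel["httponly"] = True      # not readable by client-side script
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # short lifetime limits the value of a captured ID
    return morsel.OutputString()


def is_acceptable_session_id(session_id: str) -> bool:
    """Server-side shape check before a presented session ID is even looked up."""
    cleaned = session_id.replace("-", "").replace("_", "")
    return len(session_id) >= 43 and cleaned.isalnum()
```

Issue a fresh ID with new_session_id() at login and on any privilege change, so an ID a browser held before authentication is never carried into the authenticated session.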


CF4.2.7

‘Internet-facing’ web servers that support business applications should be configured to:

a) record actions performed (eg those associated with server-side executables and scripts)

b) log security-related events generated by the website.

CF4.2.8

There should be a process to ensure that:

a) important domain name registrations are renewed (eg every two years)

b) domain names that could be used to masquerade as the organisation are registered by the organisation

c) websites that may have been set up using domain names similar to those used by the organisation are monitored (eg by using external party monitoring services)

d) illegitimate websites (eg those used for phishing attacks) are closed down as quickly as possible

e) relationships with Internet service providers are covered by a service level agreement (SLA).

Related areas / topics

CF8.1 Security Architecture

CF18 Systems Development Lifecycle

ISF resources

Securing a Web Server Environment Security Guide

FUNDAMENTAL

CF4.3 Information Validation

Principle

Business applications should incorporate security controls that protect the confidentiality and integrity of information when it is input into, processed by and output from these applications.

Objective

To protect the integrity (validity, accuracy, completeness and timeliness) of critical information stored in or processed by business applications.

CF4.3.1

Information entered into business applications should be checked to ensure its validity (eg by using range, consistency and ‘hash total’ checks) and completeness (eg comparison with control balances or original documentation).

CF4.3.2

The integrity of information processed by business applications should be maintained by ensuring that:

a) information cannot be overwritten accidentally (eg by write-protecting key fields or files)

b) the processing of information is validated (eg by record counts, and hash, session, batch or balancing totals)

c) changes to key ‘static’ business information such as customer master files or currency exchange rates are reviewed (eg by inspecting the contents of records before and after they have been changed)

d) unauthorised or incorrect changes to information are detected (eg by inspecting change logs, using automated ‘checksum’ tools or reconciling data back to its original source).
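As an added illustration of the input checks in CF4.3.1 and the processing controls in CF4.3.2 b) (example code, not part of the ISF Standard), a validator that applies range and consistency checks to each record of a payment batch and then compares the record count, a hash total of account numbers and the balancing total of amounts against the batch's control record. The file layout, field names and sample batch are constructed for the example.

```python
# Added example (not from the ISF Standard): batch integrity checks using
# record count, hash total and balancing total. Layout is constructed.
from typing import List, Tuple

# Constructed batch: control record "H,count,hash_total,amount_total",
# then detail rows "D,account,amount_pence,currency".
SAMPLE_BATCH = """\
H,3,30000066,12550
D,10000011,5000,GBP
D,10000022,7500,GBP
D,10000033,50,GBP
"""


def parse_batch(text: str) -> Tuple[dict, List[dict]]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    h = lines[0].split(",")
    if h[0] != "H":
        raise ValueError("missing control record")
    header = {"count": int(h[1]), "hash_total": int(h[2]), "amount_total": int(h[3])}
    details = []
    for line in lines[1:]:
        f = line.split(",")
        if len(f) != 4 or f[0] != "D":
            raise ValueError(f"malformed detail record: {line!r}")
        details.append({"account": f[1], "amount": int(f[2]), "currency": f[3]})
    return header, details


def validate_batch(text: str) -> List[str]:
    """Return the list of integrity failures; an empty list means the batch balances."""
    errors = []
    header, details = parse_batch(text)
    for i, d in enumerate(details, 1):
        # Range and consistency checks on each field (CF4.3.1)
        if not (d["account"].isdigit() and len(d["account"]) == 8):
            errors.append(f"row {i}: account not 8 digits")
        if not 1 <= d["amount"] <= 100_000_000:
            errors.append(f"row {i}: amount out of range")
        if d["currency"] != "GBP":
            errors.append(f"row {i}: unexpected currency {d['currency']}")
    # Batch-level controls (CF4.3.2 b): the hash total is a sum of account
    # numbers with no business meaning; it exists only to detect lost or
    # altered records, alongside the record count and the balancing total.
    if len(details) != header["count"]:
        errors.append(f"record count {len(details)} != control {header['count']}")
    hash_total = sum(int(d["account"]) for d in details if d["account"].isdigit())
    if hash_total != header["hash_total"]:
        errors.append(f"hash total {hash_total} != control {header['hash_total']}")
    amount_total = sum(d["amount"] for d in details)
    if amount_total != header["amount_total"]:
        errors.append(f"amount total {amount_total} != control {header['amount_total']}")
    return errors
```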

CF4.3.3

The integrity (validity, accuracy, completeness and timeliness) of information processed and output by business applications should be confirmed by checking against external sources (eg by reconciling bank statements, comparing against order processing logs, customer / supplier records or physical stock, or by performing plausibility checks to ensure output is reasonable).

Related areas / topics

CF18 Systems Development Lifecycle

ISF resources

Securing Business Applications

Protecting Information in the End User Environment
