Application Security Testing: An Integral Part of DevOps
Everybody uses a network to transfer data; this is obvious. Less obvious is the fact that the data has value (and cost), and so it is a subject to theft.
Types of information that are stolen include a user's personal information, commercial or technical data (including commercial secrets and intellectual property), or even security and military information. Leaking such information can stay undiscovered for months, if not years, doing damage to people who sent information, and also to third parties.
- On the remote side itself.
- In the middle of network conversation; in other words, on the way from the user's computer to the remote side.
If the remote side is supposed to be a secure place (as in an e-commerce merchant with a good reputation), theft is still possible. How can this happen? Suppose you are calling somebody using the phone and the person on other side answers you. If the voice of the respondent sounds similar to the one you expect, it is possible that you will not perform other authentication and can possibly tell him some secrets. Sounds strange? This is quote a common situation in real life.
The situation regarding network servers is no better. When the user expects to see an often-used Web page, it is relatively easy to create a similar-looking page on the other ("fraudulent") server and attempt to direct the user to that server. Chances are that the user will share his login/password information or even credit card info with the unknown thief. So, the first problem with network security is remote side identification.
Even when the remote side can be identified for sure, we are still not safe. As we know, information doesn't reach the remote side directly. Instead, it travels through 5–20 (on average) network nodes to get to the server. Each of these nodes is technically capable to capture, record, or even modify the information being sent. Of course, this is a serious threat to data security. The second problem is tolerance to so-called man-in-the-middle attacks.
There are many types of man-in-the-middle attacks; they differ in the goal of their initiator and in the way they are carried.
So, two main tasks of any network security solution is to:
- Provide correct identification of the remote side in the network conversation.
- Prevent third parties that have a possibility to access the network, over which the data is transmitted, from accessing the data being sent.
The most obvious way is to encrypt the data in the way that is known to both sides of network communication session, but is not known to other parties. A strong encryption algorithm would work fine, but only if both sides know the password (some data sequence), which is used during encryption. Such an approach can be used in some cases, but certainly it is not usable on the Internet, where thousands of client devices connect to servers for information and services. Of course, the server could transfer the password to the client during the conversation, but the obvious drawback is that the third party in the middle can get the password too, effectively making such "security" useless.
So, it is necessary to utilize some more advanced scheme that lets the client and the server securely exchange the passwords and still minimize the chance for attack.
Nowadays, there are several widely used schemes available. They are SSH (Secure Shell) and SSL (Secure Socket Layer/Transport Level Security). Both protocols work on the transport-network level ("above" TCP protocol) and utilize similar schemes. SSL is more widely used because of its adoption for secure WWW data transfer.
Both protocols provide transparent security; this allows the use of standard Internet protocols over SSL or SSH.
As mentioned, only a properly authenticated server (and, in some cases, the client) can be treated as secure. SSL utilizes certificates to authenticate the parties and also to encrypt the data being transferred. You will find more information about certificates on the SecureBlackbox site.
Briefly speaking, the certificate is a secure replacement for a common username/password pair, with enhanced functionality and strengthened security. By utilizing asynchronous algorithms, the certificate approach provides more features than other authentication systems; for example, certificates have a predefined lifetime and range of use.
Also there exist standard approaches to centralized certificate management, backup, and recovery.
The best-known application for SSL protocol is securing commercial Internet communications. Most commercial Web sites offer an option (or even force) for use of SSL, which is used for HTTPS protocol. This is, however, not the only protocol to use SSL. Actually, most TCP-based protocols (such as POP3 and IMAP for mail, NNTP for news, and so forth) can work over SSL. SSH is also used to provide security for FTP and shell protocols.
SSL is useful in public operations; due to its perfect authentication capabilities, SSL is indispensable in distributed and n-tier applications, in providing authorization in heterogeneous environments and in securing data transactions and remote operation control.
For example, certificates and SSL are the optimal way of controlling the access of multiple people to the database. Certificates in this scenario provide the following features:
- Authenticate the user
- Check whether the user is authorized to access the resource
- Apply the necessary access restrictions
- Encrypt the private user's information
- Ease logging and security audits
- Unify security management procedures
How SSL Works
SSL provides identification of the server, optional identification of the client, and also provides encryption and compression to the data being transferred.
An SSL description uses the following terms:
- Cipher suite—set of encryption and digest (hash) algorithms, which are used together during SSL session.
- Asymmetric encryption algorithm—encryption algorithm, based on a pair of keys, one of which is private (secret) and the other one is public (known to everybody)
- Symmetric encryption algorithm—encryption algorithm that uses one secret key.
- Random data—(here) some data that is used to create common secret values used during SSL session.
- Certificates—blocks of data, used to identify the parties and for encryption information. There's a separate article about certificates, their creation, use, and validation in the article about Certificates.
When the socket connection is established, an SSL handshake should be carried out. The handshake lets the parties define the version of SSL protocol they use, select cipher suites and (optionally) compression methods, (optionally) authenticate each other, and use asymmetric encryption algorithms to exchange random data.
- The handshake is started by the client, which sends an SSL greeting packet to the server. The client's greeting packet contains:
- Client version—the highest version of SSL/TLS protocol supported by the client
- Random data, which consists of a date/time stamp and some random bytes
- Session ID (can be omitted if new session is started)—SecureBlackbox supports session management
- Supported cipher suites that define which encryption algorithms are supported by the client
- Supported compression. Current protocol implementations don't use this field
- Server version—the version of SSL/TLS that was selected for use by the server
- Random data block, independent from client random data
- Session ID. If the client-specified session ID and this ID were found by the server (and is valid—not expired, security was not compromised, and so forth), the value supplied by the client is put to the server greeting packet. Otherwise, the server sends the ID of the newly created session.
- Cipher suite field—the cipher suite that was selected by the server from the list of supported cipher suites, supplied by the client
- Compression method—the ID of compression type selected by the server from the list of supported compression types, supplied by the client
Because generation of the keys is quite a slow operation, The SSL protocol supports sessions. The session is defined as a set of information necessary for the re-use of already exchanged information for another SSL-secured data exchange. The session data includes cipher suites and keys used. Support for sessions in your application can increase the efficiency of SSL protocol if more than one connection is done from the client to the server.
Only a properly closed session can be resumed.
Taking into account the growing value of information in distributed systems, each developer must pay special attention to the services, which are provided by SSL and certificates. SecureBlackbox can be a good assistant in achieving ultimate security in your solutions.