About Me

Rohit leads the Pivotal Labs App Modernization Practice in engineering, delivery training & cross-functional enablement, tooling, scoping, selling, recruiting, marketing, blog posts, webinars and conference sessions. Rohit has led multiple enterprise engagements including ones featured in the Wall Street Journal. Rohit focuses on designing, implementing and consulting with enterprise software solutions for Fortune 500 companies on application migration and modernization.

Saturday, December 20, 2014

How to Prevent a SONY style hack in your enterprise


The Sony hack of critical application systems, exposing both personal and company data, has sent shivers down the spine of most corporate organizations. How do you combat such an egregious, targeted hacking of your infrastructure? I wonder if a radical rethink of security systems is required. Security software needs to evolve from a purely preventive to a reactive mindset: just as distributed systems are designed around the fallacies of network computing, security software ought to be designed assuming that one or more of the attack vectors listed in the OWASP Top 10 will succeed. Securing data in transit and at rest is critical for prevention; however, an approach where no harm results even if the critical data is exposed will be key for future security.

From a microservices perspective, these are the current best practices for application security:

1. Multi-factor authentication - utilizing a Time-based One-time Password algorithm (TOTP), see http://www.insaneprogramming.be/blog/2014/05/14/two-factor-otp-security, or Universal 2nd Factor (U2F), a solution managed by the FIDO Alliance based on public key cryptography and inexpensive USB hardware tokens.

2. Perimeter security - applying different security policies to public and private microservices via network segmentation, see https://blog.starkandwayne.com/2014/10/31/public-and-private-microservices-on-the-same-cloud-foundry/

3. Authenticate - HTTP endpoints using OAuth2, OpenID, SAML, etc.

4. Authorize - resources in multiple layers: inspect the HTTP request and apply authorization logic based on URL patterns first, followed by method-level security.

5. Out-of-the-box protection - built-in framework protection against common attacks such as session fixation, XSS and SQL injection. Examples of such frameworks include spring-security and the Java EE and Java SE security models.

6. Data parsimony - Datensparsamkeit, a term taken from German privacy legislation, describes the idea of storing only as much personal information as is absolutely required for the business or by applicable laws. Reduce data breach and data loss risk by anonymizing all information, capturing as little as possible, and not reselling the data to third parties.

7. Data loss prevention strategy - prevent data loss and theft by putting a comprehensive data loss and data theft policy in place.

8. Key management - the only way to effectively secure data is strong encryption combined with rigorous hygiene around key management and access controls.

9. Web application security best practices - isolate critical information in the DB; protect against remote code execution; flood and spam protection; hash passwords with unique salts; global XSS protection; protect against SQL injection; protect against CSRF; ask for the password before modifying critical information; HTTP Strict Transport Security; use HTTPS throughout the application; and validate the session against browser and location.

