What is Security & Compliance?

Security is fundamentally about protecting assets, such as a Web page or your customer data in the database. As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk. Security is about risk management and implementing effective countermeasures.

The Foundations of Security Security relies on the following elements:

Authentication: "Who are you?" Authentication is the process of identifying the clients of your applications. These might be end-users, services, processes, or computers. Authenticated clients are referred to as principals.

Authorization: "What can you do?" Authorization is the process that governs the resources and operations that the authenticated client is permitted to access. Resources include files, databases, tables, rows, and system resources such as registry keys and configuration data. Operations include performing transactions such as CRUD operations.

Auditing Effective auditing and logging are the keys to non-repudiation, guarantee that a user cannot deny performing an operation.

Confidentiality Confidentiality is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or who monitor the traffic across a network. Encryption is frequently used to enforce confidentiality. Access control lists (ACLs) are another means of enforcing confidentiality.

Integrity Integrity is the guarantee that data is protected from accidental or malicious modification. Like privacy, integrity is a key concern, particularly for data passed across networks. Integrity for data in transit is typically provided by using hashing techniques and message authentication codes.

Availability Availability means that systems remain available for service users. The goal for many attackers is a denial of service and they attack to make sure that there are less than sufficient resources so that other users cannot access the application.

How to Build a Secure Web Application? It is not possible to design and build a secure Web application until you know your threats. An increasingly important discipline and one that is recommended to form part of your application's design phase is threat modeling. The purpose of threat modeling is to analyze your application's architecture and design and identify potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security.

After that, design with security by applying proven security principles. As developers, you must follow secure coding techniques to develop secure and robust solutions. The design and development of application layer software must be supported by a secure network, host, and application configuration on the servers where the application software is to be deployed.

A design approach to security

Securing Your Network The network infrastructure consists of routers, firewalls, and switches. The role of the secure network is not only to protect itself from TCP/IP-based attacks, but also to implement countermeasures such as secure administrative interfaces and strong passwords. The secure network is also responsible for ensuring the integrity of the traffic that it is forwarding. If you know at the network layer about ports, protocols, or communication that may be harmful, counter those potential threats at that layer.

Table: Network Component Categories [1]

Securing Your Host Secure a host, whether it is your Web server, application server, or database server, this guide breaks down the various secure configuration settings into separate categories. With this approach, you can focus on a specific category and review security, or apply security settings that relate to that specific category. When you install new software on your servers with this approach, you can evaluate the impact on your security settings. For example, you may address the following questions: Does the software create new accounts? Does the software add any default services? Who are the services running as? Are any new script mappings created?

Table: Host Configuration Categories [2]

Securing Your Application The top security issues across many Web applications, you would see a pattern of problems. By organizing these problems into categories, you can systematically tackle them. These problem areas are your application's vulnerability categories.

Table: Application Vulnerability Categories [3]

Summary An ever-increasing number of attacks target your application. They pass straight through your environment's front door using HTTP. The conventional fortress model and the reliance on firewall and host defenses are not sufficient when used in isolation. Securing your application involves applying security at three layers: the network layer, host layer, and the application layer. A secure network and host platform infrastructure is a must. Additionally, your applications must be designed and built using secure design and development guidelines following timeworn security principles.

References [1] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Network Component Categories, Table 1.1: Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017]. [2] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Rationale for Host Configuration Categories, Table 1.2: Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017]. [3] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Application Vulnerability Categories, Table 1.3: Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017].