Java has a security model targeted at running applets and untrusted code, so you don’t need to worry about running your own code on your own servers, right? In fact, there are several vulnerability patterns that can affect server-side Java applications, and this presentation outlines some of the steps you should take to ensure that your server room is not compromised. It looks at the established techniques for enhancing your security and shows new technology from IBM that addresses several attack vectors.
20. Computing Platform
User Sessions
Application
Potential issues attributed to the application's computing platform
Risks from mis-configuration or manipulation of the computer
system hosting the application.
Middleware
Java
OS Platform
Client
Interface
Database
Vulnerabilities affecting the safe and secure operation of the application and its data by
deliberate or inadvertent unauthorized manipulation of the system.
Examples
CWE-842: Placement of User into Incorrect Group
The software or the administrator places a user into an incorrect group.
CWE-605: Multiple Binds to the Same Port
When multiple sockets are allowed to bind to the same port, other services on that port
may be stolen or spoofed.
CWE-405: Asymmetric Resource Consumption (Amplification)
Software that does not appropriately monitor or control resource consumption can lead to
adverse system performance. Sometimes this is a factor in "flood" attacks, but other
types of amplification exist.
21. Java Platform
User Sessions
Application
Potential issues attributed to Java-specific weaknesses
Using APIs as they are intended to be used, and adopting
mitigating actions for those with known high risk.
Middleware
Java
OS Platform
Client
Interface
Database
Designing the application and using coding patterns that promote secure practices, while
avoiding those shown to be at risk of introducing vulnerabilities.
Examples
CWE-227: Improper Fulfillment of API Contract ('API Abuse')
The software uses an API in a manner contrary to its intended use, or makes assumptions
that are not assured by the API documentation.
CWE-487: Reliance on Package Level Scope
Java packages are not inherently closed; therefore, relying on them for code security is
not a good practice.
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The application uses external input with reflection to select which classes or code to
use, but it does not sufficiently prevent the input from selecting improper classes or
code.
22. Application and Middleware
User Sessions
Application
Potential issues attributed to concepts in the application middleware stack
Ensuring correct usage of high-level concepts and their
semantics by developers.
Middleware
Java
OS Platform
Client
Interface
Database
Potential risks by defining behavior and manipulating data at
Examples
different levels of application-defined authority.
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The software receives input from an upstream component, but it does not neutralize or
incorrectly neutralizes code syntax before using the input in a dynamic evaluation call
(e.g. "eval").
CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session
The application stores a non-serializable object as an HttpSession attribute, which means
the session cannot be replicated across JVMs.
CWE-613: Insufficient Session Expiration
Insufficient Session Expiration is when a web site permits an attacker to reuse old
session credentials or session IDs for authorization.
23. User Sessions
User Sessions
Potential issues attributed to concepts in management of user level controls
Java
Ensuring that the logical unit of work encapsulated as application
sessions are secure, robust, and do not lead to data exposure.
Application
Middleware
OS Platform
Client
Interface
Database
Protecting the integrity of shared secrets and methods for establishing identity of users,
systems, applications, etc
Examples
CWE-268: Privilege Chaining
Privileges, roles, capabilities, or rights can be combined in a way that allows an entity
to perform unsafe actions that would not be allowed without that combination.
CWE-272: Least Privilege Violation
Elevated privilege levels required to perform operations should be dropped immediately
after the operation is performed.
CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Attackers can easily modify cookies and can bypass protection mechanisms such as
authorization and authentication by modifying the cookie to contain an expected value.
CWE-732: Incorrect Permission Assignment for Critical Resource
Giving permissions to a wider range of actors than required, could lead to the exposure
of sensitive information, or the modification of that resource by unintended parties.
24. Client Interface
User Sessions
Risks for systems that depend upon secure communications
Application
Middleware
Avoiding numerous risks that may diminish the assurances of
secrecy through the use of cryptographic techniques.
Java
OS Platform
Client
Interface
Database
Protecting the integrity of secure data exchange and methods for establishing identity of the
participants.
Examples
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may
result in the exposure of sensitive information.
CWE-337: Predictable Seed in PRNG
A PRNG is initialized from a predictable seed, e.g. using process ID or system time.
CWE-299: Improper Check for Certificate Revocation
The software does not check or incorrectly checks the revocation status of a certificate,
which may cause it to use a certificate that has been compromised.
CWE-297: Improper Validation of Certificate with Host Mismatch
The software communicates with a host that provides a certificate, but the software does
not properly ensure that the certificate is actually associated with that host.
25. Database
User Sessions
Risks in managing the data you use to achieve a business objective
Application
Middleware
Risks associated with application data being modified by, or
exposed to, those with no business need for such access.
Java
OS Platform
Client
Interface
Database
Increasing the security assurances around application data that is exposed to external storage,
either temporarily or permanently.
Examples
CWE-313: Cleartext Storage in a File or on Disk
The application stores sensitive information in cleartext in a file, or on disk that
could be read by attackers with access to the file, or with physical or administrator
access to the raw disk.
CWE-499: Serializable Class Containing Sensitive Data
The code contains a class with sensitive data, but the class does not explicitly deny
serialization. The data can be accessed by serializing the class through another class.
CWE-359: Privacy Violation
Mishandling private information, such as customer passwords or social security numbers,
can compromise user privacy and is often illegal..
26. System Data
User Sessions
Consideration of risks handling data associated with the computing
platform itself
Risks associated with storing descriptive system history in
shared log locations.
Application
Middleware
Java
OS Platform
Client
Interface
Database
Risks of inadvertently disclosing through system tools and behavior information that is
protected by the application.
Examples
CWE-532: Information Exposure Through Log Files
While logging all information may be helpful during development stages, it is important
that logging levels be set appropriately before a product ships so that sensitive user
data and system information are not accidentally exposed to potential attackers.
CWE-208: Information Exposure Through Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a
way that is observable to an actor and reveals security-relevant information about the
state of the product, such as whether a particular operation was successful or not.
CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
A backup file is stored in a directory that is accessible to actors outside of the
intended control sphere.
27. Summary – securing Java in the server room
Planning
risk assessment for type of application
define integrity and confidentiality goals
identify applicable policies
assurances about the computing platform
Development
secure engineering practices
mitigation and avoidance of known risks
security testing and review
user and administrator guidance
Operations
configuration management control and auditing
intrusion detection and monitoring
action plan for dealing with security incidents
contingency planning