Part 4 Defenses

00:04

Hello and welcome to the cyber very secure coding course my name miss anywhere, and this is a loss. Top 10 for 2013

00:13

a seven missing function level access controls, mitigations, countermeasures and defenses. Now, first, an overview of the defenses available.

00:25

They fall into two main areas. Designing access controls and then, of course, implementing those access controls.

00:34

Now, when designing them, you really need to create a role based access control matrix

00:42

in the example that we're going to take a look at. We are focused on people but realize that role based access control and the building of a matrix could also extend into classes that you would load at runtime. So please consider that in your design as well.

01:02

Now implementing access controls can basically fall within two areas. There would be the policies and the policies air going to define who can access what And then, Of course, there's the application code, which really adds the enforcement of those policies.

01:23

Now policies can be set at a file system level. For example, if you want to restrict ah, particular account to Onley access, a particular directory

01:34

policies can also be set at a database or data set level. This is commonly done in racket for a CF two on mainframe systems.

01:45

And then, of course, there are policies that are set inside of the security policy file of a programming language itself. We see this in the C sharp in job of languages.

01:59

Now in our application code, one of the ways that access controls are implemented is through our back that role based access control were basically inside of each function or each operation. The application programmer will perform some sort of check to ensure that

02:17

an operation is only performed by a particular role.

02:22

I'm also going to show you how you can use something called the Axis controller. Check inside of your code, and this is, of course, applicable. Four c sharp in Java.

02:34

Now, when designing access controls, you want to build some kind of matrix that identifies on the left hand side all of the roles that are going to be inside of your application.

02:46

Then at the top. You want to identify all of those operations that are available for the entire application,

02:53

and then you want to restrict which rolls can perform. Which actions

03:00

now. This provides two applications of security principles

03:06

the principle of least privilege and this and ensures that users only have enough power that they need in order to perform their job,

03:15

as well as a separation of duties, which I had mentioned previously. And this is what we want to restrict, for example, the application administrator from being allowed to do anything else in the application.

03:28

Now I realize that this is not commonly done, but this is something that should be done in situations where system is already designed and you're trying to retrofit access controls in.

03:39

You should probably implement monitoring

03:43

to ensure that no one user over extends their privilege. Now implementing access controls,

03:52

as I mentioned on the overview slide can be done at different levels. The file system, the database, the data set.

04:00

Some languages actually offer a security policy that can identify the accessing of maybe directories or even classes. And Java is one example. And so you're actually looking at the policy

04:18

tool that's being used to read the job

04:23

security policy file.

04:25

What I have here is a restriction of the temp directory to read and write, and it can only be done by classes that are permitted to do so

04:34

now. The enforcement of these custom rules added to the policy file

04:42

are actually done by a special class called the Axis Controller. So the access controller class

04:48

basically has tthe e. J VM performed these runtime checks against the job of security policy Farm.

04:58

Now the security policy file is going to have some default rules in there. Depending upon the application server that you're running,

05:08

you may or may not have to actually turn on the security manager.

05:13

Some application servers already have it on by default, for example, IBM WebSphere.

05:18

But if you want to add custom rules to that, you would have to actually use the policy tool to do so

05:26

and then to enforce that rule,

05:29

you need to add something like the axis controller dot do privileged method,

05:34

uh, in wrap that around the sensitive operation. In order to ensure that the J B. M does perform this permissions check,

05:45

there's a similar class and security policy available for C Sharp

05:50

now in addressing the forced browsing or failure to restrict you are real vulnerability.

05:56

What we could do and say our dot net application is actually

06:01

modify the web dot config file

06:04

to deny all users the ability to see any other pages and on Lee, allow specific users or specific role

06:15

to to see certain pages

06:18

via you are well on our website. Of course, this needs to be refined even more. You need to make sure that your sequel statements are not open ended, that they have that additional level of restriction inside of your wear clause

06:32

to ensure that only the account owner's heir seeing their own information, etcetera.