Hello and welcome to the side. Very secure coding. Course my name miss anywhere. And this is Boa's top 10 for 2013
a five security, Miss configuration, Mitigations, countermeasures and defenses.
So our defenses overview. We're gonna talk about
how to make a more secure configuration
in either our Web server configuration settings or programmatic settings. I'm going to talk about each detail,
basically for the Web server configuration settings these congee done at two different levels. You can have the disabling, for example, off directory indexing or directory browsing
at the actual Web server configuration files themselves along with actual secure settings in your Web application configuration files. And these might be web dot xml Or, in the case of IBM, WebSphere. It's known as the IBM Web
extension. Got XML file.
Now programmatically. We can also do
some similar settings where we can ensure that we're using
parse her settings that disallow for entity injection,
and we're going to look at some sample code for these. But basically we don't want to have the parcels support de TDs.
We want to disallow external entities. We wanna disallow external parameter entities
we want to disallow ex include a wears, and we also want to disallow expand density references so we'll look att these in detail in our code sample. So first, let's talk about the Web server configurations. As I mentioned thes ca NBI done at two different levels,
we can actually set thes within our Web server itself.
Whether you're running I, I s Apache or some other Web server,
there's usually a main configuration file where you can specify at a complete server level
the viewing of directories, and you definitely want to do this.
So for Apache, for example,
the name of the configuration file list http de comp. And there's a directory tag where you would add the options with the minus index is this is going to
turn off any viewing of the directories across the entire Web server to basically prevent the directory diverse oh, attacks that we spoke of.
Now, at the next level, where there's more of a program or influence, we have secure settings in the Web application configuration file.
Normally, this is web dot XML or IBM Web extension dot x amount.
So for Apache and Tomcat, what you would do is look for the unit parameter. That's entitled listings. Now, this is gonna be Web application wide.
If you want to specify it
only for a particular instance of a Web app, then you would need to do that separately in a separate configuration.
But basically you want to set this listing to be false so that the directories are not viewable.
So in IBM WebSphere the setting would be the enabled directory browsing value, and you would just sit that to fault.
So these are just a couple of examples of how could be done
now. Programmatic settings.
There are actually two different vulnerability areas that need to be addressed, particularly when it comes to ex Mel Parsons.
So first we're gonna look at the security small part sir settings and how we basically don't want to allow anything from the outside or anything locally to be accessing our Web service.
that's the reason for a lot of these disallows
the second area, and we saw this as well in some of the demos and you'll see it in the lab
is where there's a lack of access control. We may need to actually also put authorization in place.
Now this could be done a number of different ways. Probably the most common way is using role based access control. And so whatever the action is, you basically ensure that a particular role
is authorized to perform that action
another way that it could be done. Another implementation option would be using the access controller dot do privilege wrapped around. And so let's take a look at some of that sample code.
So first we are looking at the secure part, sir. Sample code.
Now, the example provided here is in Java,
but the same thing could apply to other languages. If you
take a look at the text book that accompanies wth e this course,
um, you should be able to find your language available there. And so in our tribe lock as we build our Parsa through the document builder factory. In this particular example, we need to make sure that we set validation to true
that we do not allow D two D's that we certainly don't allow external entities or parameters from those entities
that we set the secure processing feature on,
and also that we include some other, uh,
some other settings for put the prevention of XML scheme attacks, which includes the X, include aware and expand entity references.
Now, if we move on to the Axis Control
or authorization Check area here, we have the parse method for an XML file using the document builder.
However, we have the action actually wrapped around
a an access controller do privilege method.
And so this basically is going to reach out to the in this case, the job of security policy but could be done in dot net us well
and validates that particular entity,
to actually perform this action.
It could also be used. The policy could be used to
ensure that the entity is only accessing
the Web service or the Web XML file from particular directory.
And so there's a lot of granularity that can be added
to those policy files
and can basic basically be enforced using the access control of class.
So there are other Web application secure settings that can be done.
You can disable any debug information, particularly as you go into the production environment. You can see the example done here for dot net application and C sharp.
Make sure you don't have excessive timeout settings
have the HDP on Lee Flying set on your cookies.
The session cookie should be sent over over T l s.
If you use in. Q. Siri's make sure that the anonymous transport client is disabled.
Have a message. Credential on message Security enabled Foreign Cube
and have service authorizations specified. Of course, this goes back to the access controls that we've already talked about
and finally make sure that you've got certificate replication checking enabled. This is just a sampling of some of the many
secure settings that might be available for your Web application, so please consult your documentation.
So now we'll move on to the lab portion of our module.