SP-008: Public Web Server Pattern

Diagram:

Your browser does not support SVG files! We recommend you upgrade to the latest version of Firefox, Safari orOpera so you receive patterns with hyper-linked controls.


Assumptions:

  • RIA web application can built with any front end technology like AJAX, Java, Silverlight or FLEX/FLASH
  • End user authentication can be strong (with physical token based OTP, SMS based OTP, or iTAN list) or just UID/PW (enhanced with SRP, or Digest)
  • Web application state should not be stored on the client but only a pointer to the server side stored storage should be passed (encrypted) out to the client, for example as a cookie or as POST parameter
  • All input validation that is done on the client needs to be redone on the server

Typical Challenges:

  • Malicious entities try to exploit software bugs in the Web server
  • Denial of service (DoS) attacks may be directed to the Web server
  • Compromises through command injection attacks
  • The server may be used as a distribution point for attack tools, pornography, or illegally copied software.
  • Man in the browser attacks
  • Phising attacks
  • Misconfigurations

Resistance against threats:

  • Compromises through command injection attacks
  • Compromises through XSS attacks
  • Compromises through buffer overflow attacks
  • Compromises through access control violations

References

Classification: Pattern

Release: 08.07

Authors: Aurelius

Reviewer: tbd

Control details

AC-01 Access Control Policies and Procedures
AC-03 Access Enforcement
AC-07 Unsuccessful Login Attempts
AC-09 Previous Logon Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AU-03 Content Of Audit Records
AU-07 Audit Reduction And Report Generation
CA-02 Security Assessments
CA-04 Security Certification
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-05 Access Restrictions For Change
CM-07 Least Functionality
CP-02 Contingency Plan
CP-03 Contingency Training
CP-06 Alternate Storage Site
CP-07 Alternate Processing Site
CP-09 Information System Backup
CP-10 Information System Recovery And Reconstitution
IA-01 Identification And Authentication Policy And Procedures
IR-02 Incident Response Training
IR-04 Incident Handling
MA-02 Controlled Maintenance
MA-04 Remote Maintenance
MA-06 Timely Maintenance
PL-02 System Security Plan
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SA-03 Life Cycle Support
SA-08 Security Engineering Principles
SA-10 Developer Configuration Management
SC-05 Denial Of Service Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-20 Secure Name / Address Resolution Service (Authoritative Source)