Diagram:
Assumptions:
- An RIA web application can be built with any front-end technology, such as AJAX, Java, Silverlight or FLEX/FLASH
- End user authentication can be strong (physical-token-based OTP, SMS-based OTP, or an iTAN list) or just UID/PW (enhanced with SRP or Digest)
- Web application state should not be stored on the client; only a pointer to the server-side store should be passed (encrypted) out to the client, for example as a cookie or as a POST parameter
- All input validation that is done on the client must be redone on the server
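The last two assumptions in working form, as an added example that is not part of the original pattern: all state lives in a server-side store, the client only receives an opaque pointer, and a form field is validated on the server regardless of what the client checked. The example keeps the pointer opaque with an HMAC-authenticated random identifier rather than encryption, since the pointer itself carries no state; the key, store and quantity rule are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed for the example: in a deployment the key comes from a secret store.
SERVER_KEY = secrets.token_bytes(32)
# Server-side state store: session id -> application state. Nothing here is sent out.
_SESSIONS = {}


def create_session(user_id):
    """Create server-side state and return the opaque pointer handed to the client."""
    sid = secrets.token_urlsafe(32)          # random, unguessable session id
    _SESSIONS[sid] = {"user": user_id, "cart": []}
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"                    # e.g. the value of a session cookie


def resolve_session(token):
    """Map a client-supplied pointer back to server-side state, or None if tampered."""
    sid, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time check of the tag
        return None
    return _SESSIONS.get(sid)


# Constructed server-side rule: a quantity is 1..999 with no sign, spaces or decimals.
QTY_RE = re.compile(r"[1-9][0-9]{0,2}")


def add_to_cart(token, item, qty_str):
    """Handle a request; re-validate the field even though the client also checks it."""
    state = resolve_session(token)
    if state is None:
        return False, "invalid session pointer"
    if not QTY_RE.fullmatch(qty_str):
        return False, "invalid quantity"
    state["cart"].append((item, int(qty_str)))
    return True, len(state["cart"])
```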
Typical Challenges:
- Malicious entities try to exploit software bugs in the Web server
- Denial of service (DoS) attacks may be directed to the Web server
- Compromises through command injection attacks
- The server may be used as a distribution point for attack tools, pornography, or illegally copied software
- Man in the browser attacks
- Phishing attacks
- Misconfigurations
Resistance against threats:
- Compromises through command injection attacks
- Compromises through XSS attacks
- Compromises through buffer overflow attacks
- Compromises through access control violations
References
- NIST SP 800-44, Guidelines on Securing Public Web Servers
- OWASP Guide Project
- Microsoft's guide on "Best Security Practices for Web Applications"
Classification: Pattern
Release: 08.07
Authors: Aurelius
Reviewer: tbd
Control details
AC-01 Access Control Policies and Procedures
AC-03 Access Enforcement
AC-07 Unsuccessful Login Attempts
AC-09 Previous Logon Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AU-03 Content Of Audit Records
AU-07 Audit Reduction And Report Generation
CA-02 Security Assessments
CA-04 Security Certification
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-05 Access Restrictions For Change
CM-07 Least Functionality
CP-02 Contingency Plan
CP-03 Contingency Training
CP-06 Alternate Storage Site
CP-07 Alternate Processing Site
CP-09 Information System Backup
CP-10 Information System Recovery And Reconstitution
IA-01 Identification And Authentication Policy And Procedures
IR-02 Incident Response Training
IR-04 Incident Handling
MA-02 Controlled Maintenance
MA-04 Remote Maintenance
MA-06 Timely Maintenance
PL-02 System Security Plan
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SA-03 Life Cycle Support
SA-08 Security Engineering Principles
SA-10 Developer Configuration Management
SC-05 Denial Of Service Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-20 Secure Name / Address Resolution Service (Authoritative Source)