I am in the process of designing an application that users will be able to log on remotely and use - via a web interface.
Security is of paramount importance (think credit card and personal banking type information)- so I need to make sure that I get the security aspect nailed down - HARD.
I intend to provide the application functionality via traditional (stateful) web pages , as well as web services.
For what its worth, I am intending to use web2py as my web application framework.
Is there a list of guidelines I can follow to make sure that I have all areas covered?
One stop shopping: https://www.owasp.org/index.php/Main_Page
Read that and take every suggestion to heart.
you should consider at least the following:
authentication. getting users to log on in some manner. which authentication method they use depends on what you aim to provide
privacy. making sure the information they send is only visible to them and your application and not an eavesdropper.
in the simplest case SSL can take care of both of the above. it will always provide encryption but can also be used to authenticate or at least make some simple authentication mechanism more secure. one thing to look at is security of ssl. ssl is suceptible to a man in the middle attack particluarly when the users already have a trust relationship with, say, their employer - who can them proceed to install an ssl gateway which is effectively a mim.
authorisation. making sure users are only allowed to see what you want them to see and no more.
this really depends on technology you are using.
non reputidation. making sure the user cannot dispute the actions they perform
this is a very open ended question. legally this is seldom (never?) used so it depends... something like signed logs of user requested actions for example is probably enough.
Your biggest threat, by far, is writing server-side webapp code that introduces vulnerabilities in your web application layer. This is not something you can checklist. For a starter, make sure you are 100% comfortable with the items in the OWASP Top Ten and understand how to code safely against them. If you are not expert in web application vulnerabilities, strongly consider hiring someone who is to help review the web layer. At the least, i would consider contacting a security testing company to perform some form of penetration testing, preferably with a code review component.
If you ever do anything with credit card data, you will need to comply with the PCI DSS which will require at least quarterly remote-testing from an Approved Scanning Vendor.
Related
My client suggests that implementing a web service using WS-Policy entries inside the WSDL (using WS-SecurityPolicy standard, which seems to be the recommended way) might cause incompatibility issues with clients that call the web service. My first question is, are his concerns correct? If not, how can I prove to my client that it is safe to use WS? I could not find anything on the subject.
If compatibility issues can indeed occur, I need to find a different way to implement WS-Security requirements (like signing parts etc.) without Spring, using JavaEE APIs. I could not find anything on that subject either. The only thing I could find is about standalone web services but I do not want that, I want a web application and I need to use JavaEE APIs (so no Spring).
Any help will be appreciated.
If you have pre-existing clients already using this webservice, then yes it will break compatibility if you add WS-Security.
But if no one is using it, or it hasn't been developed yet, how will this cause compatibility issues?
Personally I see WS-Security as rather complex, particular in the area of signing and encryption, so if your client had said that some clients might not have the skills to implement the web service I would have been inclined to agree with him.
Me and some friends are going to develop a web site with playframework and a mobile application (android and iphone). So we need to make some webservices for the mobile application(CRUD). So we thought about using this web services in our playframework application instead of wasting time and creating the CRUD with anorm(writing all the sql requests).
Well, I'm here to ask for your opinion. Is this a good thing to do ? What's the best advised method here ?
Thank you.
PS: the web services are automatically generated with Netbeans from our database.
There are various reasons why I would advice against this approach.
A general design rule is not to expose your internal data model to the user. This rule comes in many flavors in which the layered architecture is probably the most known one.
In detail there will be issues like:
Tuning performance: This is hard to achieve because your have no, or not much control over the generated web services. When your application is really taking of your will suffer from this limitation
Access the service: I don't know whether you generate RESTful web services or WS-* ones. The latter will get you in trouble when accessing them via iphone.
Design Play vs. synchronous web services: Also somehow related to performance is the issue that the generated service is likely synchronous, blocking, which does not fit well with the non-blocking approach which the play framework is taking.
Abstraction level: Because your database is based on sets but your business model is likely not, you will have issues developing a decent client, tuning the performance, doing proper validation, security, etc.
Authentication, authorization and accounting: Hard to do because the database only knows the db system users
Change: What if you change your database model? Will the generated services continue to work? Do your have do adopt them event if you just add a column?
...
Some of those reasons do overlap, but I think the general problem should be clear.
Instead of this approach I would recommend the following. Develop a RESTfull endpoint for your app, which is not that hard to to. This is the external contract against which the clients should be developing. play-mini for example has a very need, Unfiltered based, API to do this. While doing this, focus on the operations your app really needs. CRUD in general is a bad model when thinking about production ready software.
How you access your database is another decision your have to make but probably it is not that important because it is not your external contract so your can change it when your have the need for doing so.
My team and me are currently working on quite a large project. We are working on an online game, which will be accessible (for the moment), in two ways:
-Via a web browser, an application full JavaScript(client-side), full Ajax (basically meaning that the UI will be managed in JS client side).
-Via an iPhone application (the UI will be managed by the application itself).
Between the two different applications, the core logic remains the same, so I believe (I could be wrong), that the best solution would be to create a web service (if possible using standards such as RESTful or Rest) capable of perming all necessary operations.
Following this logic, I have encountered a problem: the authentication and identity management of the user. This poses problem as the applications users need to be authenticated to preform certain operations.
I’ve looked into WS-security, but this obviously requires passwords to be stored, unencrypted on the server, which is not acceptable!
I then looked into Oauth, but at first glance this seemed like a lot of work to set up and not particularly suited to my needs (the way that applications have to be accepted does not please me since it will be my application and my application only using the web service, not any external application).
I’ve read and heard about a lot of other ways to do what I want, but to be honest, I’m a little confused and I don’t know what information is reliable and what isn’t.
I would like to note that I’m using symfony2 for the backend and jquery for the client side JavaScript.
Furthermore, I would like a detailed, step-by-step response, because I really am confused with all that I have read and heard.
Thank you for your time, and I hope someone can help me as it’s quite urgent.
Good evening
I'm not entirely sure if this answers your request, but since the UI will always be handled on the client side, I think you could use stateless HTTP authentication:
This is the firewall in security.yml:
security:
firewalls:
api:
pattern: ^/api/ # or whatever path you want
http_basic: ~
stateless: true
And then the idea basically is that on the server, you use your normal user providers, encoders and whatnot to achieve maximal security, and on the client, you send the HTTP authentication headers, for example, in jQuery:
$.ajax("...", {
username: "Foo",
password: "bar"
});
Please note that since the authentication is stateless (no cookie is ever created), the headers have to be sent with every request, but, I figure, since the application is almost entirely client-side, this isn't a problem.
You can also check the Symfony2 security manual for further information on how to setup HTTP authentication. Also be sure to force HTTPS access in your ACL, so the requests containing the credentials are secured (requires_channel: https in your ACL definitions).
We'll be developing mobile applications (for both iOS and Android platforms) that will be using web services. I'll be the one implementing the web services part and I plan on using Apache CXF.
It would be the first time I'm using CXF but I'm highly considering it because of its integration with Spring.
What are the potential issues (if any) with using CXF for mobile apps? If there are, is there supposed to be a better alternative to CXF? If there are none, any best practices I should also be considering?
Thanks!
I've been through the mobile ringer... WAP, J2ME, Brew, embedded languages, etc. Mobile development is exciting and also a bit scary...
Spring Integration: There is a big difference between * and **... be careful when setting up filters. It's easy to get out of hand securing end-points.
Authentication: How will your mobile devices authenticate and what is their role in Authentication, Authorization, and Access? Session management on occasionally connected devices - can get interesting. If a session goes stale how are you going to handle challenge / response?
App Security: Does your solution require SSL? Managing self-signed certificates is painful and time consuming. Do yourself and your mobile devs a favor and get a CA certificate in place up-front. You will save time (money) and a great deal of headache.
Proxy Power: Ideally, the people writing the front-end should be using an IDE that supports some kind of tethering for realtime debugging. Being able to add a breakpoint and introspect what's going on in the code... is mint. However, I haven't seen an IDE yet that gives front-end mobile devs the same experience as back-end devs. My guess is that your mobile devs are going all goo-goo eyes over jQuery. Understandably so! WebStorm and Aptana are good in the JS arena - but they're still evolving.
This is a problem front-end mobile devs need to work out... right? Yes... and no. Without proper tools everyone in the dev-chain will have to cook-up their own ways of answering questions like:
What did the mobile app send?
Was the request formed correctly?
What was the response?
Again, save yourself some time and finger-pointing and just sit down together (front and back-end devs) and work out a tech-stack that provides everyone optimal access to all app communications. Configurable logging on the server is a good idea to have in place from inception. Are you familiar with Firebug or Charles Proxy? A proxy can greatly simplify the debugging equation - just sayin'
Exceptions: Oh... and beware HTTP response codes. Exceptions on the server-side should be gracefully handled to prevent mobile consumers from choking on responses. Yikes - that's all I can say is YIKES!
Service / Life Cycle: Have you calculated the duration of the service and / or life cycle of your application? Knowing this can greatly impact architectural decisions.
Web Services: My knee-jerk reaction - is this the best technology for your product? Why Web Services? Can you come up with three concrete reasons why WS is the best option? From my experience, the most compact protocol will usually lead to the best user experience.
Food for thought... ASP.NET and JSon make a good pair.
http://encosia.com/using-jquery-to-consume-aspnet-json-web-services/
SOAP-XML is cumbersome. :-(
http://openlandscape.net/2009/09/25/call-soap-xm-web-services-with-jquery-ajax/
Have you considered RESTful Web Services? If you're using CXF... there are three different ways to build RESTful Web Services.
JAX-RS (CXF has an implementation of JSR-311 baked-in)
JAX-WS (more complicated - meh)
HTTP Binding (deprecated... may be removed from CXF in the future - fair warning)
More at: http://cxf.apache.org/docs/restful-services.html
Examples: http://solutionsfit.com/blog/2010/04/21/enterprise-mashups-with-restful-web-services-and-jquery-part-1/
Alternatives: There are so many great projects out there... Axis2 and Shiro come to mind. Without knowing more about your solution - it's difficult to recommend anything.
Final Thoughts: As a back-end dev, I would recommend getting familiar with the entire app tech stack and kick-off development with a series of small but functional samples that light the way through the obstacles mentioned above. Hold-on to the samples! They may prove useful in zeroing in on regression.
Mobile devices are getting faster and faster every day... it's true, but any dev worth their salt will know that they need to code to a common denominator if they want a mobile product to be widely consumed, adopted, and embraced.
I'm beginning a project right now that will require a pretty extensive web back end. Of the different calling conventions, we have found that the easier and more cost effective approach is to build a standard SOAP web service.
So now, we are in the process of looking at the different web service frameworks in order to determine which will meet the business needs:
Security
Cost
Time
I've only worked with WCF, which I was fairly content with, but I would like to explore all other options before I make a definite decision. In your experience, what do you feel is the best web service framework?
Web Services Interoperability Technology (Java)?
WCF (.NET)?
ActionWebService (Ruby)?
On a side note, we need a framework that can securely be accessed via iPhones, Windows Mobile Devices, and Blackberries.
Thanks in advance for your help.
Chris
WCF can be used to make both SOAP and RESTful Web Services. Interoperability is guaranteed as long as you stick to standards. But the more standards you put on it, less platform can catch up. In that sense REST on Basic Auth over https would be very light weight. Also see WS-I Basic Profile. Java vs .NET would be matter of taste, I think. WCF is not perfect, but it mostly seems to do the job.
One thing to consider about WCF is that it has a very rich extensibility model. Anything it doesn't do out of the box, you can teach it to do, with little or no change to your basic service.