Last Tuesday evening a colleague and me attended an OWASP meeting of the Belgium chapter. The topics were:
-The Thinking Person's Guide to the Cloud. HOWTO: Keep your head in the clouds and your feet on the ground (by Gunnar Peterson, Arctec Group).
-Threat modeling (by John Steven, Cigital).
Especially the presentation of Gunnar Peterson was magnificent. He was funny, to the point and also explained the basic stuff, so you didn't have to be an expert to understand everything. He especially explained that a general mistake often made by non-security people, is to think that SSL secures your entire application. SSL is great, but there is a lot more to think about than just this one aspect.
There are a lot of methodologies to make your security vulnerabilities visible. This is called 'Threat modeling'. A simple and common used methodology is 'STRIDE', which stands for Spoofing, Tampering, Repudiation,Information Disclosure, Denial of Service and Elevation of privilege. These are the things you want to counter. The following table gives possible security solutions targeted at each specific problem.
Spoofing - Authentication
Tampering - Digital Signature
Repudiation - Audit Logging
Information Disclosure - Encryption
Denial of Service - Availability
Elevation of privilege - Authorization,Input validation
For each of the 6 items we have 3 categories where we could implement a security solution. You can implement it on the data level, method level and channel level. An example of the different levels:
• Data: XML
• Method: SOAP, URI
• Channel: HTTP
This means that you have 18 possibilities for implementing security. SSL however only is a solution for information disclosure, because you encryt the data on the channel level. Mostly that's not enough and you should for example encrypt parts of the xml message too.
SSL alone is not enough to secure your application!