This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cloud-10 Infrastructure Security"
From OWASP
Ove Hansen (talk | contribs) (→R9:Infrastructure Security) |
Ove Hansen (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | == R9:Infrastructure Security == | + | == R9:Infrastructure Security == |
| + | |||
| + | The security of the data hosted within an application is totally dependent upon the security of the infrastructure components that make up the platform for the application. Failure to take "best practices" into account can lead to a loss of data, reputation, or availability, and may even have regulatory/legal ramifications. | ||
| + | |||
| + | <br> | ||
Security Risks | Security Risks | ||
| Line 6: | Line 10: | ||
#Default configurations of systems and network devices | #Default configurations of systems and network devices | ||
| − | #All services, even active, unused ones, may contain security related bugs that potentially can be exploited. | + | #All services, even active, unused ones, may contain security related bugs that potentially can be exploited. |
| − | #Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier. | + | #Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier. |
| − | #Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture | + | #Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture |
| − | #Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents | + | #Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents |
| − | #All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited. | + | #All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited. |
| + | <br> | ||
| + | <br> | ||
| + | Countermeasures | ||
| + | <br> | ||
| − | + | # | |
| + | #Hardening of operating systems, applications and configurations | ||
| + | #Tiering of the solution architecture | ||
| + | #Isolation of infrastructure components, for example through the use of network ACLs, to reduce the <br> | ||
| + | #Role-based administrative access, restricted administrative privileges | ||
| + | #Regular vulnerability assessments | ||
| + | <br> | ||
| + | References | ||
| − | # | + | #Center for Internet Security (CISecurity) |
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 14:31, 17 May 2010
R9:Infrastructure Security
The security of the data hosted within an application is totally dependent upon the security of the infrastructure components that make up the platform for the application. Failure to take "best practices" into account can lead to a loss of data, reputation, or availability, and may even have regulatory/legal ramifications.
Security Risks
- Default configurations of systems and network devices
- All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
- Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
- Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
- Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
- All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.
Countermeasures
- Hardening of operating systems, applications and configurations
- Tiering of the solution architecture
- Isolation of infrastructure components, for example through the use of network ACLs, to reduce the
- Role-based administrative access, restricted administrative privileges
- Regular vulnerability assessments
References
- Center for Internet Security (CISecurity)
