This project is read-only.

Web Application Security Scenarios

- J.D. Meier, Prashant Bansode, Paul Enfield.

We organize our scenarios for key problem areas into a frame. We use the scenarios to figure out where customers need more help, and to test how well the guidance, tools, and platform address the problems.

Hot Spots

  • Auditing
  • Logging
  • Authentication
  • Authorization
  • Code Access Security
  • Communication
  • Data Access
  • Deployment Considerations
  • Exception Management
  • Sensitive Data
  • Session Mgmt
  • Validation


Hot Spot Key Decisions
Auditing * How to identify the sink for auditing.
* How to identify the operations and events to be logged.
* How to identify the content or information to be logged.
* How to secure to audit files / store.
* How to archive audit information.
* How to handle audit failures.
* How to avoid storing sensitive information in audit files.
Logging * How to provide the necessary information for debugging cloud applications.
* How to use platform features to log debugging information without impacting application performance.
* How to handle sensitive information in debug logs.
* How to ascertain and send health status information.
Authentication * How to identify trust boundaries within Web application layers for authentication.
* How to authenticate your users and pass authenticated identities across the layers.
* How to use windows authentication in a web app.
* How to use forms authentication in a web app.
* How to authenticate with Live ID.
* How to authenticate mobile users.
* How to prevent brute force attacks
* How to use an foreign identity provider logon page (i.e., How to redirect to an STS from a browser.)
Authorization * How to identify trust boundaries within the Web application layers for authorization.
* How to decide granularity of authorization settings.
* How to federate claims.
* How to use resource authorization.
* How to use URL authorization.
* How to use roles authorization.
* How to ensure Least Privileged implementation.
* How to use Azure tables as a roles store.
* How to authorize access to Azure tables, queues, and blobs.
* How to prevent your application from relying on administrative privileges it will not have in the cloud.
Code Access Security * How to create custom trust policy for your web application.
* Under what circumstances should Worker and Web roles run under partial trust (default).
* Under what circumstances should Worker and Web roles run under full trust.
Communication * How to choose protocol, security and communication-style for communication between web application layers.
* How to secure any sensitive data that is sent across the network.
* How to choose between message security and transport security.
* How to secure inter-role (IPC) comm.
* How to handle interruptions in access to cloud applications.
* How to interact with non cloud applications that require fixed IP address.
Data Access * How to connect to a non cloud DB via integrated security.
* How to connect to a non cloud DB via Standard SQL security,
* How to secure Azure SQL db login (AuthN).
* How to secure Azure SQL db access (AuthZ).
* How to secure your application from SQL injection.
* How to encrypt your connection strings.
* How to use least-privileged accounts for database access.
* How to choose authentication option for data access.
* How to validate un-trusted input passed to your data access methods.
* How to connect to Azure blobs and tables.
Exception Management * How to choose exception management strategy.
* How to scrub exception message for secure exception handling.
* How to deal with sensitive information when handling the exception.
* How to deal with unhandled exceptions.
Sensitive Data * How to store sensitive data in the cloud.
* How to secure sensitive data sent to a cloud app.
Session Mgmt * How to choose a state store.
* How to identify the data to be stored in session store.
* How to handle session state in a single Web server scenario.
* How to handle session state in web farm scenario.
* How to secure your session store.
Validation * How to identify trust boundaries within Web application layers for validation.
* How to design your validation strategy to constrain, reject, and sanitize malicious input.
* How to efficiently and securely validate input data.
* How to secure Ajax validation.

Last edited Aug 22, 2009 at 12:58 AM by paulenfield, version 2


No comments yet.