security considerations in nosql data access - owasp appsec
MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE
OWASP AppSec USA 2011 Conference (@appsecusa / hashtag: #appsecusa)
Srini Penchikala (@srinip)
09.23.11
GOALS AND SCOPE
Goals: Messaging security architecture & design considerations and best practices
How to use NoSQL Databases for some messaging security use cases
Is Not: Security vulnerabilities talk
Is: Focus on application security in messaging:
Authentication & authorization
Message encryption
Logging and monitoring
Code examples on messaging security aspects (Java based)
Target Audience: Architects, Application Developers, and Security Ops
Format: 45 min presentation + 5 min Q&A
Demo Application (Java)
ABOUT THE SPEAKER
Security Architect
Certified Scrum Master
Author, Editor (InfoQ)
IASA Austin Chapter Leader
Detroit Java User Group Leader (past)
Working with Java since 1996, JEE (2000), SOA (2006), Security (2007) & PPT since 03/2011
Current: Agile Security Architectures, NoSQL Security, Domain-Driven Security Design, Security Architecture Enforcement, Model Driven Development
Future: Role of DSL in Architecture Enforcement, NoSQL Security Tools and Frameworks
BEFORE WE START
How many are currently using messaging in their applications?
How many are currently working in security architecture or development?
Any regulatory compliance requirements (Federal, State, Local, or Finance related)?
BACKGROUND
Financial services
J2EE security model
Agile software development
Regulatory compliance and its impact on IT
Software architecture
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
MESSAGING ARCHITECTURE
Asynchronous Communication
Message-Oriented Middleware (MOM) pattern
Java Message Service (JMS)
Architecture Components:
Broker
Connection
Destination (Queue or Topic)
Transactions
Message
Enterprise Integration Patterns*
*Source: http://www.eaipatterns.com/toc.html
MESSAGING SECURITY CONSIDERATIONS
Current state: Not enough focus on the middleware
Authentication
Role Based Access Control
Message Encryption
Transport Layer Security
Message Persistence
Secure Logging and Auditing
Secure Message Monitoring
Standards based administration (JMX)
Availability
Broker clustering
Automatic reconnect
Connection event notification
TECHNOLOGIES
GlassFish (v3.1)
Java EE 6 compliant application server
Open source and commercial versions
Open Message Queue (v4.5)
Implements JMS standard
Stand-alone service or deployed in an application server
Standard JMS Provider in GlassFish Server
Supports messaging security at various levels
Broker clusters (conventional and enhanced clusters)
Spring Integration Framework
Secure message channel (role based access)
SAMPLE DEMO APPLICATION
Technologies:
GlassFish 3.1 Application Server
Open MessageQueue
Neo4J (authentication and authorization)
MongoDB (persistence and logging)
Spring Data Framework
Spring Integration
Aspect-oriented Programming
Tools:
JDK 1.6
Eclipse
SAMPLE APPLICATION ARCHITECTURE
Diagram: a SOAP client and a JMX client connect to the OpenMQ server; a Neo4J DB provides AuthN/AuthZ; MongoDB is used for message persistence (in DB) and for logging.
AUTHENTICATION
Authentication
Flat file repository
LDAP authentication
JAAS-based authentication
Per broker repository
NoSQL database for storing user profiles
Graph databases (Neo4J)
JAAS AND MESSAGE QUEUE
Diagram source: Open Message Queue 4.5 Administration Guide
AUTHORIZATION
Users and groups
Pre-defined groups
admin
user
anonymous
Access control events
Connecting to a broker
Creating a message producer or consumer
Auto-creating or browsing a queue destination
Configuration based
accesscontrol.properties
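An accesscontrol.properties file covering the three access control events listed above (broker connection, producer/consumer creation, auto-create and browse), added here as an illustration and not taken from the talk or its demo application. The rule syntax follows Open MQ's file-based access control model (a version line, then resourceType.name.operation.allow|deny.user|group=principals); the queue name and the user names are constructed, while admin, user and anonymous are the broker's pre-defined groups.

```properties
version=JMQFileAccessControlModel/100

# Connecting to a broker: any authenticated user may open a normal
# connection, but ADMIN connections are limited to the admin group.
connection.NORMAL.allow.user=*
connection.ADMIN.allow.group=admin

# Weak rule (commented out): every principal may consume from every queue.
# queue.*.consume.allow.user=*

# Least privilege for the constructed "orders" queue:
# producers come from the user group, only the named service accounts
# may consume, and only admins may browse messages without consuming them.
queue.orders.produce.allow.group=user
queue.orders.consume.allow.user=orderprocessor,auditsvc
queue.orders.browse.allow.group=admin

# Topics: publish/subscribe limited to authenticated users (not anonymous).
topic.*.produce.allow.group=user
topic.*.consume.allow.group=user

# Auto-creation of destinations is an admin-only action, so a client
# cannot spin up an unmanaged queue or topic by merely naming it.
queue.create.allow.group=admin
topic.create.allow.group=admin
```

Apply the file on a per-broker basis and pair it with a non-anonymous authentication repository; a rule that is never listed is denied, so start from explicit allows rather than pruning a wildcard.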
AUTHENTICATION AND AUTHORIZATION
Diagram source: Open Message Queue 4.5 Administration Guide
MESSAGING SECURITY
Broker Level (Connection)
Destination Level
Message Level
ENCRYPTION
Encrypted client-broker communication
SSL based connection service
Connection service types
ssljmsservice (TCP/IP)
httpsjms (HTTPS Tunnel Servlet with HTTP protocol)
ssladmin (TCP/IP)
Cluster connection service
JMX connector (RMI over TCP)
ENCRYPTION BEST PRACTICES
Symmetric Key Algorithms: AES with minimum 128 bit key length
Hash Functions: SHA-256
Always use a salt value (salted SHA, SSHA) especially for passwords to defend against rainbow table attacks
Asymmetric or Public Key Algorithms: RSA with 1024 bit minimum key length
Data Integrity: Data Integrity/Data Signature or Message Authentication Code – HMAC (hash function-based message authentication code)
Use any underlying hashing algorithm, since HMACs are substantially less affected by the potential for collisions than the related hashing functions alone
Secure Network Communication: SSLv3 or TLS to ensure the encrypted transmission of data between systems
Security Standards Java API: OWASP’s ESAPI libraries
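A message-level integrity check following the practices listed above (HMAC-SHA256 over the message body, salted SHA-256 for stored credentials), added here as an illustration rather than code from the talk or its demo application. The payload and key are constructed and Java 8+ is assumed; in a deployment the key would come from a keystore and the tag would travel in a JMS string property next to the body.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Integrity tag for a message body plus a salted hash for stored passwords. */
public final class MessageIntegrity {
    private static final String HMAC_ALG = "HmacSHA256";

    // Producer side: tag the body so a consumer can detect changes in transit or at rest.
    static String tag(byte[] key, String body) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        byte[] raw = mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(raw);
    }

    // Consumer side: recompute and compare in constant time (MessageDigest.isEqual),
    // so a mismatching tag does not leak how many leading bytes were correct.
    static boolean verify(byte[] key, String body, String tagB64) throws Exception {
        byte[] expected = Base64.getDecoder().decode(tag(key, body));
        byte[] presented = Base64.getDecoder().decode(tagB64);
        return MessageDigest.isEqual(expected, presented);
    }

    // Salted SHA-256 (SSHA) for a stored credential: a per-user random salt defeats
    // precomputed rainbow tables. For password storage an iterated KDF such as
    // PBKDF2WithHmacSHA256 is stronger than a single salted hash.
    static String saltedHash(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] digest = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                       // constructed shared producer/consumer key
        new SecureRandom().nextBytes(key);
        String body = "{\"orderId\":1001,\"amount\":250.00}";  // constructed sample payload
        String t = tag(key, body);
        System.out.println("original verifies: " + verify(key, body, t));
        System.out.println("tampered verifies: " + verify(key, body.replace("250", "2500"), t));
        System.out.println("stored credential: " + saltedHash("s3cret".toCharArray()));
    }
}
```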
MESSAGE PERSISTENCE
Configurable persistence
File or JDBC-based data store
Securing a JDBC persistence store
NoSQL DB for persistence (MongoDB)
PERSISTENCE OPTIONS
Diagram source: Open Message Queue 4.5 Administration Guide
SECURITY LOGGING AND AUDITING
Event management (SIEM) and forensics
Critical for regulatory compliance (SOX, HIPAA, PCI, FISMA)
Log events
Startup, shutdown, restart, and removal of broker
User authentication and authorization
Reset of a persistent store
Creation, purge, and destruction of destinations
Administrative destruction of durable subscribers
Message Queue audit logging
JAAS based audit logging
Performance:
MongoDB Logger
SECURITY LOGGING CONSIDERATIONS
What data needs to be logged for security analytics purposes?
What should be the log format for business v. security logs?
Do we need to store the security logs in a different file (a new log4j appender) so only authorized users (admin) will have access to it?
How would the logs work with a SIEM tool (if applicable)?
MONITORING
Standards:
JMX
Remote JMX
Secure JMX
Tools:
JConsole/VisualVM
MONITORING MESSAGING COMPONENTS
Messaging components
Broker
Connections
Destinations
Producers
Consumers
Messages
Monitoring Tools:
VisualVM
Open MQ Administration Console
Any standards based monitoring tool (e.g. JMX for Java)
MONITORING SERVICES
Diagram source: Open Message Queue 4.5 Administration Guide
DEMO
BEST PRACTICES
Separation of messaging logic from application & business logic
Messaging code should be agnostic to MQ container
Declarative v. Programmatic message security
Emerging trends in messaging architecture
Light-weight and Agile message brokers
Embedded brokers (for unit testing)
Built-in security, monitoring and clustering
“Build in” security logging and monitoring capabilities into the product as a feature
Involve Dev & Ops from early phases of the project lifecycle
CONCLUSIONS
Messaging security is critical
Message at rest, in transit and in use
Messaging security considerations
Authentication, Role Based Access, Encryption
Logging and Monitoring
Messaging security support in Open MQ container
Role of NoSQL DBs in messaging security use cases
“One Size Fits All” fits nothing
RESOURCES
Messaging Patterns
Java Message Service (JMS)
Open Message Queue
Java Management Extensions (JMX) Technology
Open Message Queue 4.5 Administration Guide
Glassfish Samples
GlassFish Server Open Source Edition 3.1 Security Guide
GlassFish Server Open Source Edition 3.1 Administration Guide
THANK YOU
Thank you
Contact Information
http://www.infoq.com/author/Srini-Penchikala
@srinip
http://srinip2007.blogspot.com
Questions?
BONUS SLIDES
SECURITY IMPLEMENTATION AND ENFORCEMENT USING AOP
Implement messaging security using Aspects
Architecture:
Separate security event logic from application and business logic
Tools & Technologies:
ActiveMQ
MongoDB
Esper
AspectJ and SpringAOP
Demo
INTEGRATING SOAP AND MESSAGEQUEUE