46) Defer to Kernel
The intent of this pattern is to clearly separate functionality that requires elevated privileges from functionality that does not, and to take advantage of the user verification functionality that already exists at the kernel level. Using the kernel's existing user verification functionality leverages the kernel's established role in arbitrating security decisions rather than reinventing the means to arbitrate those decisions at the user level.
Any organization conducting e-commerce or publishing information over Web technologies must make its service easily accessible to its users. However, any form of Web site or e-commerce system is a potential target for attack, especially one exposed on the Internet. A Demilitarized Zone (DMZ) separates the business functionality and information from the Web servers that deliver it, and places the Web servers in a secure area. This reduces the "surface area" of the system that is open to attack.
The Demilitarized Zone pattern introduces a region of the system that is separated from both the external users and the internal data and functionality. This region will contain the servers, such as Web servers, that expose the functionality of the Web-based application. Restrict access to this region from the outside by limiting network traffic flow to certain physical servers. Use the same techniques to restrict access from servers in the DMZ to the internal systems.
A client needs to access a Web service. The Web service requires the client to present credentials for authentication so that additional controls such as authorization and auditing can be implemented.
50) Directed Session
The Directed Session pattern ensures that users will not be able to skip around within a series of Web pages. The system will not expose multiple URLs but instead will maintain the current page on the server. By guaranteeing the order in which pages are visited, the developer can have confidence that users will not undermine or circumvent security checkpoints.
In order to apply certain security mechanisms such as encryption, the distribution of secrets is necessary. The problem is how to communicate matching secrets only to those subjects who are privileged to receive them.
The intent of the Distrustful Decomposition secure design pattern is to move separate functions into mutually untrusting programs, thereby reducing both the attack surface of the individual programs that make up the system and the functionality and data exposed to an attacker if one of the mutually untrusting programs is compromised.
In order for developers to make consistent, intelligent development choices regarding security, they have to understand the overall system goals and the business case behind them. If the security goals are not documented and disseminated, individual interpretation could lead to inconsistent policies and inappropriate mechanisms.
Web servers and application servers are extremely complex, and complexity is a major impediment to security. In order to help manage the complexity of Web server and application configurations, developers and administrators must document the initial configuration and all modifications to Web servers and applications.