
Chapter 6 DXP Security

[Figure 6-2. DXP layer-wise security vulnerabilities and security measures: a grid of vulnerabilities and corresponding security measures for the Infrastructure, Web, Application, Database and Services layers, framed by three cross-cutting panels: Planning (security assessment, threat profiling), Static and Runtime Testing (black box and white box testing, security code scanning, vulnerability and penetration testing) and Continuous Security Testing (early, continuous, iterative testing and continuous security monitoring).]

The following list details various security measures and best practices that can be taken at each of the layers:

• Infrastructure layer security: The main security vulnerabilities at this layer are denial of service attacks, incorrect security configuration, and elevation of privilege. To address them, the appropriate security measures include firewalls, robust monitoring, use of SSL (Secure Sockets Layer)/TLS (Transport Layer Security), robust server configuration, server hardening (disabling all unnecessary ports, services, and protocols on the server machines), and installing virus scanners and intrusion detection systems.

• Web server layer security: The main vulnerabilities at this layer are accidental information disclosure in stack traces and error messages, and elevation of privilege. To address them, use custom error messages that hide the system and framework details, and enforce a least privilege policy for all resources to prevent accidental information leakage and minimize the risk of privilege escalation.
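The custom error handling that the web server layer item calls for, as an added example that is not from the book: a "before" handler that returns the raw stack trace and a framework-revealing Server header, beside a hardened handler that returns a generic message with a correlation id and keeps the detail in the server log. The request handlers, the profile lookup and the in-memory log sink are constructed stand-ins, not a real web framework.

```python
import logging
import traceback
import uuid

# Constructed in-memory log sink so the example runs offline; a real deployment
# would ship these records to the central logging/monitoring system instead.
SERVER_LOG_RECORDS = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        SERVER_LOG_RECORDS.append(self.format(record))


LOG = logging.getLogger("dxp.web.example")
LOG.setLevel(logging.ERROR)
LOG.addHandler(_ListHandler())
LOG.propagate = False

# Response headers that disclose server or framework details; stripped from every response.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
FRAMEWORK_BANNER = "ExampleFramework/1.0 Python/3.x"  # constructed banner value


def lookup_profile(user_id):
    """Hypothetical application code; raises KeyError for unknown users, like real code might."""
    return {"alice": {"name": "Alice"}}[user_id]


def handle_request_insecure(user_id):
    """'Before': debug-style handler that leaks the stack trace and the framework banner."""
    headers = {"Server": FRAMEWORK_BANNER, "Content-Type": "text/plain"}
    try:
        return 200, headers, str(lookup_profile(user_id))
    except Exception:
        return 500, headers, traceback.format_exc()  # file paths, exception type, framework internals


def handle_request_hardened(user_id):
    """'After': custom error response; the full trace goes to the server log only."""
    headers = {"Server": FRAMEWORK_BANNER, "Content-Type": "text/plain"}
    try:
        status, body = 200, str(lookup_profile(user_id))
    except Exception:
        # A correlation id lets operators find the trace in the log without exposing it to the client.
        ref = uuid.uuid4().hex[:12]
        LOG.error("ref=%s unhandled error\n%s", ref, traceback.format_exc())
        status, body = 500, f"An internal error occurred. Reference: {ref}"
    headers = {k: v for k, v in headers.items() if k.lower() not in DISCLOSING_HEADERS}
    return status, headers, body
```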

Building Digital Experience Platforms - Page 200