Year Of Security for Java – Week 34 – Separate Admin Functionality

No Gravatar

What is it and why should I care?
The idea of separating administrative functionality may strike some as odd. By administrative functionality, I’m just grouping those higher criticality functions (generally user/group/role management) that have the characteristic of affecting the application at large, generally through privilege escalation. The idea here is this:

– I have some critical functions that allow user management
– If these functions were exploited, privileges could be added to or removed from users
– I don’t trust that these functions are perfectly protected in all cases

You may disagree with that flow, particularly the last step, and you may feel you are perfectly secure. In my experience, most apps have holes, and exposing critical functionality *unnecessarily* can allow those latent vulnerabilities to have a much larger impact.

What should I do about it?

First, determine if this is even an issue in your application. If you don’t manage users in your app, you don’t need to think about this one. If your application is only internal-facing, maybe your risk profile means you don’t care about this issue in that circumstance.

Next, consider your options:

Status Quo
You could leave things as they are (assuming an existing app) and leave the admin functionality in place. Depending on the value of the protected resources, this may be a legitimate option, but for an important application, it likely isn’t.

Build another application
You could build a standalone app that is separate from the general application. This standalone app could have different authentication requirements (multi-factor), or it might only be deployed internally since all the admins are internal, or access to it might be restricted to certain IP addresses, etc. You have a lot of options in this scenario, but it does require a different codebase and/or deployment.

Subset the application
You could also build a specific subset of your application related to administrative tasks. This is probably the most common option across applications I’ve seen. The issue is that access to this functionality is treated the same way as the general application. You can improve this by having additional controls. Maybe you require client certificate authentication for this subsection, or maybe multi-factor authentication. You might also have additional source restrictions (IP addresses, browser, etc.) for this subsection of the application.

No matter which option you choose, make sure that you consider the issue as it applies to your environment, evaluate the alternatives, and make an informed decision based on the individual circumstances of the situation.

In conclusion, administrative functionality in an application is a high-priority target for exploitation by attackers given the valuable functionality it exposes. With some simple and straightforward changes to your application, you can greatly reduce the risk of this functionality being exploited.

Be Sociable, Share!

Technorati Tags: