Objective. Service-oriented architecture and its microservice-based approach increase an attack surface of applications. Exposed microservices become a pivot point for advanced persistent threats and completely change the threat landscape. Correctly implemented authentication and authorization architecture patterns are basis of any software maturity program. The aim of this study is to provide a helpful resource to application security architect and developers on existing architecture patterns to implement authentication and authorization in microservices-based systems. Method. In this paper, we conduct a systematic review of major electronic databases and libraries as well as security standards and presentations at the major security conferences. Results and practical relevance. In this work based on research papers and major security conferences presentations analysis, we identified industry best practices in authentication and authorization patterns and its applicability depending on environment characteristic. For each described patterns we reviewed its advantages and disadvantages that could be used as decision-making criteria for application security architects during architecture design phase.
Objective. Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA) are one of the critical type of access control vulnerabilities for modern applications. As a result, an attacker can bypass authorization checks leading to information leakage, account takeover. Our main research goal was to help an application security architect to optimize security design and testing process by giving an algorithm and tool that allows to automatically analyze system API specifications and generate list of possible vulnerabilities and attack vector ready to be used as security non-functional requirements. Method. We conducted a multivocal review of research and conference papers, bug bounty program reports and other grey sources of literature to outline patterns of attacks against IDOR vulnerability. These attacks are collected in groups proceeding with further analysis common attributes between these groups and what features compose the group. Endpoint properties and attack techniques comprise a group of attacks. Mapping between group features and existing OpenAPI specifications is performed to implement a tool for automatic discovery of potentially vulnerable endpoints. Results and practical relevance. In this work, we provide systematization of IDOR/BOLA attack techniques based on literature review, real cases analysis and derive IDOR/BOLA attack groups. We proposed an approach to describe IDOR/BOLA attacks based on OpenAPI specifications properties. We develop an algorithm of potential IDOR/BOLA vulnerabilities detection based on OpenAPI specification processing. We implemented our novel algorithm using Python and evaluated it. The results show that algorithm is resilient and can be used in practice to detect potential IDOR/BOLA vulnerabilities.
Objective. Service-oriented architecture increases technical abilities for attacker to move laterally and maintain multiple pivot points inside of compromised environment. Microservice-based infrastructure brings more challenges for security architect related to internal event visibility and monitoring. Properly implemented logging and audit approach is a baseline for security operations and incident management. The aim of this study is to provide helpful resource to application and product security architects, software and operation engineers on existing architecture patterns to implement trustworthy logging and audit process in microservice-based environments. Method. In this paper, we conduct information security threats modeling and a systematic review of major electronic databases and libraries, security standards and presentations at the major security conferences as well as architecture whitepapers of industry vendors with relevant products. Results and practical relevance. In this work based on research papers and major security conferences presentations analysis, we identified industry best practices in logging audit patterns and its applicability depending on environment characteristic. We provided threat modeling for typical architecture pattern of logging system and identified 8 information security threats. We provided security threat mitigation and as a result of 11 high-level security requirements for audit logging system were identified. High-level security requirements can be used by application security architect in order to secure their products
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.