Secure architecture review has become a necessary complement to regular penetration testing. An application architecture review examines the security controls present in the application's architecture, so that potential flaws are identified early and mitigated before development starts, rather than discovered in the finished application.
2. #whoami – Hiren Shah
• 25 Years in Business & IT field
• President & Mentor of Net Square
• LinkedIn: hirens
• Twitter: @hiren_sh
Business & IT Leader Mixed into One
4. Key Drivers and Considerations of today's Global Banks
1. Cross-selling for financial and non-financial products
2. Deliver experience based on personalisation
3. Support customer segments with different web capabilities
4. Support innovation: agility to implement new features
5. Seamless experience across channels
"To provide state-of-the-art customized, seamless and uniform user experience for all customer segments across desktop & mobile web"
5. Typical Logical Architecture
[Figure: the typical logical architecture built for the drivers above, annotated with the advantages it brings and the security challenges it introduces.]
Advantages:
• Cloud enabled
• Microservices driven
• Integration approach
• Personalization and contextualization
• Multilingual support
• Future proof
• Omni channel
• Polyglot persistence
Security challenges:
• Stateless architecture
• API management
• Infrastructure security
• Data security
8. Identifying security holes early on
[Figure: reference deployment. Components: client browser, WAF, Netscaler (LB), Nginx (reverse proxy / SLB), AngularJS app served by Nginx, Active Directory and ADFS, a PCF platform running Microservice A and Microservice B on embedded Tomcat, plus Redis, MQ, Config-Server, databases and an orchestrator as backing services. The edge hop is labelled HTTPS; the hops between internal components are labelled HTTP.]
While walking through the diagram, question the client on:
• Their threat perception
• Challenges in system administration on new platforms and technologies
• Polyglot persistence: how should data be stored?
• Limitation of tools, e.g. containerisation of the messaging layer?
14. Secured SPA Applications: typical technical architecture
[Figure: client side is the Angular framework (view/controller in HTML, services in TypeScript, model as JSON) with static CSS, images and fonts, and an HTTP interceptor handling AUTH; it talks JSON over HTTPS to the back end. Server side is stateless microservices on Spring Boot and allied frameworks: HTTP interceptor (AUTH filter), RestController and message listener, service, model (POJO), DAO and JDBC to the application database; a protocol adaptor (REST/JMS) with internal queues; JMS to a notification engine (SMS / email); caching; an unstructured datastore over TCP/IP; and an OIDC / OAuth server over HTTPS.]
Security specs:
• jsrsasign v8.0.12 (JavaScript library) on the client (https://www.npmjs.com/package/jsrsasign)
• Java Cryptography Extension (JCE) implementation of Java SE 8 on the server
• Secret key generation per session
• Encryption of sensitive data on the client using an RSA (2048-bit) public key
• MAC computation using HmacSHA512 and the secret key for every request/response
Build security design patterns:
• Validate design principles, e.g. what is the proposed solution for maintaining state in a stateless architecture?
• Build patterns of security principles, e.g. OTT
16. The Devil is in the Detail!

// Client-side random id generation as shown on the slide. These are Angular
// component methods; they are written here as standalone functions.
var clientSessionId = generateRandom();

function generateRandom() {
  // The initial values are placeholders only: getRandomValues() overwrites
  // all eight 32-bit slots with CSPRNG output.
  var asciiArray = new Uint32Array([0xFAFBA, 0xAFFBC, 0xFABBD, 0xFFFBA,
                                    0xFAFFE, 0xFADBA, 0xFEFBB, 0xFAFBD]);
  window.crypto.getRandomValues(asciiArray);
  return padZero(asciiArray);
}

function padZero(randomNumberArray) {
  // Concatenates the eight values, each prefixed with a literal '0'.
  // '0' + n does not pad n to a fixed width: each value contributes 2 to 11
  // characters, so the result is 16 to 88 characters long rather than the
  // fixed 16 digits the format below describes.
  return '0' + randomNumberArray[0] +
         '0' + randomNumberArray[1] +
         '0' + randomNumberArray[2] +
         '0' + randomNumberArray[3] +
         '0' + randomNumberArray[4] +
         '0' + randomNumberArray[5] +
         '0' + randomNumberArray[6] +
         '0' + randomNumberArray[7];
}

A new "nonce" header value is sent on every request and validated against the response header value. It also acts as a correlation id to trace and correlate user requests in logs across back-end services.
Format: (16-digit random per session | 16-digit random per request)

var requestId = generateRandom();
requestHeaders['nonce'] = clientSessionId + '|' + requestId;
"state" is the unique server session id, created for tracking the conversation of the multi-factor login flow, with a short maximum idle/inactivity timeout (e.g. 5 minutes).
Format: Base64.getUrlEncoder().withoutPadding().encode(User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString())
Note that base64url is an encoding, not encryption: every field embedded in state is readable by whoever holds the value, and its unpredictability rests on the random UUID alone.
[Sequence diagram: step 1 of the MFA login flow. Participants: End-User, LogonUI (Angular client), HTTP server at https://www.kotak.com/Signin/, Authentication Service, Cache Server (Redis).
1. End-User inputs the UserId.
2. LogonUI: generateNonce(); POST /v1/idp/login with header [nonce] and body {client_id, userId}.
3. Authentication Service: look up UserId and CRN (FindUID), generateState(), put(state, HashMap) into Redis.
4. Response carries the same [nonce] header and body {state, authMethod}; LogonUI runs validateNonce() against it, displays the fields relevant for authMethod, and busts frames.]
The reverse proxy should add standard security headers to ALL responses, e.g.:
Strict-Transport-Security: max-age=599
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: https://www.abcbank.com
Two points for the reviewer: an HSTS max-age of 599 seconds gives only about ten minutes of protection after the last visit, so a production value of at least a year (max-age=31536000, with includeSubDomains) is the usual recommendation; and X-XSS-Protection is ignored or removed by current browsers, so it cannot be relied on as a control and a Content-Security-Policy header is the modern replacement. Access-Control-Allow-Origin should name exact origins, never *, on any endpoint that returns user data.
18. Controls and testing goals
Prioritise review of some controls over the others. These you will also get a chance to test thoroughly during AppSec.

Authentication
• Authenticate users before allowing access to any sensitive data or operations.
• Safeguard user accounts from misuse or unauthorized use.
• Protect authentication credentials when stored or in transit.
Authorization
• Prevent user access to resources outside their assigned privileges.
• Restrict functionality to only those resources required to fulfil the task.
Input Validation
• All client-side input must be regarded as untrusted.
• All input must be validated before being passed to the application logic.
• Only good and expected input should be allowed.
Session Management
• Protect against session hijacking.
• Protect against brute forcing.
• Well-defined login and logout points.
• Expired sessions cannot be re-used later.
Client Protection
• Assume an untrusted endpoint environment.
• Assist in application-layer endpoint security.
• Prohibit sensitive data from being stored on the client.
• Assist in preventing data leaks from the endpoint.
Cryptography
• Appropriate choice and justification of cryptographic algorithms.
• Well-known and tested cryptography.
• Detect inadvertent use of cryptography.
Logging
• Auditing capabilities independent of any other system audit trails.
• Events should be labelled appropriately within the log data.
• Log review.
• Protected from unauthorized access and tampering.
23. Process & Policy are not "out-of-scope"!
Serious security breaches typically manifest because of weaknesses in process and policy design along with technical vulnerabilities. Examples:
• Technical: a vulnerability in funds transfer allows unauthorized funds transfer.
• Policy: the user id used for customer identification is a sequential number.
• Process: money can be transferred to a beneficiary without registration.
24. Review activities: sometimes, "what the client wants"
# Activity
1 Documents review (network, data flow, etc.)
  Understand the network and data flow of the application, with all components that are part of its ecosystem and any other applications it connects to.
2 Inter-tier authentication
  Functionality of the interfaces; encryption used (SSL, TLS, etc.).
3 User authentication & authorization
  Authentication: AD or local; role-based access; master maintenance (maker/checker for important functions).
  Dormant accounts and how they are managed; service accounts and related security (interactive login disabled).
  Multifactor authentication: known vulnerabilities.
  Check whether the software component used for authentication has known vulnerabilities.
4 Data at rest
  Identify how sensitive data is stored in the database.
5 Data in transit
  Review how sensitive data is transmitted over the communication channel.
6 Security review of APIs and web services associated with integrations (if applicable)
  Review the technology (OAuth, JWT, etc.) used for the API or web service and identify whether any known vulnerability is present, e.g. no validation of session tokens.
7 User access management (provisioning / de-provisioning / modification)
  Review how users are provisioned and removed. What is the frequency of user access review, and is there a documented procedure for it? Dormant account handling.
8 Password policy
  Review the application's password policy; if it is not integrated with AD, check that it matches the Kotak-defined password policy.
25. Review activities (continued)
# Activity
9 Multifactor authentication
  Review the multifactor authentication used (Google Authenticator), check for any known vulnerabilities and whether the implementation is secure.
10 Cryptography management
  Review the encryption and hashing algorithms used in the application; are they as per the Kotak-defined cryptographic standard?
11 Audit logging
  Review logging of sensitive information; identify logging across the various components (OS, app, DB, etc.).
12 Application deployment process
  How is the final compiled code deployed? Is there a defined process, or can the app owner push binaries directly to production?
13 Backend (database / MQ) tampering for initiating a transaction or updating balances
  Actually tamper with the request or files used for processing the transaction and review whether it gets executed successfully. Try to update the same values directly in the backend database and review the execution.
14 Financial transaction flow (STP / manual)
  Review the transaction flow and the controls around it, e.g. whether a file integrity solution exists for a file-based transaction system.
15 Identify and review the configuration of compensating controls (e.g. WAF, IDS / IPS responsible for the application)
  Identify the technologies used as compensating controls for known vulnerabilities and review their configuration and implementation.
16 Data integrity
  As a security measure the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether it is implemented securely, e.g. whether the algorithm used for generating the checksum is obsolete. Bear in mind that an unkeyed checksum only detects accidental corruption: anyone who can alter the payload can recompute it, so integrity against tampering requires a keyed MAC or a signature.