Cloud-10 Infrastructure Security

From OWASP
Revision as of 08:22, 17 May 2010 by Ove Hansen (Talk | contribs)

Jump to: navigation, search

R9:Infrastructure Security

Security Risks


  1. Default configurations of systems and network devices
  2. All services, even active, unused ones, may contain security related bugs that potentially can be exploited.
  3. Compromised services may be used as "hop-off" points to other services, unless they are contained. For example, a compromised web service may lead to a compromised backend database, if the database can be reached directly from the web tier.
  4. Active network protocols, and open ports, may be exploited even if they are not used in the solution architecture
  5. Administrative access may be abused, either deliberately by the administrators, or through compromised administrative accounts. Furthermore administrative access can cause disruption through accidents
  6. All code (application, OS, network) will contain security related bugs, and configurations may contain configuration mistakes, that can be exploited.



Countermeasures


    1. Hardening of operating systems, applications and configurations
  1. Tiering of the solution architecture
  2. Containment
  3. Role-based administrative access, restricted administrative privileges
  4. Regular vulnerability assessments