Deployment

From OWASP
Revision as of 06:05, 2 August 2006 by Adamj (Talk | contribs)

Jump to: navigation, search
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.Guide Table of Contents

Contents


Deployment is the first and sometimes the only experience system administrators will have with your application. Customers who buy or use your application appreciate the lower costs of securely deployed software – if their system administrators do not have to spend hours or days securing your software, they are far more likely to choose your software over an insecure competitor.

Ease of deployment is a key consideration for many highly available or highly changeable systems. Systems have a special knack of buying the farm at 3 am Monday morning before the busiest day of the year. If your application can be trivially installed at 3 am by tired and emotional system administrators, they will remember you fondly when the time comes for new software or the next version. The worst case alternative is that your customers may not be around if your software takes three days to install.

Secure deployment is essential for high value systems. High value systems require controls in excess of basic software. This chapter guides you through packaging and deployment issues.

Objective

To ensure that the application is deployed as easily and as securely as possible.

Platforms Affected

All.

Best Practices

  • Software should have automated installers and provide automated uninstallers
  • Software should deploy using a least privilege security model
  • Software should not expose any secrets once installed
  • Documentation should not contain any default accounts, nor should the installer contain any pre-chosen or default accounts

Release Management

Release management is a formal process designed to ensure that applications are released in a tested and controlled fashion.

How to identify if you are vulnerable

Is there release management in place? If so, does it cover?

  • Deployment testing
  • Acceptance testing

How to protect yourself

  • Read software quality assurance references
  • Write deployment instructions
  • Eliminate all steps that can be automated
  • Implement a deployment acceptance test

Secure delivery of code

Attackers have been known to send malicious code to end users, so it is vital that your users and customers can obtain your software in a secure fashion.

How to identify if you are vulnerable

Secure delivery of code is relatively simple to test, and even easier to rectify.

  • Pretend to be a normal customer. Obtain your software in the usual fashion.
  • Was it obtained from a retailer or other distributor in hard format? If so, does the software contain instructions on how to validate it against legitimate deliveries?
  • Does the media contain any viruses or harmful code?
  • Was it obtained from a third party download site? If so, does it contain an accurate link back to your


How to protect yourself

Secure


Code signing

How to identify if you are vulnerable

How to protect yourself

Permissions are set to least privilege

How to identify if you are vulnerable

How to protect yourself

Automated packaging

How to identify if you are vulnerable

How to protect yourself

Automated deployment

How to identify if you are vulnerable

How to protect yourself

Automated removal

How to identify if you are vulnerable

How to protect yourself

No backup or old files

How to identify if you are vulnerable

How to protect yourself

Unnecessary features are off by default

How to identify if you are vulnerable

How to protect yourself

Setup log files are clean

How to identify if you are vulnerable

How to protect yourself

No default accounts

How to identify if you are vulnerable

How to protect yourself

Easter eggs

Easter eggs are mostly small (but sometimes not) hidden features. Often they will contain the developer’s names or activate hidden advanced or developer features, but occasionally, they are more like mini-applications. For the most part, they have no business function.


Figure 7 Adobe InDesign CS SVG Easter Egg

Easter eggs are fairly popular with developers, but they are problematic from a software engineering and legal view point. Unless easter eggs have been sufficiently designed and tested, easter eggs can cause the application to crash or misbehave. For example, Word 97 contained a pinball game and Excel 97 contained a small flight simulator. If these crashed with unsaved data, the application is not acting within design parameters, opening up liability.

However, there is a case for including debug functionality, as long as it is tested, not enabled by default, and is documented within the user or administration manual.

How to identify if you are vulnerable

It’s almost impossible to prevent clever

How to protect yourself

Malicious software

The delivery of software is littered with examples of software delivered with something more than the users bargained for.

Examples include:

  • Sony’s XCP root kit is delivered on millions of audio disks, infecting at least half a million PCs. Major legal problems have ensued, and set copy prohibition technologies back at least five years
  • Microsoft through a lack of a quality assured distribution process (now resolved), distributed viruses on multiple occasions, such as Concept and Wazzu

These examples are highly embarrassing, extremely expensive (in Sony’s case, hundreds of millions of dollars) to resolve, and truly trivial to prevent.

In most countries, it is now illegal to create, distribute, and use software that acts in a surreptitious and devious manner. Users will remember any vendor attempting such criminal sabotage and never buy from such vendors again. In Australia, such criminal acts are punishable with fines of up to $250,000 per infected computer, and up to 10 years imprisonment. Similar statutes and punishments exist in most countries.

OWASP is not a source of legal advice; if you think your software flies close to the wind, you must seek competent legal opinion. Even better, do not create or distribute such software. Karma will bite you on the flip side.

How to identify if you are vulnerable

Does your software contain any malicious code, which performs unauthorized or damaging activity? This could be code like Sony’s root kit. If so remove it.

Did you check your final software image for known:

  • viruses using at least one up to date virus scanner?
  • spyware using at least one up to date spyware scanner?

Be aware that there are many free spyware scanners available which are not to be trusted. They may surreptitiously install spyware, then when they 'find' it, advise that you need to buy the commercial version to be able to remove it. This situation will hopefully improve now that more antivirus and security software companies are building integrated solutions that detect spyware as well as viruses and worms. In the meantime, stick with the more well-known spyware detection software.

Is it possible for an auditor to determine when this scan took place?

How to protect yourself

Do not create or distribute malicious software – it is illegal in most countries.

Scan your final distribution images and media with at least one up to date virus scanner and at least one spyware checker. Document in your manual the date of this scan and the software used.

Further Reading

Deploying applications

  • (PHP) Deploying PHP web applications with Ant:

http://www.onlamp.com/pub/a/php/2005/12/20/php_ant.html

  • (J2EE) Deploying for the web using Ant:

http://www.onjava.com/pub/a/onjava/excerpt/AntTDG_chap8/index.html

http://www.onjava.com/pub/a/onjava/excerpt/AntTDG_chap8/index1.html

  • (Apple MacOS X) Package Maker

http://developer.apple.com/tools/installerpolicy.html

  • (Many Linux distros) Redhat Package Manager (RPM)

http://www.rpm.org/

  • (Debian, and MacOS X using Fink) Advanced Packaging Tool

http://www.debian.org/doc/manuals/apt-howto/index.en.html

  • (Solaris) Application Packaging Developer’s Guide

http://docs.sun.com/app/docs/doc/806-7008/

  • (Win32, .NET, any framework where xcopy works as a deployment tool)

Microsoft Windows Installer XML (wix), a free Windows installer creator

http://sourceforge.net/projects/wix

Examples of bad deployment practices

Sony’s root kit settlement will cost Sony more than $150 million and seriously set back their anti-consumer copy prohibition agenda

  • Sony, Rootkits and Digital Rights Management Gone Too Far:

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

  • Sony has a voluntary recall program for XCP infected disks:

http://cp.sonybmg.com/xcp/

  • Settlement details of at least ten class action lawsuits against Sony:

http://www.eff.org/IP/DRM/Sony-BMG/

  • Microsoft distributes macro viruses on CD

http://www.f-secure.com/v-descs/wazzu.shtml

Links

Guide Table of Contents