Attributes of secure web application architecture

Basic secure web application architecture

Figure 1 illustrates a simple web application architecture. The application’s web server and database server share the same host machine. This architecture is very simple and useful for early stages of project development. However, it is not good enough for production applications as it introduces a single point of failure.

Multi-tier (N-tier) architecture

Multi-tier architecture separates different components of the application into multiple tiers/layers according to their functions. Each tier generally runs on a different system. This provides compartmentalization and avoids a single point of failure.

Multi-tier applications (e.g., Figure 3) enhance application security in comparison to single-tier (e.g., Figure 1) or two-tier applications (e.g., Figure 2).

Inter-tier authentication

Multi-tier architecture results in different tiers/components of an application interacting with each other to achieve seamless functionality. Before initiating communication or data transfer with other tiers, application tiers should authenticate with each other. This ensures that an attacker cannot impersonate the identity of other communicating tiers/components. Secure inter-tier authentication can be achieved using following mechanisms:

• Kerberos
• Mutual SSL
• IP validation

Username and password-based inter-tier authentication should be avoided as the security of usernames and passwords used for inter-tier authentication becomes critical.

Server-side validation

Data validation can occur on the client side (web browser) and the server side (web server). Client-side validation provides a seamless experience to end users as all user-provided input is validated quickly at the browser-level. Client-side validation does not require a data round trip to the server. Thus, it reduces the server load and helps improve its performance.

However, implementation of only client-side validation is not enough to protect against malicious users. In many cases, client-side validation can easily be bypassed by an attacker. This is possible since an attacker can create their own requests. Or, modify existing requests to send to the server independently from the web browser client. For example, an attacker may utilize a web proxy to intercept HTTP traffic between a web browser and the server. By intercepting the traffic an attacker can alter parameters after client-side validation is performed.

To protect the application from user-provided malicious data, implement server-side validation along with client-side validation. The implementation of server-side validation prevents attackers from accessing the application through alternate means (e.g., proxy) to bypass client-side validation.

Server-side validation should also perform strict input validation in the form of an inclusion list.

Secure communication

Applications should use HTTPS to encrypt traffic over the network. HTTPS provides an end-to-end secure connection between the client application (browser) and the server. Communication via HTTPS helps protect data in transit. TLS and SSL are the two common protocols used to protect the confidentiality and integrity of the communication over HTTPS. At a high level, a server uses valid SSL certificates provided by a Certificate Authority to identify itself to a browser. The browser and server then generate a shared secret which is used to encrypt all network communications.

If HTTPS is not enabled on the application server, the traffic between the browser and server flows over a non-encrypted connection. This helps an attacker retrieve sensitive information.

Even if the application server supports HTTPS, there are common considerations for all HTTPS implementations:

• Utilize TLS v1.2 or v1.1. If possible, avoid SSL v2, SSL v3, and TLS v1.0 as these protocols have known security vulnerabilities.
• Support only strong cryptographic ciphers. Avoid any cipher with a key size less than 128 bits.
• Disable TLS compression on an application server.
• Disable client-initiated renegotiation.
• Enforce HTTPS. If any user tries to access an application over an HTTP connection, the application should redirect the user to the HTTPS version of the application.    

Data at rest

Protect any data stored at rest within a back-end database server. After all, an attacker’s goal is to steal sensitive data. This data could exist in many formats, such as: financial information, personally identifiable information (PII), and personal health records. This makes the protection of data stored at rest critically important.

There are common considerations when protecting data at rest. These include:

• Use strong encryption algorithms (e.g., AES) to protect data. Avoid old or insecure encryption algorithms (e.g., RC4, DES).
• Do not create your own cryptographic algorithm or its implementation. Instead, use and implement algorithms widely accepted by the cryptographic community.
• Along with strong encryption algorithms, it is also necessary to use a strong (128 bit or higher) encryption key. Avoid using encryption keys that are derived in a predictable manner. A cryptographically secure pseudo random number generator (CSPRNG) can also be used to generate keys (e.g., Java’s SecureRandom). It is also necessary to rotate the key periodically (every 1-2 years depending on data sensitivity level).
• Avoid storage of sensitive data within configuration files.
• If it is necessary to store the data within temporary files during data transmission or the extract-transform-load (ETL) process, store data temporarily and clear it from the temporary location. Any sensitive information that needs to be stored within temporary files should be encrypted by the application.

Summing it up

It is important to remember that there are many universally acceptable “insecure” architectures. On the other hand, it is difficult to find a universally acceptable “secure” architecture. Web application security varies from application to application based on its business and performance needs. The attributes discussed should help the system architect design a stable and secure web application architecture to protect against common attacks.