Propelled Technologies (PT) Subject Matter Experts (SMEs) provide services that support cloud solutions built on Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or similar environments. Such solutions inherit the provider's existing network security controls, so PT focuses on the application security assurance required at the Application layer of the TCP/IP DoD Model. PT SMEs ensure all application deliverables adhere to Public Law 111-383, which states the general need for software assurance. Specifically, PT SMEs ensure that all applications comply with the Defense Information Systems Agency (DISA) Application Security & Development Security Technical Implementation Guide (STIG), which includes the need for source code scanning, the DISA Database STIG, and a Web Penetration Test to mitigate vulnerabilities associated with SQL injection, cross-site scripting, and buffer overflows.
Systems supporting DoD operations include a wide range of new technologies that bring both new capabilities and new vulnerabilities. The infrastructure services used by these new applications must be secured just as the operating systems and networks are. Security configuration guidance that is available for some of the infrastructure services supporting typical application development is described in the following sections.
Internet Applications (Web Servers)
Web servers may need to be publicly available, but that very availability exposes them to parties with less than honorable intentions. Common security devices such as firewalls, IDSs, and code integrity checkers do not fully address a web server's particular security needs.
Over the past few decades, the Internet has rapidly become a necessary tool for all organizations. Because users can easily reach web sites, web servers have become a focus for individuals who wish to steal, damage, or deny access to an organization's information and information systems. This is consistent with a trend in malicious user behavior toward attacking applications accessible via the Internet rather than the operating system of the host platform. An improperly implemented or configured web server can be attacked directly or used as a launch point to attack an organization's internal network or other services.
There are many functional areas of Internet and Intranet web technology that must be secured, including the following:
Host operating system
Web server software
The application running via the web server (including associated scripts and data, the database server, and associated applications)
Information (e.g., account logon data that is transmitted between client and server)
The client's computer system, most notably the web browser