dev@glassfish.java.net

Glassfish

From: DeNinno, John P (AS)
Date: Mon, 12 Oct 2009 18:33:36 -0500

<<Information Security Checklist.docx>>

Hi,
 I work at Northrop Grumman. I want to be able to use the Glassfish server version 2 or version 3 on a project that we are working on, but have been told that it needs to pass the Northrop Grumman security assessment and INFOSEC requirements before it can be used on the Northrop Grumman intranet.
Do you know where I can get answers to the following questions, or if you know the answers, can you provide them to me by answering these questions from the attached document? Note that the questions do not pertain to the application running on the Glassfish server but the Glassfish server itself, so some questions may not apply:

PURPOSE:
This checklist will function as the formal checklist for InfoSec approval of Open Source code to be introduced into the IT Solutions controlled Northrop Grumman computing environment. This list will function alongside Open Source checklists produced by Infrastructure Engineering and Legal. The output of this assessment will be an InfoSec recommendation to the Open Source Council as to Approval, Disapproval or additional steps/testing that must be accomplished prior to the OS code introduction into the environment, or execution steps that must be accomplished to address Information Security concerns or risks associated with the output or products created from Open Source code use in our environment. (As of March 2007 this document is DRAFT until formal ratification from Information Security is declared. Vance Field has action to obtain ratification from InfoSec.)

GUIDANCE:
This checklist is not necessarily intended to result in a binary decision about the introduction of the Open Source code into the environment. The output of this document will be used by the Open Source Council InfoSec member to adjudicate the disposition of the OS Council InfoSec vote. This document is subject to change and may not require InfoSec ratification following change. The InfoSec Open Source Council member will determine if ratification is required.

1 Public Open Source community website review
        Summarize an assessment of a minimum of two websites (such as Owasp, SecurityFocus, BugTraq) that discuss the open source code and its development life cycle. This assessment will be subjective in nature and enhanced with more explicit judgment criteria over time. This assessment will be combined with the below assessment of the code functionality for a recommendation from Information Security.
2 Security Architecture
2.1 Provide a high-level architecture diagram showing all servers, network components, etc required to host the application. Describe OS, application software, database software, etc (including versions/release levels) hosted on each server or network component.

2.2 Provide a full data flowchart (network communication) showing all network protocols and ports between all servers and network components. Include whether the communication is uni-directional or bi-directional.

2.3 Provide information on supported client OS, versions/release levels and hardware requirements. Provide details on software and versions/release levels required on the clients that is not part of a standard operating system installation (i.e. SQL client, Oracle client, etc). If the application is web-based, which web browsers and versions are supported?

3 Authentication
3.1 Does the application support native (built into application) username and password for authentication? What other authentication methods does the application support?

3.2 Does the application automatically force a user to enter a new password the first time the user logs in?

3.3 Does the application provide a means for Security Administrators/Help Desk to "reset" passwords for authorized users who have forgotten their password? If the password has been reset and the user logs in, does the application force the user to change their password?

3.4 Does the application provide a means for users to self-administer (change) their password during subsequent access?

3.5 Does the application mask passwords during input when the password field is displayed on screen, and does it avoid embedding passwords in clear text within emails, logs or documents?

3.6 Does the application support customer configurable parameters for minimum/maximum password length, password complexity, and number of reiterations before a password can be reused?

3.7 Does the application support password expiration on a definable time cycle? Is the time cycle customer configurable?

3.8 Does the application provide a reminder to the users to change their password prior to their passwords expiring? Is the reminder period customer configurable to multiple reminders?

3.9 Does the application support minimum password aging? Is the aging period customer configurable?

3.10 Does the application automatically lockout the account for a period of time after a set number of failed login attempts? Is the lockout period and number of failed attempts customer configurable?

3.11 Does the application automatically disable (requires administrator intervention to reactivate the account) an account after a set number of failed login attempts? Is the number of failed attempts customer configurable?

3.12 Does the application indicate (error message) which part of the log on data is correct or incorrect?

3.13 Does the application automatically disable an account after a defined period of inactivity? Is the time period customer configurable?

3.14 Does the application have the ability to report on accounts that have been disabled for a defined period? Automatically remove accounts that have been disabled for a defined period? Is the time period customer configurable?

3.15 Does the application allow for one user defined question and answer to be captured from a new user during the account creation process for security purposes?

3.16 Does the application have default, maintenance or guest accounts? Can these accounts be deleted, disabled or password protected with a strong, complex password?

3.17 Does the application automatically log off users after a pre-set idle time? Is the pre-set idle time customer configurable?

3.18 Does the application schedule jobs to be run at a defined time (batch) and is successful authentication required prior to the job running?

3.19 Are the batch (i.e., scheduled jobs, machine-to-machine) passwords at least 10 characters in length and not embedded in a machine-readable file in clear text?

3.20 Do all electronic transmissions of passwords utilize 128 bit strength symmetric encryption or higher?

3.21 Explain how passwords are protected at rest (stored).

3.22 Does the application have the ability to store authentication credentials within a LDAP repository? If so, is the communication secured/encrypted?

3.23 If Single Sign On authentication is used, is it as strong as the authentication mechanisms for each of the individual services?

3.24 Does the application utilize session cookies for session authentication? Are the sessions validated on the server side?

3.25 Does the application have unauthenticated sessions? If so, please explain.

3.26 In situations where browser cookies are utilized as a component of SSO or access control, are the cookies non-persistent?

3.27 Does the application encrypt cookies that contain sensitive data, in situations where browser cookies are utilized as a component of SSO or access control (e.g. When malicious modification could result in unapproved access by an individual with a valid account)?

3.28 When certificate based authentication is used within the application, is it based upon an agreed upon root authority(s)?

3.29 When utilized for client authentication, does the application store the certificates securely and protect them as described in the client certificate user obligation documentation?

3.30 Does the application have clear mechanisms for the granting, revocation, and suspension of certificates? The certificates should be checked every time a certificate is presented.

3.31 Does the application use FTP, Telnet, e-mail or any other services that involve authentication in the clear as part of the package?


4 Authorization and Access Control
4.1 Does the application provide role based authorization enforcement capabilities?

4.2 Does the application provide rule based authorization enforcement capabilities?

4.3 Does the application provide the ability to define a custom role for an individual?

4.4 Does the application allow for multiple classes of users?

4.5 Does the application provide the ability to define read-only roles to view security and non-security configurations and audit trails (i.e. auditors)?

4.6 Does the application provide the ability to define a security administration role that can view and configure security parameters?

4.7 Does the application provide the ability to define non-security administrative roles that can view and configure application specific parameters but not security parameters?

4.8 Does the application restrict access control on a need to know basis (e.g., customer service)?

4.9 Does the application have mechanisms to enable the data owner to manage access to data items?

4.10 Does the application have mechanisms to enable the data owner to manage access to data repositories (e.g., folders)?

4.11 Does the application have highly granular access control, with the ability to easily manage access control rights to individual data objects and collections of data objects?

4.12 Does the application have flexible options for controlling who can add/remove members to team lists?

4.13 Does the application have check-in and check-out capabilities of data objects?

4.14 Does the application have iteration control of data objects?

4.15 Does the application have file locking of data objects?


5 Audit Trails
5.1 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: A user successfully logs on to the application

5.2 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Every time a user fails to authenticate to the application

5.3 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: The disabling/locking out/enabling of an account

5.4 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: A user initiated data object modification (read, modify, create, delete object) event occurs

5.5 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Team membership changes are made

5.6 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Privilege changes are made

5.7 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Role base changes are made

5.8 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Rule base changes are made

5.9 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Workflow changes are made

5.10 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Illegal system access attempts (e.g., modifying the URL).

5.11 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: There is a failed file or object access

5.12 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: There is a failed use of user rights

5.13 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: There is a successful or failed change of security configurations/parameters/policies

5.14 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: There is a failed user/group configuration/parameter/policy change

5.15 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: A user utilizes a particular service or application

5.16 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Access to the scripts and bin folders

5.17 Does the application create audit trails containing at a minimum the User ID, the source IP address and a secure timestamp and include the following events: Access to the directories that contain files that are published as part of your web site?

5.18 Does the application have tamper resistant audit trail files?

5.19 Does the application log at a record level where databases are involved?

5.20 Does the application log at a field level where databases are involved?

5.21 Does the application ensure that read access to the audit trail file be restricted to specific security administrators?

5.22 Does the application ensure write and modify access to audit trail files be limited to only those accounts creating the audit trail files?

5.23 Does the application provide a means for audit trails to be archived/rolled over via a definable time cycle?

5.24 Does the application ensure that when a log file/disk is full, the system will backup the file to another electronic medium?

5.25 Does the application include an audit trail that captures changes to the underlying operating system (e.g., use of a tripwire)?

5.26 Does the application ensure that failure to backup audit trails when they are completely filled will stop the system from functioning?

5.27 Does the application ensure that all server operating systems on which audit trail files are generated have their clocks synchronized to a common standard (Time stamps must be recorded in GMT)?

5.28 Does the application provide the ability to read the audit trails using standard tools such as text editors, XML viewers or Web browsers?

5.29 Does the application provide the ability to filter logging based on event type and level of events?

5.30 Does the application provide the ability to configure alerts to be sent for security violation events?


6 Information Security
6.1 Does the application, upon receiving an unencrypted document and before placing documents in a vault, subject the document to anti-virus scanning?

6.2 Does the application perform virus-checking capability for all data objects entering/leaving the service?

6.3 If virus checking relies on signature-based methods (signatures/engines), does the application support signature updates daily or at a specified period?

6.4 In a development activity where Active-X is used, does the development include putting a mechanism in place covering the digital signing of Controls and the quality/performance/behavior standards confirmed by the digital signature?

6.5 In a development activity where JAVA Applets are used, does the development include putting a mechanism in place covering the digital signing of Applets and the quality/performance/behavior standards confirmed by the digital signature?

6.6 In a development activity where JAVA is used, does the development include Java security sandbox when Java is used on the client?

6.7 Within the application, for applets that require file I/O and/or any other local/network permissions, do they require a digital signature, which by default will grant permissions per Sun's default security policy?

6.8 In situations where plug-ins are used within the application, is the distribution from a validated source (preferably NG) with NG performed quality checks?

6.9 In the application, are all session time outs set to occur after 20 minutes of inactivity for a standard user?

6.10 In the application, are all session time outs set to occur after 12 minutes of inactivity for a privileged user (one who has access to privileged or higher classifications of information)?

6.11 In the application, are connections waiting for connection acknowledgement or connection activity from non-responsive subjects automatically terminated after the connection timeout period expires? Is the connection timeout period customer configurable?

6.12 Does the application disallow simultaneous sessions from the same subject?


7 Security Assessment
7.1 Has an independent security review (code review) been conducted on the application for the explicit purposes of finding and remediating security vulnerabilities? If so, who did the review, what were the results, and what remediation activity has taken place? If not, when is such an activity planned?

7.2 Has an internal code review been conducted on the application? If so, what tool(s) was used, what were the results and what remediation activity has taken place?

7.3 Describe the process to immediately disable all or part of the functionality of the application should a security issue be identified.

7.4 Provide documentation on whether, and where the application uses Java, Javascript, ActiveX, PHP, or ASP (active server page) technology.

7.5 Provide documentation on what language the application back-end is written in (C, Perl, Python, VBScript, etc)

7.6 Describe the quality assurance process for detecting common security issues such as cross-site scripting, buffer overflow, command injection, numeric range overflow/underflow, etc within the application. What tools are used to detect?

7.7 Is the application scanned for vulnerabilities, mis-configured services or ports?

7.8 How often are major versions, minor versions and patches released for the application?

7.9 What is a typical timeframe for releasing a remediation patch when a critical vulnerability is discovered?

7.10 Are the patches/releases scanned with anti-virus or anti-malware tools to ensure they are free of malware before being released?

7.11 Are digital fingerprints published with software/patch releases to verify the integrity of the software?

7.12 Describe the quality assurance process in testing security patches for the application as well as 3rd party security patches (OS, database, etc) for software and hardware required to support the application.

7.13 Is the application tested in a hardened environment including OS, database and other required components with industry standard hardening guidelines applied for each component as well as latest, applicable patches?

7.14 Describe supplier's involvement in troubleshooting/remediating issues that may arise when the application breaks or is non-operational due to the customer applying a 3rd party critical security patch (i.e. OS patch, SQL patch, etc).

7.15 Describe what application security enhancements/patches have been released in the last 6 months.

7.16 Describe what application security enhancements/patches will be released in the next 6 months.


8 Cryptography
8.1 Does the application use symmetric cryptography? Explain encryption algorithm(s), key length(s) and where it is used. Does the application provide the ability to change symmetric keys on a definable time cycle? Is this time cycle customer configurable?

8.2 Does the application use asymmetric cryptography? Explain encryption algorithm(s) and key length(s) and where it is used.

8.3 Does the application require Public Key Infrastructure (PKI) services? If so, explain.

8.4 Does the application use random number generation to generate keys for symmetric and asymmetric cryptographic operations? Explain when it is used.

8.5 Does the application use hashes or digital signatures? Explain the hashing algorithm(s) and where it is used.

8.6 If the application stores/transmits sensitive (i.e. passwords, personally identifiable information, company-sensitive/proprietary information) information, does the application support end-to-end document encryption? Explain encryption algorithm and key length.

8.7 Does the application provide the ability to encrypt sensitive data at the field level? Explain encryption algorithm and key length.

8.8 If and when sensitive data is extracted from a database of the application and displayed to a user's screen, does the application display/label the sensitivity of the data prominently on the user's display?

8.9 When cryptography is used within the application, are the encryption keys universal for all customers or are the encryption keys specific for each customer?

8.10 If the encryption keys are universal, what has been the solution for customers desiring to produce their own internal reports on sensitive data that is encrypted?

8.11 Are there tools within the application to perform multiple overwrite (DoD 5220.22M) of stored sensitive data?



John DeNinno
Sr. Software Engineer
High Altitude, Long Endurance (HALE) Unmanned Systems
Global Hawk Ground Segment
Northrop Grumman Aerospace Systems Sector
Work (858) 618-4581
john.deninno_at_ngc.com

http://www.operationcaregiver.org/
