CISSP Client-Based Systems – Bk1D3T5St1

A client-based system in a distributed processing environment establishes and uses a client-server relationship across a communications infrastructure. Traditionally, client-server systems implement the application as a standalone program on the client, while newer client-server applications leverage a common browser, and the application is developed within that context. Both approaches remain in widespread use, but evaluating the security posture of applications in either environment requires different skills and techniques.

In a traditional client-based system, client-related vulnerabilities can be grouped into two broad categories: those related to the client application itself, and those related to the system on which the client runs. It matters little how well implemented and configured the client software is if the underlying operating system is vulnerable.

Client software vulnerabilities fall into several categories:
  • Vulnerabilities related to communications with the server, such as client software that connects to remote servers but does not take appropriate steps to do the following:
    • Validate the identity of the server
    • Validate or sanitize the data received from the server
    • Prevent eavesdropping of data exchanged with the server
    • Detect tampering with data exchanged with the server
    • Validate commands or code received from the server before executing or taking action based on information received from the server
  • Vulnerabilities related to the insecure operation of the client:
    • Storing temporary data on the client system in a manner that is insecure (i.e. accessible to unauthorized users through, for example, direct access to the client device’s filesystem)


To address these vulnerabilities, one can consider:
  • Using a recognized secure protocol (e.g. TLS) to validate the identity of the server and to prevent eavesdropping of, and tampering with, data communicated with the server
  • Using appropriate coding techniques to ensure that the data or commands received from the server are valid and consistent
  • Using digital signing to verify executable code received from the server prior to execution
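As an added illustration (not code from the original study note), the Python below puts the first two mitigations and the insecure-storage item from the vulnerability list into a small client: a TLS context that authenticates the server and refuses legacy protocol versions, an allowlist validator for commands received from the server, and a temporary file for server-supplied data that only the current user can read. The command names and JSON message format are assumptions made for the example.

```python
import json
import os
import ssl
import tempfile
from typing import Optional

# Commands this client accepts from the server, and the parameter names and
# types each one may carry (constructed allowlist for this example).
ALLOWED_COMMANDS = {"show_message": {"text": str},
                    "save_report": {"name": str, "body": str}}

def hardened_tls_context() -> ssl.SSLContext:
    """Client-side context that authenticates the server and refuses legacy TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True            # certificate name must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted or missing certificate: handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def validate_server_message(raw: bytes) -> dict:
    """Parse a JSON message from the server; reject anything not on the allowlist."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed server message") from exc
    cmd = msg.get("cmd") if isinstance(msg, dict) else None
    if not isinstance(cmd, str) or cmd not in ALLOWED_COMMANDS:
        raise ValueError("unknown or missing command")
    spec, params = ALLOWED_COMMANDS[cmd], msg.get("params")
    if not isinstance(params, dict) or set(params) != set(spec):
        raise ValueError("unexpected or missing parameters")
    if any(not isinstance(params[k], t) for k, t in spec.items()):
        raise ValueError("mistyped parameter")
    if cmd == "save_report":
        name = params["name"]
        # A server-supplied file name must be bare: no "", ".", ".." or directory part.
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError("report name must be a bare file name")
    return msg

def save_temp_report(name: str, body: str, directory: Optional[str] = None) -> str:
    """Store server-supplied data so only the current user can read it (mode 0600)."""
    directory = directory or tempfile.mkdtemp(prefix="client-")
    path = os.path.join(directory, name)
    # O_EXCL: fail instead of writing through a pre-planted file or symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(body)
    return path
```

Pass the context from `hardened_tls_context()` to `ssl.SSLContext.wrap_socket` (or to an HTTP client that accepts a context) and run every received message through `validate_server_message` before acting on it.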

In many cases the client may use software libraries, applets, or applications to process data received from the server. For example, the client may rely upon image display components to permit the viewing of files. These components (e.g. Flash and PDF viewers) will typically be provided by third parties and, as such, will need to be part of a vulnerability management program so that vulnerabilities that are discovered later can be patched in a timely manner.

If the client is a browser, then the browser ought to be configured in accordance with hardening guidelines available for the major web browsers. Similarly, the appropriate steps to protect and patch the underlying system that runs the client software need to be taken. Excellent sources of such guidance for browsers and client operating systems include The Center for Internet Security (CIS) and the Defense Information Systems Agency’s Security Technical Implementation Guides.

The client system also needs to be protected from other threats as appropriate, based on the risk assessment and threat modeling. This could include firewalls, physical security controls, full-disk encryption, and so on. See the next section for guidance on operating system hardening.

If the software has been developed specifically for this application, then the appropriate secure software development process as described in Chapter 8 must be employed.
