Plane model (computer science)
A level model is used to assign the responsibilities of the relevant organizational areas to the individual subtasks in the security conception and implementation of web applications. The starting point is a subdivision into 6 levels (level 0 to level 5):
| level | Content (short version) | Responsible | Expertise | |
|---|---|---|---|---|
| 5 | semantics | Protection against deception and fraud | Headquarters | Corporate identity and corporate communication |
| 4th | logic | Securing processes and workflows as a whole | Client | Knowledge of business processes |
| 3 | implementation | Avoiding programming errors that lead to weak points | Developer (implementer) | Software development |
| 2 | technology | Correct choice and safe use of technology | Specialist developer, IT operations | General IT security |
| 1 | system | Securing the software used on the system platform | IT operations | Network and system administration |
| 0 | Network & host | Protection of host and network | ||
Levels
Level 0 - network and host
The level of network, server - hardware and running on the operating system is assigned here not directly the security of the web application. Rather, this level follows at the bottom. The implementation of basic security measures at this level is nevertheless regarded as a mandatory requirement for secure web applications.
Level 1 - system level
At the system level, all those programs are considered that are required for the functioning of the entire web application. This includes the web server and the application server , but also database and backend systems. These components must be included in the security design of a web application and set accordingly.
Level 2 - technology
This level of technology relates to the use of the right technology for the respective purpose and protection requirement, as well as its correct use. So z. B. a web application that transfers sensitive data unencrypted over the Internet is not using the right technology. A web application that encrypts passwords but uses a key that is too short may be using the right technology incorrectly.
Level 3 - implementation
The implementation level includes the area of unintentional program errors ( bugs ), but also nonexistent or inadequate checking of input data ( data validation ). This level also includes inadequate test procedures and the neglect of quality assurance, for example for reasons of cost.
Level 4 - logic
This level affects both the logic of the processes within a web application and the interaction with the user. If this is implemented too 'purposefully', there may be a possibility of abuse. If, for example, the corresponding user ID is blocked to prevent a password from being entered repeatedly after the fifth incorrect login attempt, this user could be specifically blocked out by a third party, provided no further measures are taken. This abusive practice is further facilitated if the user ID is easy to guess.
Level 5 - semantics
The semantic level includes content-related and communication-related aspects. It creates the context of trust for interacting with a user. If a great deal of care is not taken in this area, a web application can be misused by a third party in order to deceive a user. This area can rarely be limited to a single application. Rather, a cross-website or cross-company view is necessary. Abuse opportunities that make use of errors on the semantic level are social engineering , phishing , identity theft, etc.
See also
literature
- Hacking Exposed: Web Applications: Web Application Security Secrets and Solutions by Joel Scambray, Vincent Liu and Caleb Sima at Mcgraw-Hill Professional; 3. Edition. (November 1, 2010); ISBN 978-0071740647