Threats
The following sections describe some of the possible threats to PingGateway, which you can mitigate by following the instructions in this guide.
Out-of-date software
Prevent the exploitation of security vulnerabilities by using up-to-date versions of PingGateway and third-party software.
Review and follow the Ping Identity security advisories.
Follow similar lists from all of your vendors.
Reconnaissance
The initial phase of an attack sequence is often reconnaissance. Limit the amount of information available to attackers during reconnaissance, as follows:
-
Avoid using words that help to identify PingGateway in error messages, such as those produced by the entity in a StaticResponseHandler. For information, see StaticResponseHandler.
-
Use the lowest level of logging necessary. For example, consider logging at the
ERROR
orWARNING
level, instead ofTRACE
orMESSAGE
. For information, refer to Changing the global log level.
Cross-site scripting
When using a StaticResponseHandler, secure responses from cross-site scripting attacks, as follows:
-
Sanitize any external input, such as the request, before incorporating it in the response.
-
Specify
Content-Type
in theheaders
property of StaticResponseHandler when an entity is used. (Required by default, from PingGateway 7.) -
Set the response header
X-Content-Type-Options: nosniff
to prevent the user agent from interpreting the response entity as a different content type. (Set by default, from PingGateway 7.) -
Set a restrictive value in the
Cache-Control
response header. For example, settingCache-Control: private
indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache.
Compromised passwords
Despite efforts to improve how people manage passwords, users have more passwords than ever before, and many use weak passwords. You are strongly encouraged to use a password manager to generate secure passwords. You can use identity and access management services to avoid password proliferation, and you can ensure the safety of passwords that you cannot eliminate.
Manage passwords for server administration securely. Passwords supplied to PingGateway can be provided in files, through environment variables, or as system property values. Choose the approach that is most appropriate and secure for your deployment.
Misconfiguration
Misconfiguration can arise from bad or mistaken configuration decisions, and from poor change management. Depending on the configuration error, features can stop working in obvious or subtle ways, and potentially introduce security vulnerabilities.
The following behaviour can be caused by misconfiguration:
-
Routes fail to load, or succeed in loading but cause unexpected behaviour.
For example, if a configuration change prevents the server from making HTTPS connections, many applications can no longer connect, and the problem is detected immediately. However, if a configuration change allows insecure TLS protocol versions or cipher suites for HTTPS connections, some applications negotiate insecure TLS, but appear to continue to work properly.
-
Access policy is not correctly enforced.
Incorrect parameters for secure connections and incorrect Access Control Instructions (ACI) can lead to overly permissive access to data, and potentially to a security breach.
-
The server fails to restart.
Although failure to start a server is not directly a threat to security, it can affect service availability.
To guard against bad configuration decisions, implement good change management:
-
For all enabled features, document why they are enabled and what your configuration choices mean. This implies a review of configuration settings, including default settings that you accept.
-
Validate configuration decisions with thorough testing.
-
Maintain a record of your configurations and the changes applied.
For example, use a filtered audit log. Use version control software for any configuration scripts and to record changes to configuration files.
-
Maintain a record of external changes to the system, such as changes to operating system configuration, and updates to software, such as the JVM that introduces security changes.
Unauthorized access
Data theft can occur when access policies are too permissive, and when the credentials to gain access are too easily cracked. It can also occur when the data is not protected, when administrative roles are too permissive, and when administrative credentials are poorly managed.
Poor risk management
Threats can arise when plans fail to account for outside risks. To mitigate risk, develop appropriate answers to at least the following questions:
-
What happens when a server or an entire data center becomes unavailable?
-
How do you remedy a serious security issue in the service, either in the PingGateway software or the connected systems?
-
How do you validate mitigation plans and remedial actions?
-
How do client applications work when the PingGateway offline?
If client applications require always-on services, how do your operations ensure high availability, even when a server goes offline?
For critical services, test expected operation and disaster recovery operation.