Security Best Practices for Azure App Service Web Apps, Part 3

This post was written by Piyush Mittal.

Microsoft’s Azure App Service is a fully managed Platform as a Service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. In spite of its ease of use, developers still need to keep security in mind because Azure will not take care of every aspect of security. In our first post on this topic, we learned how to configure custom domain names and certificates for web applications developed using Microsoft’s Azure App Service. In our second post, we learned how to enforce HTTPS for web applications developed using Azure App Service.

In today’s post, we will see different application settings available with Azure that can be used to increase the security and availability of the web application.

Recommended application settings

  • Always On: By default, Azure unloads a web application that has been idle for some time in order to save system resources, and loads it again when the next request arrives. This increases response time for that request and can lead to timeouts in some cases. To ensure the application is never unloaded, enable the Always On feature, which is included with the Basic, Standard, and Premium pricing plans.
  • Web Sockets: Enable this only if your application uses the WebSocket protocol. For safety, this protocol is disabled by default.
  • Auto Swap: For Standard or Premium pricing plans, Azure provides separate deployment slots, “live web apps with their own hostnames,” according to the documentation. An organization can have multiple deployment slots, such as development, staging, and production. Swapping code between two deployment slots can be automated by configuring the Auto Swap setting. This eliminates downtime when deploying a web application.
  • Remote debugging: When enabled, the remote debugger in Visual Studio can be used to connect directly to the web application. By default, remote debugging is disabled. Remember to disable it immediately after troubleshooting is done, or else it will remain enabled for 48 hours. After 48 hours, Azure will automatically disable it.

To configure the preceding settings, follow these steps:

  • Log in to the Azure portal.
  • Navigate to App Services in the left navigation pane.
  • Select your web application.
  • Click on Settings and select Application Settings.
  • Enable Always On. Ensure remote debugging is disabled. Decide whether to use Web Sockets and Auto Swap.

Follow this path to the Application Settings section in the Azure portal.


Cross-Origin Resource Sharing (CORS)

CORS allows applications from different domains to interact with your web application.

  • If Allowed Origins is blank, the setting is safe: no other domain can interact with your application, which means your application does not rely on CORS.
  • If Allowed Origins is set to particular domains, review whether each of those domains really requires access to your application.
  • If Allowed Origins is set to *, the setting is unsafe: every other domain can interact with your application, including any domain an attacker controls.

CORS can be easily configured through the Azure portal. To configure CORS for your web application, follow these steps:

  • Log in to the Azure portal.
  • Navigate to App Services in the left navigation pane.
  • Select your web application.
  • Click on Settings and select CORS.
  • Ensure “*” does not appear under Allowed Origins. Leave Allowed Origins blank, or list only the domains that genuinely require access.

Follow this path to the CORS settings in the Azure portal.


For more details on application settings for your web application, follow this link from Microsoft.
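The settings checklist and the CORS guidance above can be turned into an automated check. The following script is an added example, not code from the original post or from Microsoft; it audits a site configuration dictionary whose property names follow the Microsoft.Web/sites siteConfig shape (alwaysOn, webSocketsEnabled, remoteDebuggingEnabled, autoSwapSlotName, cors.allowedOrigins) and also shows, with a simplified model of the allowlist logic rather than the platform's own implementation, why a “*” entry lets any origin through. The two sample configurations are constructed for illustration.

```python
"""Audit an Azure App Service site configuration against the settings discussed above.

Added example; not the original post's or Microsoft's code. The input dictionary
mirrors the Microsoft.Web/sites siteConfig property names. Both sample
configurations below are constructed for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def is_well_formed_origin(origin: str) -> bool:
    """A serialized origin is scheme://host[:port] with no path, query or fragment."""
    parts = urlsplit(origin)
    return (
        parts.scheme in ("http", "https")
        and bool(parts.netloc)
        and parts.path == ""
        and parts.query == ""
        and parts.fragment == ""
    )


def audit_site_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Availability: an unloaded app pays a cold start on the next request.
    if not cfg.get("alwaysOn", False):
        findings.append("alwaysOn is off: app is unloaded when idle (slow first request, possible timeouts)")

    # Remote debugging exposes a debugger endpoint; it should be off outside troubleshooting.
    if cfg.get("remoteDebuggingEnabled", False):
        findings.append("remoteDebuggingEnabled is on: disable it as soon as troubleshooting is done")

    # WebSockets should only be on when the application actually uses the protocol.
    if cfg.get("webSocketsEnabled", False):
        findings.append("webSocketsEnabled is on: confirm the application really uses WebSockets")

    # CORS: a wildcard lets any origin read responses; other entries must be real origins.
    origins = (cfg.get("cors") or {}).get("allowedOrigins") or []
    if "*" in origins:
        findings.append("CORS allowedOrigins contains '*': any origin, attacker-controlled included, can interact")
    for entry in origins:
        if entry != "*" and not is_well_formed_origin(entry):
            findings.append(f"CORS allowedOrigins entry {entry!r} is not a scheme://host[:port] origin")

    return findings


def cors_allow_origin(allowed_origins: List[str], request_origin: str) -> Optional[str]:
    """Simplified allowlist decision: the Access-Control-Allow-Origin value to send,
    or None when the browser should block the cross-origin read.

    This models the allowlist semantics described above; it is not the platform's code.
    """
    if "*" in allowed_origins:
        return "*"  # wildcard: every requesting origin is accepted
    wanted = request_origin.strip().lower()
    for entry in allowed_origins:
        if entry.strip().lower() == wanted:
            return request_origin  # exact match on the listed origin
    return None


# Constructed sample configurations (not taken from any real subscription).
HARDENED_CONFIG = {
    "alwaysOn": True,
    "webSocketsEnabled": False,
    "remoteDebuggingEnabled": False,
    "autoSwapSlotName": "staging",
    "cors": {"allowedOrigins": ["https://app.contoso.com"]},
}

RISKY_CONFIG = {
    "alwaysOn": False,
    "webSocketsEnabled": True,
    "remoteDebuggingEnabled": True,
    "cors": {"allowedOrigins": ["*"]},
}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("risky", RISKY_CONFIG)):
        print(f"{name}: {audit_site_config(cfg) or ['OK']}")
    print(cors_allow_origin(["https://app.contoso.com"], "https://other.example"))
```

Run it against a configuration exported from your own subscription (for example the JSON returned by the portal or the CLI for the site's config) after converting it to a dictionary; each finding maps directly to one of the portal settings listed above.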


The post Security Best Practices for Azure App Service Web Apps, Part 3 appeared first on McAfee.

Can Zealous Security Cause Harm?

Security Balance

Good security requires balancing risks, costs, and usability. Too much or too little of each can be unhealthy and lead to unintended consequences. We are entering an era where the risks of connected technology can exceed the inconveniences of interrupted online services or the release of sensitive data. Failures can create life-safety issues and major economic impacts. The modernization of healthcare, critical infrastructure, transportation, and defense industries is beginning to push boundaries and directly impact people’s safety and prosperity. Lives hang in the balance; it is up to technology providers, users, and organizations to ensure the necessary balance of security is present.

We are all cognizant of the risks in situations where insufficient security opens the door to exposure and the compromise of systems. Vulnerabilities allow threats to undermine the availability of systems, confidentiality of data, and integrity of transactions. On the other hand, however, too much security can also cause serious issues.

A recent incident described how a piece of medical equipment crashed during a heart procedure due to an overly aggressive antivirus scan setting. The device, Merge Hemo, is used to supervise heart catheterization procedures, while doctors insert a catheter inside blood vessels to diagnose various types of heart diseases. The module is connected to a PC that runs software to record and display data. During this procedure, the application crashed when the security software began scanning for potential threats. The patient remained sedated while the system was rebooted, before the procedure could be completed. Although the patient was not harmed, the misconfiguration of the PC security software caused an interruption during an invasive medical procedure.

Security is not an absolute. There is a direct correlation between the increasing integration of highly connected and empowered devices, and the risks of an elevated frequency of attacks with a greater severity of impacts. The outcome of this particular situation was fortunate, but we should recognize the emerging risks and prepare to adapt as technology rapidly advances.

Striking a balance is important. It may not seem intuitive but, yes, too much security can be a problem as well. Protection is not free. Benefits come with a cost. Security functions can create overhead to performance, reduce productivity, and ruin users’ experiences. Security can also increase the overall cost of products and services. These and other factors can create ripples in complex systems and result in unintended consequences. We all agree security must be present, but there must be an appropriate balance. The key is to achieve an optimal level, by tuning the risk management, costs, and usability aspects for any given environment and usage.


Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

The post Can Zealous Security Cause Harm? appeared first on McAfee.

RunKeeper acknowledges location data leak to ad service, pushes updates

(credit: RunKeeper)

RunKeeper announced Tuesday that it had found a bug in its Android code that resulted in the leaking of users’ location data to an unnamed third-party advertising service. The blog post came four days after the Norwegian Consumer Council filed a complaint against the Boston company.

In the blog post, CEO Jason Jacobs wrote:

Like other Android apps, when the Runkeeper app is in the background, it can be awakened by the device when certain events occur (like when the device receives a Runkeeper push notification). When such events awakened the app, the bug inadvertently caused the app to send location data to the third-party service.

Today we are releasing a new version of our app that eliminates this bug and removes the third-party service involved. Although the bug affected only our Android app, we have decided to remove this service from our iOS product too out of an abundance of caution. The iOS release will be made available once approved by Apple.

We take our responsibility for the privacy of user data very seriously, and we are thankful to the Runkeeper user community for your continued trust and support.

In an e-mail sent to Ars, Jacobs declined further questions, noting the statement "will be our only comment at this time."


At the cost of security everywhere, Google dorking is still a thing

(credit: anutkak43)

Some people never seem to learn. A recent investigation by security firm Compaas trawled Google Docs and Dropbox and found thousands of sensitive documents belonging to hospitals, schools, and corporations. In many cases, the spreadsheets caused the organizations to run afoul of consumer privacy laws.

"We found a couple hospitals that had breaches in HIPAA compliance," Compaas COO Doran David said. "There was patient information, what types of surgeries they had, social security numbers. Anything that you would think of that you would consider personal is the type of thing we've come across."

In most cases, the documents are uploaded by employees who don't understand the privacy implications of what they're doing. They simply know that Google Docs and similar services are a much easier way to exchange documents than official methods provided by their employer. In other cases, they use misconfigured third-party apps to swap documents with co-workers. The end result is documents that never should have been made public but can in fact be downloaded by anyone.
