11 Securing a real-world application


This chapter covers

  • Identifying potential threats against an application based on the architecture and data flow
  • Evaluating proposed mitigations based on business risk and level of coverage
  • Implementing safeguards for common threats against web applications
  • Implementing an authentication and authorization flow using Amazon Cognito

In this chapter we’re going to take what we’ve learned throughout this book and see how we can apply it in a realistic scenario. We’ll start by introducing a sample application and identifying the key areas where we need to apply better security practices. This involves examining the architecture, identifying potential threats, and coming up with potential mitigations for the highest-risk threats. We’ll also see how to implement some of those mitigations. At the end we’ll dive deeper into one of the trickiest parts, application access control, and implement that end to end.

11.1 A sample application

Imagine this: With all the AWS security knowledge you’ve built up, you’re now in charge of security for a new social media company. The company has a photo sharing application like Instagram, hosted on AWS, and they want you to beef up their security. Where do you start?

First, it’s probably best to dive into the application to see how it works. There are a few things you’ll need in order to understand what you’re working with, starting with the following:

11.1.1 Diving into the application

11.1.2 Threat modeling

11.2 Strong authentication and access controls

11.2.1 Credential stuffing

11.2.2 Brute forcing

11.2.3 Overly permissive policies and incorrect authorization settings

11.2.4 Inadvertent admin or root access

11.3 Protecting data

11.3.1 Data classification

11.3.2 Highly sensitive data