Tuesday, June 16, 2020

Web API security as foundation for #FHIR

I am a standards geek, and as such I am a strong advocate for standards developed and maintained by experts in their field. HL7 and IHE are where I focus my personal standards development. In the space of things that are special in Health IT. 

I resist when projects are brought to IHE or HL7 that want a standard developed or a profile developed in a technology space that is foundational to Healthcare, but where the specialization for healthcare is not needed. The following are some pointers to "Standards" that healthcare should use as is. This is not to say that there could be no specialization for healthcare, but rather that the fundamentals of these standards need to be followed first before anything special for healthcare is ever needed.

Web API Security -- OWASP Top 10 Web Application Security Risks

  1. Injection. Injection flaws
  2. Broken Authentication. 
  3. Sensitive Data Exposure. 
  4. XML External Entities (XXE). 
  5. Broken Access Control. 
  6. Security Misconfiguration. 
  7. Cross-Site Scripting XSS.
  8. Insecure Deserialization. 
  9. Using Components with Known Vulnerabilities. 
  10. Insufficient Logging & Monitoring. 

OAuth 2.0 Security Best Current Practice

This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.

IETF Best Current Practice in security

  • BCP038 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
  • BCP046 Recommended Internet Service Provider Security Services and Procedures
  • BCP061 Strong Security Requirements for Internet Engineering Task Force Standard Protocols
  • BCP072 Guidelines for Writing RFC Text on Security Considerations
  • BCP106 Randomness Requirements for Security
  • BCP136 Secure Connectivity and Mobility Using Mobile IPv4 and IKEv2 Mobility and Multihoming (MOBIKE)
  • BCP140 Preventing Use of Recursive Nameservers in Reflector Attacks
  • BCP188 Pervasive Monitoring Is an Attack
  • BCP194 BGP Operations and Security
  • BCP195 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
  • BCP199 DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers


No comments:

Post a Comment