How to know if a Redis in-memory data store should be trusted

Question

My application (or microservice, etc.) running in a container is reading from a Redis in-memory data store. How can I know if the data should be trusted?

Answer

Fortify views all data that comes from outside an application as a potential vector for an attack. It therefore marks all data coming into an application as potentially tainted and requires the data to be validated before it is used. This includes data coming in from Redis.

Best practice is that all data should be validated close to where it is used, including data that is read from Redis, to ensure that all data is validated and that it is validated correctly for how it will be used. For example, it is usually preferable to validate data for cross-site scripting just before sending it to a web page instead of validating it for cross-site scripting before it is placed in the memory store.

The following are examples of additional measures that are recommended:

  • Limit network access to the Redis instance to the application
  • Use Protected Mode
  • Enable the authentication layer to require password access
  • Enable TLS
  • Disable or rename administrative commands
  • Ensure there are no Redis injections (language dependent)
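The two points above that a developer can act on directly in application code are validating data at the point of use and avoiding Redis injection. The block below is an added illustration, not code from the original answer or from Fortify or Redis: the key names and sample values are constructed, `encode_resp` stands in for the argument framing a real client library performs, and the two sink functions show validation being applied where the value is used rather than where it was stored.

```python
import html
import re

# Constructed sample values, standing in for strings read back from Redis.
# Nothing read from the store is trusted until it is checked at the point of use.
SAMPLE_VALUES = {
    "user:42:display_name": "<script>alert(1)</script>",
    "user:42:login_count": "17",
    "user:42:bad_count": "17; not a number",
}


def encode_resp(*args: str) -> bytes:
    """Frame a command as a RESP array of bulk strings, the way a client
    library does when it is given separate arguments. Every argument is
    length-prefixed, so a value containing CR/LF remains one argument and
    cannot be parsed as a second command (the Redis injection concern);
    building the command by string concatenation would not give that guarantee."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode("utf-8")
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def html_text(value: str) -> str:
    """Sink-side validation for a web page: escape immediately before the
    value is placed in HTML, whatever was done when it was written to Redis."""
    return html.escape(value, quote=True)


def login_count(value: str) -> int:
    """Sink-side validation for a numeric field: accept only a bounded
    decimal integer and reject anything else instead of using it."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("login_count read from Redis is not a bounded integer")
    return int(value)


if __name__ == "__main__":
    # A value with an embedded line break stays a single 4-byte bulk string.
    print(encode_resp("SET", "user:42:note", "a\r\nb"))
    print(html_text(SAMPLE_VALUES["user:42:display_name"]))
    print(login_count(SAMPLE_VALUES["user:42:login_count"]))
    try:
        login_count(SAMPLE_VALUES["user:42:bad_count"])
    except ValueError as exc:
        print("rejected:", exc)
```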

Additional Guidance

OIS Software Assurance recognizes that the above is not always feasible for all applications. To show instead that a Redis in-memory data store can be trusted, the following criteria must be met:

  • Requirement: The developer will need to provide documentation[1] that attests that:
    • The Redis data store was instantiated using authorized[2] infrastructure configuration files, DevSecOps tool configuration scripts, and/or application run-time configuration scripts, and
    • Required system security monitoring and system configuration monitoring is being performed to ensure that the Redis data store is protected from unauthorized access.
  • Requirement: All data inserted into the Redis data store must be validated appropriately before it is inserted[3]

[1] There are no specific presentation or content requirements for the above attestation documentation, aside from addressing the specific technical concerns.

[2] The VA office or organizational entity that provided the authorization must be identified in the attestation.

[3] Validations of the data inserted into the data store must be appropriate for how the data is used. For example, if a string retrieved from Redis is placed in a web page, it must be validated against cross-site scripting before it is inserted into Redis. The audit comments must include pointers to all places in the code where that data is put in Redis and where it is validated so the reviewer can confirm the correct validations are in place.
