How to know if zero trust principles are followed in my application

Question

How do I know if zero trust principles have been followed with regards to mitigating vulnerabilities in source code?

Answer

Zero trust principles require that an application (e.g., a RESTful web service or a microservice) always:

  • Assume the network is always hostile
  • Accept that external and internal threats are always on the network
  • Know that network locality alone is not sufficient grounds for trusting a network
  • Authenticate and authorize every device, user, and network flow
  • Implement policies that are dynamic and calculated from as many data sources as possible

Looking at potential vulnerabilities in source code scanned with Fortify does not necessarily determine whether an overall Zero Trust Architecture (ZTA) has been implemented.

However, it is possible to determine whether zero trust principles have been followed by examining the mitigation approach described for specific findings reported by Fortify. Mitigations implemented within the application itself generally follow zero trust principles. Mitigations that rely on external components such as a firewall, an API gateway, or trusted clients and servers generally do not follow zero trust principles.

The following table illustrates some differences between a ZTA mitigation and a mitigation that does not use zero trust principles:

Non-ZTA Mitigation | ZTA Mitigation
-------------------|---------------
Data does not need to be protected because it is only transmitted on an internal network. | Data is always encrypted when it is transmitted over the internal network.
RESTful API access does not need authentication or access control checks because it is behind an API gateway. | Every RESTful API call is checked to confirm that it comes from an authenticated client that is permitted to access the web service.
The microservice is trusted, so data does not need to be validated. | All data is validated before it is used, regardless of its source.
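To make the second and third rows of the table concrete, the following added example (not from this article, from Fortify, or from OIS Software Assurance) contrasts a handler that trusts a gateway header with one that authenticates the caller, authorizes the operation, and validates the request body itself. The token scheme, shared key, policy table, and request shapes are constructed for illustration only.

```python
import hmac
import hashlib
import json

# Constructed shared secret used to verify client tokens (demo value, not a real key).
SERVICE_KEY = b"constructed-demo-key"

# Constructed authorization policy: which client identity may invoke which operation.
POLICY = {"orders-ui": {"read_order"}, "billing": {"read_order", "refund_order"}}


def make_token(client_id):
    """Build a demo token of the form 'client_id.hmac' (illustrative scheme only)."""
    mac = hmac.new(SERVICE_KEY, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{mac}"


def non_zta_handle(request):
    """Non-ZTA: trusts a header the API gateway is assumed to set, and uses the
    caller-supplied identity and body without any checks of its own."""
    headers = request.get("headers", {})
    if headers.get("X-Forwarded-By") != "api-gateway":
        return 403, "not from gateway"
    order_id = json.loads(request["body"])["order_id"]  # unvalidated
    return 200, f"order {order_id} for {headers.get('X-Client')}"


def zta_handle(request, operation):
    """ZTA: authenticate, authorize and validate every request inside the service."""
    headers = request.get("headers", {})
    client_id, _, mac = headers.get("Authorization", "").partition(".")
    expected = hmac.new(SERVICE_KEY, client_id.encode(), hashlib.sha256).hexdigest()
    if not (client_id and hmac.compare_digest(mac, expected)):
        return 401, "unauthenticated"          # identity not proven
    if operation not in POLICY.get(client_id, set()):
        return 403, "not permitted"            # identity proven, operation denied
    try:
        body = json.loads(request.get("body", ""))
    except ValueError:
        return 400, "malformed body"
    order_id = body.get("order_id") if isinstance(body, dict) else None
    if not (isinstance(order_id, int) and 0 < order_id < 10**9):
        return 400, "invalid order_id"         # validated regardless of source
    return 200, f"order {order_id} for {client_id}"
```

A request carrying only the gateway header is accepted by non_zta_handle but rejected by zta_handle, which is the difference a reviewer looks for when judging whether a Fortify finding's mitigation rests on the application or on its surroundings.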

OIS Software Assurance evaluates mitigations based on zero trust principles. However, OIS Software Assurance recognizes that implementing a ZTA is not always feasible for all applications. Please see the following technical notes for additional guidance when ZTA cannot be met:

References