Unit 8: Security for Web Applications
• Security is fundamentally about protecting assets (data, hardware, reputation, etc.). Therefore you should:
  ◦ Identify potential threats
  ◦ Detect and fix vulnerabilities
  ◦ Know how to react to an attack
• A threat is any potential occurrence, malicious or otherwise, that could harm an asset.
• A vulnerability is a weakness that makes a threat possible, due to poor design, configuration mistakes, and/or inappropriate and insecure coding techniques.
• An attack is an action that exploits a vulnerability or enacts a threat. Examples:
  ◦ sending malicious input to an application
  ◦ flooding a network in an attempt to deny service.

dsbw 2011/2012 q1                                                            1
Foundations of Security
• Authentication (who are you?): the process of uniquely identifying the clients of your applications and services.
• Authorization (what can you do?): the process that governs the resources and operations that the authenticated client is permitted to access.
• Non-repudiation: guarantees that a user cannot deny performing an operation or initiating a transaction.
• Confidentiality: the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized people.
• Integrity: the guarantee that data is protected from accidental or deliberate (malicious) modification.
• Availability: systems remain available for legitimate users.


Main Threat Categories (STRIDE):
• Spoofing: Attempting to gain access to a system by using a false identity, e.g. using stolen user credentials or a false IP address.
• Tampering: Unauthorized modification of data, for example as it flows over a network between two computers.
• Repudiation: The ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.
• Information disclosure: Unwanted exposure of private data.
• Denial of service: The process of making a system or application unavailable.
• Elevation of privilege: Occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application.


STRIDE Countermeasures
Spoofing user identity   Use strong authentication.
                         Do not store secrets (e.g., passwords) in plaintext.
                         Do not pass credentials in plaintext over the wire.
                         Protect authentication cookies with SSL.
Tampering with data      Use data hashing and signing.
                         Use digital signatures.
                         Use tamper-resistant protocols.
                         Use protocols that provide message integrity.
Repudiation              Create secure audit trails.
                         Use digital signatures.
Information disclosure   Use strong authorization.
                         Use strong encryption.
                         Use protocols that provide message confidentiality.
                         Do not store secrets in plaintext.
Denial of service        Use resource and bandwidth throttling techniques.
                         Validate and filter input.
Elevation of privilege   Apply the principle of least privilege: use least privileged
                         accounts to run processes and access resources.

Core Web Application Security Principles
Compartmentalize            Create different security boundaries, zones, with their own policies
Use least privilege         Run processes using accounts with minimal privileges and access rights
Apply defense in depth      Use multiple gatekeepers to keep attackers at bay, do not rely on a single layer of security
Do not trust user input     Assume all input is malicious until proven otherwise
Check at the gate           Authenticate and authorize callers early — at the first gate
Fail securely               If an application fails, do not leave sensitive data accessible. Return friendly errors to end users that do not expose internal system details.
Secure the weakest link     Identify it, strengthen it, fix it
Create secure defaults      Make default users/actions/authorizations set up with least privilege
Reduce your attack surface  Disable or remove unused services, protocols, and functionality.


Web Application Security: The Three-Tiered Approach




Integrating Security in the WebApp Process




The RACI Chart
(Responsible, Accountable, Consulted, Kept Informed)

Task                            Architect  System Administrator  Developer  Tester  Security Professional
Security Policies                          R                                        A
Threat Modeling                 A                                I          I       R
Security Design Principles      A          I                     I                  C
Security Architecture           A          C                                        R
Architecture and Design Review  R                                                   A
Code Development                                                 A                  R
Technology Specific Threats                                      A                  R
Code Review                                                      R          I       A
Security Testing                C                                I          A       C
Network Security                C          R                                        A
Host Security                   C          A                     I                  R
Application Security            C          I                     A                  R
Deployment Review               C          R                     I          I       A


Network Threats and Countermeasures

Information Gathering
  Description: Port scanning and footprinting to detect device types and vulnerable operating systems and application versions.
  Countermeasure: Configure routers to restrict their responses to footprinting requests. Disable unused protocols and unnecessary ports.
Sniffing
  Description: Monitoring traffic on the network for data such as plaintext passwords or configuration information.
  Countermeasure: Use encrypted protocols (SSL, IPSec).
Spoofing
  Description: Hiding one's true identity on the network by using fake source addresses.
  Countermeasure: Filter packets.
Session Hijacking
  Description: Deceiving a server or a client into accepting the upstream host as the actual legitimate host.
  Countermeasure: Use encrypted session negotiation and communication channels.
Denial of Service
  Description: Denying legitimate users access to a server or services, e.g. by sending more requests to a server than it can handle (SYN flood attack).
  Countermeasure: Increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms.

Host Threats and Countermeasures

Viruses, Trojan horses, and worms
  Countermeasure: Updated service packs and software patches.
Footprinting
  Description: Port scans, ping sweeps, and NetBIOS enumeration to glean valuable system-level information.
  Countermeasure: Disable unnecessary protocols and ports.
Password Cracking
  Countermeasure: Use strong passwords, limit the number of retry attempts, do not use default account names.
Denial of Service
  Countermeasure: Deviate traffic to other hosts.
Arbitrary Code Execution
  Description: Executing malicious code on your server by using buffer overflow attacks.
  Countermeasure: Lock down system commands and utilities.
Unauthorized Access
  Description: Unauthorized access to restricted information or operations.
  Countermeasure: Lock down files and folders with restricted permissions.

Application Threats
Category                 Threats
Input validation         Buffer overflow; cross-site scripting; SQL injection; canonicalization
Authentication           Network eavesdropping; brute force attacks; dictionary attacks; cookie replay; credential theft
Authorization            Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive data           Access sensitive data in storage; network eavesdropping; data tampering
Session management       Session hijacking; session replay; man in the middle
Cryptography             Poor key generation or key management; weak or custom encryption
Parameter manipulation   Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management     Information disclosure; denial of service
Auditing and logging     User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks


Application Countermeasures
Category                 Countermeasures
Input Validation         Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.
Authentication           Partition the site into anonymous, identified, and authenticated areas. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.
Authorization            Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
Configuration Management Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.
Sensitive Data           Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP GET method.
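The Input Validation and Authentication rows above (and the Spoofing row of the STRIDE countermeasures) name three controls that are easy to get wrong in code: centralized validation for type, length, format and range; salted one-way hashes instead of stored credentials; and account disablement after repeated failures. The following Python is an added example written for this page, not code from the slides or from the Microsoft guide they draw on; the field rules, the PBKDF2 iteration count and the lockout threshold are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# ---- Input validation: constrain, reject, sanitize (type, length, format, range) ----
# Allow-list pattern for the field this example accepts (assumed rule, not from the slides).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(raw: object) -> str:
    """Centralized validator: check type, then length, then format; reject anything else."""
    if not isinstance(raw, str):
        raise ValueError("username: wrong type")
    if not 3 <= len(raw) <= 32:
        raise ValueError("username: bad length")
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("username: bad format")
    return raw


def validate_quantity(raw: object, low: int = 1, high: int = 100) -> int:
    """Type, format and range check for a numeric form field that arrives as text."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("quantity: wrong type")
    if isinstance(raw, str):
        if not re.fullmatch(r"[0-9]{1,3}", raw):
            raise ValueError("quantity: bad format")
        raw = int(raw)
    if not low <= raw <= high:
        raise ValueError("quantity: out of range")
    return raw


# ---- Credential storage: salted one-way hash, never the password itself ----
ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune it to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# ---- Account disablement: brute-force and dictionary attacks run into a retry limit ----
MAX_FAILURES = 5                               # assumed threshold
DUMMY_HASH = hash_password("placeholder")      # same work for unknown accounts (no timing hint)


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}       # username -> {"hash", "failures", "locked"}

    def register(self, username: object, password: str) -> None:
        name = validate_username(username)
        self.users[name] = {"hash": hash_password(password), "failures": 0, "locked": False}

    def login(self, username: object, password: str) -> str:
        """Outcomes: 'rejected' (bad input), 'denied', 'locked', or 'ok'."""
        try:
            name = validate_username(username)
        except ValueError:
            return "rejected"
        rec = self.users.get(name)
        if rec is None:
            verify_password(password, DUMMY_HASH)   # do not reveal which accounts exist
            return "denied"
        if rec["locked"]:
            return "locked"
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True                    # disabled until an administrator resets it
            return "locked"
        return "denied"
```

Validation runs before any lookup, so malformed names never reach the store, and an unknown account costs the same hash computation as a wrong password, which is what keeps the "denied" answer from doubling as an account-enumeration oracle.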


Application Countermeasures (cont.)
Category                 Countermeasures
Session Management       Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.
Cryptography             Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.
Parameter Manipulation   Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.
Exception Management     Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.
Auditing and Logging     Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.
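The Session Management and Parameter Manipulation rows say not to trust cookie state the client can edit, to limit the session lifetime, and (with the STRIDE Spoofing row) to pass authentication cookies only over HTTPS. The Python below is an added example, not code from the slides: it binds a small state dictionary to an HMAC tag and an expiry, rejects any cookie whose tag no longer matches or whose lifetime has elapsed, and emits the Set-Cookie attributes that keep the cookie off plaintext connections. The signing key and cookie name are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing key: a constructed value for this example. Generate it randomly in
# practice and keep it out of the web space, as the Configuration Management row requires.
SERVER_KEY = b"example-only-signing-key-not-for-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(state: dict, lifetime_s: int, now: Optional[float] = None) -> str:
    """Serialize the state with an expiry and append an HMAC tag over the whole payload."""
    now = time.time() if now is None else now
    payload = json.dumps({"s": state, "exp": int(now) + lifetime_s},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def read_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the state only if the tag verifies and the session lifetime has not elapsed."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                               # edited or forged on the client side
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    exp = data.get("exp") if isinstance(data, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None                               # lifetime exceeded: require re-authentication
    return data["s"]


def client_side_edit(cookie: str, new_state: dict) -> str:
    """A cookie whose state field was changed in the browser while the tag was left as issued;
    used to check that read_cookie rejects such a cookie."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["s"] = new_state
    return f"{_b64(json.dumps(data, separators=(',', ':')).encode('utf-8'))}.{tag_b64}"


def set_cookie_header(name: str, value: str, lifetime_s: int) -> str:
    """Secure keeps the cookie off plaintext HTTP; HttpOnly keeps it away from page scripts."""
    return (f"Set-Cookie: {name}={value}; Max-Age={lifetime_s}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")
```

An HMAC gives integrity, not confidentiality: the payload is only base64-encoded, so anything the slides classify as sensitive data still needs encryption (not available in the standard library) or should stay server-side with only an opaque identifier in the cookie.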




Web Application Security: Summary




Cryptography

  “The coding of messages so as to render them unintelligible to other than authorized recipients. Many techniques are known for the conversion of the original message, known as plaintext, into its encrypted form, known as ciphertext, cipher, or code”
      Dictionary of Computing. Oxford University Press, 2004




Roles for Cryptography
• Authentication: Digital signatures can be used to identify a participant in a web transaction or the author of an email message.
• Authorization: Cryptographic techniques can be used to distribute a list of authorized users that is all but impossible to falsify.
• Confidentiality: Encryption is used to scramble information sent over networks and stored on servers so that eavesdroppers cannot access the data's content.
• Integrity: Methods that are used to verify that a message has not been modified while in transit. Often, this is done with digitally signed message digest codes.
• Nonrepudiation: Cryptographic receipts are created so that an author of a message cannot realistically deny sending a message.



Symmetric Key Cryptography




Public Key (aka Asymmetric) Cryptography




Authentication with Public Key Cryptography




Digital envelope




Cryptography-based Internet Protocols
• Virtual Private Networks (VPN)
  ◦ Internet Protocol Security (IPSec)
  ◦ Point-to-Point Tunneling Protocol (PPTP)
  ◦ Layer Two Forwarding (L2F)
  ◦ Layer Two Tunneling Protocol (L2TP)

• E-mail Encryption
  ◦ Secure Multipurpose Internet Mail Extensions (S/MIME)
  ◦ Pretty Good Privacy

• WWW and e-commerce
  ◦ SSL/TLS
  ◦ Secure Electronic Transaction (SET)



SSL/TLS
• SSL – Secure Sockets Layer
• TLS – Transport Layer Security

• Both provide a secure transport connection between clients and servers:
  ◦ Authentication of the server, using digital signatures
  ◦ Authentication of the client, using digital signatures
  ◦ Data confidentiality through the use of encryption
  ◦ Data integrity through the use of message authentication codes

• History:
  ◦ SSL was developed by Netscape
  ◦ SSL version 3.0 has been widely used on the Internet
  ◦ SSL evolved into TLS (RFC 2246)
  ◦ TLS can be viewed as SSL v3.1
SSL architecture

  +-------------------+-------------------+-------------------+-------------------+
  | SSL Handshake     | SSL Change Cipher | SSL Alert         | Applications      |
  | Protocol          | Spec Protocol     | Protocol          | (e.g., HTTP)      |
  +-------------------+-------------------+-------------------+-------------------+
  |                              SSL Record Protocol                              |
  +-------------------------------------------------------------------------------+
  |                                      TCP                                      |
  +-------------------------------------------------------------------------------+
  |                                      IP                                       |
  +-------------------------------------------------------------------------------+
SSL Components
• SSL Record Protocol
  ◦ fragmentation
  ◦ compression
  ◦ message authentication and integrity protection
  ◦ encryption
• SSL Handshake Protocol
  ◦ negotiation of security algorithms and parameters
  ◦ key exchange
  ◦ server authentication and optionally client authentication
• SSL Alert Protocol
  ◦ error messages (fatal alerts and warnings)
• SSL Change Cipher Spec Protocol
  ◦ a single message that indicates the end of the SSL handshake

SSL sessions and connections
• An SSL session is an association between a client and a server.
• SSL sessions are stateful: the session state includes security algorithms and parameters.
• An SSL session may include multiple secure connections between the same client and server.
• SSL sessions are used to avoid expensive negotiation of new security parameters for each connection.




SSL Record Protocol: Processing

  application data
        |
        |  fragmentation
        v
  SSLPlaintext:    type | version | length | fragment
        |
        |  compression
        v
  SSLCompressed:   type | version | length | compressed fragment
        |
        |  message authentication and encryption (with padding if necessary)
        v
  SSLCiphertext:   type | version | length | encrypted( compressed fragment | MAC | padding )
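To make the three processing steps concrete, the following Python models the record layer end to end: fragmentation to at most 2^14 bytes, null compression, a MAC over sequence number, type, version, length and fragment, padding up to the block size, and encryption, with the receiver reversing each step. It is an added example written for this page, not material from the slides or code from any SSL implementation; the cipher is a stand-in keystream derived with HMAC so the example runs with the standard library alone, and the keys are constructed.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

MAX_FRAGMENT = 2 ** 14        # upper bound on an SSLPlaintext fragment
BLOCK = 16                    # block size the padding brings each record up to
MAC_LEN = 32                  # HMAC-SHA256 tag length used by this model
CT_APPLICATION_DATA = 23      # record content type for application data
VERSION = b"\x03\x01"         # wire version of TLS 1.0 (SSL 3.1)


def fragment(data: bytes) -> List[bytes]:
    """Step 1: split application data into fragments of at most MAX_FRAGMENT bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def record_mac(mac_key: bytes, seq: int, ctype: int, frag: bytes) -> bytes:
    """Step 3a: MAC over sequence number, type, version, length and the (compressed) fragment."""
    header = struct.pack(">QB2sH", seq, ctype, VERSION, len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha256).digest()


def keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """Stand-in for the negotiated cipher: HMAC in counter mode. Not for real use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(mac_key: bytes, enc_key: bytes, seq: int, ctype: int, frag: bytes) -> bytes:
    """Steps 2-3: null compression, MAC, padding, encryption; returns one SSLCiphertext record."""
    body = frag + record_mac(mac_key, seq, ctype, frag)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK   # pad bytes, each holding the pad length
    body += bytes([pad_len]) * (pad_len + 1)              # ... followed by the length byte itself
    ciphertext = xor(body, keystream(enc_key, seq, len(body)))
    return struct.pack(">B2sH", ctype, VERSION, len(ciphertext)) + ciphertext


def unprotect(mac_key: bytes, enc_key: bytes, seq: int, record: bytes) -> Tuple[int, bytes]:
    """Reverse the steps; a padding or MAC problem yields the same error (one alert for both)."""
    if len(record) < 5:
        raise ValueError("decode_error")
    ctype, version, length = struct.unpack(">B2sH", record[:5])
    ciphertext = record[5:5 + length]
    if version != VERSION or len(ciphertext) != length or length % BLOCK or length <= MAC_LEN:
        raise ValueError("decode_error")
    body = xor(ciphertext, keystream(enc_key, seq, length))
    pad_len = body[-1]
    pad_ok = (pad_len + 1 + MAC_LEN <= len(body)
              and body[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    unpadded = body[:-(pad_len + 1)] if pad_ok else body[:-1]
    frag, mac = unpadded[:-MAC_LEN], unpadded[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac, record_mac(mac_key, seq, ctype, frag))  # always computed
    if not (pad_ok and mac_ok):
        raise ValueError("bad_record_mac")
    return ctype, frag


def send(mac_key: bytes, enc_key: bytes, data: bytes, seq: int = 0) -> List[bytes]:
    """Sender side: one protected record per fragment, sequence numbers increasing."""
    return [protect(mac_key, enc_key, seq + i, CT_APPLICATION_DATA, f)
            for i, f in enumerate(fragment(data))]


def receive(mac_key: bytes, enc_key: bytes, records: List[bytes], seq: int = 0) -> bytes:
    """Receiver side: verify each record under the expected sequence number and reassemble."""
    out = b""
    for i, rec in enumerate(records):
        ctype, frag = unprotect(mac_key, enc_key, seq + i, rec)
        if ctype != CT_APPLICATION_DATA:
            raise ValueError("unexpected_message")
        out += frag
    return out
```

Two details matter on the receiving side: the sequence number inside the MAC means a record that is replayed or reordered fails verification, and padding and MAC failures raise the same bad_record_mac error so the alert alone does not tell a peer which check failed (fully timing-uniform handling is outside this model).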




SSL Handshake Protocol

  client                                     server
    ------------- client_hello ------------>    Phase 1: Negotiation of the session ID, key exchange
    <------------ server_hello -------------             algorithm, MAC algorithm, encryption algorithm,
                                                         and exchange of initial random numbers

    <------------ certificate --------------    Phase 2: Server may send its certificate and key
    <-------- server_key_exchange ----------             exchange message, and it may request the client
    <-------- certificate_request ----------             to send a certificate. Server signals end of hello
    <--------- server_hello_done -----------             phase.

    ------------- certificate ------------->    Phase 3: Client sends certificate if requested and may
    --------- client_key_exchange --------->             send an explicit certificate verification message.
    --------- certificate_verify ---------->             Client always sends its key exchange message.

    --------- change_cipher_spec ---------->    Phase 4: Change cipher spec and finish handshake
    ------------- finished ---------------->
    <-------- change_cipher_spec -----------
    <------------ finished -----------------
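The four phases, as an added example that is not part of the slides: a Python model of both endpoints exchanging the messages above, in which the server keeps the session cache that the "SSL sessions and connections" slide describes, so a second connection presenting a known session ID gets an abbreviated handshake (server_hello, change_cipher_spec, finished) instead of renegotiating, and any message arriving out of phase is rejected. No real cryptography is performed: certificates are stand-in subject strings, the premaster secret is random bytes, and the cipher suite names are only labels for the negotiation.

```python
import hashlib
import os
from typing import Dict, List, Optional, Set, Tuple

Msg = Tuple[str, dict]  # (handshake message name, parameters): an in-memory model, not the wire format


class Server:
    """Server side of the simplified handshake; the session cache outlives single connections."""

    def __init__(self, supported: Set[str], request_client_cert: bool = False) -> None:
        self.supported, self.request_client_cert = supported, request_client_cert
        self.sessions: Dict[bytes, dict] = {}   # session ID -> negotiated algorithms and secret
        self.reset()

    def reset(self) -> None:
        """Per-connection state; called when a new connection starts."""
        self.state, self.session, self.abbreviated, self.client_random = "hello", None, False, b""

    def handle(self, msg: Msg) -> List[Msg]:
        name, p = msg
        if self.state == "hello" and name == "client_hello":
            self.client_random, sid = p["random"], p["session_id"]
            if sid in self.sessions:                 # known ID: abbreviated handshake, no renegotiation
                self.session, self.abbreviated, self.state = self.sessions[sid], True, "ccs"
                return [("server_hello", {"session_id": sid, "random": os.urandom(32)}),
                        ("change_cipher_spec", {}), ("finished", {})]
            suite = next((s for s in p["cipher_suites"] if s in self.supported), None)
            if suite is None:
                raise ValueError("handshake_failure")   # a fatal alert in real SSL
            sid, srv_random = os.urandom(32), os.urandom(32)
            self.session = {"id": sid, "cipher_suite": suite, "server_random": srv_random}
            flight = [("server_hello", {"session_id": sid, "cipher_suite": suite, "random": srv_random}),
                      ("certificate", {"subject": "CN=example-server"})]   # stand-in certificate
            if self.request_client_cert:
                flight.append(("certificate_request", {}))
            self.state = "client_cert" if self.request_client_cert else "key_exchange"
            return flight + [("server_hello_done", {})]
        if self.state == "client_cert" and name == "certificate":
            if p["subject"]:
                self.session["client_cert"] = p["subject"]
            self.state = "key_exchange"
            return []
        if self.state == "key_exchange" and name == "client_key_exchange":
            # Model only: the premaster would arrive encrypted under the server's public key.
            self.session["master_secret"] = hashlib.sha256(
                p["premaster"] + self.client_random + self.session["server_random"]).digest()
            self.state = "cert_verify" if "client_cert" in self.session else "ccs"
            return []
        if self.state == "cert_verify" and name == "certificate_verify":
            self.state = "ccs"
            return []
        if self.state == "ccs" and name == "change_cipher_spec":
            self.state = "finished"
            return []
        if self.state == "finished" and name == "finished":
            self.state = "done"
            if self.abbreviated:
                return []
            self.sessions[self.session["id"]] = self.session   # cache for later connections
            return [("change_cipher_spec", {}), ("finished", {})]
        raise ValueError(f"unexpected_message: {name} in state {self.state}")


class Client:
    def __init__(self, cipher_suites: List[str], cert_subject: Optional[str] = None) -> None:
        self.cipher_suites, self.cert_subject, self.session = cipher_suites, cert_subject, None

    def start(self) -> Msg:
        sid = self.session["id"] if self.session else b""   # offer a cached session if we have one
        return ("client_hello", {"session_id": sid, "cipher_suites": self.cipher_suites,
                                 "random": os.urandom(32)})

    def handle(self, flight: List[Msg]) -> List[Msg]:
        names = [n for n, _ in flight]
        if names == ["change_cipher_spec", "finished"]:        # Phase 4 reply: handshake complete
            return []
        hello = flight[0][1]
        if names == ["server_hello", "change_cipher_spec", "finished"]:   # server resumed our session
            if not self.session or hello["session_id"] != self.session["id"]:
                raise ValueError("unexpected_message")
            return [("change_cipher_spec", {}), ("finished", {})]
        if names[0] != "server_hello" or names[-1] != "server_hello_done":
            raise ValueError("unexpected_message")
        self.session = {"id": hello["session_id"], "cipher_suite": hello["cipher_suite"]}
        reply: List[Msg] = []
        if "certificate_request" in names:                      # Phase 3: certificate only if asked
            reply.append(("certificate", {"subject": self.cert_subject or ""}))
        reply.append(("client_key_exchange", {"premaster": os.urandom(48)}))
        if "certificate_request" in names and self.cert_subject:
            reply.append(("certificate_verify", {}))
        return reply + [("change_cipher_spec", {}), ("finished", {})]


def run_connection(client: Client, server: Server) -> List[Tuple[str, str]]:
    """Drive one connection to completion; returns the transcript as (sender, message) pairs."""
    server.reset()
    transcript, flight = [], [client.start()]
    while flight:
        reply: List[Msg] = []
        for m in flight:
            transcript.append(("client", m[0]))
            reply += server.handle(m)
        transcript += [("server", m[0]) for m in reply]
        flight = client.handle(reply) if reply else []
    return transcript
```

The server only caches a session once the full handshake has reached the final finished message, which is what makes resumption safe to offer: a connection that was cut off during negotiation leaves nothing for a later client_hello to resume.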
References

• http://www.w3.org/Security/Faq/www-security-faq.html
• Web Security, Privacy & Commerce, 2nd Edition, by Simson Garfinkel with Gene Spafford, O'Reilly, 2001.
• Improving Web Application Security: Threats and Countermeasures, by Microsoft Corporation, Microsoft Press, 2003.




 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Cloud Security Checklist and Planning Guide Summary
Cloud Security Checklist and Planning Guide Summary Cloud Security Checklist and Planning Guide Summary
Cloud Security Checklist and Planning Guide Summary
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
IEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network SecurityIEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network Security
 
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformado
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformadoDesafíos de la Ciberseguridad en un ecosistema digitalmente transformado
Desafíos de la Ciberseguridad en un ecosistema digitalmente transformado
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Designing your applications with a security twist 2007
Designing your applications with a security twist 2007Designing your applications with a security twist 2007
Designing your applications with a security twist 2007
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
A Different Approach to Securing Your Cloud Journey
A Different Approach to Securing Your Cloud JourneyA Different Approach to Securing Your Cloud Journey
A Different Approach to Securing Your Cloud Journey
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
 

Recently uploaded

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 

Recently uploaded (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 

Unit 08: Security for Web Applications

• 1. Unit 8: Security for Web Applications
    - Security is fundamentally about protecting assets (data, hardware, reputation, etc.). Therefore you should:
        - Identify potential threats
        - Detect and fix vulnerabilities
        - Know how to react to an attack
    - A threat is any potential occurrence, malicious or otherwise, that could harm an asset.
    - A vulnerability is a weakness that makes a threat possible, due to poor design, configuration mistakes, and/or inappropriate and insecure coding techniques.
    - An attack is an action that exploits a vulnerability or enacts a threat. Examples:
        - sending malicious input to an application
        - flooding a network in an attempt to deny service.
    dsbw 2011/2012 q1 1

• 2. Foundations of Security
    - Authentication (who are you?): the process of uniquely identifying the clients of your applications and services.
    - Authorization (what can you do?): the process that governs the resources and operations that the authenticated client is permitted to access.
    - Non-repudiation: guarantees that a user cannot deny performing an operation or initiating a transaction.
    - Confidentiality: the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized people.
    - Integrity: the guarantee that data is protected from accidental or deliberate (malicious) modification.
    - Availability: systems remain available for legitimate users.

• 3. Main Threat Categories (STRIDE)
    - Spoofing: Attempting to gain access to a system by using a false identity, e.g. using stolen user credentials or a false IP address.
    - Tampering: Unauthorized modification of data, for example as it flows over a network between two computers.
    - Repudiation: The ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.
    - Information disclosure: Unwanted exposure of private data.
    - Denial of service: The process of making a system or application unavailable.
    - Elevation of privilege: Occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application.

• 4. STRIDE Countermeasures
    - Spoofing user identity: Use strong authentication. Do not store secrets (e.g., passwords) in plaintext. Do not pass credentials in plaintext over the wire. Protect authentication cookies with SSL.
    - Tampering with data: Use data hashing and signing. Use digital signatures. Use tamper-resistant protocols. Use protocols that provide message integrity.
    - Repudiation: Create secure audit trails. Use digital signatures.
    - Information disclosure: Use strong authorization. Use strong encryption. Use protocols that provide message confidentiality. Do not store secrets in plaintext.
    - Denial of service: Use resource and bandwidth throttling techniques. Validate and filter input.
    - Elevation of privilege: The principle of least privilege: use least privileged accounts to run processes and access resources.

• 5. Core Web Application Security Principles
    - Compartmentalize: Create different security boundaries (zones), each with its own policies.
    - Use least privilege: Run processes using accounts with minimal privileges and access rights.
    - Apply defense in depth: Use multiple gatekeepers to keep attackers at bay; do not rely on a single layer of security.
    - Do not trust user input: Assume all input is malicious until proven otherwise.
    - Check at the gate: Authenticate and authorize callers early, at the first gate.
    - Fail securely: If an application fails, do not leave sensitive data accessible. Return friendly errors to end users that do not expose internal system details.
    - Secure the weakest link: Identify it, strengthen it, fix it.
    - Create secure defaults: Make default users/actions/authorizations set up with least privilege.
    - Reduce your attack surface: Disable or remove unused services, protocols, and functionality.

• 6. Web Application Security: The Three-Tiered Approach

• 7. Integrating Security in the WebApp Process

• 8. The RACI Chart (Responsible, Accountable, Consulted, Kept Informed)
    Columns, left to right: Architect, Developer, Tester, System Administrator, Security Professional. Each row lists its R/A/C/I entries in column order; the empty cells of the original chart were not preserved.
    - Security Policies: R A
    - Threat Modeling: A I I R
    - Security Design Principles: A I I C
    - Security Architecture: A C R
    - Architecture and Design Review: R A
    - Code Development: A R
    - Technology Specific Threats: A R
    - Code Review: R I A
    - Security Testing: C I A C
    - Network Security: C R A
    - Host Security: C A I R
    - Application Security: C I A R
    - Deployment Review: C R I I A

• 9. Network Threats and Countermeasures
    - Information Gathering
        Description: Port scanning and footprinting to detect device types and vulnerable operating systems and application versions.
        Countermeasure: Configure routers to restrict their responses to footprinting requests. Disable unused protocols and unnecessary ports.
    - Sniffing
        Description: Monitoring traffic on the network for data such as plaintext passwords or configuration information.
        Countermeasure: Use encrypted protocols (SSL, IPSec).
    - Spoofing
        Description: Hiding one's true identity on the network by using fake source addresses.
        Countermeasure: Filter packets.
    - Session Hijacking
        Description: Deceiving a server or a client into accepting the upstream host as the actual legitimate host.
        Countermeasure: Use encrypted session negotiation and communication channels.
    - Denial of Service
        Description: Denying legitimate users access to a server or services, e.g. by sending more requests to a server than it can handle (SYN flood attack).
        Countermeasure: Increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms.

• 10. Host Threats and Countermeasures
    - Viruses, Trojan horses, and worms
        Countermeasure: Updated service packs and software patches.
    - Footprinting
        Description: Port scans, ping sweeps, and NetBIOS enumeration to glean valuable system-level information.
        Countermeasure: Disable unnecessary protocols and ports.
    - Password Cracking
        Countermeasure: Use strong passwords, limit the number of retry attempts, do not use default account names.
    - Denial of Service
        Countermeasure: Deviate traffic to other hosts.
    - Arbitrary Code Execution
        Description: Executing malicious code on your server by using buffer overflow attacks.
        Countermeasure: Lock down system commands and utilities.
    - Unauthorized Access
        Description: Unauthorized access to restricted information or operations.
        Countermeasure: Lock down files and folders with restricted permissions.

• 11. Application Threats
    - Input validation: Buffer overflow; cross-site scripting; SQL injection; canonicalization
    - Authentication: Network eavesdropping; brute force attacks; dictionary attacks; cookie replay; credential theft
    - Authorization: Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
    - Configuration management: Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
    - Sensitive data: Access sensitive data in storage; network eavesdropping; data tampering
    - Session management: Session hijacking; session replay; man in the middle
    - Cryptography: Poor key generation or key management; weak or custom encryption
    - Parameter manipulation: Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
    - Exception management: Information disclosure; denial of service
    - Auditing and logging: User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks

• 12. Application Countermeasures
    - Input Validation: Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.
    - Authentication: Partition site by anonymous, identified, and authenticated area. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.
    - Authorization: Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
    - Configuration Management: Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.
    - Sensitive Data: Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP-GET protocol.
• 13. Application Countermeasures (cont.)
    - Session Management: Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.
    - Cryptography: Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.
    - Parameter Manipulation: Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.
    - Exception Management: Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.
    - Auditing and Logging: Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.
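Slide 13's "limit the session lifetime" and "do not trust fields that the client can manipulate" combined in one added example that is not part of the slides: a session cookie that carries its own expiry and an HMAC tag, so an edited role or a replayed expired cookie is rejected. It covers integrity only; sensitive state would additionally be encrypted as the slide says. The cookie layout, the helper names and the server key are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not from the slides. In a deployment the key comes from
# protected server-side configuration, never from source code.
SERVER_KEY = b"constructed-demo-key-replace-in-production"   # constructed sample


def b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(claims: dict, lifetime_s: int, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> str:
    """Serialize the claims plus an absolute expiry, then append an HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    payload = dict(claims, exp=int(now) + lifetime_s)
    body = b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    tag = b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def read_cookie(cookie: str, key: bytes = SERVER_KEY,
                now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the tag verifies and the session is unexpired."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".")
        given = unb64(tag)
        signed = body.encode("ascii")
    except ValueError:               # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None                  # body edited by the client, or tag forged
    payload = json.loads(unb64(body))
    if payload.get("exp", 0) <= now:
        return None                  # session lifetime exceeded: do not honour it
    return payload
```

The server still validates the claims it reads (type, range) before acting on them; the tag only proves the server issued them unchanged.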
• 14. Web Application Security: Summary

• 15. Cryptography
    “The coding of messages so as to render them unintelligible to other than authorized recipients. Many techniques are known for the conversion of the original message, known as plaintext, into its encrypted form, known as ciphertext, cipher, or code.”
    Dictionary of Computing. Oxford University Press, 2004

• 16. Roles for Cryptography
    - Authentication: Digital signatures can be used to identify a participant in a web transaction or the author of an email message.
    - Authorization: Cryptographic techniques can be used to distribute a list of authorized users that is all but impossible to falsify.
    - Confidentiality: Encryption is used to scramble information sent over networks and stored on servers so that eavesdroppers cannot access the data's content.
    - Integrity: Methods that are used to verify that a message has not been modified while in transit. Often, this is done with digitally signed message digest codes.
    - Nonrepudiation: Cryptographic receipts are created so that an author of a message cannot realistically deny sending a message.

• 18. Public Key (aka Asymmetric) Cryptography

• 19. Authentication with Public Key Cryptography

• 21. Cryptography-based Internet Protocols
    - Virtual Private Networks (VPN)
        - Internet Protocol Security (IPSEC)
        - Point-to-Point Tunneling Protocol (PPTP)
        - Layer Two Forwarding (L2F)
        - Layer Two Tunneling Protocol (L2TP)
    - E-mail Encryption
        - Secure Multipurpose Internet Mail Extensions (S/MIME)
        - Pretty Good Privacy
    - WWW and e-commerce
        - SSL/TLS
        - Secure Electronic Transaction (SET)

• 22. SSL/TLS
    - SSL: Secure Socket Layer
    - TLS: Transport Layer Security
    - Both provide a secure transport connection between clients and servers:
        - Authentication of the server, using digital signatures
        - Authentication of the client, using digital signatures
        - Data confidentiality through the use of encryption
        - Data integrity through the use of message authentication codes
    - History:
        - SSL was developed by Netscape
        - SSL version 3.0 has been widely used on the Internet
        - SSL evolved into TLS (RFC 2246)
        - TLS can be viewed as SSL v3.1

• 23. SSL architecture (layered, top to bottom)
    SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | applications (e.g., HTTP)
    SSL Record Protocol
    TCP
    IP

• 24. SSL Components
    - SSL Record Protocol
        - fragmentation
        - compression
        - message authentication and integrity protection
        - encryption
    - SSL Handshake Protocol
        - negotiation of security algorithms and parameters
        - key exchange
        - server authentication and optionally client authentication
    - SSL Alert Protocol
        - error messages (fatal alerts and warnings)
    - SSL Change Cipher Spec Protocol
        - a single message that indicates the end of the SSL handshake

• 25. SSL sessions and connections
    - An SSL session is an association between a client and a server.
    - SSL sessions are stateful: the session state includes security algorithms and parameters.
    - An SSL session may include multiple secure connections between the same client and server.
    - SSL sessions are used to avoid expensive negotiation of new security parameters for each connection.

• 26. SSL Record Protocol: Processing
    application data
        | fragmentation
    SSLPlaintext: type, version, length, fragment
        | compression
    SSLCompressed: type, version, length, compressed fragment
        | message authentication and encryption (with padding if necessary)
    SSLCiphertext: type, version, length, encrypted fragment, MAC, padding
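The record-layer pipeline of slide 26 and its reverse on the receiving side, as an added toy example that is not part of the slides and is not a TLS implementation: fragmentation to 2^14 bytes, the null compression method, an HMAC over seq_num, type, version, length and fragment, then padding and encryption. Because the standard library ships no block cipher, the encryption step uses a stand-in HMAC-SHA256 keystream; the key and sample record are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides. The keystream below stands in for the
# negotiated cipher; everything else follows the TLS record layout.
MAX_FRAGMENT = 2 ** 14          # record layer fragment limit
CONTENT_APPLICATION_DATA = 23   # record type for application data
VERSION = (3, 1)                # TLS 1.0 on the wire, "SSL v3.1" on slide 22
BLOCK = 16                      # block size the padding must fill (assumed cipher)
MAC_LEN = 32                    # HMAC-SHA256 output


def fragment(data: bytes) -> list:
    """Split application data into SSLPlaintext fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def record_mac(mac_key: bytes, seq: int, ctype: int, body: bytes) -> bytes:
    """MAC over seq_num || type || version || length || fragment (TLS layout)."""
    header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(body))
    return hmac.new(mac_key, header + body, hashlib.sha256).digest()


def keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """Stand-in for the negotiated cipher: HMAC-SHA256 driven by (seq, counter)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack("!QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes,
            ctype: int = CONTENT_APPLICATION_DATA) -> bytes:
    """SSLPlaintext -> SSLCiphertext: compress, append MAC, pad, encrypt, add header."""
    compressed = plaintext                          # null compression method
    body = compressed + record_mac(mac_key, seq, ctype, compressed)
    pad_len = BLOCK - (len(body) + 1) % BLOCK       # TLS padding: pad bytes + length byte
    body += bytes([pad_len]) * (pad_len + 1)
    enc = bytes(a ^ b for a, b in zip(body, keystream(enc_key, seq, len(body))))
    return struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(enc)) + enc


def unprotect(enc_key: bytes, mac_key: bytes, seq: int, record: bytes) -> bytes:
    """Reverse the pipeline; raise ValueError where TLS would send a fatal alert."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    enc = record[5:5 + length]
    if (major, minor) != VERSION or len(enc) != length or length == 0 or length % BLOCK:
        raise ValueError("malformed record")
    body = bytes(a ^ b for a, b in zip(enc, keystream(enc_key, seq, len(enc))))
    pad_len = body[-1]
    if pad_len + 1 > len(body) or body[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        raise ValueError("bad padding")
    body = body[:-(pad_len + 1)]
    compressed, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    # The receiver recomputes the MAC with its own sequence number, so a record
    # replayed under a different seq, or modified in transit, fails here.
    if not hmac.compare_digest(tag, record_mac(mac_key, seq, ctype, compressed)):
        raise ValueError("bad record MAC")
    return compressed


def accept(enc_key: bytes, mac_key: bytes, seq: int, record: bytes):
    """Receiver view: the recovered fragment, or None when the record is rejected."""
    try:
        return unprotect(enc_key, mac_key, seq, record)
    except ValueError:
        return None
```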
• 27. SSL Handshake Protocol
    Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers.
        client -> server: client_hello
        server -> client: server_hello
    Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
        server -> client: certificate, server_key_exchange, certificate_request, server_hello_done
    Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
        client -> server: certificate, client_key_exchange, certificate_verify
    Phase 4: Change cipher spec and finish handshake.
        client -> server: change_cipher_spec, finished
        server -> client: change_cipher_spec, finished

• 28. References
    - http://www.w3.org/Security/Faq/www-security-faq.html
    - Web Security, Privacy & Commerce, 2nd Edition, by Simson Garfinkel with Gene Spafford, O'Reilly, 2001.
    - Improving Web Application Security: Threats and Countermeasures, by Microsoft Corporation, Microsoft Press, 2003.