22-12-2012, 11:55 AM
Examples of Applications and their different Security Requirements
Attachment: Examples of Applications.pptx (243.45 KB)
Why Is Application Security Important?
New threats emerge every day
Some hackers are not satisfied with penetrating your network; they seek information that resides in your applications/databases
Applications are often plagued by poor designs, software bugs, and poor programming practices
Applications may be a fast and easy entry point into a secure network
Applications contain and process your most critical (important and sensitive) information
Securing the Application
Authentication & Identification
Authorization & Access Control
Logging & Auditing Procedures
Managing User Sessions
Encryption Routines
And More…
Web Applications
Hypertext Transfer Protocol
“Hypertext Transfer Protocol (HTTP) is a communications protocol for the transfer of information on intranets and the World Wide Web. Its original purpose was to provide a way to publish and retrieve hypertext pages over the Internet.”
HTTP Request - GET
Form data encoded in the URL
Most common HTTP method used on the web
Should be used to retrieve information, not for actions that have side-effects
Validate Input and Output
All data input and output should be checked very carefully for appropriateness, i.e. whether the data is what is expected (length, character set).
Keep it Simple
1. If a security system is too complex for its user base, it will either not be used or users will find ways to bypass it.
2. For instance, do not expect users to remember 12 passwords and have the system ask for a randomly chosen one.
Web Application Vulnerabilities
Platform:
Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
Most easily defendable of all web vulnerabilities
MUST have streamlined patching procedures
Administration:
Less easily corrected than known issues
Require increased awareness
More than just configuration: administrators must be aware of security flaws in the actual content
Remnant files can reveal applications and versions in use
Backup files can reveal source code and database connection strings
Application Programming:
Common coding techniques do not necessarily include security
Input is assumed to be valid, but not tested
Unexamined input from a browser can inject scripts into a page for replay against later visitors
Unhandled error messages reveal application and database structures
Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser
How to Secure Web Applications
Incorporate security into the lifecycle
Apply information security principles to all software development efforts
Educate
Issue awareness, Training, etc…
Access Protection, User Accounts, and Database Audits
The database system must also keep track of all operations on the database that are applied by a certain user throughout each login session.
If any tampering with the database is suspected, a database audit is performed
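To illustrate the "piggybacked" database call above together with the per-session audit trail, here is an added example (not from the attached slides): an in-memory sqlite3 table with constructed sample users, an unchecked lookup that concatenates input into the query, and a checked lookup that validates length and character set, binds the value as a parameter, and records every operation against the session that performed it. Function and table names are my own choices.

```python
import re
import sqlite3

# Constructed sample data for this demonstration only.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Expected shape of a username: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.execute("CREATE TABLE audit (session_id TEXT, operation TEXT, argument TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def lookup_unchecked(con, name):
    # Unchecked call: the browser-supplied value becomes part of the SQL text,
    # so an extra condition can be piggybacked onto the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def record(con, session_id, operation, argument):
    # Every operation is logged with the login session that issued it.
    con.execute("INSERT INTO audit VALUES (?, ?, ?)", (session_id, operation, argument))
    con.commit()


def lookup_checked(con, session_id, name):
    # 1. Validate the input against what is expected (length, characters).
    if not USERNAME_RE.match(name):
        record(con, session_id, "rejected_lookup", name)
        raise ValueError("username rejected by input validation")
    # 2. Bind the value as a parameter; it can never change the query structure.
    rows = con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()
    # 3. Audit the operation under the session that performed it.
    record(con, session_id, "lookup", name)
    return rows


def audit_trail(con, session_id):
    # Operations attributed to one session, in the order they were applied.
    sql = "SELECT operation, argument FROM audit WHERE session_id = ? ORDER BY rowid"
    return con.execute(sql, (session_id,)).fetchall()
```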