
web security


Page 1: web security

1. Introduction

There have been reports such as 'there is a high rate of web application vulnerability', as well as reports on the range of ways in which web hackers attack web applications. Since the discovery that web applications convey the best content to users, there have been attempts to determine ways in which these systems can be hacked into through defacing, damage and defrauding. As the culture of conveying information across the internet continues to gain ground, there are increasing cases of these sites being vulnerable to cyber criminals.

It has also been found that a large number of businesses use web sites to deliver messages to their customers, communicate with their customers, and sell products to them. They may also need to sell certain technologies that are designed to handle various functions of a web site. Content management systems such as Joomla and Drupal are helpful in building strong web sites with products or services and related content. When businesses want to run blogs, they use applications such as WordPress, or forums built on the principle of phpBB, which use user-generated content from the site's visitors to allow customers to communicate through comments and discussions. Other web applications such as Magento are frequently used in e-commerce by both large and small-scale businesses that carry out their transactions directly on the web. There are also a number of proprietary applications used by web sites, and this calls for making the security of web applications a top priority for both small and large site owners.

There is also a need to analyze the competence of web application software by carrying out an online test development, administration and grading process, which enables a web site to carry out online tests of its web application software so that its functionality and reliability can be known. It also involves developing web sites to incorporate more information, such as news and papers, and an interface that allows adding and deleting papers. It can also be used to identify the competencies that exist in a web application. It is also used to show the web site owner's mastery of some of the competencies in the domains of leadership, communication strength and reasoning, and the ability to solve problems effectively. In Information Technology (IT), the domains in which competencies may be determined include software, networks, IT management, security and databases.

This paper explains the procedure of using the capstone matrix to determine the competency of a web application, and also recommends the precautions needed to ensure that a web application is not hacked into by unauthorized users.

This paper also tries to explain how hack-resilient applications can be built. Such an application meets certain requirements of the capstone matrix by reducing the possibility of attack and ensuring that damage does not occur. It is an application found on a host server in a network that has itself been developed using designs and procedures that cannot be hacked. This paper explains that there is a need to secure an application by making sure that input is validated, that users are authenticated and authorized, and that sensitive data is protected. Using the capstone competency matrix shows the competency of the application and the likelihood of its being hacked into by unauthorized users. This allows for remedial actions such as securing the network, securing the host and securing the application.

The results of the capstone matrix are also important in determining the level of security in the three physical tiers, i.e. the web server, the remote application server and the database server. The competence matrix gives information regarding the security issues found in the host network and the level of application vulnerabilities, which can be used to structure application arrangements for security purposes.

I. Literature review

As the number of web applications in use increases, so does the number of security risks associated with them. Currently web application security is a concern everywhere, and there is a need to determine how competent a web application is against certain threats such as hacking and breaches of information security. There are a number of technical and business applications of web applications.

a. Areas of application of web applications

a) Network and application levels merging

In the past, vulnerability detection was mainly focused on the network or on the operating system of a hardware component. This involved traditional manual penetration testing as well as automatic testing using security tools. Current trends focus on the need to scan for the competency of a network as well as the vulnerability of an application. Presently, interest has been focused on combining the abilities of network scanners with the tool kits used in the web application security space. The purpose of merging network and application competency analysis is to locate the information found at one level and use the same approach towards determining the competency of the next level. Another area that has attracted interest in vulnerability testing is network management consoles. Present consoles are geared towards collecting network device data, such as data from firewalls. Focus is placed on incorporating applications from a number of tools such as firewalls. However, there is no likelihood of integration taking place in patch management methods. Furthermore, consoles have the ability to attach patch management solutions to data conveying information regarding the existence of problems. The challenge is that a number of web applications are proprietary and are therefore recognized only by certain customers and departments within a large organization.

b) QA testing and Developer Awareness

In the past, quality assurance teams did not work in partnership with the information security work force; however, there are trends towards a change in this culture. For instance, Mercury Interactive, a company involved in automated testing tools, proposed that it would enter into partnership with some of the most successful application security testing companies, to provide a reliable solution combining Mercury's testing products with the applications used to determine the vulnerability of tools.

QA testing is also expected to move from basic testing of functions to compliance testing. This includes compliance with certain federal laws concerning privacy. It could also be used to determine the types of web pages that are not likely to refer to web page privacy information, or the web pages that are likely to result in leakage of site or form information. It is also speculated that developers are likely to benefit from the wide range of web application vulnerability detection tools that are currently being developed. The purpose of detection tools is to track defective or insecure lines of code that might be the sources of vulnerabilities. This is expected to take place during the development process, such as while writing code. A number of vendors have developed tools that improve code security, despite the fact that to date there have been low sales of these tools. Furthermore, a number of these code scanning tools are not able to provide complete awareness of an application and focus only on specific modules of code. This is likely to result in more complex problems, such as those between a UI module and a database module; scanners have been used successfully for the same purpose. It is also speculated that there might be integration with bug tracking systems, to allow developers to simply follow the existing defect tracking process and treat a vulnerability as a simple functional defect in their code.

c) Attack detection Sophistication Increases

There have been tremendous improvements in the development of web application vulnerability detection technology. Tools have gone beyond the normal buffer overflow attacks and have detection abilities that can only be attained with a few strings. These tools are mainly geared towards online detection. XSS attack detection methods are currently shifting from the conventional inline string injection method to a multi-faceted attack and detection process that needs persistence of state. Other areas that have not been tackled include the performance of handling large amounts of information from the web application, and user information that needs to be kept and referenced accurately without false information. For instance, a number of large financial institutions had problems with cross-frame scripting (XSS), an example of a phishing attack that affects a frame in a web page.

There has also been increasing focus on web services. Despite their slow adoption by the masses, a number of users own sites and web applications that depend on web services and need to know how competent those web services are. For instance, vendors involved in this area have used simple detection methods such as XML-based detection, and have applied common web competency checks to non-XML applications.

b. Some of the threats and counter measures

This part of the article explains some of the threats that are likely to be faced at the network, host or application layers. It determines how a web application can be regarded as competent enough to withstand threats that hinder its operation.

When security features have been incorporated into the application design, implementation is helped by understanding the manner in which attackers would try to hack into the application.

Designing a secure web application

c. Building secure web applications

d. Assessing your security

II. Rationale and systems Analysis for the Project

In this stage of assessing the competency of web application software, a number of considerations have been identified. They are explained in this section.

a. Access control

The paper explains that there is a need to determine criteria for mandatory data access control, to understand the different factors that can help in implementing access control, and to come up with a better access control plan. The paper also explains that there is a need to implement and manage the access control plan in compliance with the principles that govern access control systems, which should be known. It is also important to identify other access control measures, such as ID cards, and to gain proper knowledge concerning the warning banners that are used in implementing access rules.

b. Social engineering, phishing and identity theft

There is also a need to understand a number of social engineering concepts and their role in insider attacks, and to come up with better practices that can hinder social engineering. There is also a need to develop plans that prevent phishing attacks.

c. Physical security

It has also been found that there is a need to determine the standards, directives, processes and policies that guarantee the physical safety of web application software. There is also a need to value the importance of the web application software and the impact it is likely to have.

This paper also indicates that we need to design, apply and manage organized and coordinated physical security measures that ensure the total safety of web application software. We also need to determine the objectives that ensure that the personnel in charge of the web applications are also secure, to attain the overall objective of making the entire organization secure. There is also a need to determine a method of measuring the physical security level so that corrective measures can be put in place.

d. Risk management

There is a need to determine risks and risk management processes, and to understand the level of allowable risk, to ensure that any hacking into the web application system lies within a level that cannot be harmful to the web site owner. We also need to identify the resource requirements for risk management, to ensure that the web application is well managed and the problem of lack of resources is dealt with.

There is also a need to determine a systematic risk measuring process based on consultation with IT experts and on IT risk management processes that comply with the standards and procedures, to ensure that the organizational goals and objectives are pursued. In order to ensure total avoidance of risks, we need to know the level of relationship between the incident response group and other groups both within and outside the organization, such as between the legal department and law enforcement agencies as well as public relations officers.

We also need to identify the areas where risks to our web application system are likely to come from, and continuously update our web application security settings. We also need to determine policies that guide risk management, and update risk management programs according to the likelihood of threats in the environment and according to the goals and objectives of the organization.