
1 Security Issues With Web Based Systems

2 Security Issues Web Based Systems
• Security cannot be considered an add-on or afterthought
• Security must be integrated into the design
• Security should use an algorithm based on a “denied unless specifically allowed” concept

3 Security Issues Web Based Systems
• Depending on security being applied outside of the application is insufficient
• Any browser based system with a URL is public
• Data in a URL is not secured
• Hidden data may still be exposed with a limited search

4 Security Issues Web Based Systems
• Security should be applied to anything with value
• Security should be viewed from a “thief’s” perspective
• Security is limited to the “weakest link”
• No security system is impregnable
• Copyrights and other legal restrictions are weak restrictions

5 Security Issues Web Based Systems
• Security must be considered in all areas of a data stream
• SSL and Web Security
• Physical security of hardware must be considered

6 Security Issues Web Based Systems
• SQL Injection
  What is it?
  - Malicious method to replace values sent to a SQL statement with values that cause another action.
  Why does it happen?
  - A value sent to a SQL statement is not tested for proper type or format
  - No test is applied to verify the proper result from an action

7 Security Issues Web Based Systems
• SQL Injection Example
  - A user name is sent to a page as userName=joe
  - The page has a statement like
      statement = "SELECT * FROM users WHERE userName = '" + userName + "';"
  - An injection might send a value like
      userName = a' OR 't'='t
  - This gives a statement of
      statement = "SELECT * FROM users WHERE userName = 'a' OR 't'='t';"
  - Instead of a specific record, it gives all records
  - A test for the number of records returned would cause the injection to fail

8 Security Issues Web Based Systems
• SQL Injection Example
  - An injection might send a value like
      userName = a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
  - This gives a statement of
      statement = "SELECT * FROM users WHERE userName = 'a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';"
  - Instead of a specific record, it drops the users table entirely and shows all values from the ‘data’ table
  - A test for the proper format of ‘userName’ would have prevented the injection.

9 Security Issues Web Based Systems
• SQL Injection Prevention
  - Use arguments to pass values
      UPDATE dbo.Insurance SET Zipcode = :new.Zipcode, Phone = :new.Phone WHERE IdInsurance = :old.IdInsurance
    :new.Zipcode, :new.Phone and :old.IdInsurance are Alpha arguments
    The method to set arguments will test for proper value type and format
    The actual SQL statement is fixed to use only the specified arguments
  - Test the value type and format of any value sent to a statement
    If the value should just be a text string, reject any text containing any specific unexpected characters
  - Test for the proper return values and actions
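
The three prevention steps from slide 9, applied to the userName lookup and the two injected values from slides 7 and 8. This is an added example, not part of the original presentation: it uses Python's sqlite3 "?" placeholders in place of Alpha Five arguments, and the sample rows, function names and the userName format rule are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the slides.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("joe", "user"), ("ann", "admin"), ("sam", "user")])
    return db

def lookup_concatenated(db, user_name):
    # Vulnerable pattern from slide 7: the value becomes part of the SQL text.
    statement = "SELECT * FROM users WHERE userName = '" + user_name + "';"
    return db.execute(statement).fetchall()

def lookup_bound_only(db, user_name):
    # Fixed statement text; the value is bound as an argument and is
    # compared as data, never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE userName = ?",
                      (user_name,)).fetchall()

# Assumed format rule for this example: 1-32 letters, digits, '_', '.', '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def lookup_parameterized(db, user_name):
    # 1. Test the value's type and format before it reaches the statement.
    if not isinstance(user_name, str) or not USERNAME_RE.fullmatch(user_name):
        raise ValueError("userName has an unexpected format")
    # 2. Pass the value as an argument to a fixed statement.
    rows = lookup_bound_only(db, user_name)
    # 3. Test the result: a lookup by unique name yields at most one record.
    if len(rows) > 1:
        raise RuntimeError("unexpected number of records")
    return rows

# The injected values shown on slides 7 and 8.
PAYLOAD_ALL = "a' OR 't'='t"
PAYLOAD_DROP = "a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, PAYLOAD_ALL))
    print("bound only:  ", lookup_bound_only(db, PAYLOAD_DROP))
    for value in ("joe", PAYLOAD_ALL, PAYLOAD_DROP):
        try:
            print("checked:     ", lookup_parameterized(db, value))
        except ValueError as err:
            print("rejected:    ", repr(value), "-", err)
```

Binding alone already leaves both injected values inert; the format test and the record-count test are the additional checks the slides call for.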

10 Alpha Five Web Security System

11 How Does it Work?
• Alpha Five Web Security is an access control system
  - Deny unless authorized at the file (page) level
  - Checks every file request
  - It is not a data filtering system, although it can be used to create filters based on user roles
• Security can be applied to a single file in the web project, any folder, or by file extension

12 Alpha Five Web Security System
How Does it Work?
• Security can be applied to component elements and actions
• Security is integrated into the server technology
• The Alpha Five Web Security is highly configurable

13 Alpha Five Web Security System
How Does it Work?
• Security data is saved in isolated data tables
  - Tables are published to the same folder as the web pages
  - The tables are not placed in the same location as other data tables
  - The server prevents direct access to the tables
  - The data in the tables on the server is not the same as the data shown in the desktop Users and Groups dialog

14 Alpha Five Web Security System
How Does it Work?
• Security data can be linked to other user tables
  - The “ulink” field
  - The security session variable
• All login processes and authorization processes are integrated into the system code and never exposed to the user

15 Alpha Five Web Security System
Building a Web Security System
• Configuring the Web Security
• Entering initial values for users and groups
• Setting permissions
• Publishing the web security
• Maintaining web security data
  - From the desktop
  - From the web
• Web security Xbasic functions

16 Alpha Five Web Security System

17 Resources
• Alpha Five Help V9
• http://support.alphasoftware.com/alphafivehelpv9/Web_Publishing_Tutorial/Implementing_Version_8_Security.htm (Publishing the web security)
• http://support.alphasoftware.com/alphafivehelpv9/Web_Publishing_Tutorial/Adding_Users_with_a_Web_Component.htm
• http://support.alphasoftware.com/alphafivehelpv9/Functions/..\Lists\Web_Application_Functions.htm

