Designing Security In Web Applications
Andrew Tomkowiak, 10/8/2013
UW-Platteville Software Engineering Department


Web Applications
I will talk about ways to design a web application to be more secure, and some basic guidelines to follow when developing web applications.

Web Applications
 Authenticate users
 HTTP applications are stateless
 Design secure session management mechanisms

Vulnerabilities (Web Applications)
 Input Validation
 Authentication
 Authorization
 Configuration Management
 Sensitive Data
 Session Management
 Cryptography
 Parameter Manipulation
 Exception Management
 Auditing and Logging

Web Applications
These systems need a significant amount of time spent on them in the design phase. Why?

Web Application  Assume all input is malicious  Centralize your approach  Do not rely on client-side validation  Be careful with canonicalization issues  Constrain, Reject and sanitize your input Input

Web Application
Validate data for type, length, format and range.
Sanitize: strip excess null characters, spaces, etc.
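The two input slides above (centralize, canonicalize, constrain/reject/sanitize, check type/length/format/range) put into one validator. This is an added example, not code from the presentation; the field schema, field names and limits are constructed for illustration.

```python
import re
import unicodedata

# Constructed field schema (an assumption for this example, not from the slides):
# each field is constrained by type, length, format (allowlist regex) and range.
FIELDS = {
    "username": {"type": str, "max_len": 32, "pattern": re.compile(r"[a-z0-9_]{3,32}")},
    "age": {"type": int, "min": 13, "max": 120},
}

class ValidationError(ValueError):
    """Raised when input is rejected; the caller answers with a generic 400."""

def sanitize(value: str) -> str:
    # Sanitize: drop NUL bytes and surrounding whitespace, then canonicalize to
    # NFKC so full-width or composed look-alikes cannot slip past the allowlist.
    cleaned = value.replace("\x00", "").strip()
    return unicodedata.normalize("NFKC", cleaned)

def validate_field(name: str, raw: str):
    """Constrain and reject: return the typed value or raise ValidationError."""
    spec = FIELDS[name]
    cleaned = sanitize(raw)
    if spec["type"] is int:
        if not re.fullmatch(r"-?[0-9]{1,4}", cleaned):
            raise ValidationError(f"{name}: not an integer")
        number = int(cleaned)
        if not spec["min"] <= number <= spec["max"]:
            raise ValidationError(f"{name}: out of range")
        return number
    if len(cleaned) > spec["max_len"]:
        raise ValidationError(f"{name}: too long")
    if not spec["pattern"].fullmatch(cleaned):
        raise ValidationError(f"{name}: bad format")
    return cleaned

def validate_form(form: dict) -> dict:
    """Centralized entry point: every request field passes through here, and
    fields the schema does not know about are rejected rather than ignored."""
    unknown = set(form) - set(FIELDS)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    return {name: validate_field(name, form.get(name, "")) for name in FIELDS}

def is_valid(name: str, raw: str) -> bool:
    """Yes/no form of validate_field for callers that only need a verdict."""
    try:
        validate_field(name, raw)
        return True
    except ValidationError:
        return False
```

Canonicalization runs before the allowlist check on purpose: a full-width "ａｌｉｃｅ" becomes "alice" and is then judged by the same rule as any other input.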

Authentication (Web Applications)
 User names and passwords sent over a secure channel (SSL)
 Credentials stored
 Credentials verified
 Authentication ticket to verify the user after logon (cookie)
 Separate public and restricted areas.
 Use account lockout policies for end-user accounts.
 Support password expiration periods.
 Be able to disable accounts.
 Do not store passwords in user stores.
 Require strong passwords.
 Do not send passwords over the wire in plaintext.
 Protect authentication cookies
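The credential-storage and account-policy bullets above (no plaintext passwords in the user store, lockout, expiration, disable, strong passwords) as one small user store. This is an added example, not the presenter's code; the in-memory store, the status strings and the thresholds are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000            # demo value; raise for production and tune to the hardware
MIN_LENGTH = 12                 # strong-password floor (length only, for brevity)
MAX_FAILURES = 5                # account lockout threshold
LOCKOUT_SECONDS = 15 * 60
PASSWORD_MAX_AGE = 90 * 24 * 3600   # password expiration period

class UserStore:
    """Constructed in-memory user store: keeps a salted PBKDF2 hash per user,
    never the password itself, plus lockout, expiry and disable state."""
    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def create(self, username: str, password: str, now=None):
        if len(password) < MIN_LENGTH:
            raise ValueError("password too short")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                "failures": 0, "locked_until": 0, "disabled": False,
                                "pw_set_at": time.time() if now is None else now}

    def disable(self, username: str):
        self.users[username]["disabled"] = True

    def authenticate(self, username: str, password: str, now=None) -> str:
        """Return "ok", "expired", "locked", "disabled" or "denied"; the HTTP
        response shown to the client should collapse all failures to one message."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            self._hash(password, b"\0" * 16)   # equal work, so timing does not reveal valid names
            return "denied"
        if rec["disabled"]:
            return "disabled"
        if now < rec["locked_until"]:
            return "locked"
        if not hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["failures"], rec["locked_until"] = 0, now + LOCKOUT_SECONDS
            return "denied"
        rec["failures"] = 0
        if now - rec["pw_set_at"] > PASSWORD_MAX_AGE:
            return "expired"                   # correct password, but it must be rotated
        return "ok"
```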

Authorization (Web Applications)
 Use multiple gatekeepers
 Restrict user access to system-level resources
 Consider authorization granularity
 Hybrid model

Configuration Management (Web Applications)
 Secure administration interfaces
 Secure your configuration stores
 Maintain separate administration privileges
 Use least-privileged process and service accounts

Web Application  Storing secrets  Do not store any keys or passwords in plain text  Retrieve data on demand  Secure the communication between client and server  Do not store data in cookies Sensitive Data

Web Application  Use SSL to protect session cookies  Encrypt the contents of the authentication cookies  Limit session lifetime Session Management

Web Application  Privacy  Authenticity  Integrity  Authentication Cryptography

Web Application  Encrypt cookie state  Make sure that users do not bypass security checks  Validate all values sent from the client  Do not trust http header information Parameter Manipulation

Web Application  Don’t give the client unnecessary information  Log detailed error messages  Catch exceptions and handle them  Buffer over flow attacks Exception Management

Web Application  Log all key events  Secure log files  Back up and analyze log files  One application to use BIG-IP ASM Logging Events