CCS374 - WEB APPLICATION SECURITY
Unit I – FUNDAMENTALS OF WEB APPLICATION SECURITY
THENMOZHI. P, AP/CSE
MOUNT ZION COLLEGE OF ENGINEERING AND TECHNOLOGY
COURSE OUTCOME MZCET/CSE/VI Sem/CCS374_WAS/Unit 1/1.5
CO1: Understand the basic concepts of web application security.
CO2: Explain the process for secure development of web applications.
CO3: Identify the skills to design and develop secure web applications that use secure APIs.
CO4: Describe the importance of carrying out vulnerability assessment and penetration testing.
CO5: Examine the skill to think like a hacker and to use hackers' tool sets.
UNIT I – FUNDAMENTALS OF WEB APPLICATION SECURITY
1.1 The history of Software Security & Recognizing Web Application Security Threats
1.2 Web Application Security
1.3 Authentication and Authorization
1.4 Secure Socket Layer
1.5 Transport Layer Security
1.6 Session Management - Input Validation
Previous class discussion: 1.4 Secure Socket Layer
Today's class discussion: 1.5 Transport Layer Security
1.5 Transport Layer Security
Transport Layer Security (TLS) is designed to provide security at the transport layer. TLS was derived from a security protocol called Secure Socket Layer (SSL). TLS ensures that no third party may eavesdrop on or tamper with any message.
Benefits of TLS:
Encryption: TLS/SSL can help to secure transmitted data using encryption.
Interoperability: TLS/SSL works with most web browsers, including Microsoft Internet Explorer, and on most operating systems and web servers.
There are several further benefits of TLS:
Algorithm flexibility: TLS/SSL provides options for the authentication mechanism, encryption algorithms and hashing algorithm that are used during the secure session.
Ease of Deployment: Many applications use TLS/SSL transparently on Windows Server 2003 operating systems.
Ease of Use: Because TLS/SSL is implemented beneath the application layer, most of its operations are completely invisible to the client.
Working of TLS:
The client connects to the server (using TCP) and sends a number of specifications:
1. The version of SSL/TLS it supports.
2. Which cipher suites and compression methods it wants to use.
TLS client and server communicating with each other (handshake diagram; image not reproduced in this transcript).
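The first message of the handshake described above, as an added example that is not part of the original slides: a small Python builder and parser for the ClientHello record (the client's version, cipher suites and compression methods), plus an audit that flags offers a hardened server should refuse. The sample message is constructed here, and the suite name table and weak-suite policy are assumptions of this example.

```python
# Build and parse a TLS ClientHello (RFC 5246 wire format). Added example, not
# from the original slides; the sample message below is constructed, not captured.
import struct

# Assumed name table (IANA registry values) covering the suites in the sample.
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
WEAK_SUITES = {0x000A}  # assumed policy: static RSA key exchange, no forward secrecy

def build_client_hello(version, suites, compression, random=b"\x00" * 32):
    """Serialise ClientHello fields into a handshake record (content type 0x16)."""
    body = struct.pack("!H", version) + random + b"\x00"  # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression) + b"\x00\x00"  # methods, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the fields a server reads first: version, cipher suites, compression."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != 4 + hs_len or len(record) != 5 + rec_len:
        raise ValueError("length fields disagree with record size")  # truncated or padded
    pos = 9
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32 + 1 + record[pos + 34]  # skip client random and session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(record[pos + 1:pos + 1 + record[pos]])
    return {"version": version, "cipher_suites": suites, "compression": compression}

def audit_client_hello(record):
    """Flag offers a hardened server should refuse: weak suites and TLS compression."""
    hello = parse_client_hello(record)
    findings = [CIPHER_SUITES.get(s, hex(s)) for s in hello["cipher_suites"] if s in WEAK_SUITES]
    if any(m != 0 for m in hello["compression"]):  # method 0 is null; 1 is DEFLATE
        findings.append("compression offered")
    return findings

# Constructed sample: a TLS 1.2 hello offering two strong suites, one weak suite and DEFLATE.
SAMPLE = build_client_hello(0x0303, [0x1301, 0xC02F, 0x000A], [0x00, 0x01])
```

The length checks in the parser are what keep a malformed or truncated record from being read past its end, which is the same discipline a server's record layer must apply.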
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over a computer network. TLS is the successor to Secure Sockets Layer (SSL), and it is commonly used to secure data transmission on the internet, particularly in web applications. TLS ensures the confidentiality, integrity, and authenticity of the data exchanged between a client (typically a web browser) and a server.
Key aspects of TLS in web application security:
1. Encryption:
- Purpose: TLS encrypts data during transmission, ensuring that even if intercepted, the data remains confidential.
- Symmetric and Asymmetric Encryption: TLS uses a combination of symmetric and asymmetric encryption. Symmetric encryption is used for bulk data transfer, while asymmetric encryption is used for key exchange and authentication.
2. Authentication:
- Purpose: TLS provides a mechanism for both the client and the server to authenticate each other, ensuring that they are communicating with the intended and legitimate parties.
- Digital Certificates: TLS relies on digital certificates to verify the identity of the server (and optionally, the client). Certificates are issued by Certificate Authorities (CAs) and contain information such as the public key and details about the entity's identity.
3. Data Integrity:
- Purpose: TLS ensures that the data transmitted between the client and the server has not been tampered with during transmission.
- Hash Functions: Cryptographic hash functions (used as keyed message authentication codes) generate checksums (hashes) for the transmitted data. The recipient verifies the integrity of the data by comparing the received hash with the hash it calculates itself.
4. Secure Handshake:
- Purpose: Before establishing a secure connection, the client and server perform a handshake to negotiate the encryption algorithms, exchange necessary parameters, and authenticate each other.
- Key Exchange: During the handshake, a process called key exchange occurs, where the client and server agree on a shared secret key for encrypting and decrypting data.
5. Forward Secrecy:
- Purpose: TLS supports Perfect Forward Secrecy (PFS), ensuring that even if a long-term secret key is compromised, past communication cannot be decrypted.
- Key Agreement Protocols: PFS is typically achieved using (ephemeral) key agreement protocols like Diffie-Hellman, where the session key is never derived from the long-term key.
6. Versions:
- Evolution: TLS has undergone several versions, with each version addressing security vulnerabilities and improving cryptographic mechanisms.
- Current Versions: As of January 2022, TLS 1.3 is the latest version, offering improved security and performance compared to earlier versions.
8. TLS in HTTPS:
- Implementation: In web applications, TLS is commonly implemented through HTTPS (HTTP Secure). This ensures that the communication between the client and the server occurs over a secure, encrypted connection.
- URL Prefix: URLs using HTTPS start with "https://" instead of "http://".
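The aspects above (certificate-based authentication, protocol versions, compression) map directly onto settings in Python's standard ssl module. As an added example that is not from the slides, a weak client context beside a hardened one, with an audit function whose checks are this example's own policy rather than a standard.

```python
# Client-side TLS policy with Python's ssl module: a weak context beside a
# hardened one. Added example, not from the original slides; the audit checks
# are this example's own policy.
import ssl

def weak_client_context():
    """Settings that defeat TLS's authentication and version guarantees."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # any certificate accepted: no server authentication
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy versions negotiable
    ctx.options &= ~ssl.OP_NO_COMPRESSION  # allow TLS-level compression
    return ctx

def hardened_client_context():
    """Enforce server authentication, TLS 1.2+ and no TLS compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # server must present a chain to a trusted CA
    ctx.check_hostname = True            # and that chain must name the host we asked for
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # the system's trusted CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSL 3.0 / TLS 1.0 / TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression leaks plaintext; removed in TLS 1.3
    return ctx

def audit_client_context(ctx):
    """Return the policy failures of a context, in a fixed order."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    # MINIMUM_SUPPORTED is a negative sentinel, so it also sorts below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression allowed")
    return findings
```

The hardened context is the one to pass to `socket`-level or `urllib` HTTPS code; the audit is useful as a unit test that a code base never ships the weak settings.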
TLS is a critical component of web application security, providing a secure foundation for the transmission of sensitive data. As cyber threats evolve, it is essential to stay informed about the latest TLS versions, vulnerabilities, and best practices to ensure the continued security of web applications.
SUMMARY
1.5 Transport Layer Security
Transport Layer Security
Benefits of TLS
Working of TLS
Key aspects of TLS in web application security