Security in Web Applications

Slides:



Advertisements
Similar presentations
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Advertisements

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Electronic Transaction Security (E-Commerce)
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
WEB2P security Java web application security Dr Jim Briggs.
Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
APACHE SERVER By Innovationframes.com »
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Session 11: Security with ASP.NET
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
18-jan-962. ETH-W4 (ra)1 security on the Web l security l authentication l privacy.
Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:
Chapter 21 Distributed System Security Copyright © 2008.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
Sessions, Cookies, &.htaccess IT 210. Procedural Issues  Quiz #3 Today!  Homework #3 Due Friday at midnight UML for Lab 4  Withdraw Deadline is Wed,
CS453: Introduction to Information Security for E-Commerce Prof. Tom Horton.
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Chap1: Is there a Security Problem in Computing?.
CITA 310 Section 9 Securing the Web Environment (Textbook Chapter 10)
Security fundamentals Topic 5 Using a Public Key Infrastructure.
1 Thuy, Le Huu | Pentalog VN Web Services Security.
Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.
Authentication Names and Passwords Names and Passwords Also can use Groups Also can use Groups Webmaster can “require” authentication Webmaster can “require”
Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.
Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()
Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.
Web Database Security Session 12 & 13 Matakuliah: Web Database Tahun: 2008.
CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
Authentication & Authorisation Is the user allowed to access the site?
Why Does The Site Need an SSL Certification?. Security should always be a high concern for your website, but do you need an SSL certificate? A secure.
Securing Information Systems
TOPIC: HTTPS (Security protocol)
Setting and Upload Products
Chapter 5 Electronic Commerce | Security Threats - Solution
SSL Certificates for Secure Websites
Cryptography and Network Security
Grid Security.
PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471
Secure Software Confidentiality Integrity Data Security Authentication
CAN A DATABASE REALLY BE SECURE?
Security and Authentication
Section 12.1 Section 12.2 Discuss the functions of a Web site
Chapter 8 Building the Transaction Database
Jim Fawcett CSE686 – Internet Programming Summer 2005
Chapter 5 Electronic Commerce | Security Threats - Solution
Web Services Security.
How to Check if a site's connection is secure ?
Module 2 OBJECTIVE 14: Compare various security mechanisms.
Chinese wall model in the internet Environment
Unit 8 Network Security.
Electronic Payment Security Technologies
Module 4 System and Application Security
Cryptography and Network Security
Integrated Security System
Presentation transcript:

Security in Web Applications Jeff Offutt https://www.cs.gmu.edu/~offutt/ SWE 432 Design and Implementation of Software for the Web

Topics Introduction Web Apps and Authentication Conclusions 14 November 2018 © Offutt

Why Do We Need Security? Personal identify protection Privacy Legal liability Theft prevention ($, IP, …) Malicious damage 14 November 2018 © Offutt

Security Through Time 100 BC Rome : magic charms 1400s England : not much worth stealing, armed guards for the rich 1600s America : no doors 1800s USA : doors 1900s USA : better lock than your neighbor 21st Century : keys, PINs, passwords, biometrics, … 14 November 2018 © Offutt

Topics Introduction Web Apps and Authentication Conclusions 14 November 2018 © Offutt

Security Requirements for Web Apps Authentication Verify the identity of the parties involved Who is it? Authorization Grant access to resources only to allowed users Are you allowed? Confidentiality Ensure that information is given only to authenticated parties Can you see it? Integrity Ensure that information is not changed or tampered with Can you change it? 14 November 2018 © Offutt

Where to Apply? Security can be applied at three levels : Web server (Apache) Web container (Tomcat) Web application (your servlet) If implemented in a Web application, that is sometimes considered being through the container 14 November 2018 © Offutt

Security Application Methods 1. Secure web applications using a Web server HTTP authentication Authorization of users/groups Authorization of domains Secure HTTP, an extension of HTTP SSL capabilities 2. Secure web applications using a servlet container HTTP authentication (basic, digest) Form-based authentication Securing web applications by programming Authorization of users User information kept on the server in a session 14 November 2018 © Offutt

User-level HTTP Passwords: Apache (1. web server authentication) In the directory : create .htaccess : AuthUserFile /home/student/gburdell/lib/users — passwd file, readable AuthGroupFile /dev/null — for groups, forget it AuthName swe642 — name of directory, part of prompt AuthType Basic — the only one allowed <Limit GET> — most common access control require user gburdell </Limit> The password file In apache’s bin/ User name Create password : htpasswd -c /home/student/gburdell/lib/users gburdell Will prompt for the password Adding additional users : htpasswd /home/student/gburdell/lib/users george add to .htaccess: require user george 14 November 2018 © Offutt

Authentication in Web Apps by Programming Use the password input field <input name=“password” type=“password” id=“password”> Validate the username and password on the server Store whether the user has been authenticated in the session object Never pass this information back to the client ! Don’t forget to lock the back doors Check authentication in every software component If the user is not authenticated, go back to the login screen This is the most common vulnerability in web applications 14 November 2018 © Offutt

Secure Socket Layer (SSL) based Authentication (https) Invented by Netscape in the mid 1990’s Encrypt every HTTP message to and from the web server using standard PKI technology De-facto standard used for secure web-based transactions Default URL https://some.domain.com with default port number 443 Don’t confuse with S-HTTP Encrypts only the http message body 14 November 2018 © Offutt

Applicability of Client SSL Authentication Highest level of security Can integrate with smart-card and biometric technologies Now supported by most browsers Plug-ins are sometimes required Additional server module required to validate clients, usually using a vendor-specific security server Very expensive because large PKI resources (hardware / software / personnel) needed to create, maintain, distribute user certificates 14 November 2018 © Offutt

Security in Web Applications Web applications require proper security at various levels for different purposes HTTP Authentication, Basic/Digest (lowest level) Form-based authentication Customized authentication SSL server authentication SSL client authentication (highest level) Other security concerns Database security Network security Human factors Users must remember passwords Try to reduce the friction of using the application More sophisticated techniques are available 14 November 2018 © Offutt

Topics Introduction Web Apps and Authentication Conclusions 14 November 2018 © Offutt

Security Over the Years Web applications open up many avenues for security threats In the 1980s, security was all math … In the 1990s, security revolved around the database … In the 2000s, security moved to the network … Now most security vulnerabilities are due to software faults For more information, take SWE 681, Secure Software Design and Programming 14 November 2018 © Offutt

Summary In 2007, Symantec reported that most security vulnerabilities were now due to software faults In a house : your lock should be better than your neighbor’s This principle does not work with Web apps 14 November 2018 © Offutt

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.