Presentation is loading. Please wait.

Presentation is loading. Please wait.

Brad Glisson and Ray Welland Department of Computing Science

Published byClementine Cook Modified over 6 years ago

Similar presentations

Presentation on theme: "Brad Glisson and Ray Welland Department of Computing Science"— Presentation transcript:

1 Web Development Evolution: The Assimilation of Web Engineering Security
Brad Glisson and Ray Welland Department of Computing Science Glasgow University Department of Computing Science

2 Department of Computing Science
Market Indications The 2004 Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security Survey estimates that losses from internet security breaches, in the US, exceeded $141 million within the last year. The Department of Trade and Industry’s Information Security Breaches Survey 2004 by PricewaterhouseCoopers indicates that security problems are on the rise in the United Kingdom and that malicious attacks are the primary culprits. The Department of Trade and Industry’s (2004) survey estimates “security breaches continue to cost” UK businesses “several billions of pounds”. The Deloitte 2005 Global Survey estimates that identity theft cost the UK almost a billion dollars in 2003. Department of Computing Science

3 Organization for Internet Safety (OIS)
“a flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy”. Department of Computing Science

4 Common Application Security Problems
Un-validated parameters Cross-site scripting Buffer overflows Command injection flaws Error-handling problems Insecure use of cryptography Broken Access Controls Department of Computing Science

5 Department of Computing Science
Problem Current web applications face major security problems because security design is not integrated into the Web Engineering Development Process. Security needs to be built into the application design upfront by explicitly stating the security approach in the methodology. This deficiency creates an environment conducive to security breaches. Exploitation of these breaches translates into staggering corporate financial losses. Department of Computing Science

6 Department of Computing Science
WES Solution My PhD research has produced a possible solution, A Web Engineering Security (WES) Methodology. An independent flexible Web Engineering development methodology that is specific to security. The process needs to be compatible with existing application development processes so that they are complementary, hence Deliverables between phases will vary on the size of the organizational and the methodology they are implementing, and Flexible enough to be tailored to individual companies of varying size. Department of Computing Science

7 Web Engineering Security (WES) Process
Department of Computing Science

8 Project Development Risk Assessment
NIST - National Institute of Standards and Technology - agency of the U.S. Commerce Department's Technology Administration. COBRA - Security risk analysis application OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation - Focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology. FRAP - Facilitated Risk Analysis Process Department of Computing Science

9 Project Development Risk Assessment
Detail critical functions Determine the necessary service levels. Identify possible threats outline their motivating factors Estimate the probability of attack Estimate the probability of a successful attack Detail the cost of providing protection. Department of Computing Science

10 Web Engineering Security (WES) Process
Department of Computing Science

11 Application Security Requirements
Security Policy Compatibility Acceptable application computing practices interactions with the network, internet, messaging, and business specific applications or services interactions with internal companies, outside communities, vendors, and customers Corporate Culture Compatibility General security practice education Managerial acceptance and habits Social engineering (human element) attacks Technological acceptance of corporate norms Technological Compatibility Organization’s existing applications, software compatibility, legacy systems and the acquisition of new software and technology. Technical Skills within the company Existing security solutions Department of Computing Science

12 Web Engineering Security (WES) Process
Department of Computing Science

13 Security Design / Coding
Address issues Technology that is currently deployed in the organization Take advantage of existing security tools within the organization The best realistic design solution that meets the organization’s needs Coding Standards Secure coding practices Implementation of time tested security functions Data security Department of Computing Science

14 Web Engineering Security (WES) Process
Department of Computing Science

15 Controlled Environment Implementation
Separate PC Complete Environment that Mirrors Production Point is to make sure new software is compatible with the existing environment Department of Computing Science

16 Web Engineering Security (WES) Process
Department of Computing Science

17 Department of Computing Science
Testing Application Testing End User Testing Automated Scripts Penetration Testing Incident Management Will / When? How do you handle? Disaster Recovery News Department of Computing Science

18 Web Engineering Security (WES) Process
Department of Computing Science

19 Web Engineering Security (WES) Process
Department of Computing Science

20 Department of Computing Science
End User Evaluation Critical to the success of the solution Solution is too secure & end users are not using it? Solution not secure enough? Department of Computing Science

21 Agile Web Engineering (AWE)
Department of Computing Science

22 Agile Web Engineering (AWE) Web Engineering Security (WES)
AWE & WES Comparison Agile Web Engineering (AWE) Web Engineering Security (WES) Business Analysis Project Development Risk Assessment Requirements Application Security Requirements Security Policy Compatibility Corporate Culture Compatibility Technological Compatibility Design Security Design / Coding Implementation Controlled Environment Implementation Testing Application Testing Incident Management Disaster Recovery Management Evaluation (End User Evaluation) Deploy Deploy in Production End User Evaluation Department of Computing Science

23 Department of Computing Science
Conclusions Technical solutions alone will not solve current security issues in the global web environment. Increasing business pressures will force organizations to address application security from a development perspective The most effective way to handle security, in the application design, is to incorporate security upfront into the development methodology. Department of Computing Science

24 Contact Details Brad Glisson, Department of Computing Science,
University of Glasgow Web: Prof. Ray Welland, Web: Department of Computing Science

25 Department of Computing Science
Application Security Confidentiality – Proper access is restricted to the appropriate individuals. Integrity – modification of assets by the appropriate personnel & within guidelines. Availability - Access is available to the appropriate parties at designated times. [i] [i] Pfleeger, Charles P. and Shari Lawrence Pfleeger. Security in Computing Third Edition. Prentice Hall Saddle River, NJ pg 10. Department of Computing Science

26 Department of Computing Science
Relevant Work Secure Software Comprehensive Lightweight Application Security Process (CLASP) Microsoft’s Trustworthy Computing Security Development Lifecycle Security Patterns - “A methodology for secure software design”.[2] [2] Fernandez, E.B. A methodology for secure software design. in Procs. of the 2004 Intl. Symposium on Web Services and Applications (ISWS'04). c2004. Las Vegas, NV. Department of Computing Science

27 Department of Computing Science
Definitions Unvalidated Input Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application. Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions. Broken Authentication and Session Management Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities. Cross Site Scripting (XSS) Flaws The web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user. Buffer Overflows Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components. Injection Flaws Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. Improper Error Handling Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. Insecure Storage Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. Denial of Service Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. Insecure Configuration Management Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box. The Open Web Application Security Project (OWASP). The Ten Most Critical Web Application Security Vulnerabilities. c2004 Department of Computing Science

28 Department of Computing Science
Additional Support R.F. Darcy’s report on Information Security indicates that: patch management is critical in mitigating cyber vulnerabilities number of security vulnerabilities reported is increasing and attacks are becoming automated Conclusion no longer be assumed that security will be addressed in the acquisition of the functional or non-functional requirements surveys indicate that there are fundamental security problems with the methodologies being used in real world web application development Department of Computing Science

Download ppt "Brad Glisson and Ray Welland Department of Computing Science"

Similar presentations

Webgoat.

Webgoat.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan

Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan
Security Controls – What Works

Security Controls – What Works
Supervisor : Mr. Hadi Salimi Advanced Topics in Information Systems Mazandaran University of Science and Technology February 4, 2011 Survey on Cloud Computing.

Supervisor : Mr. Hadi Salimi Advanced Topics in Information Systems Mazandaran University of Science and Technology February 4, 2011 Survey on Cloud Computing.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Threats and Attacks Principles of Information Security, 2nd Edition

Threats and Attacks Principles of Information Security, 2nd Edition
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Web Application Security

Web Application Security
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google