Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Web Applications

Published byFelícia Zagalo Barreiro Modified over 6 years ago

Similar presentations

Presentation on theme: "Security in Web Applications"— Presentation transcript:

1 Security in Web Applications
Jeff Offutt SWE 432 Design and Implementation of Software for the Web

2 Topics Introduction Web Apps and Authentication Conclusions
14 November 2018 © Offutt

3 Why Do We Need Security? Personal identify protection Privacy
Legal liability Theft prevention ($, IP, …) Malicious damage 14 November 2018 © Offutt

4 Security Through Time 100 BC Rome : magic charms
1400s England : not much worth stealing, armed guards for the rich 1600s America : no doors 1800s USA : doors 1900s USA : better lock than your neighbor 21st Century : keys, PINs, passwords, biometrics, … 14 November 2018 © Offutt

5 Topics Introduction Web Apps and Authentication Conclusions
14 November 2018 © Offutt

6 Security Requirements for Web Apps
Authentication Verify the identity of the parties involved Who is it? Authorization Grant access to resources only to allowed users Are you allowed? Confidentiality Ensure that information is given only to authenticated parties Can you see it? Integrity Ensure that information is not changed or tampered with Can you change it? 14 November 2018 © Offutt

7 Where to Apply? Security can be applied at three levels :
Web server (Apache) Web container (Tomcat) Web application (your servlet) If implemented in a Web application, that is sometimes considered being through the container 14 November 2018 © Offutt

8 Security Application Methods
1. Secure web applications using a Web server HTTP authentication Authorization of users/groups Authorization of domains Secure HTTP, an extension of HTTP SSL capabilities 2. Secure web applications using a servlet container HTTP authentication (basic, digest) Form-based authentication Securing web applications by programming Authorization of users User information kept on the server in a session 14 November 2018 © Offutt

9 User-level HTTP Passwords: Apache (1. web server authentication)
In the directory : create .htaccess : AuthUserFile /home/student/gburdell/lib/users — passwd file, readable AuthGroupFile /dev/null — for groups, forget it AuthName swe642 — name of directory, part of prompt AuthType Basic — the only one allowed <Limit GET> — most common access control require user gburdell </Limit> The password file In apache’s bin/ User name Create password : htpasswd -c /home/student/gburdell/lib/users gburdell Will prompt for the password Adding additional users : htpasswd /home/student/gburdell/lib/users george add to .htaccess: require user george 14 November 2018 © Offutt

10 Authentication in Web Apps by Programming
Use the password input field <input name=“password” type=“password” id=“password”> Validate the username and password on the server Store whether the user has been authenticated in the session object Never pass this information back to the client ! Don’t forget to lock the back doors Check authentication in every software component If the user is not authenticated, go back to the login screen This is the most common vulnerability in web applications 14 November 2018 © Offutt

11 Secure Socket Layer (SSL) based Authentication (https)
Invented by Netscape in the mid 1990’s Encrypt every HTTP message to and from the web server using standard PKI technology De-facto standard used for secure web-based transactions Default URL with default port number 443 Don’t confuse with S-HTTP Encrypts only the http message body 14 November 2018 © Offutt

12 Applicability of Client SSL Authentication
Highest level of security Can integrate with smart-card and biometric technologies Now supported by most browsers Plug-ins are sometimes required Additional server module required to validate clients, usually using a vendor-specific security server Very expensive because large PKI resources (hardware / software / personnel) needed to create, maintain, distribute user certificates 14 November 2018 © Offutt

13 Security in Web Applications
Web applications require proper security at various levels for different purposes HTTP Authentication, Basic/Digest (lowest level) Form-based authentication Customized authentication SSL server authentication SSL client authentication (highest level) Other security concerns Database security Network security Human factors Users must remember passwords Try to reduce the friction of using the application More sophisticated techniques are available 14 November 2018 © Offutt

14 Topics Introduction Web Apps and Authentication Conclusions
14 November 2018 © Offutt

15 Security Over the Years
Web applications open up many avenues for security threats In the 1980s, security was all math … In the 1990s, security revolved around the database … In the 2000s, security moved to the network … Now most security vulnerabilities are due to software faults For more information, take SWE 681, Secure Software Design and Programming 14 November 2018 © Offutt

16 Summary In 2007, Symantec reported that most security vulnerabilities were now due to software faults In a house : your lock should be better than your neighbor’s This principle does not work with Web apps 14 November 2018 © Offutt

Download ppt "Security in Web Applications"

Similar presentations

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.

ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Similar presentations

Ads by Google