Published by Thomas Wheeler. Modified over 9 years ago.
Application Security
Chapter 8
Copyright Pearson Prentice Hall 2013
Explain why attackers increasingly focus on applications.
List the main steps in securing applications.
Know how to secure WWW services and e-commerce services.
Describe vulnerabilities in web browsers.
Explain the process of securing e-mail.
Explain how to secure voice over IP (VoIP).
Describe threats from the Skype VoIP service.
Describe how to secure other user applications.
Know how to secure TCP/IP supervisory applications.
Some attacks inevitably get through network protections and reach individual hosts.
In Chapter 7, we looked at host hardening.
In Chapter 8, we look at application hardening.
In Chapter 9, we will look at data protection.
Let's say this is computer memory running an application. The application is paused to get data, so the address where the application was before the interruption is stored so that execution can return there after the data has been read. If that stored return address is overwritten, then after the pause a different program begins processing instead of the original application.
(Figure labels: Application, Variables, Return Address; Application Overwrites Return Address; Variables, New Return Address, Exploit/ShellCode)
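To make the overwrite on this slide concrete, here is an added example (not code from the textbook or slides) that models the frame as a bytearray: a 16-byte variable region followed by the 8-byte saved return address. All sizes and addresses are constructed for the model. The unchecked copy lets the extra input bytes land on the return address slot; the length-checked copy refuses the same input and leaves the saved address intact.

```python
"""Model of the stack-frame overwrite described on the slide.

Added example, not from the textbook: a fixed-size frame is simulated as a
bytearray holding a variable region followed by the saved return address, so
the overwrite can be observed without running any native code.
"""
from __future__ import annotations

VAR_SIZE = 16        # bytes reserved for the application's local variables (constructed)
ADDR_SIZE = 8        # bytes for the saved return address, as on a 64-bit machine
FRAME_SIZE = VAR_SIZE + ADDR_SIZE

SAVED_RETURN = 0x00401234   # constructed: where execution should resume after the pause


def new_frame() -> bytearray:
    """Build a frame: zeroed variables, then the saved return address (little-endian)."""
    frame = bytearray(FRAME_SIZE)
    frame[VAR_SIZE:] = SAVED_RETURN.to_bytes(ADDR_SIZE, "little")
    return frame


def return_address(frame: bytearray) -> int:
    """Read back the return-address slot of the frame."""
    return int.from_bytes(frame[VAR_SIZE:], "little")


def unchecked_write(frame: bytearray, data: bytes) -> bool:
    """Vulnerable pattern: copy input into the variable region without checking
    its length. Any bytes past VAR_SIZE land on the return-address slot.
    (The copy stops at the end of the frame only so the model stays in bounds.)"""
    n = min(len(data), FRAME_SIZE)
    frame[:n] = data[:n]
    return True


def checked_write(frame: bytearray, data: bytes) -> bool:
    """Hardened pattern: refuse input that does not fit the variable region."""
    if len(data) > VAR_SIZE:
        return False
    frame[:len(data)] = data
    return True


def run(writer, data: bytes) -> tuple[int, bool]:
    """Apply a writer to a fresh frame; return the resulting return address and
    whether it differs from the value the application saved."""
    frame = new_frame()
    writer(frame, data)
    ret = return_address(frame)
    return ret, ret != SAVED_RETURN


# Constructed oversized input: filler for the variable region, then 8 bytes
# that would replace the saved return address.
OVERSIZED = b"A" * VAR_SIZE + (0x00402000).to_bytes(ADDR_SIZE, "little")

if __name__ == "__main__":
    print("unchecked:", run(unchecked_write, OVERSIZED))   # return address replaced
    print("checked:  ", run(checked_write, OVERSIZED))     # return address intact
```

The two writers differ only in the length check, which is the whole point of the slide: the data the application asked for is allowed to spill over the boundary between "variables" and "return address" unless something enforces that boundary.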
Client-Side Scripting (Mobile Code)
◦ Scripting languages (not full programming languages)
  A script is a series of commands in a scripting language
  JavaScript (not a scripted form of Java)
  VBScript (Visual Basic scripting from Microsoft)
  A script usually is invisible to users
(Figure: link text "You like beef? click here." shown beside the URL http://www.micosoft.com)
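The slide pairs friendly link text with a URL whose domain is a one-letter misspelling of microsoft.com. The following added example (not code from the textbook or slides) shows two checks a defender can run over a page's anchors: whether visible text that looks like a URL points somewhere other than the real href, and whether the link's domain is a near-misspelling of a trusted domain. The HTML sample and the trusted-domain list are constructed for illustration.

```python
"""Flag deceptive links in a page: display text that shows one site while the
link goes elsewhere, and link hosts that are near-misspellings of a trusted
domain (the slide's www.micosoft.com).

Added example, not from the textbook; the HTML and the trusted-domain list are
constructed for illustration.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com"}   # constructed allowlist of brands the reader expects

SAMPLE_HTML = """
<p>You like beef? <a href="http://www.micosoft.com">click here</a>.</p>
<p>Log in at <a href="http://www.example.net/login">http://www.microsoft.com</a></p>
<p>Docs: <a href="https://www.microsoft.com/docs">Microsoft docs</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url: str) -> str:
    """Crude 'brand' part of a host: its last two labels (www.micosoft.com -> micosoft.com)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_warnings(href: str, text: str) -> list[str]:
    """Reasons a single link looks deceptive (empty list if none)."""
    target = registrable_domain(href)
    reasons = []
    if text.startswith(("http://", "https://")):
        shown = registrable_domain(text)
        if shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
    for brand in TRUSTED_DOMAINS:
        if target != brand and edit_distance(target, brand) <= 2:
            reasons.append(f"{target} looks like {brand}")
    return reasons


def suspicious_links(html: str) -> list[tuple[str, str, list[str]]]:
    """Parse the page and return only the links that drew a warning."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = link_warnings(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(href, "|", text, "|", "; ".join(reasons))
```

The registrable-domain helper keeps only the last two labels, which is enough for .com-style names used here; real deployments would use the public suffix list so that names under country-code suffixes are compared correctly.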
8.1 Application Security and Hardening
8.2 WWW and E-Commerce Security
8.3 Web Browser Attacks
8.4 E-Mail Security
8.5 Voice over IP (VoIP) Security
8.6 Other User Applications
Importance of WWW Service and E-Commerce Security
◦ Cost of disruptions, harm to reputation, and market capitalization
◦ Customer fraud
◦ Exposure of sensitive private information
Webservice versus E-Commerce Service
◦ WWW service provides basic user interactions
  Microsoft Internet Information Server (IIS), Apache on UNIX, other webserver programs
◦ E-commerce servers add functionality: order entry, shopping cart, payment, etc.
  Links to internal corporate databases and external services (such as credit card checking)
  Custom programs written for special purposes
Website Defacement
Numerous IIS buffer overflow attacks
◦ Many of which take over the computer
IIS directory traversal attacks
Users should only be able to reach files below the WWW root, which is below the true system root.
In URLs, .. means move up one level. If allowed, the user can get outside the WWW root box, into other directories.
IIS directory traversal attacks (Figure 8-11)
◦ Companies filter out “..”
◦ Attackers respond with hexadecimal and UNICODE representations for “..”
◦ Typical of the constant “arms race” between attackers and defenders
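The "arms race" on this slide exists because filtering the literal string ".." is the wrong layer to fight at. The added example below (not code from the textbook or slides) shows the defensive alternative: decode the request path fully (including double percent-encoding), resolve the "." and ".." segments, and only then check that the result stays under the WWW root. WWW_ROOT is a constructed path for the example. Overlong UTF-8 forms such as %c0%ae are rejected because Python's strict UTF-8 decoder refuses them.

```python
"""Canonicalize a request path and verify it stays under the WWW root.

Added example, not from the textbook: instead of filtering the literal
string "..", decode the path (including double encoding) and resolve the
segments, then check the result against the root.  WWW_ROOT is a constructed
path for the example.
"""
from __future__ import annotations

from urllib.parse import unquote_to_bytes

WWW_ROOT = "/var/www/html"   # constructed; the directory the server is allowed to serve


def decode_request_path(raw_path: str, max_rounds: int = 3) -> str | None:
    """Percent-decode repeatedly (to undo double encoding) and decode as UTF-8.
    Returns None for byte sequences that are not valid UTF-8, which is how the
    overlong encodings used to smuggle "." and "/" (e.g. %c0%ae) are rejected."""
    decoded = raw_path
    for _ in range(max_rounds):
        try:
            nxt = unquote_to_bytes(decoded).decode("utf-8")   # strict decoder
        except UnicodeDecodeError:
            return None
        if nxt == decoded:          # nothing left to decode
            break
        decoded = nxt
    if "\x00" in decoded:           # an embedded NUL would truncate the path in C APIs
        return None
    return decoded


def canonical_path(raw_path: str) -> str | None:
    """Return the absolute filesystem path for a request, or None if the request
    is malformed or would reach outside WWW_ROOT."""
    decoded = decode_request_path(raw_path)
    if decoded is None:
        return None
    parts: list[str] = []
    # Windows servers treat backslash as a separator too, so normalize it first.
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None         # attempt to climb above the WWW root
            parts.pop()
        else:
            parts.append(seg)
    return "/".join([WWW_ROOT, *parts])


if __name__ == "__main__":
    for request in ("/index.html", "/images/../index.html",
                    "/..%2f..%2fsecret.txt", "/%252e%252e/secret.txt",
                    "/%c0%ae%c0%ae/secret.txt"):
        print(f"{request:32} -> {canonical_path(request)}")
```

Because the check runs on the decoded, segment-resolved path, a new encoding trick only matters if it survives decoding as something other than "..", which is exactly what the string-filter approach could never guarantee.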
Patching the WWW and E-Commerce Software and Their Components
◦ Patching the webserver software is not enough
◦ Also must patch e-commerce software
◦ E-commerce software might use third-party component software that must be patched
Other Website Protections
◦ Website vulnerability assessment tools, such as Whisker
◦ Reading website error logs
◦ Placing a webserver-specific application proxy server in front of the webserver
An internal employee (10.10.10.10) may be blindly searching for confidential directories (bolded) on an internal webserver (10.0.0.1).
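Reading error logs, as the previous slide recommends, is how the probing in this figure gets noticed. The added example below (not code from the textbook or slides) parses constructed Common Log Format lines that mirror the figure's scenario and flags any client that has hit several distinct paths answered with 403 or 404. A normal visitor produces a stray miss now and then; a run of misses on guessed directory names is the pattern worth a follow-up.

```python
"""Spot a client blindly probing for directories in a webserver's log.

Added example, not from the textbook: the log lines below are constructed in
Common Log Format to mirror the slide's scenario (an internal client at
10.10.10.10 guessing directory names on the internal server 10.0.0.1).
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE_LOG = """\
10.10.10.10 - - [10/Mar/2013:09:15:01 -1000] "GET /index.html HTTP/1.1" 200 1043
10.10.10.10 - - [10/Mar/2013:09:15:07 -1000] "GET /admin/ HTTP/1.1" 404 512
10.10.10.10 - - [10/Mar/2013:09:15:09 -1000] "GET /payroll/ HTTP/1.1" 404 512
10.10.10.10 - - [10/Mar/2013:09:15:11 -1000] "GET /hr/ HTTP/1.1" 404 512
10.10.10.10 - - [10/Mar/2013:09:15:13 -1000] "GET /confidential/ HTTP/1.1" 404 512
10.10.10.10 - - [10/Mar/2013:09:15:15 -1000] "GET /finance/ HTTP/1.1" 404 512
10.10.10.10 - - [10/Mar/2013:09:15:18 -1000] "GET /backup/ HTTP/1.1" 403 300
10.10.10.20 - - [10/Mar/2013:09:16:02 -1000] "GET /index.html HTTP/1.1" 200 1043
10.10.10.20 - - [10/Mar/2013:09:16:05 -1000] "GET /about.html HTTP/1.1" 200 2210
10.10.10.20 - - [10/Mar/2013:09:16:09 -1000] "GET /missing.png HTTP/1.1" 404 512
"""

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text: str) -> list[dict]:
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_probing_clients(entries: list[dict], threshold: int = 5) -> dict[str, list[str]]:
    """Clients that requested `threshold` or more distinct paths answered 403/404,
    mapped to the sorted list of those paths."""
    misses: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e["status"] in (403, 404):
            misses[e["ip"]].add(e["path"])
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_probing_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} probed {len(paths)} missing or forbidden paths: {', '.join(paths)}")
```

Counting distinct paths rather than raw requests avoids flagging a browser that retries one broken image link; the threshold is a tuning knob that depends on how noisy the site's own links are.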
TCP/IP Supervisory Protocols
◦ Many supervisory protocols in TCP/IP
  ARP, ICMP, DNS, DHCP, LDAP, RIP, OSPF, BGP, SNMP, etc.
◦ The targets of many attacks
◦ The IETF has a program to improve security in all of them (the Danvers Doctrine)
Example
◦ Simple Network Management Protocol (SNMP)
◦ Messages
  GET messages to get information from a managed object
  SET messages to change the configuration of a managed object
  SET is often turned off because it is dangerous
Example
◦ SNMP versions and security
  Version 1: no security
  Version 2: weak authentication with a community string shared by the manager and managed devices
  Version 3: pair-shared secrets, optional confidentiality, message integrity, and anti-replay protection
  Still needed: public key authentication
(Figure: mydebitcredit.com)
I had 69 out of date themes!
CloudFlare
◦ “CloudFlare leverages the knowledge of a diverse community of websites to power a new type of security service. Online threats range from nuisances like comment spam and excessive bot crawling to malicious attacks like SQL injection and denial of service (DOS) attacks. CloudFlare provides security protection against all of these types of threats and more to keep your website safe.”
Chapter 7 – Operating Systems / Hosts
Chapter 8 – Applications
Chapter 9 – Data
But social networks connect us with everything…
Permissions