Presentation is loading. Please wait.

Presentation is loading. Please wait.

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Published byMervin Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department"— Presentation transcript:

1 Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department tomkowiaka@uwplatt.edu

2 Web Applications I will talk about ways to design a web application to be more secure and some basic guidelines to follow when developing web applications.

3 Web Applications Authenticate Users http applications are stateless Design secure session management mechanisms

4 Vulnerabilities Web Applications  Input Validation  Authentication  Authorization  Configuration Management  Sensitive Data  Session Management  Cryptography  Parameter Manipulation  Exception Management  Auditing and Logging

5 Web Applications These systems need to have a significant amount of time spent on them in the design phase. Why?

6 Web Application  Assume all input is malicious  Centralize your approach  Do not rely on client-side validation  Be careful with canonicalization issues  Constrain, Reject and sanitize your input Input

7 Web Application Validate data for type, length, format and range. Sanitize- Strip excess null characters or spaces etc...

8 Authentication Web Applications  User names and passwords sent over secure channel(SSL)  Credentials stored  Credentials verified  Authentication ticket to verify user after logon(cookie)  Separate public and restricted areas.  Use account lockout policies for end-user accounts.  Support password expiration periods.  Be able to disable accounts.  Do not store passwords in user stores.  Require strong passwords.  Do not send passwords over the wire in plaintext.  Protect authentication cookies

9 Authorization Web Applications  Use multiple gate keepers  Restrict user access to system level resources  Consider authorization granularity  Hybrid model

10 Configuration Management Web Applications  Secure Administration interfaces  Secure your configuration stores  Maintain separate administration privileges  Use least privileged process and service accounts

11 Web Application  Storing secrets  Do not store any keys or passwords in plain text  Retrieve data on demand  Secure the communication between client and server  Do not store data in cookies Sensitive Data

12 Web Application  Use SSL to protect session cookies  Encrypt the contents of the authentication cookies  Limit session lifetime Session Management

13 Web Application  Privacy  Authenticity  Integrity  Authentication Cryptography

14 Web Application  Encrypt cookie state  Make sure that users do not bypass security checks  Validate all values sent from the client  Do not trust http header information Parameter Manipulation

15 Web Application  Don’t give the client unnecessary information  Log detailed error messages  Catch exceptions and handle them  Buffer over flow attacks Exception Management

16 Web Application  Log all key events  Secure log files  Back up and analyze log files  One application to use BIG-IP ASM Logging Events

Download ppt "Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Do’s and Don’ts for web application developers

Do’s and Don’ts for web application developers
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Access Control Methodologies

Access Control Methodologies
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Similar presentations

Ads by Google