Published by Caren Bruce. Modified over 9 years ago.
Module 1: Web Application Security Overview
Overview
–How data is stored in a web application
–Types of data that need to be secured
–Overview of common security practices
How Data is Stored in a Web Application
How data is stored in a web application
A web application may need several different pieces of information to be gathered and processed before the site can be displayed in the browser. This information can come from many different sources, including but not limited to:
–File system
–Database
–Directory service
–XML file
–Distributed storage system
File System
Many things are stored in folders on the web server and must be secured:
–Images
–Video
–Configuration files
–Web pages
–Add-ins
–Components
–.NET assemblies
File System

.NET Assemblies
In the .NET Framework, an assembly is a compiled code library used for deployment, versioning and security. There are two types: process assemblies (EXE) and library assemblies (DLL). An assembly can consist of one or more files.
XML file
Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C. XML's design goals emphasize simplicity and usability in data exchange over the Internet.
XML Uses
–Store information about users
–Configuration files
–Order information
–Data import/export
XML file
Configuration file
Configuration files store the initial settings for some computer programs. They are used for user applications, server processes and operating system settings. The files are often written in ASCII or XML format. These files may contain passwords, database connection strings or user information, which is why they must be protected like any other secret.
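Because configuration files so often carry connection strings and passwords, a defender's first check is to find the clear-text secrets in them. The following is an added example, not part of the presentation; it scans a constructed web.config-style XML fragment (all names, hosts and passwords are invented) and reports each setting that holds a secret in the clear.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on an ASP.NET web.config; the names, hosts and
# passwords are invented for this example.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Server=db01;Database=Orders;User Id=app;Password=Summer2012!" />
    <add name="Reports"
         connectionString="Server=db02;Database=Reports;Integrated Security=SSPI" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="mailpass" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""

# Key names that usually carry a secret, whether as a connection-string
# keyword ("Password=...") or as an appSettings key ("SmtpPassword").
SECRET_KEY = re.compile(r"(?i)(password|pwd|secret|apikey|api_key|token)")


def find_plaintext_secrets(xml_text):
    """Return (location, key) pairs for settings that hold a secret in clear text."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iterfind("./connectionStrings/add"):
        conn = add.get("connectionString", "")
        # A connection string is a list of 'keyword=value' pairs separated by ';'.
        for part in conn.split(";"):
            key, _, value = part.partition("=")
            if SECRET_KEY.search(key.strip()) and value.strip():
                findings.append(("connectionStrings/" + add.get("name", "?"), key.strip()))
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key", "")
        if SECRET_KEY.search(key) and add.get("value", "").strip():
            findings.append(("appSettings/" + key, key))
    return findings


if __name__ == "__main__":
    for location, key in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"clear-text secret in {location} (keyword {key!r})")
```

The "Reports" connection string uses integrated (Windows) authentication and carries no password, so it is not reported; the two clear-text entries are what should be moved into a protected store.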
Database
–User information
–Authentication info
–Authorization info
–Order info
–Employee info: salary, SSN, address, phone number
–Credit card info
User Information
Authentication Information
Used to identify the user:
–User name
–Password
–Domain or network name
Authorization Information
Used to determine rights and resource access:
–Role/group membership
–Access control list
Authentication Info

Authorization Info

Credit Card Info
Content Delivery Network
A system of computers containing copies of data, placed at various points in a network so as to maximize bandwidth for access to the data from clients throughout the network. Typical content stored:
–Images
–Video
–Audio
–Podcasts
–Other distributed content
Distributed Storage System
Directory Service
Active Directory
–Login info
–Domain info
LDAP store
–Login info
–User metadata
Directory Service

Active Directory

Active Directory - Login Info

Active Directory - Domain Info
Types of Data that Need to be Secured
–Personally identifiable information
–Financial information
–Order information
–Intellectual property
–Authentication info
Types of data that need to be secured
Personally Identifiable Information (PII), as the term is used in information security, is information that can be used to uniquely identify, contact, or locate a single individual. It can be exploited by criminals to stalk a person or steal their identity.
Personally identifiable information (PII)
Personally Identifiable Information (PII)
Although the concept of PII is old, it has become much more important as information technology and the Internet have made PII easier to collect. Collecting and reselling PII is a profitable market. Many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.
Financial Information
Credit card info
–If you store credit card information and your storage engine is compromised, you are potentially responsible for up to $250,000 per card
Bank account info
Best practice: outsource storage and processing to a service provider that specializes in financial data processing and holds sufficient insurance.
Order Information
–Payment info
–Order totals
–Shipping address
–Billing address
Intellectual Property
Database content
–Stored procedures and functions
Application architecture
–Location and type of storage
–Server names
Application configuration
Overview of Common Security Practices
Overview of common security practices
–Hardening the server
–Patching
–Updating
–Firewalls
–Port forwarding and blocking
Hardening the server
Server hardening consists of lowering the attack surface of the server:
–Use only a Least Privileged Account (LPA)
–Install only required modules
–Disable unused services
–Install all required available patches
–Remove unused accounts from the server
–Do not connect the server to the Internet until it is fully hardened
Hardening the server

RackSpace server hardening
–The KickStart process incorporates some post-install processes
–Support is responsible for additional post-install routines
–Different KickStart images for Cloud, Intensive and Managed
Server hardening is accomplished manually during setup.
Patching
A patch is a piece of software designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving usability or performance. Patch management is the process of using a strategy and plan for which patches should be applied to which systems at a specified time.
Patching

A Typical Example for Updating
"To use this site, you must be running Microsoft Internet Explorer 5 or later. To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website. If you prefer to use a different web browser, you can obtain updates from the Microsoft Download Center, or you can stay up to date with the latest critical and security updates by using Automatic Updates."
To turn on Automatic Updates:
–Click Start, and then click Control Panel.
–Depending on which Control Panel view you use, Classic or Category, do one of the following: click System, and then click the Automatic Updates tab; or click Performance and Maintenance, click System, and then click the Automatic Updates tab.
–Click the option that you want. Make sure Automatic Updates is not turned off.
Updating

Firewalls

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. Firewalls can be implemented in hardware, in software, or in a combination of both.
Firewall techniques
–Packet filter
–Application gateway
–Circuit-level gateway
–Proxy server
How Does a Firewall Work?

The earliest computer firewalls were simple routers.

Understanding and Using Firewalls

An example of a user interface for a firewall on Ubuntu (Gufw)
Port forwarding
Port forwarding, or port mapping, is the technique of forwarding a TCP/IP packet that traverses a network address translator (NAT) gateway to a predetermined network port on a host within the NAT-masqueraded (typically private) network, based on the port number on which the packet was received at the gateway from the originating host.
Port forwarding

Port blocking
To set rules on specific ports, you use iptables. Rules inserted with -I go to the top of the chain and are evaluated before any existing rule.
Port blocking - block all access to port 80:
–iptables -I INPUT -p tcp --dport 80 -j DROP
Port blocking - block a SINGLE host from port 21:
–iptables -I INPUT -s 192.168.1.101 -p tcp --dport 21 -j DROP
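The two iptables rules above are packet-filter rules (the first firewall technique listed earlier), and their effect depends on the order in which the INPUT chain evaluates them. The following is an added example, not part of the presentation: a small model of the INPUT chain that parses the page's two commands, shows that -I puts a rule at the head of the chain, and returns the verdict for constructed packets. It handles only the options that appear on this page (-I/-A, -p, -s, --dport, -j) and assumes a default ACCEPT policy.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    proto: Optional[str]    # 'tcp', 'udp', or None for any protocol
    src: Optional[str]      # source address, or None for any source
    dport: Optional[int]    # destination port, or None for any port
    target: str             # 'ACCEPT' or 'DROP'

    def matches(self, proto, src, dport):
        return ((self.proto is None or self.proto == proto)
                and (self.src is None or self.src == src)
                and (self.dport is None or self.dport == dport))

class InputChain:
    """INPUT chain model: rules are tried top to bottom, the first match
    decides, and the chain policy applies when nothing matches."""
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []

    def apply(self, command):
        """Parse an 'iptables -I|-A INPUT ...' line using only the options this page shows."""
        argv = shlex.split(command)
        rule, mode, i = Rule(None, None, None, "ACCEPT"), None, 1
        while i < len(argv):
            opt = argv[i]
            if opt in ("-I", "-A"):
                mode = opt                      # next token is the chain name
            elif opt == "-p":
                rule.proto = argv[i + 1]
            elif opt == "-s":
                rule.src = argv[i + 1]
            elif opt == "--dport":
                rule.dport = int(argv[i + 1])
            elif opt == "-j":
                rule.target = argv[i + 1]
            i += 2                              # each option takes one argument
        if mode == "-I":
            self.rules.insert(0, rule)          # -I inserts at the head of the chain
        else:
            self.rules.append(rule)             # -A appends at the tail

    def verdict(self, proto, src, dport):
        for rule in self.rules:
            if rule.matches(proto, src, dport):
                return rule.target
        return self.policy
```

An ACCEPT exception for an administrator's host that is appended with -A after a DROP rule is never reached; inserted with -I, it takes effect, which is the ordering point to check whenever a rule "does not work".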
GFI Web Monitor installed on a proxy machine connected to a router supporting port blocking

Add or edit a port blocking rule

Review
–Components of a web application
–Types of data that need to be secured
–Overview of common security practices