1 / 39

Module 1: Web Application Security Overview

Module 1: Web Application Security Overview. Overview. How Data is stored in a Web Application Types of Data that need to be secured Overview of common security practices. How Data is Stored in a Web Application. How Data is stored in a web application.

faxon
Télécharger la présentation

Module 1: Web Application Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 1: Web Application Security Overview

  2. Overview • How Data is stored in a Web Application • Types of Data that need to be secured • Overview of common security practices

  3. How Data is Stored in a Web Application

  4. How Data is stored in a web application • A web application may need several different pieces of information to be gathered and processed before the site can be displayed in the browser • This information could come from many different sources including but not limited to the sources below: • File System • Database • Directory Service • XML file • Distributed Storage System

  5. Files System Many things are stored in folders on the web server and must be secured • Images • Video • Configuration files • Web Pages • AddIns • Components • .Net Assemblies 5

  6. Net Assemblies • In the .NET framework, an assembly is a compiled code library for use in deployment, versioning and security • There are two types: process assemblies (EXE) and library assemblies (DLL) • An assembly can consist of one or more files.

  7. XML file • Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form • It is defined in the XML 1.0 Specification produced by the W3C • XML's design goals emphasize simplicity and usability in data exchange over the Internet

  8. XML Uses • Store information about users • Configuration files • Order Information • Data import/export

  9. Configuration file • Configuration files store the initial settings for some computer programs • Used for user applications, server processes and operating system settings • The files are often written in ASCII / XML format. • These files may contain passwords and database connection strings or user information

  10. Database • User Information • Authentication Info • Authorization Info • Order Info • Employee Info • Salary • SSN • Address • Phone Number • Credit Card Info

  11. User Information

  12. Authentication Information • Used to Identify the user • User Name • Password • Domain or Network Name

  13. Authorization Information • Used to determine rights and resources access • Role/Group Membership • Access Control List

  14. Content Deliver Network A system of computers containing copies of data, placed at various points in a network so as to maximize bandwidth for access to the data from clients throughout the network. Typical content stored: • Images • Video • Audio • Podcasts • Other Distributed content

  15. Directory Service • Active Directory • Login Info • Domain Info • LDAP Store • Login Info • User MetaData

  16. Directory Service

  17. Active Directory

  18. Types of Data that need to be secured

  19. Types of Data that need to be secured • Personally identifiable information • Financial information • Order Information • Intellectual property • Authentication Info

  20. Types of Data that need to be secured • Personally Identifiable Information (PII), as used in information security • Information that can be used to uniquely identify, contact, or locate a single individual • Can be exploited by criminals to stalk or steal the identity of a person

  21. Personally identifiable information (PII)

  22. Financial Information • Credit Card Info • If you store credit card information and your storage engine is compromised you are potentially responsible for up to $250,000 per card • Bank Account Info Best practice: Outsource storage and processing to a service provider that specializes in processing financial data processing and hold sufficient insurance

  23. Order Information • Payment Info • Order Totals • Shipping Address • Billing Address

  24. Intellectual Property • DataBase Content • Store procedures and functions • Application Architecture • Location and type of storage • Server Names • Application Configuration

  25. Overview of Common Security Practices

  26. Overview of common security practices • Hardening the server • Patching • Updating • Firewalls • Port forwarding and blocking

  27. Hardening the server Server hardening consists lowering the attack surface of the server • Use only Least Privileged Account LPA • Install only required modules • Disable unused services • Install all required available patches • Remove unused accounts from the server. • Do not connect server to the Internet until it is fully hardened.

  28. RackSpace Server hardening • KickStart process incorporate some post install processes • Support is responsible for additional post install routines • Different KickStart Images for Cloud, Intensive and Managed

  29. Patching • A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data • This includes fixing security vulnerabilities and other bugs, and improving the usability or performance • Patch management is the process of using a strategy and plan of what patches should be applied to which systems at a specified time

  30. Patching

  31. Firewalls

  32. Firewalls • A firewall is a part of a computer system or network that is designed to block unauthorized access • It permits authorized communications • Firewalls can be implemented in either hardware or software, or a combination of both

  33. Firewall techniques • Packet filter • Application gateway • Circuit-level gateway • Proxy server

  34. Understanding and Using Firewalls

  35. Port forwarding • Port forwarding or port mapping is the technique of forwarding a TCP/IP packet • Traversing a network address translator (NAT) gateway to a predetermined network port on a host within a NAT-masqueraded • Typically private network based on the port number on which it was received at the gateway from the originating host

  36. Port blocking • In order to set rules on specific ports, you need to access iptables • Port Blocking - Block all users to port 80: • iptables -I INPUT -p tcp --dport 80 -j DROP • Port Blocking - Block a SINGLE user to port 21: • iptables -I INPUT -s 192.168.1.101 -p tcp --dport 21 -j DROP

  37. Add or edit a port blocking

  38. Review • Components of a Web Application • Types of Data that need to be secured • Overview of common security practices

More Related