UNIT-1 :

The Web security :

Web security refers to the practices, technologies, and measures taken to protect
websites, web applications, and their users from various types of cyber threats,
attacks, and vulnerabilities.

Types of Web Security Threats

1. Malware: Malicious software designed to harm or exploit a website or its users.

2. Phishing: Fake websites or emails that trick users into revealing sensitive
information.

3. SQL Injection: Malicious code injected into databases to access or modify

sensitive data.

4. Cross-Site Scripting (XSS): Malicious code injected into websites to steal user
data or take control of user sessions.

5. Cross-Site Request Forgery (CSRF): Malicious code that tricks users into
performing unintended actions on web applications.

6. Denial of Service (DoS): Overwhelming a website with traffic to make it

unavailable to users.

7. Man-in-the-Middle (MitM): Intercepting communication between a user and a

website to steal sensitive information.

Web Security Measures

1. Encryption:

2. Firewalls: Blocking unauthorized access to a website or network.

3. Intrusion Detection and Prevention Systems (IDPS):

4. Secure Coding Practices: 5. Regular Updates and Patches:

6. Strong Password Policies:

7. Two-Factor Authentication (2FA):

Web security problems :

1. SQL Injection: Injecting malicious SQL code to access or modify sensitive data.

2. Cross-Site Scripting (XSS): Injecting malicious code into web pages to steal user
data or take control of user sessions.

3. Cross-Site Request Forgery (CSRF): Tricking users into performing unintended

actions on web applications.

4. Phishing: Tricking users into revealing sensitive information like passwords or

credit card numbers.

5. Malware: Distributing malicious software through web applications to

compromise user systems.

Risk analysis :
A security risk assessment identifies, assesses, and implements key security controls in applications. It
also focuses on preventing application security defects and vulnerabilities. Carrying out a risk
assessment allows an organization to view the application portfolio holistically—from an attacker‘s
perspective. It supports managers in making informed resource allocation, tooling, and security control
implementation decisions. Thus, conducting an assessment is an integral part of an organization‘s risk
management process..

How does a security risk assessment work?

Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk assessment
models. Organizations can carry out generalized assessments when experiencing budget or time
constraints. However, generalized assessments don‘t necessarily provide the detailed mappings
between assets, associated threats, identified risks, impact, and mitigating controls.

If generalized assessment results don‘t provide enough of a correlation between these areas, a more
indepth assessment is necessary.
The 4 steps of a successful security risk assessment model:

1. Identification. Determine all critical assets of the technology infrastructure. Next, diagnose sensitive
data that is created, stored, or transmitted by these assets. Create a risk profile for each.

2. Assessment. Administer an approach to assess the identified security risks for critical assets. After
careful evaluation and assessment, determine how to effectively and efficiently allocate time and
resources towards risk mitigation. The assessment approach or methodology must analyze the
correlation between assets, threats, vulnerabilities, and mitigating controls.

3. Mitigation. Define a mitigation approach and enforce security controls for each risk.

4. Prevention. Implement tools and processes to minimize threats and vulnerabilities from occurring in
your firm‘s resources.

A comprehensive security assessment allows an organization to: Identify assets (e.g., network, servers,
applications, data centers, tools, etc.) within the organization.

 Create risk profiles for each asset.

 Understand what data is stored, transmitted, and generated by these assets

. Assess asset criticality regarding business operations. This includes the overall impact to revenue

, reputation, and the likelihood of a firm‘s exploitation. Measure the risk ranking for assets and
prioritize them for assessment.

 Apply mitigating controls for each asset based on assessment results

Best practices cryptography and web :

Use Strong and Modern Cryptographic Algorithms

 Encryption: Utilize AES (Advanced Encryption Standard) with a key size of 128 bits or
higher for encrypting sensitive data.
 Hashing: Use SHA-256 or SHA-3 for hashing passwords and sensitive data.
 Public Key Cryptography: Employ RSA with at least 2048-bit keys or Elliptic Curve
Cryptography (ECC) for secure key exchanges.

2. Implement SSL/TLS

 HTTPS: Ensure all communications between users and servers are encrypted using
HTTPS.
 Certificates: Use certificates from trusted Certificate Authorities (CAs) and keep them
up-to-date.
 TLS Versions: Always use the latest version of TLS (currently TLS 1.3) to avoid
vulnerabilities in older versions.
3. Secure Key Management

 Key Storage: Store keys securely using hardware security modules (HSM) or secure key
management services.
 Key Rotation: Regularly rotate encryption keys to limit the exposure if a key is
compromised.

4. Protect Data at Rest

 Disk Encryption: Encrypt sensitive data stored on disks using Full Disk Encryption
(FDE).
 Database Encryption: Utilize transparent data encryption (TDE) for encrypting
databases.

5. Secure Development Practices

 Input Validation: Validate and sanitize all user inputs to prevent injection attacks.
 Least Privilege: Follow the principle of least privilege for accessing and managing
sensitive data.
 Code Reviews: Conduct regular code reviews and security audits to identify and fix
vulnerabilities.

6. Authentication and Authorization

 Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of

security.
 OAuth and OpenID Connect: Use industry-standard protocols for secure authentication
and authorization.

7. Regular Security Updates

 Patch Management: Keep software, libraries, and dependencies up-to-date with the
latest security patches.
 Vulnerability Scanning: Perform regular vulnerability assessments and penetration
testing.

8. Educate and Train Your Team

 Security Training: Provide ongoing security training to your development and

operations teams.
 Best Practices Documentation: Maintain and disseminate best practices for
cryptography and web security within your organization.
Cryptography and web security :

working cryptographic systems and protocols:

Legal restrictions on cryptography :

Digital Identification :