
Chapter 3 Application and OS Security

Chapter three discusses application and operating system security, outlining key concepts, attacks, features, and tools for securing applications and OS. It emphasizes the importance of implementing robust security measures to prevent unauthorized access and data breaches. Additionally, it covers computer forensics, web security, and mobile security as essential components of a comprehensive security strategy.

Uploaded by

endalee788
Copyright © All Rights Reserved

Chapter three

Application and OS Security

Outline
• Application security
• Application security attacks
• Features of Application Security
• Tools for application security
• Application Security Approaches
• Operating system security
• Key components of OS security
• Threats to OS
• Computer forensics
• Web security
• Mobile security

Application Security

• Application security refers to the measures and practices implemented to protect software applications from threats and vulnerabilities throughout their entire lifecycle. This encompasses the design, development, deployment, and maintenance stages of an application.

• The goal of application security is to prevent unauthorized access, data breaches, and other malicious activities that could compromise the confidentiality, integrity, and availability of the application and its data.

• Key features of application security include authentication, authorization, encryption, input validation, secure coding practices, security testing, and ongoing monitoring and maintenance.

Application security attack
• An application security attack refers to any deliberate attempt to compromise the security of
a software application. These attacks exploit vulnerabilities or weaknesses in the
application's design, implementation, or configuration to gain unauthorized access, steal
sensitive information, disrupt the application's functionality, or cause other forms of harm.
Application security attacks can take various forms, including:
1. Injection Attacks: These involve injecting malicious code (such as SQL injection, XSS, or
command injection) into an application to manipulate its behavior or access sensitive data.
2. Denial-of-Service (DoS) Attacks: These attacks aim to overwhelm an application's
resources, rendering it unavailable to legitimate users.
3. Security Misconfiguration: Attackers exploit misconfigured security settings or defaults in
an application to gain unauthorized access or perform other malicious activities.
4. Cross-Site Request Forgery (CSRF) Attacks: An attacker tricks a user into unknowingly
executing unauthorized actions on a web application where the user is authenticated.
5. Authentication Attacks: Attackers attempt to bypass authentication mechanisms to gain
unauthorized access to the application or its resources.
6. Cross-Site Scripting (XSS) Attacks: These attacks involve injecting malicious scripts into web
applications, which are then executed in the context of other users' browsers, potentially allowing the attacker
to steal session cookies or perform other malicious actions.
7. Man-in-the-Middle (MitM) Attacks: Attackers intercept and manipulate communication
between users and the application to steal sensitive information or tamper with data.
8. Zero-Day Exploits: Attackers leverage previously unknown vulnerabilities in an application to
launch attacks before developers have had a chance to patch them.
• Application security attacks pose significant risks to organizations, including financial losses,
damage to reputation, and legal consequences. Therefore, it's crucial for organizations to
implement robust security measures and regularly update and patch their applications to mitigate
these risks.
Features of Application Security
1. Authentication: Ensures that users are who they claim to be.
1. Methods: Includes passwords, biometrics (fingerprints, facial recognition), and multi-
factor authentication which combines two or more authentication methods for added
security.
2. Importance: Prevents unauthorized access to the application by ensuring only legitimate
users can log in.
2. Authorization: Determines what authenticated users are allowed to do within the
application.
1. Methods: Implemented through role-based access control (RBAC) or attribute-based
access control (ABAC), where permissions are assigned based on the user's role or
specific attributes.
2. Importance: Ensures users can only access resources and perform actions that they are
permitted to, protecting sensitive data and functionality from unauthorized access.
3. Input Validation: Ensures that all user inputs are properly validated and sanitized.
1. Methods: Involves checking inputs against expected patterns, lengths, and data types,
and sanitizing inputs to remove or escape potentially harmful characters.
2. Importance: Prevents injection attacks, such as SQL injection and cross-site scripting
(XSS), which can compromise the security of the application and its data.
4. Logging and Monitoring: Logging refers to the process of recording events, actions, and
changes that occur within an application or system.
•Purpose: Record and analyze security-relevant events to detect and respond to security
incidents.
•Method: Capture and store logs of user activities, system events and security-related events.
•Importance: Helps in detecting and responding to security incidents, compliance with
regulations, and troubleshooting.
5. Secure Coding Practices:
•Purpose: Develop code with security in mind to prevent vulnerabilities.
•Method: Follow secure coding guidelines and best practices.
•Importance: Reduces the risk of introducing vulnerabilities into the application's codebase.
6. Security Testing:
•Purpose: Identify and mitigate security vulnerabilities in the application.
•Method: Conduct static analysis, dynamic analysis, and penetration testing.
•Importance: Helps in identifying and fixing security vulnerabilities before they can be
exploited by attackers.
Tools for Application Security
Application security tools are software solutions designed to identify, prevent, and mitigate
security vulnerabilities within applications. These tools help ensure that applications are
secure from potential threats and comply with security standards and regulations.
Finding the right application security technologies for the organization is crucial to the
effectiveness of any security measures the security team implements.
Application Security Testing: the process of evaluating an application's security
posture to identify vulnerabilities and weaknesses that could be exploited by attackers.
Application security testing can be divided into numerous categories:
• Static Application Security Testing (SAST): These tools are used early in the
development process. SAST is white-box testing with access to the source code at rest.
It analyzes the source code of an application for security vulnerabilities, identifies
weaknesses that may lead to a vulnerability, and generates a report.
• This testing is performed during the development phase of an application and can detect
issues such as buffer overflows and SQL injection, e.g. syntax errors and input validation
issues.
Dynamic Application Security Testing (DAST): These tools simulate attacks on a running
application to find vulnerabilities. They focus on the application's exposed interfaces and
behavior during execution. Simulating security breaches on a live web application delivers
precise information about exploitable flaws and helps identify issues in areas such as query
strings, use of scripts, requests and responses, memory leakage, authentication, cookie and
session handling, execution of third-party components, and data injection.
Interactive Application Security Testing (IAST): It combines parts of SAST and DAST. It
scans the source code for vulnerabilities while the application is running and while simulating
the ways a user would commonly interact with it. It makes remediation easier by providing
information about the root cause of vulnerabilities, and it analyzes data flow, source code,
configuration, and third-party libraries. It has access to all of the application's code and
components, allowing it to produce more accurate results by observing the application's
behavior and interaction with its environment.
Run-time Application Security Protection (RASP): These tools monitor an application's
behavior in real time to detect and block attacks as they occur. They integrate with the
application and provide protection during its execution. The tools continuously monitor the
behavior of the app, which is particularly useful in mobile environments, where apps can be
rewritten, run on a rooted phone, or have their privileges abused to make them perform
malicious actions.
Web Application Firewalls (WAF): WAFs protect web applications by filtering and
monitoring HTTP traffic between a web application and the internet. They can block
malicious traffic and prevent common web attacks such as SQL injection and cross-site
scripting (XSS).
Container Security Tools: These tools focus on securing containerized applications,
ensuring that container images are free of vulnerabilities and that container runtime
environments are secure.
Identity and Access Management (IAM) Tools: IAM tools ensure that only authorized
users have access to an application's resources, managing authentication, authorization, and
user identities.
Encryption and Data Protection Tools: These tools help protect sensitive data by
encrypting it both at rest and in transit, ensuring that data breaches do not result in the
exposure of sensitive information.
NOTE: Using a combination of these tools and practices helps organizations build a robust
application security strategy, addressing vulnerabilities throughout the software
development lifecycle and in production environments.
Application Security Approaches
There are various app security approaches. Some common approaches are:
1. Design Review: The architecture and design of the application can be examined for
security flaws before code is created. The construction of a threat model is a popular
strategy used at this phase.
2. White-box Security Review or Code Review: The security engineer inspects the
source code and looks for security issues. Vulnerabilities unique to the application
can be discovered through understanding the application.
3. Black-box Security Audit: Accomplished only through the use of an application to test
for security flaws; no source code is necessary.
4. Automated Tooling: Security tools can be automated by including them in the development
or testing process, for example automated DAST/SAST tools that are incorporated into code
editors or continuous integration (CI) / continuous deployment (CD) systems.
5. Coordinated Vulnerability Platform: Many websites and software providers offer
hacker-powered application security solutions through which individuals can be
recognized and compensated for reporting defects.
OS Security
• Operating System (OS) security refers to the measures and mechanisms implemented to
protect an operating system from threats, vulnerabilities, and unauthorized access. The
goal of OS security is to ensure the integrity, confidentiality, and availability of the
operating system and the data it manages. This involves a combination of hardware and
software mechanisms designed to safeguard the OS against attacks and misuse.
Key Components of OS Security
• Access Control:
1. User Authentication: Ensuring that only authorized users can access the system through
mechanisms like passwords, biometrics, and multi-factor authentication.
2. User Authorization: Granting permission and privileges to users based on their roles,
typically managed via Access Control Lists (ACL) or Role-Based Access Control (RBAC).
• Data Protection:
1. Encryption: Encrypting data at rest and in transit to prevent unauthorized access and
tampering.
2. File System Permissions: Setting permissions for files and directories to control who
can read, write, or execute them.
Patch Management: Regularly updating the OS with security patches and updates to fix
vulnerabilities and protect against known threats.
Firewall and Network Security: Using firewalls to filter incoming and outgoing traffic
based on predefined security rules.
• Implementing network security measures like Intrusion Detection Systems (IDS) and
Intrusion Prevention Systems (IPS) to monitor and protect against network-based
attacks.
Malware Protection: Employing antivirus and anti-malware software to detect, quarantine,
and remove malicious software.
Secure Boot and Firmware Protection: Ensuring that the system boots using trusted
firmware and software to prevent boot-level attacks.
• Using technologies like Secure Boot to verify the integrity of the boot process.
User and Process Isolation: Using techniques like sandboxes and jails to isolate
applications and processes, preventing them from affecting each other or the underlying OS.
Security Policies and Procedures: These are essential components of an organization's
information security framework. They provide guidelines and instructions for protecting
sensitive information and ensuring the security of the organization's assets.
• Security policies are formalized rules and guidelines that dictate how an organization
manages and protects its information and IT resources. They define the organization’s
stance on security and outline the responsibilities of employees and other stakeholders.
Establishing and enforcing security policies, procedures, and best practices guides users
and administrators in maintaining a secure OS environment.
• Key Characteristics of Security Policies:
• They are typically high-level documents that provide broad guidelines rather than specific instructions.
• They are approved by senior management and have the authority to enforce compliance across the organization.
• They cover various aspects of security, including physical security, data protection, network
security, access control, incident response, and more.
• They should be clearly written and easily accessible to all employees and relevant stakeholders.
• Examples of security policies: Acceptable Use Policy (AUP), Data Protection
Policy, Access Control Policy, Incident Response Policy, Password Policy,
Remote Work Policy.
• Security Procedures: These are detailed, step-by-step instructions on how to implement the
security policies. They provide the specific actions required to achieve the security
objectives outlined in the policies.
• Key Characteristics of Security Procedures:
• Detailed and Specific: Procedures provide specific steps to be followed to ensure
compliance with security policies.
• Operational Focus: They are operational in nature and are used by staff to perform
daily security-related tasks.
• Consistency: Procedures ensure that security tasks are performed consistently and
correctly across the organization.
• Documentation: Detailed documentation of procedures helps in training employees
and serves as a reference during security operations.
• Examples of security procedures:
• Account creation: Step-by-step instructions for creating, modifying, and disabling
user accounts.
• Backup: Procedures for regularly backing up data and recovering it in the event of
data loss.
• Incident response steps: Detailed steps for detecting, reporting, and mitigating
security incidents, including communication protocols and documentation
requirements.
• Patch management procedures: Instructions for identifying, testing, and applying
software updates and patches to systems.
Threats to Operating System
There are various threats to the operating system. Some of them are as follows:
Malware: It includes viruses, worms, Trojan horses, and other dangerous software. These
are generally short code snippets that may corrupt files, delete data, replicate to
propagate further, and even crash a system. Malware frequently goes unnoticed by the
victim while criminals silently extract important data.
Network Intrusion: Network intruders are classified as masqueraders, misfeasors, and
unauthorized users. A masquerader is an unauthorized person who gains access to a system
and uses an authorized person's account. A misfeasor is a legitimate user who gains
unauthorized access to and misuses programs, data, or resources. A rogue user takes
supervisory authority and tries to evade access constraints and audit collection.
Buffer Overflow: It is also known as buffer overrun. It is the most common and dangerous
security issue of the operating system. It is defined as a condition at an interface under
which more input may be placed into a buffer or data holding area than the allotted
capacity, so that it may overwrite other information. Attackers use such a situation to crash a
system or insert specially created malware that allows them to take control of the system.
Computer forensics
Computer forensics, also known as digital forensics, involves the identification,
preservation, analysis, and presentation of digital evidence. It plays a crucial role in legal
and information security contexts, particularly when dealing with cybercrimes, data
breaches, and other security incidents.
Key Aspects of Computer Forensics
•Identification: Identifying potential sources of digital evidence, such as computers, mobile
devices, servers, and cloud storage. It includes determining the scope of the investigation
and the specific data required.
•Preservation (Chain of Custody): Maintaining a documented history of the evidence from
collection to presentation to ensure its integrity, using methods like cryptographic hashing to
ensure that the data remains unchanged.
•Analysis: Employing various forensic techniques to analyze data, such as file recovery, log
analysis, and network traffic analysis, by utilizing specialized tools like EnCase, FTK
(Forensic Toolkit), and open-source alternatives like Autopsy and Sleuth Kit.
•Presentation: Preparing detailed reports that summarize findings and methodologies.
Providing expert testimony in court to explain the evidence and its relevance.
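The preservation step above, as an added example that is not part of the original slides: evidence is hashed with SHA-256 at acquisition, every custody event is appended to a log whose entries are chained by hash, and a later check reports both edited log records and changed evidence. The log format, field names and sample values are assumptions for the illustration, not the output of any forensic tool.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # previous-entry value used by the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def entry_digest(body):
    """Digest of one log entry, computed over all fields except entry_hash."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_custody_entry(log, actor, action, evidence_path, timestamp):
    """Append a custody event that records the evidence hash and the previous entry."""
    entry = {
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_file(evidence_path),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_custody(log, evidence_path):
    """Return a list of problems; an empty list means log and evidence are intact."""
    problems = []
    prev = GENESIS
    for index, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry_digest(body) != entry["entry_hash"]:
            problems.append(f"entry {index}: record altered")
        if entry["prev_entry_hash"] != prev:
            problems.append(f"entry {index}: chain broken")
        prev = entry["entry_hash"]
    if log and sha256_file(evidence_path) != log[0]["evidence_sha256"]:
        problems.append("evidence: hash differs from acquisition hash")
    return problems


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as handle:
            handle.write(b"constructed evidence bytes\n" * 1000)  # sample data
        log = []
        add_custody_entry(log, "examiner_a", "acquired", image, "2024-01-01T09:00:00Z")
        add_custody_entry(log, "examiner_b", "received", image, "2024-01-02T10:30:00Z")
        clean = verify_custody(log, image)
        log[0]["actor"] = "someone_else"  # simulate a log record edited afterwards
        edited = verify_custody(log, image)
        log[0]["actor"] = "examiner_a"
        with open(image, "ab") as handle:
            handle.write(b"x")  # simulate a one-byte change to the evidence
        changed = verify_custody(log, image)
    return clean, edited, changed


if __name__ == "__main__":
    print(demo())
```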
Web security
• Web security involves protecting websites, web applications, and web services from
cyber threats and vulnerabilities. It encompasses a range of practices, tools, and
protocols designed to ensure the integrity, confidentiality, and availability of data and
resources on the web.
Key Concepts and Practices in Web Security:
1. Web Application Firewalls (WAFs)
•Purpose: Filter and monitor HTTP traffic between a web application and the internet.
•Functionality: Block malicious traffic, prevent common attacks like SQL injection,
cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.
2. Secure Development Practices
•Input Validation: Ensure all user inputs are validated to prevent injection attacks.
•Output Encoding: Encode output data to prevent XSS attacks.
•Authentication and Authorization: Implement strong authentication mechanisms and
enforce proper authorization.
3. Encryption
• HTTPS: Use SSL/TLS to encrypt data transmitted between the user’s browser and the web server.
• Data Encryption: Encrypt sensitive data stored on the server.
4. Session Management
• Secure Cookies: Use secure cookies with HttpOnly and Secure flags to protect session data.
• Session Expiry: Implement session timeouts to reduce the risk of session hijacking.
5. Content Security Policy (CSP)
• Purpose: Mitigate XSS attacks by controlling resources a browser is allowed to load and execute.
• Implementation: Define a CSP header that specifies allowed content sources.
6. Regular Security Testing
• Vulnerability Scanning: Regularly scan for vulnerabilities using automated tools.
• Penetration Testing: Conduct full penetration testing to identify and remediate security flaws.
7. Patch Management
• Timely Updates: Update web servers, frameworks, and libraries to patch known vulnerabilities.
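The session management and Content Security Policy items above (4 and 5), as an added example that is not part of the original slides: a check over a response's headers that reports cookies lacking the HttpOnly or Secure flag and a missing or weakened CSP. The header sets are constructed samples, and the function names and finding texts are assumptions for the illustration.

```python
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample responses: a weak configuration and a corrected one.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, attributes keyed in lower case)."""
    parts = [part.strip() for part in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, attr_value = part.partition("=")
            attrs[key.strip().lower()] = attr_value.strip()
    return name, attrs


def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive keeps its first occurrence."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_response(headers):
    """headers is a list of (name, value) pairs; returns a list of findings."""
    findings = []
    csp = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie}: missing {flag} flag")
        elif lname == "content-security-policy" and csp is None:
            csp = parse_csp(value)  # simplification: only the first CSP header is read
    if csp is None:
        findings.append("missing Content-Security-Policy header")
        return findings
    # script-src falls back to default-src when it is not given.
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        findings.append("CSP does not restrict script sources")
    elif "'unsafe-inline'" in sources and not any(
        src.startswith(HASH_OR_NONCE) for src in sources
    ):
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        findings.append("CSP script source allows 'unsafe-inline'")
    return findings


if __name__ == "__main__":
    print(audit_response(WEAK))
    print(audit_response(HARDENED))
```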

Best Practices for Enhancing Web Security:
•Regular Security Audits: Conduct regular security audits to identify and address
vulnerabilities.
•User Education: Train users on security best practices and raise awareness about social
engineering attacks.
•Backup and Recovery: Regularly back up web application data and have a robust
disaster recovery plan.
•Secure Configuration: Follow security best practices for configuring web servers,
databases, and applications.
NOTE: Web security is essential for protecting web applications and services from a
myriad of cyber threats. By implementing comprehensive security measures, adhering
to best practices, and staying alert through regular testing and monitoring, organizations
can safeguard their web environments and protect sensitive data from unauthorized
access and attacks.

Mobile security
• Mobile security refers to the protection of smartphones, tablets, and other mobile devices from threats
and vulnerabilities that can compromise data, privacy, and functionality. It involves a range of practices,
tools, and technologies designed to safeguard mobile devices, their applications, and the data they
handle.
Key Aspects of Mobile Security:
1. Device Security
•Encryption:
• Purpose: Protect data stored on the device.
• Implementation: Use built-in encryption features (e.g., iOS encryption, Android full-disk
encryption).
•Secure Boot:
• Purpose: Ensure that the device boots using only trusted software.
• Implementation: Use manufacturer-provided secure boot features to prevent unauthorized
modifications.
•Lock Screen Security:
• Purpose: Prevent unauthorized access to the device.
• Implementation: Use strong passcodes, biometric authentication (fingerprint, facial recognition),
and lock screen timeouts.
2. Application Security
•App Permissions:
• Purpose: Control the access apps have to device resources.
• Implementation: Review & limit app permissions to only what is necessary for their function.
•Secure Coding Practices:
• Purpose: Develop secure mobile applications.
• Implementation: Follow secure coding guidelines, perform code reviews, and use mobile-
specific security libraries.
•App Vetting:
• Purpose: Ensure the apps installed on devices are secure.
• Implementation: Use official app stores, and employ mobile application management (MAM)
solutions to vet apps.
3. Network Security
•VPNs (Virtual Private Networks)
•Secure Wi-Fi
•Network Monitoring
Risk management framework
A Risk Management Framework (RMF) is a structured approach used to identify, assess,
manage, and monitor risks within an organization. It provides a systematic process for
managing potential risks that could impact the achievement of the organization's objectives.
The RMF helps ensure that risk management activities are integrated into the organization's
overall governance, strategy, and operations.
Key Components of a Risk Management Framework
1. Establishing the Context:
o Define the internal and external environment in which the organization operates.
o Identify the objectives, stakeholders, and the risk criteria.
2. Risk Assessment:
o Risk Identification: Determine what risks might affect the organization.
o Risk Analysis: Understand the nature of the risk, its potential impact, and likelihood.
o Risk Evaluation: Compare the level of risk against risk criteria to prioritize them.
3. Risk Treatment:
o Develop and implement strategies to mitigate, transfer, avoid, or accept risks.
o Select appropriate risk controls and measures.
4. Monitoring and Review:
o Continuously monitor the risk environment and the effectiveness of risk management
strategies.
o Review and update the risk management framework and processes as needed.
5. Communication and Consultation:
o Ensure effective communication and consultation with internal and external
stakeholders throughout the risk management process.
o Maintain transparency and promote a risk-aware culture within the organization.

Common Risk Management Frameworks
1. ISO 31000:
o An international standard providing guidelines and principles for effective risk management.
o Emphasizes integration into organizational processes, structured and comprehensive
approach, customized processes, and continual improvement.
2. NIST Risk Management Framework (RMF):
o Developed by the National Institute of Standards and Technology (NIST) for managing
risks to federal information systems.
o Includes steps such as preparing, categorizing, selecting, implementing, assessing,
authorizing, and monitoring security controls.
3. COSO Enterprise Risk Management (ERM):
o Provides a comprehensive framework for enterprise risk management, integrating with
the organization's strategy and performance.
o Focuses on governance, strategy, performance, review, and communication.
Steps in a Typical Risk Management Process
1. Establish Context: Define the scope, objectives, and risk criteria and understand the internal and
external environment.
2. Identify Risks: Identify potential events or conditions that could affect objectives and use
techniques such as brainstorming, checklists, and SWOT analysis.
3. Analyze Risks: Determine the likelihood and impact of identified risks and use qualitative or
quantitative methods for risk analysis.
4. Evaluate Risks: Prioritize risks based on their analysis and decide which risks need treatment
and the urgency.
5. Treat Risks: Develop and implement risk treatment plans and consider options such as
avoidance, reduction, sharing, or acceptance.
6. Monitor and Review: Track the effectiveness of risk treatments and review and update risk
assessments regularly.
7. Communicate and Consult: Ensure stakeholders are informed about risks and risk
management activities and foster a culture of risk awareness and open communication.