1. CSE 403: Web Security Testing
Reading: Andrews/Whitaker, How to Break Web Software, Ch. 2-5
These lecture slides are copyright (C) Marty Stepp, 2007. They may not be rehosted, sold, or modified without expressed permission from the author. All rights reserved.
2. Big questions
- How much do I have to worry about security in my web application?
- What kinds of common attacks can be performed?
- What common bugs in my code lead to these flaws?
- What tools do attackers use?
- How can I prevent security problems in my code and (hopefully) ensure overall system security?
3. Denial-of-Service (DoS)
- Denial of Service (DoS) attack: Attacker causes web server to be unavailable.
- How attack is performed:
  - Attacker frequently requests many pages from your web site.
  - distributed DoS (DDoS): DoS using lots of computers
  - Your server cannot handle this many requests at a time, so it turns into a smoldering pile of goo (or just becomes very slow).
- Problems that this attack can cause:
  - Users cannot get to your site.
  - Online store's server crashes -> store loses potential revenue.
  - Server may crash and lose or corrupt important data.
  - All the bandwidth used by the DoSers may cost you $$$.
4. Packet sniffing
- packet sniffing: Listening to traffic sent on a network.
  - Many internet protocols (http, aim, email) are insecure.
  - If an attacker is on the same local network (LAN) as you, he may be able to listen to information your computer is sending:
    - read your email/IMs as you send them
    - see what web sites you are viewing
    - grab your password as it's being sent to the server
- solutions:
  - Use secure protocols (https)
  - Encryption
  - Don't let creeps on your LAN
5. Password cracking
- password cracking: Guessing the passwords of privileged users of your system.
- How attack is performed:
  - brute force attack: Attacker uses software that sequentially tries every possible password.
  - dictionary attack: Attacker uses software that sequentially tries passwords based on words in a dictionary.
    - every word in the dictionary
    - combinations of words, numbers, etc.
- What you can do about it:
  - Force users to have secure passwords.
  - Block an IP address from logging in after N failed attempts.
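The "block after N failed attempts" defence above, written out as an added example (this is not code from the slides or from the Andrews/Whitaker book). It assumes a hypothetical `LoginThrottle` helper that counts recent failures per client address within a sliding window, and an injectable clock so the lockout can be exercised without waiting; the threshold, window and lockout lengths are constructed values.

```python
from collections import defaultdict, deque
import time

N_FAILED = 5            # constructed: lock out after this many failures
WINDOW_SECONDS = 600    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long an address stays blocked


class LoginThrottle:
    """Per-IP failed-login counter with a sliding window and a lockout.

    Hypothetical helper, not from the slides. `now` is injectable so the
    behaviour can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lock expires

    def _prune(self, ip, t):
        q = self.failures[ip]
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, ip):
        t = self.now()
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if t >= until:                       # lock has expired: start fresh
            del self.locked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip):
        t = self.now()
        self._prune(ip, t)
        self.failures[ip].append(t)
        if len(self.failures[ip]) >= N_FAILED:
            self.locked_until[ip] = t + LOCKOUT_SECONDS

    def record_success(self, ip):
        self.failures[ip].clear()


def attempt_login(throttle, ip, username, password, check_credentials):
    """Return 'blocked', 'ok' or 'denied'. Blocked attempts never reach the
    credential check, so a locked-out client learns nothing about the password."""
    if throttle.is_blocked(ip):
        return "blocked"
    if check_credentials(username, password):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip)
    return "denied"


class FakeClock:
    """Constructed clock for the demo: time only moves when we say so."""

    def __init__(self):
        self.t = 1000.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    throttle = LoginThrottle(now=clock)
    # Constructed account; the guesses below are the kind of weak passwords the slides warn about.
    creds = lambda u, p: (u, p) == ("alice", "correct horse battery staple")
    results = []
    for guess in ["password", "abc", "alice", "123456", "letmein"]:
        results.append(attempt_login(throttle, "203.0.113.9", "alice", guess, creds))
    # Sixth attempt: even the right password is refused while the address is locked.
    results.append(attempt_login(throttle, "203.0.113.9", "alice", "correct horse battery staple", creds))
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(attempt_login(throttle, "203.0.113.9", "alice", "correct horse battery staple", creds))
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the counter on the client address has a known trade-off: many users behind one NAT share an address, so a per-account counter (or both) is usually added alongside it in practice; the slide's per-IP rule is what the example implements.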
6. Phishing / social engineering
- phishing: Emails or web sites that masquerade as legitimate ones.
- social engineering: Attempts to manipulate users, such as fraudulently acquiring passwords or credit card numbers.
- Problems:
  - If trusted users of your system are tricked into giving out their personal information, attackers can use this to log in as those users and compromise your system.
7. Man-in-the-middle
- man-in-the-middle attack: Attacker sits between two communication endpoints and silently intercepts traffic between them.
  - tricks user to go to attacker's site instead of real site
  - intercepts sensitive information and/or modifies data before sending it from one endpoint to the other
8. Privilege escalation
- privilege escalation: Attacker becomes able to run code on your server as a privileged user.
  - Example: Perhaps normal users aren't able to directly query your database. But an attacker may find a flaw in your security letting him run as an administrator and perform the query.
- Once you're running as root, you're God. You own the server. You can do anything you want...
9. Cross-site scripting (XSS)
- cross-site scripting: Causing one person's script code to be executed when a user browses to another site.
  - Example: Visit google.com, but evil.com's JavaScript runs.
- How attack is performed:
  - Attacker finds insecure code on target site.
  - Attacker uses hole to inject JavaScript into the page.
  - User visits page, and the malicious script code runs in their browser.
10. SQL Injection
- SQL injection: An attacker causing undesired SQL queries to be run on a server's database.
  - Often caused when untrusted input is pasted into a SQL query
- Example:
  - query = "SELECT * FROM Users WHERE name='" + name + "';";
  - specify a user name of "haha' OR 'a'='a"
  - SELECT * FROM Users WHERE name='haha' OR 'a'='a';
- Attacker can see, delete, modify your sensitive personal data!
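The slide's example carried through end to end, as an added example rather than code from the slides: a constructed in-memory SQLite table stands in for the `Users` table, `lookup_vulnerable` keeps the slide's string-concatenation pattern on purpose, and `lookup_parameterized` shows the fix, a parameterized query in which the value is sent separately from the SQL text so quotes inside it cannot change the statement.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The slide's pattern: untrusted input pasted straight into the query.
    Deliberately left broken to show what the injected input does."""
    query = "SELECT * FROM Users WHERE name='" + name + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the driver binds `name` as a value, never as SQL text, so
    `haha' OR 'a'='a` is looked up literally and matches nothing."""
    return conn.execute("SELECT * FROM Users WHERE name=?", (name,)).fetchall()


def demo():
    conn = make_db()
    payload = "haha' OR 'a'='a"   # the user name from the slide
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),      # every row leaks
        "parameterized_rows": len(lookup_parameterized(conn, payload)),  # nothing matches
        "legit_rows": len(lookup_parameterized(conn, "alice")),          # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the primary defence; the later slide's advice to strip SQL from user names is a secondary filter, since a blocklist of SQL tokens is easy to get wrong while binding makes the question of quoting disappear.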
11. Thinking like an attacker: Finding vulnerabilities
12. Panning for gold
- Looking through a target application for exploits:
  - View Source, and look for:
    - HTML comments
    - script code
    - other sensitive information in code: IP addresses, email addresses, SQL queries, hidden fields, ...
  - watch HTTP requests/responses
  - look for hidden pages, files, parameters to target
  - error messages sent back to your browser by the app
    - 200: OK
    - 400: Invalid request
    - 403: Forbidden
    - 404: File not found
    - 500: Internal server error
13. Input forms
- Forms let users pass parameters to the web server.
- Parameters are passed using GET or POST requests.
  - GET: parameters are contained in the request URL.
    http://www.google.com?q=Stephen+Colbert&lang=en
  - POST: parameters are contained inside the HTTP request rather than in the URL.
    - harder for the user to see, but no more secure than GET
- Forms provide a rich ground for us to attack...
14. Form validation
- validation: Examining form parameters to make sure they are acceptable before they are submitted.
  - nonempty, alphabetical, numeric, length, ...
  - client-side: HTML/JS checks values before request is sent.
  - server-side: JSP/Ruby/PHP/etc. checks values received.
- Some validation is performed by restricting the choices available to the user.
  - select boxes
  - input text boxes with maxlength attribute
  - key event listeners that erase certain key presses
15. User input attacks
- Bypassing client-side input restrictions and validation
  - maxlength limits on input text fields
  - choices not listed in a select box
  - hidden input fields
  - modifying or disabling client-side JavaScript validation code
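Since every client-side restriction on the previous two slides (maxlength, select choices, hidden fields, JavaScript checks) can be bypassed, the server has to re-check the same constraints on whatever arrives. The added example below, which is not code from the slides, shows one way to do that: a hypothetical `FORM_SPEC` declares the constraints the HTML form is supposed to enforce, `validate` applies them to the received parameters, and a hidden `price_cents` field is compared against a constructed server-side catalog value instead of being trusted.

```python
import re

# Constructed form definition: the same limits the HTML form declares, so the
# server can re-check them on the submitted values (the client cannot be trusted).
FORM_SPEC = {
    "username": {"required": True, "maxlength": 16, "pattern": r"[A-Za-z0-9_]+"},
    "shipping": {"required": True, "choices": {"standard", "express"}},
    "quantity": {"required": True, "pattern": r"[0-9]{1,3}"},
    # Hidden field: the form sets it, but the client can edit it before submitting.
    "price_cents": {"required": True, "pattern": r"[0-9]{1,7}"},
}

CATALOG_PRICE_CENTS = 1999   # constructed: the authoritative server-side price


def validate(params, spec=FORM_SPEC):
    """Return a list of error strings; an empty list means the submission is acceptable."""
    errors = []
    for field, rules in spec.items():
        value = params.get(field)
        if value is None or value == "":
            if rules.get("required"):
                errors.append(f"{field}: missing")
            continue
        if "maxlength" in rules and len(value) > rules["maxlength"]:
            errors.append(f"{field}: longer than {rules['maxlength']}")
        if "pattern" in rules and not re.fullmatch(rules["pattern"], value):
            errors.append(f"{field}: bad format")
        if "choices" in rules and value not in rules["choices"]:
            errors.append(f"{field}: not one of the offered choices")
    # Parameters the form never defined are a sign of tampering, not of a typo.
    for field in params:
        if field not in spec:
            errors.append(f"{field}: unexpected parameter")
    # A hidden field the server populated must still equal the server's own value.
    price = params.get("price_cents")
    if price is not None and price != str(CATALOG_PRICE_CENTS):
        errors.append("price_cents: does not match server-side price")
    return errors


def demo():
    honest = {"username": "alice", "shipping": "standard",
              "quantity": "2", "price_cents": "1999"}
    tampered = {
        "username": "a" * 40,            # maxlength removed in the browser
        "shipping": "free_overnight",    # option that the select box never offered
        "quantity": "2",
        "price_cents": "1",              # hidden field edited
        "debug": "1",                    # parameter the form does not have
    }
    return validate(honest), validate(tampered)


if __name__ == "__main__":
    for errs in demo():
        print(errs or "ok")
```

The design point is that the server treats the form specification, not the browser, as the source of truth: maxlength and select choices are re-applied, and a hidden field is recomputed rather than read back.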
16. Guessing files/directories
- Many sites have reachable files and resources that are hidden from attackers only by obscurity
- Try common file/folder/commands to see what happens
  - /etc/passwd, /etc/shadow
  - cat, ls, grep
- guess file names based on others
  - page11.php --> page12.php
  - loginfailure.jsp --> loginsuccess.jsp
  - accounts/myaccount.html --> accounts/youraccount.html
- brute force / web spiders
- port scanners
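On the defending side, the guessing described above leaves a characteristic trace: one client producing a run of 404s for paths that were never linked. The added example below (not code from the slides) parses a few constructed access-log lines in Common Log Format and flags any client whose 404 count reaches a constructed threshold; the file names reuse the slide's page11.php / page12.php pattern.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one ordinary visitor and one client walking guessed names.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2007:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
198.51.100.23 - - [10/Oct/2007:13:55:37 -0700] "GET /page11.php HTTP/1.1" 200 1811
198.51.100.23 - - [10/Oct/2007:13:55:37 -0700] "GET /page12.php HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2007:13:55:38 -0700] "GET /page13.php HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2007:13:55:38 -0700] "GET /admin/ HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2007:13:55:39 -0700] "GET /backup.zip HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2007:13:55:39 -0700] "GET /passwords.txt HTTP/1.1" 404 512
203.0.113.7 - - [10/Oct/2007:13:55:40 -0700] "GET /images/logo.png HTTP/1.1" 404 512
"""


def parse_line(line):
    """Return a dict of the log fields, or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_enumerators(log_text, threshold=4):
    """Map each client address with at least `threshold` 404 responses to the
    list of paths it missed on, in log order. `threshold` is a constructed value."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in misses.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_enumerators(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(paths))
```

A single 404 from a normal visitor (the broken logo link in the sample) stays below the threshold; the run of misses from one address is what gets reported, which is the signal worth alerting on or feeding into the same per-IP blocking used for login attempts.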
17. Other attacks
- Attacking GET parameters
- Attacking hidden input fields
- Attacking cookies
- Injecting malicious script code (XSS)
- Injecting malicious SQL queries (SQL injection)
18. Designing for Security
19. Methods of security
- Security through obscurity: Relying on the fact that attackers don't know something needed to harm you.
  - Example: "If an attacker pointed their browser to http://foo.com/passwords.txt, they'd get our passwords. But nobody knows that file is there, so we are safe."
  - Example: "Our authentication database goes down for 2 minutes every night at 4am. During that time any user can log in without restrictions. But no one knows this, and the odds of a login at that time are minuscule."
20. Secure authentication
- Force users to log in to your system before performing sensitive operations
- Use secure protocols (https, etc.) to prevent sniffing
- Force users to use strong passwords
  - not "password", "abc", same as user name, etc.
21. Principle of least privilege
- principle of least privilege: Having just enough authority to get the job done (and no more!).
- Examples:
  - A web server should only be given access to the set of HTML files that the web server is supposed to serve.
  - Code should not "run as root" or as a highly privileged user unless absolutely necessary.
  - Turn off unnecessary services on your web server
    - disable SSH, VNC, sendmail, etc.
    - close all ports except 80, others needed for web traffic
22. Sanitizing inputs
- sanitizing inputs: Encoding and filtering untrusted user input before accepting it into a trusted system.
  - Ensure that accepted data is the right type, format, length...
  - Disallow entry of bad data into an HTML form.
  - Remove any SQL code from submitted user names.
  - HTML-encode any input text that is to be displayed back to the user as HTML or JavaScript.
23. Verifying that code is secure
- Before code is written:
  - considering security in the design process
- As code is being written:
  - code reviews
  - pair programming
- After code has been written:
  - walkthroughs
  - security audits
24. Security audits
- security audit: Series of checks and questions to assess the security of your system
  - can be done by an internal or external auditor
  - best if done as a process, not an individual event
- penetration test: Targeted white-hat attempt to compromise your system's security
  - not unlike our attempts to break CSE 144's turnin page
- risk analysis: Assessment of relative risks of what can go wrong when security is compromised
25. Security audit questions
- Does your system require secure authentication with passwords?
- Are passwords difficult to crack?
- Are there access control lists (ACLs) in place on network devices?
- Are there audit logs to record who accesses data?
- Are the audit logs reviewed?
- Are your OS security settings up to accepted industry levels?
- Have all unnecessary applications and services been eliminated?
- Are all operating systems and applications patched to current levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- Is there a disaster recovery plan? Has it ever been rehearsed?
- Are there good cryptographic tools in place to govern data encryption?
- Have custom-built applications been written with security in mind?
- How have these custom applications been tested for security flaws?
- How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?