
Internet Security: How to Defend Against Attackers on the Web, 2nd Edition

Book Description

The Second Edition of Security Strategies in Web Applications and Social Networking provides an in-depth look at how to secure mobile users as customer-facing information migrates from mainframe computers and application servers to Web-enabled applications. Written by an industry expert, this book provides a comprehensive explanation of the evolutionary changes that have occurred in computing, communications, and social networking and discusses how to secure systems against all the risks, threats, and vulnerabilities associated with Web-enabled applications accessible via the internet. Using examples and exercises, this book incorporates hands-on activities to prepare readers to successfully secure Web-enabled applications.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Table of Contents
  5. Preface
  6. Acknowledgments
  7. PART ONE Evolution of Computing, Risks, and Social Networking
    1. Chapter 1 From Mainframe to Client/Server to World Wide Web
      1. The Evolution of Data Processing
        1. Understanding Data, Data Processing, and Information
        2. 1900s and Rapid Growth
      2. Mainframe Computers
      3. Client/Server Computing
      4. Distributed Computing on a Network
      5. Transformation of Brick-and-Mortar Businesses to E-commerce Businesses
        1. E-commerce Today
      6. The World Wide Web Revolution
        1. Pre-Internet Era
      7. Groupware and Gopher
        1. Emergence of the World Wide Web
      8. The Changing States of the World Wide Web
        1. Web 1.0
        2. Web 2.0
        3. Web 3.0
      9. Introducing the Internet of Things (IoT)
      10. Cloud Computing and Virtualization
        1. Cloud Computing
        2. Virtualization
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 1 Assessment
    2. Chapter 2 Security Considerations for Small Businesses
      1. The Evolution of Business from Brick and Mortar to the Web
        1. E-commerce: A Brick-and-Mortar Model
        2. Customer-Focused E-commerce
        3. Emerging Trend: Distributed E-commerce
      2. The Process of Transformation into an E-business
        1. Managing and Securing the Customer Life Cycle
      3. Highly Available and Secure Web Site Hosting
      4. E-commerce and Enhanced Customer-Service Delivery
        1. One-Way Communication
        2. Limited Two-Way Communication
        3. Full Two-Way Communication
        4. E-business with Integrated Applications
      5. Risks, Threats, and Vulnerabilities for Business Web Sites
        1. Connecting to the Internet Means Connecting to the Outside World
      6. The Risks of Handling Revenues Online
        1. Credit, Charge, and Debit Cards
        2. Electronic Cash and Wallets
        3. Vulnerabilities of Web-Enabled Applications
      7. Managing the Risks Inherent in Unsecure Systems
        1. System and Protocol Security
        2. Securing IP Communications
        3. Managing Application and Coding Security
        4. Using Service Packs
      8. Telecommuting and Secure Access for Remote Employees
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 2 Assessment
    3. Chapter 3 Security Considerations for Home and Personal Online Use
      1. Common Security Terms and Threats
        1. Social Engineering
        2. Phishing
        3. Identity Theft
        4. Malware and Ransomware
        5. Cookies
      2. Securing Common Online Activities
        1. Banking and Investing
        2. Shopping Online
        3. Social Networking
        4. Online Gaming
      3. Protecting Against E-mail Scams
      4. The OWASP Top 10 Privacy Risks Project
        1. 1. Web Application Vulnerabilities
        2. 2. Operator-Sided Data Leakage
        3. 3. Insufficient Data Breach Response
        4. 4. Insufficient Deletion of Personal Data
        5. 5. Non-transparent Policies, Terms, and Conditions
        6. 6. Collection of Data Not Required for the Primary Purpose
        7. 7. Sharing of Data with Third Party
        8. 8. Outdated Personal Data
        9. 9. Missing or Insufficient Session Expiration
        10. 10. Unsecure Data Transfer
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 3 Assessment
  8. PART TWO Secure Web-Enabled Application Deployment and Social Networking
    1. Chapter 4 Mitigating Risk When Connecting to the Internet
      1. Threats When Connecting to the Internet
        1. Risks and Threats
        2. Vulnerabilities and Exploits
        3. Perpetrators
      2. Web Site Hosting
        1. External Web Hosting
        2. Internal Web Hosting
        3. Domain Name Server
      3. The Seven Domains of a Typical IT Infrastructure
      4. Protecting Networks in the LAN-to-WAN Domain
        1. Perimeter Defense Strategies
        2. Firewalls
        3. Demilitarized Zones (DMZs)
        4. Proxy Servers
        5. Intrusion Detection Systems and Intrusion Protection Systems
      5. Best Practices for Connecting to the Internet
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 4 Assessment
    2. Chapter 5 Mitigating Web Site Risks, Threats, and Vulnerabilities
      1. Who Is Coming to Your Web Site?
      2. Whom Do You Want to Come to Your Web Site?
      3. Accepting User Input on Your Web Site
        1. Forums
        2. Web Site Feedback Forms
        3. Online Surveys
      4. The Open Web Application Security Project Top 10 Threats
        1. 1. Injection
        2. 2. Broken Authentication and Session Management
        3. 3. Cross-Site Scripting (XSS)
        4. 4. Unsecure Direct Object References
        5. 5. Security Misconfigurations
        6. 6. Sensitive Data Exposure
        7. 7. Missing Function Level Access Control
        8. 8. Cross-Site Request Forgery (CSRF)
        9. 9. Using Components with Known Vulnerabilities
        10. 10. Unvalidated Redirects and Forwards
      5. Additional Web Threats Not in the Top 10
        1. Malicious File Execution
        2. Information Leakage and Improper Error Handling
        3. Unsecure Cryptographic Storage
        4. Unsecure Communications
        5. Failure to Restrict URL Access
      6. Best Practices for Mitigating Known Web Application Risks, Threats, and Vulnerabilities
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 5 Assessment
    3. Chapter 6 Introducing the Web Application Security Consortium (WASC)
      1. The Threats to Web Application Security
      2. Common Web Site Attacks
        1. Abuse of Functionality
        2. Brute-Force Attacks
        3. Buffer Overflow
        4. Content Spoofing
        5. Credential/Session Prediction
        6. Cross-Site Scripting
        7. Cross-Site Request Forgery
        8. Denial of Service
        9. Fingerprinting
        10. Format String
        11. HTTP Response Smuggling
        12. HTTP Response Splitting
        13. HTTP Request Smuggling
        14. HTTP Request Splitting
        15. Integer Overflows
        16. LDAP Injection
        17. Mail Command Injection
        18. Null Byte Injection
        19. OS Commanding
        20. Path Traversal
        21. Predictable Resource Location
        22. Remote File Inclusion (RFI)
        23. Routing Detour
        24. Session Fixation
        25. SOAP Array Abuse
        26. SSI Injection
        27. SQL Injection
        28. URL Redirector Abuse
        29. XPath Injection
        30. XML Attribute Blowup
        31. XML External Entities
        32. XML Entity Expansion
        33. XML Injection
        34. XQuery Injection
      3. Common Web Site Weaknesses
        1. Application Misconfiguration
        2. Directory Indexing
        3. Improper File System Permissions
        4. Improper Input Handling
        5. Improper Output Handling
        6. Information Leakage
        7. Unsecure Indexing
        8. Insufficient Anti-Automation
        9. Insufficient Authentication
        10. Insufficient Authorization
        11. Insufficient Password Recovery
        12. Insufficient Process Validation
        13. Insufficient Session Expiration
        14. Insufficient Transport Layer Protection
        15. Server Misconfiguration
      4. Best Practices for Mitigating Web Attacks
      5. Best Practices for Mitigating Weaknesses
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 6 Assessment
    4. Chapter 7 Securing Web Applications
      1. When Your Application Requires User Input into Your Web Site
        1. Get to Know Your Syntax with Request for Comments (RFC)
      2. Technologies and Systems Used to Make a Complete Functional Web Site
        1. Hypertext Markup Language (HTML)
        2. Common Gateway Interface (CGI) Script
        3. JavaScripting
        4. SQL Database Back-End
      3. Your Development Process and the Software Development Life Cycle (SDLC)
      4. Designing a Layered Security Strategy for Web Sites and Web Applications
      5. Incorporating Security Requirements Within the SDLC
        1. Systems Analysis Stage
        2. Designing Stage
        3. Implementation Stage
        4. Testing Stage
        5. Acceptance and Deployment Stage
        6. Maintenance
      6. Using Secure and Unsecure Protocols
      7. How Secure Sockets Layer Works
        1. SSL Encryption and Hash Protocols
      8. Selecting an Appropriate Access Control Solution
        1. Discretionary Access Control
        2. Mandatory Access Control
        3. Rule-Based Access Control
        4. Role-Based Access Control
        5. Create Access Controls That Are Commensurate with the Level of Sensitivity of Data Access or Input
      9. Best Practices for Securing Web Applications
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 7 Assessment
    5. Chapter 8 Mitigating Web Application Vulnerabilities
      1. Causes of Web Application Vulnerabilities
        1. Authentication
        2. Input Validation
        3. Session Management
        4. Vulnerabilities Are Caused by Non-Secure Code in Software Applications
      2. Developing Policies to Mitigate Vulnerabilities
      3. Implementing Secure Coding Best Practices
      4. Incorporating HTML Secure Coding Standards and Techniques
      5. Incorporating JavaScript Secure Coding Standards and Techniques
      6. Incorporating CGI Form and SQL Database Access Secure Coding Standards and Techniques
        1. SQL Database Security
      7. Implementing Software Development Configuration Management and Revision-Level Tracking
        1. Revision-Level Tracking
      8. Best Practices for Mitigating Web Application Vulnerabilities
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 8 Assessment
    6. Chapter 9 Maintaining PCI DSS Compliance for E-commerce Web Sites
      1. Credit Card Transaction Processing
        1. Batch Processing
        2. Real-Time Processing
      2. What Is the Payment Card Industry Data Security Standard?
        1. If PCI DSS Is Not a Law, Why Do You Need to Be in Compliance?
      3. Designing and Building Your E-commerce Web Site with PCI DSS in Mind
      4. What Does a PCI DSS Security Assessment Entail?
        1. Scope of Assessment
        2. Instructions and Content for Report on Compliance
        3. Detailed PCI DSS Requirements and Security Assessment Procedures
        4. Security Assessment Marking Procedure
      5. Best Practices to Mitigate Risk for E-commerce Web Sites with PCI DSS Compliance
        1. Build and Maintain a Secure Network
        2. Protect Cardholder Data
        3. Maintain a Vulnerability Management Program
        4. Implement Strong Access Control Measures
        5. Regularly Monitor and Test Networks
        6. Maintain an Information Security Policy
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 9 Assessment
    7. Chapter 10 Testing and Quality Assurance for Production Web Sites
      1. Development and Production Software Environments
        1. Software Development Life Cycle (SDLC)
      2. Policies, Standards, Procedures, and Guidelines
        1. Policies
        2. Standards
        3. Procedures
        4. Guidelines
      3. Building a Test Plan and Functionality Checklist for Web Site Deployments
      4. Testing Strategies for All New Applications and Features
      5. Detecting Security Gaps and Holes in Web Site Applications
      6. Mitigating Any Identified Gaps and Holes and Retesting
      7. Deploying Web Site Applications in a Production Environment
      8. Monitoring and Analyzing Web Site Traffic, Use, and Access
      9. Best Practices for Testing and Assuring Quality of Production Web Sites
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 10 Assessment
    8. Chapter 11 Performing a Web Site Vulnerability and Security Assessment
      1. Software Testing Versus Web Site Vulnerability and Security Assessments
      2. Performing an Initial Discovery on the Targeted Web Site
        1. Ping Sweep
        2. Nmap
        3. OS Fingerprint
        4. Nessus Vulnerability and Port Scan
      3. Performing a Vulnerability and Security Assessment
        1. Web Server OS
        2. Web Server Application
        3. Web Site Front End
        4. Web Site Forms and User Inputs
        5. Incorporate PCI DSS for E-commerce Web Sites
      4. Using Planned Attacks to Identify Vulnerabilities
        1. Develop an Attack Plan
        2. Identify Gaps and Holes
        3. Escalate the Privilege Level
      5. Spotting Vulnerabilities in Back-End Systems and SQL Databases
        1. Develop an Attack Plan
        2. Identify Gaps and Holes
        3. Escalate the Privilege Level
        4. Perform an SQL Injection for Data Extraction
      6. Preparing a Vulnerability and Security Assessment Report
        1. Executive Summary
        2. Summary of Findings
        3. Vulnerability Assessment
        4. Security Assessment
        5. Recommendations
      7. Best Practices for Web Site Vulnerability and Security Assessments
        1. Choose the Right Tools
        2. Test Inside and Out
        3. Think Outside the Box
        4. Research, Research, Research
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 11 Assessment
  9. PART THREE Web Applications and Social Networking Gone Mobile
    1. Chapter 12 Securing Mobile Communications
      1. Endpoint Devices
        1. Tablet and Smartphone Devices
      2. Wireless Networks and How They Work
        1. 1G/2G Networks
        2. 3G Networks
        3. 4G Networks
        4. Security Features of 3G and 4G Networks
      3. Endpoint Device Communications
        1. Voice
        2. Internet Browsing
        3. E-mail
        4. Instant Messaging (IM) Chat
        5. SMS/Text Messaging
        6. MMS Messaging
      4. Endpoint Device Communication Risks, Threats, and Vulnerabilities
      5. The Open Web Application Security Project Top 10 Mobile Risks
        1. 1. Weak Server-Side Controls
        2. 2. Unsecure Data Storage
        3. 3. Insufficient Transport Layer Protection
        4. 4. Unintended Data Leakage
        5. 5. Poor Authorization and Authentication
        6. 6. Broken Cryptography
        7. 7. Client-Side Injection
        8. 8. Security Decisions Via Untrusted Inputs
        9. 9. Improper Session Handling
        10. 10. Lack of Binary Protections
      6. Best Practices for Securing Endpoint Device Communications
        1. Technological Security of Devices
        2. Physical Security of Devices
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 12 Assessment
    2. Chapter 13 Securing Personal and Business Communications
      1. Store-and-Forward Communication
      2. Threats Associated with Voicemail
      3. E-mail and Social Networking Threats
        1. E-mail Threats
        2. Messaging on Social Networking Sites
      4. Real-Time Communication
        1. Telephone
        2. Presence/Availability
        3. Instant Messaging Chat
        4. SMS Text Messaging
        5. MMS Messaging
        6. VoIP Threats
      5. Best Practices for Securing Telephone and Private Branch Exchange Communications
      6. Best Practices for Securing VoIP Communications
        1. VoIP Planning Best Practices
        2. VoIP Implementation Best Practices
      7. Best Practices for Securing Unified Communications
        1. SIP Features and Essentials
        2. SIP User Agents and Communication Between Them
        3. Implementation Best Practices
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 13 Assessment
    3. Chapter 14 Security Training, Education, and Certification
      1. Security and Careers—Database Design and Administration
        1. Comparing Database Administrator and Designer
        2. Database Management Tasks
        3. Database Security Training and Certification
      2. Security and Careers—Programming and Application Development
        1. Common Programming Tasks
        2. Programming Training and Certification
      3. Security and Careers—Network Management
        1. Common Network Administration Tasks
        2. Network Administration Training and Certification
      4. Security and Careers—Web Design and Administration
        1. Securing Programming Languages for Web Developers
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 14 Assessment
    4. Chapter 15 Web Application Security Organizations
      1. Department of Homeland Security (DHS)
        1. Advisory Bodies
        2. The U.S. Secret Service (USSS)
        3. The Federal Law Enforcement Training Center (FLETC)
      2. National Cyber Security Division (NCSD)
        1. United States Computer Emergency Response Team (US-CERT)
        2. Cyber-Risk Management Programs
      3. Computer Emergency Response Team Coordination Center (CERT®/CC)
      4. The MITRE Corporation and the CVE List
        1. Why CVE?
        2. Common Vulnerabilities and Exposures (CVE) List
      5. National Institute of Standards and Technology (NIST)
        1. Technical Security Standards
        2. Computer Security Resource Center (CSRC)
      6. International Information Systems Security Certification Consortium, Inc. (ISC)2
        1. Certified Information Systems Security Professional (CISSP)
        2. Systems Security Certified Practitioner (SSCP)
        3. (ISC)2 Associate
        4. Certification and Accreditation Professional (CAP)
        5. Certified Secure Software Lifecycle Professional (CSSLP)
      7. Web Application Security Consortium (WASC)
        1. WASC Projects
      8. Open Web Application Security Project (OWASP)
        1. OWASP Top 10 List
        2. WebScarab
        3. AntiSamy
        4. Enterprise Security API (ESAPI)
        5. WebGoat
        6. Open Software Assurance Maturity Model (OpenSAMM)
        7. OWASP Guides
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 15 Assessment
  10. APPENDIX A Answer Key
  11. APPENDIX B Standard Acronyms
  12. Glossary of Key Terms
  13. References
  14. Index