book

Internet Security: How to Defend Against Attackers on the Web, 2nd Edition

by Mike Harwood

July 2015

Intermediate to advanced

438 pages

14h 13m

English

Jones & Bartlett Learning

Read now

Unlock full access

The Evolution of Data ProcessingUnderstanding Data, Data Processing, and Information1900s and Rapid GrowthMainframe ComputersClient/Server ComputingDistributed Computing on a NetworkTransformation of Brick-and-Mortar Businesses to E-commerce BusinessesE-commerce TodayThe World Wide Web RevolutionPre-Internet EraGroupware and GopherEmergence of the World Wide WebThe Changing States of the World Wide WebWeb 1.0Web 2.0Web 3.0Introducing the Internet of Things (IoT)Cloud Computing and VirtualizationCloud ComputingVirtualizationChapter Summarykey concepts and termsChapter 1 Assessment
The Evolution of Business from Brick and Mortar to the WebE-commerce: A Brick-and-Mortar ModelCustomer-Focused E-commerceEmerging Trend: Distributed E-commerceThe Process of Transformation into an E-businessManaging and Security the Customer Life CycleHighly Available and Secure Web Site HostingE-commerce and Enhanced Customer-Service DeliveryOne-Way CommunicationLimited Two-Way CommunicationFull Two-Way CommunicationE-businesss with Integrated ApplicationsRisks, Threats, and Vulnerabilities for Business Web SitesConnecting to the Internet Means Connecting to the Outside WorldThe Risks of Handling Revenues OnlineCredit, Charge, and Debit CardsElectronic Cash and WalletsVulnerabilities of Web-Enabled ApplicationsManaging the Risks Inherent in Unsecure SystemsSystem and Protocol SecuritySecuring IP CommunicationsManaging Application and Coding SecurityUsing Service PacksTelecommuting and Secure Access for Remote EmployeesChapter SummaryKey Concepts and TermsChapter 2 Assessment
Common Security Terms and ThreatsSocial EngineeringPhishingIdentity TheftMalware and RansomwareCookiesSecuring Common Online ActivitiesBanking and InvestingShopping OnlineSocial NetworkingOnline GamingProtecting Against E-mail ScamsThe OWASP Top 10 Privacy Risks Project1. Web Application Vulnerabilities2. Operator-Sided Data Leakage3. Insufficient Data Breach Response4. Insufficient Deletion of Personal Data5. Non-transparent Policies, Terms, and Conditions6. Collection of Data Not Required for the Primary Purpose7. Sharing of Data with Third Party8. Outdated Personal Data9. Missing or Insufficient Session Expiration10. Unsecure Data TransferChapter SummaryKey Concepts and TermsChapter 3 Assessment

Threats When Connecting to the InternetRisks and ThreatsVulnerabilities and ExploitsPerpetratorsWeb Site HostingExternal Web HostingInternal Web HostingDomain Name ServerThe Seven Domains of a Typical IT InfrastructureProtecting Networks in the LAN-to-WAN DomainPerimeter Defense StrategiesFirewallsDemilitarized Zones (DMZs)Proxy ServersIntrusion Detection Systems and Intrusion Protection SystemsBest Practices for Connecting to the InternetChapter SummaryKey Concepts and TermsChapter 4 Assessment
Who Is Coming to Your Web Site?Whom Do You Want to Come to Your Web Site?Accepting User Input on Your Web SiteForumsWeb Site Feedback FormsOnline SurveysThe Open Web Application Security Project Top 10 Threats1. Injection2. Broken Authentication and Session Management3. Cross-Site Scripting (XSS)4. Unsecure Direct Object References5. Security Misconfigurations6. Sensitive Data Exposure7. Missing Function Level Access Control8. Cross-Site Request Forgery (CSRF)9. Using Components with Known Vulnerabilities10. Unvalidated Redirects and ForwardsAdditional Web Threats Not in the Top 10Malicious File ExecutionInformation Leakage and Improper Error HandlingUnsecure Cryptographic StorageUnsecure CommunicationsFailure to Restrict URL AccessBest Practices for Mitigating Known Web Application Risks, Threats, and VulnerabilitiesChapter SummaryKey Concepts and TermsChapter 5 assessment
The Threats to Web Application SecurityCommon Web Site AttacksAbuse of FunctionalityBrute-Force AttacksBuffer OverflowContent SpoofingCredential/Session PredictionCross-Site ScriptingCross-Site Request ForgeryDenial of ServiceFingerprintingFormat StringHTTP Response SmugglingHTTP Response SplittingHTTP Request SmugglingHTTP Request SplittingInteger OverflowsLDAP InjectionMail Command InjectionNull Byte InjectionOS CommandingPath TraversalPredictable Resource LocationRemote File Inclusion (RFI)Routing DetourSession FixationSOAP Array AbuseSSI InjectionSQL InjectionURL Redirector AbuseXPath InjectionXML Attribute BlowupXML External EntitiesXML Entity ExpansionXML InjectionXQuery InjectionCommon Web Site WeaknessesApplication MisconfigurationDirectory IndexingImproper File System PermissionsImproper Input HandlingImproper Output HandlingInformation LeakageUnsecure IndexingInsufficient Anti-AutomationInsufficient AuthenticationInsufficient AuthorizationInsufficient Password RecoveryInsufficient Process ValidationInsufficient Session ExpirationInsufficient Transport Layer ProtectionServer MisconfigurationBest Practices for Mitigating Web AttacksBest Practices for Mitigating WeaknessesChapter SummaryKey Concepts and TermsChapter 6 Assessment
When Your Application Requires User Input into Your Web SiteGet to Know Your Syntax with Request for Comments (RFC)Technologies and Systems Used to Make a Complete Functional Web SiteHypertext Markup Language (HTML)Common Gateway Interface (CGI) ScriptJavaScriptingSQL Database Back-EndYour Development Process and the Software Development Life Cycle (SDLC)Designing a Layered Security Strategy for Web Sites and Web ApplicationsIncorporating Security Requirements Within the SDLCSystems Analysis StageDesigning StageImplementation StageTesting StageAcceptance and Deployment StageMaintenanceUsing Secure and Unsecure ProtocolsHow Secure Sockets Layer WorksSSL Encryption and Hash ProtocolsSelecting an Appropriate Access Control SolutionDiscretionary Access ControlMandatory Access ControlRule-Based Access ControlRole-Based Access ControlCreate Access Controls That Are Commensurate with the Level of Sensitivity of Data Access or InputBest Practices for Securing Web ApplicationsChapter SummaryKey Concepts and TermsChapter 7 assessment
Causes of Web Application VulnerabilitiesAuthenticationInput ValidationSession ManagementVulnerabilities Are Caused by Non-Secure Code in Software ApplicationsDeveloping Policies to Mitigate VulnerabilitiesImplementing Secure Coding Best PracticesIncorporating HTML Secure Coding Standards and TechniquesIncorporating JavaScript Secure Coding Standards and TechniquesIncorporating CGI Form and SQL Database Access Secure Coding Standards and TechniquesSQL Database SecurityImplementing Software Development Configuration Management and Revision-Level TrackingRevision-Level TrackingBest Practices for Mitigating Web Application VulnerabilitiesChapter SummaryKey Concepts and TermsChapter 8 assessment
Credit Card Transaction ProcessingBatch ProcessingReal-Time ProcessingWhat Is the Payment Card Industry Data Security Standard?If PCI DSS Is Not a Law, Why Do You Need to Be in Compliance?Designing and Building Your E-commerce Web Site with PCI DSS in MindWhat Does a PCI DSS Security Assessment Entail?Scope of AssessmentInstructions and Content for Report on ComplianceDetailed PCI DSS Requirements and Security Assessment ProceduresSecurity Assessment Marking ProcedureBest Practices to Mitigate Risk for E-commerce Web Sites with PCI DSS ComplianceBuild and Maintain a Secure NetworkProtect Cardholder DataMaintain a Vulnerability Management ProgramImplement Strong Access Control MeasuresRegularly Monitor and Test NetworksMaintain an Information Security PolicyChapter SummaryKey Concepts and TermsChapter 9 Assessment
Development and Production Software EnvironmentsSoftware Development Life Cycle (SDLC)Policies, Standards, Procedures, and GuidelinesPoliciesStandardsProceduresGuidelinesBuilding a Test Plan and Functionality Checklist for Web Site DeploymentsTesting Strategies for All New Applications and FeaturesDetecting Security Gaps and Holes in Web Site ApplicationsMitigating Any Identified Gaps and Holes and RetestingDeploying Web Site Applications in a Production EnvironmentMonitoring and Analyzing Web Site Traffic, Use, and AccessBest Practices for Testing and Assuring Quality of Production Web SitesChapter SummaryKey Concepts and TermsChapter 10 assessment
Software Testing Versus Web Site Vulnerability and Security AssessmentsPerforming an Initial Discovery on the Targeted Web SitePing SweepNmapOS FingerprintNessus Vulnerability and Port ScanPerforming a Vulnerability and Security AssessmentWeb Server OSWeb Server ApplicationWeb Site Front EndWeb Site Forms and User InputsIncorporate PCI DSS for E-commerce Web SitesUsing Planned Attacks to Identify VulnerabilitiesDevelop an Attack PlanIdentify Gaps and HolesEscalate the Privilege LevelSpotting Vulnerabilities in Back-End Systems and SQL DatabasesDevelop an Attack PlanIdentify Gaps and HolesEscalate the Privilege LevelPerform an SQL Injection for Data ExtractionPreparing a Vulnerability and Security Assessment ReportExecutive SummarySummary of FindingsVulnerability AssessmentSecurity AssessmentRecommendationsBest Practices for Web Site Vulnerability and Security AssessmentsChoose the Right ToolsTest Inside and OutThink Outside the BoxResearch, Research, ResearchChapter SummaryKey Concepts and TermsChapter 11 Assessment
Endpoint DevicesTablet and Smartphone DevicesWireless Networks and How They Work1G/2G Networks3G Networks4G NetworksSecurity Features of 3G and 4G NetworksEndpoint Device CommunicationsVoiceInternet BrowsingE-mailInstant Messaging (IM) ChatSMS/Text MessagingMMS MessagingEndpoint Device Communication Risks, Threats, and VulnerabilitiesThe Open Web Application Security Project Top 10 Mobile Risks1. Weak Server-Side Controls2. Unsecure Data Storage3. Insufficient Transport Layer Protection4. Unintended Data Leakage5. Poor Authorization and Authentication6. Broken Cryptography7. Client-Side Injection8. Security Decisions Via Untrusted Inputs9. Improper Session Handling10. Lack of Binary ProtectionsBest Practices for Securing Endpoint Device CommunicationsTechnological Security of DevicesPhysical Security of DevicesChapter SummaryKey Concepts and TermsChapter 12 assessment
Store-and-Forward CommunicationThreats Associated with VoicemailE-mail and Social Networking ThreatsE-mail ThreatsMessaging on Social Networking SitesReal-Time CommunicationTelephonePresence/AvailabilityInstant Messaging ChatSMS Text MessagingMMS MessagingVoIP ThreatsBest Practices for Securing Telephone and Private Branch Exchange CommunicationsBest Practices for Securing VoIP CommunicationsVoIP Planning Best PracticesVoIP Implementation Best PracticesBest Practices for Securing Unified CommunicationsSIP Features and EssentialsSIP User Agents and Communication Between ThemImplementation Best PracticesChapter SummaryKey Concepts and TermsChapter 13 Assessment
Security and Careers—Database Design and AdministrationComparing Database Administrator and DesignerDatabase Management TasksDatabase Security Training and CertificationSecurity and Careers—Programming and Application DevelopmentCommon Programming TasksProgramming Training and CertificationSecurity and Careers—Network ManagementCommon Network Administration TasksNetwork Administration Training and CertificationSecurity and Careers—Web Design and AdministrationSecuring Programming Languages for Web DevelopersChapter SummaryKey Concepts and TermsChapter 14 assessment
Department of Homeland Security (DHS)Advisory BodiesThe U.S. Secret Service (USSS)The Federal Law Enforcement Training Center (FLETC)National Cyber Security Division (NCSD)United States Computer Emergency Response Team (US-CERT)Cyber-Risk Management ProgramsComputer Emergency Response Team Coordination Center (CERT®/CC)The MITRE Corporation and the CVE ListWhy CVE?Common Vulnerabilities and Exposures (CVE) ListNational Institute of Standards and Technology (NIST)Technical Security StandardsComputer Security Resource Center (CSRC)International Information Systems Security Certification Consortium, Inc. (ISC)2Certified Information Systems Security Professional (CISSP)Systems Security Certified Practitioner (SSCP)(ISC)2 AssociateCertification and Accreditation Professional (CAP)Certified Secure Software Lifecycle Professional (CSSLP)Web Application Security Consortium (WASC)WASC ProjectsOpen Web Application Security Project (OWASP)OWASP Top 10 ListWebScarabAntiSamyEnterprise Security API (ESAPI)WebGoatOpen Software Assurance Maturity Model (OpenSAMM)OWASP GuidesChapter SummaryKey Concepts and TermsChapter 15 Assessment

Content preview from Internet Security: How to Defend Against Attackers on the Web, 2nd Edition

CHAPTER 8

Mitigating Web Application Vulnerabilities

WEB APPLICATIONS ARE AN ESSENTIAL PART of the online experience. Every day, companies roll out Web applications to increase the appeal, functionality, and interactivity of their Web sites. These applications can take the form of portals, shopping carts, Web mail, online auctions, forms, discussion groups, and more. For all the good these Web applications introduce, they also bring a host of new vulnerabilities and security threats. Malicious users may invade a Web site through backdoor access of an unsecured Web application, completely circumventing perimeter security measures.

This chapter details the causes of these vulnerabilities and the largest targets for Web applications. In addition, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Securing the Virtual Environment: How to Defend the Enterprise Against Attack, Included DVD

Publisher Resources

ISBN: 9781284090550

Internet Security: How to Defend Against Attackers on the Web, 2nd Edition

by Mike Harwood

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Securing the Virtual Environment: How to Defend the Enterprise Against Attack, Included DVD

Hacker Techniques, Tools, and Incident Handling

Legal Issues in Information Security

Automating Active Directory® Administration with Windows PowerShell® 2.0

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Securing the Virtual Environment: How to Defend the Enterprise Against Attack, Included DVD

Hacker Techniques, Tools, and Incident Handling

Legal Issues in Information Security

Automating Active Directory® Administration with Windows PowerShell® 2.0

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.