Application Security & Testing Module
Day 1
Foundations of Security & Web Application Security Risks
Why Application Security & Testing?
● Web applications are favorite targets of hackers because they have access to
valuable information and they are relatively easy to exploit.
● A successful attack can result in a variety of devastating consequences
including financial loss, damage to brand reputation and loss of customer
trust.
● Once an afterthought in software design, security is becoming an increasingly
important concern during development as applications become more
frequently accessible over networks and are, as a result, vulnerable to a wide
variety of threats.
● A sound application security routine minimizes the likelihood of any
manipulation to access, steal, modify, or delete sensitive data.
Security Is Holistic!
[Fig. Technological Security: Application Security, Operating System (OS) Security, Network Security]
Application Security
Web Server:
● How does it ascertain the identity of the user?
● Web servers are complicated pieces of software that have many options that
can be turned on or off, e.g. serving content from a database or the local
file system.
Web Browser:
● Web browsers do not interpret data in a robust fashion and can be directed to
download data from malicious web sites.
● A malicious web site can exploit a vulnerability in web browser code and give
the attacker control of the machine that the web browser is running on.
Operating System Security
● Web servers rely on the operating system for many functions.
● Operating systems are themselves not inherently secure or insecure.
● However, they are made up of hundreds or millions of lines of source code,
which most likely contain vulnerabilities.
● OS vendors typically issue patches regularly to eliminate such
vulnerabilities, e.g. through the Windows Update feature.
● It is possible that an attacker might try to exploit some vulnerability in the
operating system, even if you have a secure web server running.
Network Security
● Network layer security is important as well—you need to ensure that only valid
data packets are delivered to your web server from the network, and that no
malicious traffic can get routed to your applications or operating system.
● Malicious traffic typically consists of data packets that contain byte
sequences that, when interpreted by software, will produce a result
unexpected to the user, and may cause the user’s machine to fail,
malfunction, or provide access to privileged information to an attacker.
● Firewalls and intrusion detection systems (IDSs) deal with potentially
malicious network traffic.
Other dimensions to Security
● It is often said that “security is a process, not a product” (Schneier 2000).
There is much more to security than just technology, and it is important to
weigh and consider risks from all relevant threat sources.
● Physically securing your system and laying down good policies for employees
and users is also important!
● Documents containing sensitive information should be shredded before
they’re disposed of so that determined hackers can be prevented from
gathering sensitive information by sifting through the company’s garbage.
Such an attack is often referred to as dumpster diving!
Seven key Concepts in Security
● Authentication
● Authorization
● Confidentiality
● Data Integrity
● Accountability
● Availability
● Non-repudiation
Authentication: Verifying Identity
● Three types of methods: something you know, something you have, and
something you are.
● Something You Know:
○ Ask for some secret that only Bob knows, e.g. a password.
○ Disadvantage: easy passwords; logging in gives numerous opportunities to hack!
● Something You Have:
○ OTP products send a newly generated password to the user's mobile each time the user needs to log in.
○ Other examples: smart cards, ATM cards
○ Disadvantage: a compromised magnetic stripe reader can access the information on the card.
● Something You Are:
○ E.g. biometrics, voice identification, facial recognition
○ Disadvantage: impersonation; a number of false positives and false negatives are generated.
Authorization: Verifying User’s Authority
● Act of checking whether a user has permission to conduct some action.
● Authorization Scenarios:
○ Alice authenticates herself at an ATM by putting in her ATM card and entering her PIN. Alice
may want to deduct Rs 1,00,000, but may only be authorized to deduct a maximum of Rs
50,000 per day.
○ Operating systems: Access control list (ACL) is used by many operating systems to determine
whether users are authorized to conduct different actions.
Confidentiality: Keep Data Secret
● Suppose Eve is an eavesdropper and Alice and Bob are communicating over a
network.
● Eve is able to see the bits—the zeros and ones—that make up Alice and Bob’s
conversation go back and forth over the wires.
● Possible Solution: Encryption
● A key is a secret sequence of bits that Alice and Bob know (or share) that is
not known to potential attackers.
● Eve here is a passive eavesdropper.
● What if she can also modify the transmitted messages?
Data Integrity: Data Modification Prevention
● Mallory, an active eavesdropper, can also modify the transmitted messages.
● Also known as the man-in-the-middle attack.
● Possible Solution: integrity checks that add redundancy to messages: CRCs,
message authentication codes (MACs).
● A MAC is not only a function of the message itself, but is also a function of a
key known only to Alice and Bob, such that even if Mallory is able to modify
the bytes of a message, she will not be able to appropriately modify the
corresponding MAC.
● The goal of message integrity is to make sure that even if Mallory can “look,”
she cannot “touch” the contents of the message.
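The difference between the two integrity checks listed above, as an added example that is not part of the original slides: a CRC needs no secret, so Mallory can recompute it after changing the message, while a MAC cannot be recomputed without the key. The key, the messages and all function names here are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample values. KEY stands in for the secret Alice and Bob share.
KEY = b"constructed-demo-key"
ORIGINAL = b"PAY Rs 500 TO bob"
TAMPERED = b"PAY Rs 50000 TO mallory"


def crc_verify(message: bytes, checksum: int) -> bool:
    """Bob's check when Alice appended an unkeyed CRC-32."""
    return zlib.crc32(message) == checksum


def mac_tag(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag: a function of both the message and the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Bob's check when Alice appended a MAC (constant-time comparison)."""
    return hmac.compare_digest(mac_tag(message, key), tag)


def run_demo() -> dict:
    # What Alice sends in each scheme.
    crc_packet = (ORIGINAL, zlib.crc32(ORIGINAL))
    mac_packet = (ORIGINAL, mac_tag(ORIGINAL, KEY))

    # Mallory rewrites the message in transit. The CRC needs no secret, so she
    # recomputes it. She does not know KEY, so she can only reuse the old tag.
    crc_forged = (TAMPERED, zlib.crc32(TAMPERED))
    mac_forged = (TAMPERED, mac_packet[1])

    return {
        "crc_untouched_accepted": crc_verify(*crc_packet),
        "crc_forged_accepted": crc_verify(*crc_forged),
        "mac_untouched_accepted": mac_verify(*mac_packet, KEY),
        "mac_forged_accepted": mac_verify(*mac_forged, KEY),
    }


if __name__ == "__main__":
    for check, accepted in run_demo().items():
        print(f"{check}: {accepted}")
```

Only the MAC check rejects the rewritten message; the CRC check accepts it, which is why a CRC guards against transmission errors but not against an active attacker.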
Accountability: Who’s the Attacker?
● The goal of accountability is to ensure that you are able to determine who the
attacker or principal is in the case that something goes wrong or an
erroneous transaction is identified.
● Malicious incident -> prove that the attacker conducted illegitimate actions.
● Erroneous transaction -> identify which principal made the mistake.
● Possible Solution: have the system write log entries, MACs (message
authentication codes)
● Use write once, read many (WORM) media to store system logs, since once
written, these logs may be hard.
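One way to combine log entries with MACs, as an added example that is not part of the original slides: each entry's MAC also covers the previous entry's MAC, so rewriting or removing a line breaks verification from that point on. The key, the log lines and the function names are constructed for illustration, and the key is assumed to be out of reach of the logged accounts.

```python
import hashlib
import hmac

# Constructed key and log lines. The key is assumed to be held by the logging
# service only, not by the accounts whose actions are logged.
LOG_KEY = b"constructed-log-mac-key"
GENESIS = b"\x00" * 32  # fixed starting value for the chain
SAMPLE_ENTRIES = [
    "10:00:00 alice login ok",
    "10:02:11 alice transfer Rs 50000 to bob",
    "10:05:42 admin raised daily limit for alice",
    "10:09:03 alice logout",
]


def entry_tag(prev_tag: bytes, entry: str) -> bytes:
    """MAC over the previous tag plus this entry, so entries are chained."""
    return hmac.new(LOG_KEY, prev_tag + entry.encode(), hashlib.sha256).digest()


def build_log(entries):
    log, prev = [], GENESIS
    for entry in entries:
        prev = entry_tag(prev, entry)
        log.append((entry, prev))
    return log


def first_bad_index(log):
    """Index of the first entry whose MAC does not verify, or None if all do."""
    prev = GENESIS
    for i, (entry, tag) in enumerate(log):
        if not hmac.compare_digest(entry_tag(prev, entry), tag):
            return i
        prev = tag
    return None


def edited_copy(log, index, new_entry):
    """The log as it looks after someone rewrites one line but keeps its tag."""
    return log[:index] + [(new_entry, log[index][1])] + log[index + 1:]


def deleted_copy(log, index):
    """The log as it looks after someone removes one line."""
    return log[:index] + log[index + 1:]
```

The chain alone does not reveal entries cut from the end of the log; detecting that requires keeping the latest tag or an entry count somewhere the attacker cannot write, which is the role WORM media play.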
Availability: Response Time
● An attacker that is interested in reducing the availability of a system typically
launches a denial-of-service (DoS) attack.
● If the online bookstore web site were run on a single web server, and an
attacker transmitted data to the web server to cause it to crash, it would
result in a DoS attack in which legitimate customers would be unable to make
purchases until the web server was started.
● In a distributed denial-of-service (DDoS) attack, perpetrators commandeer
weakly protected personal computers and install malicious software
(malware) on them that sends excessive amounts of network traffic to the
victim web sites.
● Eg. E*TRADE, Amazon, CNN, and Yahoo
Non-repudiation: Ensure Undeniability
● Non-repudiation protocols in the world of security are used to ensure that two
parties cannot deny that they interacted with each other.
● Example Scenario: In most non-repudiation protocols, as Alice and Bob
interact, various sets of evidence, such as receipts, are generated.
● The receipts can be digitally signed statements that can be shown to Trent
(Third Party) to prove that a transaction took place.
● Unfortunately, while non-repudiation protocols sound desirable in theory, they
end up being very expensive to implement, and are not used often in practice.
What is required then?
There is an interesting trade-off between availability and security. So how do
we architect and design systems that accomplish the security goals?
We want to design systems whose functionality is available to the largest possible
intended audience while being as secure as possible!
Understanding Threats
● Different types of businesses will be more sensitive to different threats, and
will have different security goals to mitigate those threats.
● Understanding threats is important in determining a system’s security goals.
● With time new threats need to be identified and mitigated to allow for the
continued success of those businesses.
● How we design systems to be secure against attacks is dependent on the
type of threats that we expect them to face.
Types of Attacks & Threats
● Defacement
● Infiltration
● Phishing
● Denial of Service
● Insider Threats
Defacement
● Defacement is a form of online vandalism in which attackers replace
legitimate pages of an organization’s web site with illegitimate ones.
● In the case of a highly sensitive website, say, [Link], there may be
a database where all of the content for that website is stored. The owner of
the web site may not care if an attacker gains read-only access to the
information in that database—however, they do not want the attacker
changing the information in that database.
● On the other hand, a financial institution or e-commerce web site does not
want the attacker to be able to even read the information in the back-end
database. Eg. [Link]
Infiltration
● Infiltration is an attack in which an unauthorized party gains full access to the
resources of a computer system (including, but not limited to, use of the
CPUs, disks, and network bandwidth)
● Buffer overflow, command injection, and other software vulnerabilities can be
used by attackers to infiltrate and “own” computers.
● The threat from infiltration can be quite different from that of defacement.
● In the real world, attackers can sometimes change logs and even rewrite logs.
● Hence, systems need to defend against an attacker who attempts to gain write
capability.
● Infiltration of a military website, in which confidential data is acquired by the
attacker, could be a great threat to national security!
Phishing
● An attacker sets up a spoofed website that looks similar to a legitimate web
site.
● The attacker then attempts to lure victims to the spoofed web site and enter
their login credentials, such as their usernames and passwords.
● Attackers can lure users to the spoofed web site by sending them e-mails
asking them to click a link within the e-mail and “verify” their account
information.
● When unsuspecting users click the link, they arrive at the spoofed site and
enter their login credentials.
● The site simply logs the credentials; the attacker later uses the logged
credentials to log into the user’s account and transfer money from the user’s
account to their own.
Pharming
● In a pharming attack, a user can be fooled into entering sensitive data into
a spoofed website.
● It differs from phishing in that even if the user correctly enters a URL, the
attacker can still redirect the user to a malicious web site.
● Here the machine name–to–IP address translation, for which the DNS is
responsible, is compromised.
● Possible Solution: SSL
Other Significant Threats
Insider Threats
● A surprisingly large percentage of attacks take place with the cooperation of
insiders!
○ Database administrators: keys to the entire kingdom
○ System administrators: “superuser” access
● Such information can be abused in the obvious ways: employee data could be
sold to headhunters, customer credit card numbers could be sold on the black
market and product launches could be leaked to the press.
Denial-of-Service (DoS)
● An attacker sends so many packets to a web site that it cannot service the
legitimate users that are trying to access it.