Computer System Security (TCS591)
B. Tech CSE V Semester
Instructor:
Dr. Mohammad Wazid
Professor, Department of CSE
Graphic Era (Deemed to be University), Dehradun, India
Email: wazidkec2005@gmail.com
Homepage: https://sites.google.com/site/mwazidiiith/home
Securing web applications
• The number of DDoS attacks over the web has
consistently grown over the past few years and is
expected to continue growing in future.
• Important web application security best practices are
discussed below.
1. Create a web application security blueprint
• Each organization should always have a plan for web
security.
• All too often, companies take a disorganized approach to the
situation and end up accomplishing next to nothing.
• Develop an actionable security plan with the IT security
team.
• It should outline the organization’s goals.
• It should also prioritize which applications should be secured
first and how they will be tested.
• Each company’s security blueprint or checklist will
differ depending on its infrastructure.
• Additionally, if the organization is large enough, the
blueprint should name the individuals within the
organization who should be involved in maintaining web
application security.
• We should also be careful about the cost factor that the
organization will incur by engaging in these activities.
2. Perform an inventory of the web applications
• This means identifying which applications the company uses on a daily basis.
• Most organizations have defective applications running at
any given time and never notice them until something goes
wrong.
• We can’t hope to maintain effective web application security
without knowing precisely which applications the company
uses.
• How many are there?
• Where are they located?
• Performing such an inventory can be a big undertaking, and
it is likely to take some time to complete.
• While performing it, make a note of the purpose of each
application.
3. Prioritize the web applications
• After completing the inventory of the existing web
applications, sorting them in order of priority is the logical
next step.
• Sort the applications into three categories:
Critical
Serious
Normal
• Critical applications are primarily those which interact
externally and contain customer information.
• These are the applications that should be managed first, as
they are the most likely to be targeted and exploited by
hackers.
• Serious applications may be internal or external and may
contain some sensitive information.
• Normal applications have far less exposure, but they should
be included in the tests.
• By categorizing the applications like this, we can reserve
extensive testing for critical ones and use less intensive
testing for less critical ones (more testing for some, less for others).
• This allows us to make the most effective use of our
organization’s resources and will help us to achieve progress
more quickly.
4. Prioritize vulnerabilities
• As we work through the list of web applications prior to
testing them, we need to decide which vulnerabilities are
worth eliminating and which aren’t too worrisome.
• Eliminating all vulnerabilities from all web applications just
isn’t possible.
• Even after categorizing the applications according to
importance, it will take considerable amounts of time to test
them all.
• By limiting the testing to only the most threatening
vulnerabilities, we will save a ton of time and get through
the work more quickly.
• As far as determining which vulnerabilities to focus on, that
really depends on the applications we’re using.
• There are a few standard security measures that should be
implemented.
• However, application-specific vulnerabilities need to be
researched and analyzed.
5. Run applications using the fewest privileges possible
• Even after all of the web applications have been assessed, tested
and purged, we are not yet in the clear.
• Problematic vulnerabilities may still remain.
• Every web application has specific privileges on both local
and remote computers.
• These privileges should be adjusted to enhance the security.
• Always use the least permissive settings for all web
applications.
• Only highly authorized people should be able to make
changes in the system.
6. Have protection in place during the interim
• Even if we run a small and fairly simple organization, it may
take weeks - or even months - to get through the list of web
applications and to make the necessary changes.
• During that time, the website may be more vulnerable to
attacks.
• Attacks are possible during the security bug fixing
procedure.
• Therefore, it is crucial to have other protections in place in
the meantime to avoid major problems.
• For that purpose we have a couple of options:
• Remove some functionality from certain applications.
• If a piece of functionality makes the application more vulnerable to
attacks, then it may be worth removing that functionality.
• Use a web application firewall (WAF) to protect against the
most troubling vulnerabilities.
Web application firewall: A WAF filters and blocks
unwanted HTTP traffic going to a web application and
helps protect against XSS, SQL injection, and more.
7. Use cookies securely
• We have to be careful about the use of cookies.
• Cookies are incredibly convenient for businesses and users
alike.
• They allow users to be remembered by sites that they visit so
that future visits are faster and, in many cases, more
personalized.
• However, cookies can also be manipulated by hackers to gain
access to protected areas.
• First, never use cookies to store highly sensitive or critical
information.
• For example, don’t use cookies to remember users’ passwords, as
this makes it incredibly easy for hackers to gain unauthorized
access.
• Finally, use encryption for information that is stored in the cookies
that we use.
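The safest form of the advice above is to keep sensitive data out of the cookie entirely: the cookie carries only an opaque session identifier, the real data stays server-side, the identifier is HMAC-signed so a forged or tampered cookie is rejected, and the Secure, HttpOnly and SameSite attributes are set. This is an added example (not from the slides or the referenced article); SERVER_KEY and the in-memory SESSIONS dict are constructed stand-ins for a real secret store and session backend.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed in-memory session store: sensitive data lives here, never in the cookie.
SESSIONS = {}


def _sign(value: str) -> str:
    """HMAC-SHA256 tag over the session id, so tampering is detectable."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def create_session(username: str) -> str:
    """Store the user's data server-side and return an opaque, signed token."""
    session_id = secrets.token_urlsafe(32)  # unguessable random identifier
    SESSIONS[session_id] = {"user": username}
    return f"{session_id}.{_sign(session_id)}"


def session_set_cookie_header(token: str) -> str:
    """Build the Set-Cookie header line with the hardening attributes."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True          # only sent over HTTPS
    cookie["session"]["httponly"] = True        # hidden from page scripts (limits XSS theft)
    cookie["session"]["samesite"] = "Strict"    # not sent on cross-site requests (limits CSRF)
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = 3600         # expire after one hour
    return cookie.output(header="Set-Cookie:")


def resolve_session(cookie_header: str):
    """Validate an incoming Cookie header; return the session data or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    token = cookie["session"].value
    session_id, sep, sig = token.rpartition(".")
    # Constant-time comparison: a forged or edited token fails here.
    if not sep or not hmac.compare_digest(sig, _sign(session_id)):
        return None
    return SESSIONS.get(session_id)
```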
8. Implement the following web security suggestions
• Implement HTTPS and redirect all HTTP traffic to HTTPS.
• Use of protection mechanisms against XSS, CSRF, SQL injection
and other web attacks.
• Use an updated version of TLS.
9. Conduct web application security awareness training
• If we run a company, chances are that only certain people within
the organization have a decent grasp of the importance of web
application security and how it works (i.e., account staff).
• The majority of users have only the most basic understanding of
the issue, and this can make them careless.
• By educating employees, they will more readily spot
vulnerabilities themselves.
• In essence, bringing everyone up to speed about web application
security is a terrific way to get everyone in on the act of finding
and eliminating vulnerabilities.
• With this in mind, consider bringing in a web application security
specialist to conduct awareness training for the employees.
10. Introduce a bounty program
• A great way to get feedback from the community regarding
potential web application security issues is to introduce a bounty
program.
• Even if we run a company with dedicated security professionals
employed, they may not be able to identify all potential security
risks.
• Therefore, to help encourage the community to find security risks
and report them, offer a “bounty” of monetary value.
• Example: Google Play Security Reward Program (GPSRP) is a
bug bounty program offered by Google Play.
References
1. Textbook: Security in Computing, 5th Edition by C. P. Pfleeger, S. L.
Pfleeger, J. Margulies
2. Securing web applications. Information available at:
https://www.keycdn.com/blog/web-application-security-best-practices