WDS MID - 1

1. Describe about cryptography and web development.

A)

Introduction

Cryptography is the science of securing information by converting it into an

unreadable format, while web development is the process of designing and building
websites or web applications. Both intersect when building secure, reliable, and
user-friendly online platforms.

Cryptography

●​ Objectives: Confidentiality, Integrity, Authentication, Non-repudiation.

●​ Types:
○​ Symmetric Encryption (AES, DES): Same key for
encryption/decryption.
○​ Asymmetric Encryption (RSA, ECC): Uses public/private key pairs.
○​ Hash Functions (SHA-256, bcrypt): One-way functions for data
integrity.
●​ Applications: Digital signatures, secure email, online banking, blockchain.

Web Development

●​ Frontend (Client-Side): User interface (HTML, CSS, JavaScript, React).

●​ Backend (Server-Side): Application logic and database handling (Python,
Node.js, Java).
●​ Database: Data storage (MySQL, MongoDB).
●​ Phases: Requirement → Design → Development → Testing → Deployment.
●​ Applications: E-commerce, social media, online education, cloud services.
Cryptography in Web Development

●​ Data Protection: Encrypts sensitive data like passwords and transactions.

●​ Authentication: Digital certificates, tokens, and secure logins.
●​ Integrity: Hashing verifies that transmitted data is unaltered.
●​ Secure Communication: TLS/SSL ensures encrypted connections (HTTPS).
●​ Real-world Uses:
○​ Password hashing in login systems.
○​ Encrypted payment gateways in e-commerce.
○​ JWT (JSON Web Tokens) for secure API communication.

Web development provides the platform for digital interaction, while cryptography
ensures that this interaction remains safe, private, and trustworthy. Together, they
form the backbone of modern secure online services.

2.) Explain digital identification web security

A)

Digital identification refers to the use of electronic methods to verify the identity of
users, devices, or systems in online environments. It is a core part of web security,
ensuring that only authorized entities gain access to sensitive data and services.

Objectives of Digital Identification

1.​ Authentication – Verifying the identity of a user or system.

2.​ Authorization – Granting access to resources based on verified identity.
3.​ Confidentiality – Protecting sensitive information during communication.
4.​ Non-repudiation – Preventing denial of actions by a user.

Techniques Used

●​ Passwords & PINs: Basic form of digital ID, but vulnerable to attacks.
 ●​ Digital Certificates: Issued by Certificate Authorities (CA), used in HTTPS.
●​ Biometric Authentication: Fingerprint, facial recognition, voice ID.
●​ Multi-Factor Authentication (MFA): Combination of password, OTP, and
biometrics.
●​ Public Key Infrastructure (PKI): Uses cryptographic keys for secure
identification.

Role in Web Security

1.​ Secure Login – Encrypted passwords and tokens (e.g., OAuth, JWT).
2.​ Encrypted Communication – TLS/SSL ensures server and client identity
validation.
3.​ Fraud Prevention – Detects and prevents identity theft or unauthorized access.
4.​ E-commerce & Banking – Verifies customer identity before transactions.

Applications

●​ Online banking and payment gateways

●​ Government e-services (eID, Aadhaar authentication in India)
●​ Corporate networks (employee access control)
●​ Social media account protection

Digital identification is the foundation of trust in web security. By combining

cryptography, authentication methods, and secure protocols, it ensures that online
interactions are safe, reliable, and resistant to cyber threats.
3.) Discuss in detail about SSL/TLS?

A)

●​ SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are
protocols that provide secure communication between a web browser (client)
and a web server.
●​ TLS is the successor to SSL and is more secure and efficient.
●​ Websites that use SSL/TLS appear as HTTPS instead of HTTP.

Objectives of SSL/TLS

1.​ Confidentiality – Encrypts data so attackers cannot read it.

2.​ Integrity – Ensures data is not modified during transfer.
3.​ Authentication – Verifies the identity of the server (and sometimes the client)
using digital certificates.
4.​ Non-repudiation – Prevents denial of sending or receiving messages.

How SSL/TLS Works (Handshake Process)

1.​ Client Hello → Browser sends supported encryption methods.

2.​ Server Hello → Server responds with chosen method and sends a digital
certificate.
3.​ Key Exchange → Browser and server agree on a secret session key (using
RSA or Diffie-Hellman).
4.​ Secure Communication → All further data is encrypted using symmetric
encryption (fast and secure).

Features of SSL/TLS

●​ Uses public key cryptography for key exchange and authentication.

●​ Uses symmetric encryption for fast communication.
●​ Relies on X.509 certificates issued by Certificate Authorities (CA).
●​ Runs on port 443 (HTTPS).
Difference between SSL and TLS

●​ SSL is older and has known security flaws (e.g., SSL 2.0, SSL 3.0).
●​ TLS is the updated, secure protocol.
●​ Today, only TLS 1.2 and TLS 1.3 are recommended.

Applications

●​ Online banking and e-commerce (secure transactions).

●​ Protecting logins and passwords.
●​ Email and messaging security.
●​ Preventing man-in-the-middle (MITM) attacks.

SSL/TLS is the foundation of web security, ensuring that communication over the
internet is encrypted, authenticated, and safe. While SSL is outdated, TLS is the
modern protocol used worldwide for secure web services.

4.) Do the Web Wars have an effect on your Privacy ? Justify?

A)

The “Web’s War on Privacy” greatly affects how personal information is collected,
stored, and shared on the internet. Today, almost every online activity leaves digital
footprints that organizations, advertisers, hackers, or even governments can exploit.

Ways Privacy is Affected

1.​ Tracking Cookies – Websites track user behavior across pages and platforms,
creating detailed profiles.
2.​ Third-Party Trackers – Advertisers embed scripts that monitor browsing
patterns for targeted ads.
3.​ Data Brokers – Sell personal details (browsing history, habits) to companies
without user consent.
 4.​ Social Media Profiling – Collects personal data like interests, friends, and
lifestyle patterns.
5.​ Location Tracking – Mobile apps and sites monitor user movements in real
time.
6.​ Search Engine Tracking – Queries are linked to IP addresses, exposing
preferences and habits.
7.​ Unencrypted Connections – Without SSL/TLS, hackers can intercept login
credentials or financial data.
8.​ Phishing & Data Breaches – Fake websites and leaks expose sensitive details.
9.​ Government Surveillance – Some governments monitor large-scale internet
traffic.
10.​ IoT Devices – Smart devices (cameras, assistants) constantly collect user
data.

Justification / Impact

●​ Loss of Privacy – Users cannot control what happens to their data.

●​ Identity Theft & Fraud – Stolen details may be misused for financial crimes.
●​ Manipulation – Personal data can be exploited for advertising, political
influence, or discrimination.

The web’s war on privacy has a major negative impact on individuals by reducing
anonymity, increasing surveillance, and exposing sensitive data. To protect privacy,
users should adopt strong passwords, HTTPS, VPNs, encrypted messaging,
privacy-focused browsers, and multi-factor authentication.
5.) Discuss the Common Vulnerabilities in Web Server?

A)

A web server hosts websites and provides services to clients over the internet. Since it
is publicly accessible, it is a frequent target for attackers. Misconfigurations, weak
coding practices, or unpatched systems can expose web servers to security
vulnerabilities.

Common Vulnerabilities

1.​ Default Configurations

○​ Many servers run with default settings, such as open ports or sample
applications.
○​ Attackers exploit these defaults to gain unauthorized access.
2.​ Directory Traversal Attack
○​ Exploits improper input validation to access restricted files outside the
web root.
○​ Example: ../../etc/passwd to view sensitive system files.
3.​ Unpatched Software
○​ Outdated server software contains known security flaws.
○​ Hackers can exploit these to compromise the server.
4.​ Cross-Site Scripting (XSS)
○​ Occurs when malicious scripts are injected into web pages.
○​ Can steal cookies, session data, or perform phishing attacks.
5.​ SQL Injection
○​ Malicious queries are inserted into input fields to access or modify
databases.
○​ Leads to data leaks or full database compromise.
6.​ Denial of Service (DoS/DDoS)
○​ Attackers flood the server with traffic, making it unavailable to
legitimate users.
7.​ Weak Authentication Mechanisms
 ○​ Poor password policies or missing multi-factor authentication allow
brute-force attacks.
8.​ File Inclusion Vulnerabilities
○​ Local File Inclusion (LFI): Attackers load sensitive local files.
○​ Remote File Inclusion (RFI): Attackers execute malicious files from
remote servers.
9.​ Misconfigured Access Controls
○​ Improper permissions may allow unauthorized users to view or edit
sensitive data.

Web servers face multiple vulnerabilities such as injection attacks,

misconfigurations, and unpatched systems. Proper security practices like regular
patching, input validation, strong authentication, and secure configuration are
essential to prevent exploitation.

6.) How to apply security for Servers on the Web?

A)

Web servers are critical components of online services, but they are common targets
for attackers. To ensure confidentiality, integrity, and availability, proper security
measures must be applied at the server level.

Security Measures for Web Servers

1.​ Regular Updates and Patching

○​ Keep the operating system, server software, and applications updated.
○​ Fixes known vulnerabilities before attackers can exploit them.
2.​ Secure Configuration
○​ Disable default accounts, unused services, and sample applications.
○​ Restrict directory browsing and apply the principle of least privilege.
 3.​ Authentication and Access Control
○​ Enforce strong password policies and use multi-factor authentication.
○​ Implement role-based access control (RBAC) for administrators and
users.
4.​ Encryption
○​ Use SSL/TLS (HTTPS) to encrypt data between client and server.
○​ Secure sensitive files with encryption at rest.
5.​ Input Validation
○​ Sanitize user inputs to prevent SQL Injection, XSS, and File Inclusion
attacks.
○​ Use prepared statements and parameterized queries.
6.​ Firewall and Intrusion Detection
○​ Deploy Web Application Firewalls (WAFs) to block malicious traffic.
○​ Use IDS/IPS systems to detect and stop suspicious activities.
7.​ Logging and Monitoring
○​ Maintain detailed server logs and monitor them for unusual activity.
○​ Enable alerts for brute-force attempts or unauthorized access.
8.​ Backup and Recovery
○​ Perform regular backups of critical data and configuration.
○​ Test recovery procedures to ensure business continuity after attacks.
9.​ Physical and Network Security
○​ Protect data centers with restricted physical access.
○​ Use VPNs and secure network segmentation to limit exposure.

Applying server security involves patch management, secure configurations,

encryption, access control, monitoring, and backups. A multi-layered approach
ensures that even if one defense fails, others will protect the web server from
compromise.
7.) Discuss about Access Control Policy Languages in XML?

A)

Access control ensures that only authorized users can access specific resources. To
define such rules in a machine-readable and interoperable way, XML-based policy
languages are widely used. They allow flexible, platform-independent representation
of policies for web services and applications.

●​ XML is structured and extensible, making it ideal for expressing complex

policies.
●​ Supports interoperability across different platforms and services.
●​ Human-readable and machine-processable.

Major XML-Based Policy Languages

1.​ XACML (eXtensible Access Control Markup Language)

○​ Standard defined by OASIS.
○​ Provides a fine-grained, attribute-based access control (ABAC) model.
○​ Defines Policy Decision Point (PDP) and Policy Enforcement Point
(PEP) architecture.
○​ Example: “Allow doctors to access patient records only during duty
hours.”
2.​ SAML (Security Assertion Markup Language)
○​ XML-based standard for exchanging authentication and authorization
data between security domains.
○​ Widely used in Single Sign-On (SSO) systems.
○​ Allows identity providers (IdPs) to share authentication assertions with
service providers.
3.​ XrML (eXtensible Rights Markup Language)
○​ Focuses on digital rights management (DRM).
○​ Defines who can use digital content and under what conditions.
 ○​ Example: “Users can read this e-book for 30 days, but cannot print or
copy.”
4.​ P3P (Platform for Privacy Preferences Project)
○​ Enables websites to express privacy policies in XML format.
○​ Allows browsers to automatically interpret site privacy practices.

Advantages

●​ Standardization – Supported by industry bodies like OASIS and W3C.

●​ Flexibility – Can handle role-based, attribute-based, and rights-based access.
●​ Automation – Policies can be enforced automatically by systems.

XML-based access control policy languages like XACML, SAML, XrML, and P3P
provide a standardized way to define, exchange, and enforce access rules. They
enhance security, interoperability, and trust in web-based systems and applications.

8.) Define Database Security?

A)

Database Security refers to the set of processes, controls, and technologies used to
protect a database from unauthorized access, misuse, and threats. It ensures that the
confidentiality, integrity, and availability (CIA) of data stored in a database are
maintained.

Objectives of Database Security

1.​ Confidentiality – Only authorized users can view sensitive data.

2.​ Integrity – Data remains accurate, consistent, and protected from unauthorized
changes.
3.​ Availability – Data and database services are accessible when needed.
4.​ Authentication & Authorization – Verifying user identity and granting
appropriate access rights.
 5.​ Accountability – Tracking user activities through auditing and logging.

Threats to Database Security

●​ Unauthorized access by hackers or insiders.

●​ SQL Injection and other web-based attacks.
●​ Malware or ransomware targeting databases.
●​ Data leaks due to weak authentication or misconfiguration.
●​ Physical damage or system failure.

Security Measures

●​ Strong access control and role-based permissions.

●​ Encryption of sensitive data (at rest and in transit).
●​ Regular patches and updates for DBMS.
●​ Backup and recovery planning.
●​ Monitoring and auditing user activities.

Database security is essential to protect sensitive organizational and personal data. By

applying strong access control, encryption, monitoring, and recovery strategies,
organizations can ensure safe and reliable database operations.
9.) Describe the Characteristics and Best Practices in Risk Analysis?

A)

Risk Analysis is the process of identifying, evaluating, and prioritizing risks that may
affect the confidentiality, integrity, or availability of data and systems. It helps
organizations apply appropriate security measures to minimize threats.

Characteristics of Risk Analysis

1.​ Systematic Approach – Follows a structured process to identify risks.

2.​ Asset-Centric – Focuses on protecting valuable assets like data, software, and
infrastructure.
3.​ Threat Identification – Considers both internal and external threats (hackers,
insiders, disasters).
4.​ Vulnerability Assessment – Detects weaknesses in systems and processes.
5.​ Impact Evaluation – Measures potential damage (financial loss, data leaks,
downtime).
6.​ Probability Estimation – Assesses likelihood of risk occurrence.
7.​ Cost-Benefit Orientation – Balances the cost of security controls against the
potential loss.
8.​ Continuous Process – Needs periodic updates as threats and technology
evolve.

Best Practices in Risk Analysis

1.​ Identify Assets Clearly – Know what data and resources are most critical.
2.​ Classify Data – Separate sensitive data (e.g., financial, personal) from general
data.
3.​ Perform Threat Modeling – Identify possible attack scenarios.
4.​ Use Standard Frameworks – Follow guidelines like ISO 27005 or NIST SP
800-30.
5.​ Prioritize Risks – Focus on high-impact and high-probability risks first.
 6.​ Apply Layered Security – Use defense-in-depth (firewalls, encryption, access
control).
7.​ Involve Stakeholders – Management, IT staff, and end-users should
participate.
8.​ Document and Monitor – Keep records of risks, controls, and continuously
monitor them.
9.​ Regular Reviews – Update risk analysis periodically to address new threats.

Risk analysis is a systematic and continuous process that identifies vulnerabilities,

evaluates potential threats, and helps in choosing cost-effective security measures. By
following best practices, organizations can strengthen their defenses and reduce the
overall impact of risks.

10.) Explain in detail about Web Security Problem with the help of an Example?

A)

Web security is the process of protecting websites, web applications, and online
services from threats that can compromise data, functionality, or trust. The Web
Security Problem arises because the web involves three main components — the
server, the communication channel, and the client machine — each of which can
be attacked.

Main Issues in Web Security

1.​ Server Security

○​ Servers may be misconfigured or unpatched.
○​ Attackers exploit vulnerabilities to steal or modify data.
2.​ Communication Security
○​ Data transmitted over the internet can be intercepted.
○​ Without encryption, attackers perform man-in-the-middle (MITM)
attacks.
 3.​ Client Security
○​ End-user devices can be infected with malware.
○​ Harmful scripts can execute in the browser (XSS attacks).

Example: E-Commerce Website

●​ A user logs into an online shopping site.

●​ The website uses HTTP instead of HTTPS.
●​ An attacker on the same public Wi-Fi intercepts the login request and steals the
username and password.
●​ Using the stolen credentials, the attacker gains access to the user’s account and
makes unauthorized purchases.

This example shows that lack of transport security exposes both users and the
organization to fraud and data theft.

Solutions

●​ Server-side: Apply patches, strong authentication, and disable unused services.

●​ Transport layer: Use SSL/TLS (HTTPS) for secure communication.
●​ Client-side: Validate input, block malicious scripts, and use secure coding
practices.
●​ General: Firewalls, intrusion detection, regular audits, and backups.

The Web Security Problem is multi-layered and affects the server, the network
channel, and the client. A single weakness can lead to a chain of attacks. Therefore,
a defense-in-depth approach with encryption, secure coding, monitoring, and user
awareness is essential.
11.) Explain the Best Practices occurring during Risk Analysis?

A)

Risk Analysis is the process of identifying, evaluating, and prioritizing potential

risks that can threaten an organization’s data, systems, or operations. It helps in
deciding the right security controls to minimize threats while balancing cost and
performance. To ensure effective results, certain best practices should be followed.

Best Practices in Risk Analysis

1.​ Identify and Classify Assets

○​ Clearly list all critical assets such as databases, applications, and
hardware.
○​ Classify them based on importance (e.g., confidential data, financial
records, public data).
2.​ Perform Threat and Vulnerability Assessment
○​ Identify possible threats like hackers, insider misuse, malware, or
natural disasters.
○​ Assess vulnerabilities in systems, networks, and applications.
3.​ Follow Standard Frameworks
○​ Use well-known guidelines like NIST SP 800-30 or ISO 27005.
○​ Ensures consistency, reliability, and industry compliance.
4.​ Involve Stakeholders
○​ Include management, IT teams, and end-users in the risk analysis
process.
○​ Encourages shared responsibility and realistic decision-making.
5.​ Prioritize Risks (Risk Ranking)
○​ Evaluate risks in terms of likelihood and impact.
○​ Focus resources on high-probability and high-impact risks first.
6.​ Consider Cost–Benefit Analysis
○​ Balance the cost of implementing controls with the potential loss from
risks.
 ○​ Avoid over-spending on low-priority risks.
7.​ Apply Layered Security (Defense in Depth)
○​ Use multiple security measures such as firewalls, intrusion detection,
encryption, and access controls.
○​ Reduces the chance of a single point of failure.
8.​ Maintain Documentation and Reports
○​ Record identified risks, applied controls, and analysis results.
○​ Helps in audits, accountability, and future improvements.
9.​ Regular Reviews and Continuous Monitoring
○​ Risks evolve over time due to new technologies and threats.
○​ Update risk analysis periodically and monitor systems continuously.

Best practices in risk analysis ensure that an organization can proactively identify
threats, prioritize them, and apply the most effective controls. By involving
stakeholders, following frameworks, and continuously updating, risk analysis
becomes a powerful tool for strengthening databases and overall IT security.

12.)Explain briefly about the legal restrictions on Cryptography?

A)

Cryptography is a powerful tool that ensures confidentiality, integrity, and

authentication in digital communication. However, because it can also be misused by
criminals and terrorists, many governments impose legal restrictions on its use,
export, and strength.

Need for Legal Restrictions

1.​ National Security – Strong encryption may prevent law enforcement and
intelligence agencies from monitoring criminal activities.
2.​ Export Control – Countries limit export of advanced cryptographic tools to
prevent them from reaching hostile states or organizations.
 3.​ Law Enforcement Access – Some regulations require companies to provide
decryption keys or lawful interception facilities when demanded.

Types of Restrictions

1.​ Export Restrictions

○​ Some countries classify cryptographic software as a munition
(weapon).
○​ For example, the USA earlier restricted export of encryption stronger
than 40-bit keys.
○​ Today, stronger cryptography is allowed but still monitored.
2.​ Import and Usage Restrictions
○​ Certain countries (e.g., China, Russia, Iran) restrict the use of foreign or
unauthorized encryption tools.
○​ Only government-approved algorithms may be used.
3.​ Key Escrow / Backdoors
○​ Some governments mandate key escrow, where companies must deposit
encryption keys with authorities.
○​ This ensures access in case of criminal investigation but raises privacy
concerns.
4.​ Licensing Requirements
○​ Organizations using strong cryptography may need to obtain a license or
permission from government agencies.

Challenges and Controversy

●​ Too many restrictions may weaken security for businesses and individuals.
●​ Weak encryption standards can be exploited by hackers.
●​ Balancing privacy rights of individuals with national security needs is a
major challenge.
Legal restrictions on cryptography aim to protect national security and law
enforcement capabilities, but they must not compromise individual privacy and
business security. A balance between regulation and freedom of use is essential in
modern web security.

13.) Explain the Web Wars on your Privacy?

A) Refer Q4

14.) Discuss the Privacy Protecting Techniques in Web Security?

A)

Privacy is one of the biggest concerns in web security. As users share sensitive data
(personal details, location, browsing habits), it becomes vulnerable to misuse by
attackers, advertisers, and even governments. Privacy protecting techniques are
methods that safeguard user information, ensuring confidentiality, anonymity, and
trust in online systems.

Key Privacy Protecting Techniques

1.​ Encryption (SSL/TLS, End-to-End)

○​ Protects data during transmission by converting it into unreadable form.
○​ HTTPS ensures that attackers cannot intercept passwords, credit card
numbers, or messages.
2.​ Anonymity Tools
○​ Proxy servers, VPNs, and TOR networks hide user IP addresses.
○​ Prevents tracking of browsing behavior and location.
3.​ Access Control and Authentication
○​ Role-based access ensures only authorized users can access sensitive
data.
 ○​ Strong authentication (multi-factor authentication) prevents
unauthorized entry.
4.​ Data Minimization
○​ Collect only the data required for a service.
○​ Reduces risk if data is stolen or misused.
5.​ Cookie Management & Anti-Tracking Tools
○​ Blocking third-party cookies, using browser extensions like Privacy
Badger.
○​ Prevents advertisers from building detailed user profiles.
6.​ Pseudonymization and Anonymization
○​ Replacing personal identifiers with codes or random values.
○​ Widely used in healthcare and research databases to protect identities.
7.​ Privacy Policy Enforcement (P3P)
○​ Websites can declare how user data will be used, and browsers interpret
these policies.
○​ Helps users make informed decisions about sharing information.
8.​ Intrusion Detection and Monitoring
○​ Detects abnormal activities that may indicate data theft attempts.
○​ Maintains logs for accountability and audits.
9.​ User Awareness and Education
○​ Encouraging strong passwords, avoiding suspicious links, and limiting
oversharing.

Privacy protecting techniques such as encryption, anonymity, access control, data

minimization, and cookie management form the backbone of web security. By
combining technical measures with strong policies and user awareness, organizations
can build systems that respect privacy while ensuring security.
15.) Discuss the key Considerations about Web Server Security?

A)

A web server is the backbone of any website or web application, responsible for
delivering content and services to users. Because it is accessible over the internet, it is
a frequent target for hackers. Ensuring web server security is essential to protect
sensitive data, maintain trust, and guarantee availability.

Key Considerations

1.​ Secure Configuration

○​ Remove default accounts, sample applications, and unnecessary
services.
○​ Restrict directory browsing and apply the principle of least privilege.
2.​ Patch Management
○​ Keep the operating system, server software, and applications updated.
○​ Fixes known vulnerabilities before attackers exploit them.
3.​ Authentication and Access Control
○​ Use strong password policies and multi-factor authentication for
administrators.
○​ Apply role-based access to limit permissions.
4.​ Encryption (SSL/TLS)
○​ Enforce HTTPS to secure data in transit.
○​ Protect sensitive files with encryption at rest.
5.​ Input Validation
○​ Prevent attacks such as SQL Injection, XSS, and Command Injection.
○​ Implement prepared statements and parameterized queries.

6.​ Firewall and Intrusion Detection

○​ Deploy Web Application Firewalls (WAFs) to block malicious
requests.
 ○​ Use IDS/IPS to detect and stop suspicious activities.
7.​ Logging and Monitoring
○​ Enable server logs to track unauthorized access attempts.
○​ Monitor logs regularly and enable real-time alerts.
8.​ Backup and Recovery
○​ Maintain regular backups of web server data and configurations.
○​ Test disaster recovery plans to ensure business continuity.
9.​ Physical and Network Security
○​ Secure data centers with restricted access.
○​ Use VPNs and network segmentation to isolate critical services.

Web server security is not a one-time task but a continuous process. Proper
configuration, timely patching, strong authentication, encryption, monitoring, and
recovery planning form the foundation of a secure web server. By following these
considerations, organizations can prevent attacks, protect user trust, and ensure
reliable services.

16.) Define Database Security? List and some Explain Recent Advances in Access
Control?

A)

Database Security refers to the set of processes, tools, and controls that protect a
database against confidentiality, integrity, and availability (CIA) threats. It prevents
unauthorized access, protects sensitive information, ensures accurate data, and
guarantees service availability to legitimate users.

●​ Confidentiality: Data is visible only to authorized users.

●​ Integrity: Data remains consistent and unaltered by unauthorized actions.
●​ Availability: Data and services are accessible when required.
Recent Advances in Access Control

Traditional access control models like DAC (Discretionary Access Control) and
MAC (Mandatory Access Control)are still used but may not be sufficient for
modern environments such as cloud computing, IoT, and big data systems. Hence,
recent advances focus on flexibility, scalability, and context-awareness.

1. Role-Based Access Control (RBAC)

●​ Users are assigned roles, and roles define permissions.

●​ Example: A Doctor role can access patient records, while a Receptionist role
can only view appointments.
●​ Widely adopted in enterprises because it simplifies management.

2. Attribute-Based Access Control (ABAC)

●​ Decisions are made based on attributes of user, resource, action, and

environment.
●​ Example: “Allow access to a patient file if the user is a Doctor AND accessing
during duty hours.”
●​ More fine-grained and dynamic than RBAC.

3. Context-Aware Access Control

●​ Uses contextual factors like time, location, device type, or network security
level.
●​ Example: A bank employee can approve transactions only from the office
network, not from a personal device.

4. Risk-Adaptive Access Control (RAdAC)

●​ Balances operational need vs. security risk.

●​ Example: During emergencies, a hospital may temporarily allow extended
access for medical staff.
5. Privacy-Aware Access Control

●​ Ensures compliance with privacy regulations (e.g., GDPR).

●​ Users can control how their personal data is shared and accessed.

Database security ensures that sensitive data is protected against misuse and loss. With
evolving threats, recent access control models like RBAC, ABAC, Context-Aware,
RAdAC, and Privacy-Aware systems provide more flexibility, scalability, and
compliance than traditional models.

17.) ​Explain how XACML can be used for XML access control.

A)

Access control ensures that only authorized users can access specific resources. Since
many web applications exchange information in XML format, there is a need for a
standard way of defining and enforcing access policies.

XACML (eXtensible Access Control Markup Language), developed by OASIS, is

an XML-based standard that provides fine-grained, attribute-based access control for
XML and web resources.

How XACML Works

XACML follows a Policy Decision Point (PDP) and Policy Enforcement Point
(PEP) architecture:

1.​ Policy Enforcement Point (PEP) – Intercepts a user request for an XML
document.
2.​ Policy Decision Point (PDP) – Evaluates the request against stored XACML
policies.
3.​ Policy Administration Point (PAP) – Manages and defines access policies.
 4.​ Policy Information Point (PIP) – Provides attribute values (e.g., user role,
time, location).
5.​ Based on evaluation, the PDP responds with Permit, Deny, NotApplicable, or
Indeterminate.

Use of XACML in XML Access Control

1.​ Fine-Grained Authorization

○​ Access can be controlled not only at the document level but also at the
element/attribute level within XML.
○​ Example: A doctor can read <MedicalHistory> but not <BillingInfo>.
2.​ Attribute-Based Access
○​ Policies are based on attributes of the subject (user role), resource
(XML element), action (read/write), and environment (time,
location).
○​ Example: “Permit access to <LabResults> if user.role = Doctor AND
access.time = DutyHours.”
3.​ Separation of Policy from Application Logic
○​ Policies are written in XML and can be updated without modifying the
application code.
○​ Increases flexibility and scalability.
4.​ Interoperability
○​ Being XML-based, XACML integrates easily with web services, SOA,
and cloud systems.

XACML provides a standardized and flexible way to enforce access control in XML
documents. By supporting fine-grained, attribute-based rules and separating policies
from application logic, it ensures security, scalability, and interoperability in
modern web and enterprise applications.
18.) List and Explain the roles of Cryptography?

A)

Cryptography is the science of securing information by transforming it into an

unreadable form, ensuring that only authorized parties can understand it. In web
security, cryptography plays a vital role in protecting data, communication, and
user trust. Its applications extend from simple password protection to securing global
financial transactions.

Roles of Cryptography

1.​ Confidentiality (Secrecy)

○​ Ensures that only authorized users can read the information.
○​ Achieved using encryption algorithms such as AES, RSA.
○​ Example: Encrypting emails so that only the recipient can read them.
2.​ Integrity
○​ Guarantees that data is not altered during storage or transmission.
○​ Achieved using hash functions (SHA, MD5) and digital signatures.
○​ Example: Software downloads use checksums to verify data integrity.
3.​ Authentication
○​ Confirms the identity of users or systems.
○​ Uses digital certificates, challenge-response protocols, or key-based
authentication.
○​ Example: Logging into a banking website using SSL/TLS certificates.
4.​ Non-Repudiation
○​ Prevents a sender from denying their actions, such as sending a message
or signing a document.
○​ Implemented using digital signatures with public/private key pairs.
○​ Example: An e-contract signed digitally cannot later be denied by the
signer.
5.​ Access Control Support
○​ Works with authentication to enforce access rights.
 ○​ Cryptographic tokens or keys allow only authorized users to access data.
○​ Example: Encrypted files accessible only by users with decryption keys.
6.​ Secure Communication
○​ Protects data in transit against eavesdropping and tampering.
○​ Protocols like SSL/TLS, IPSec, and VPNs rely on cryptography.
○​ Example: HTTPS ensures safe browsing and online payments.

The roles of cryptography cover confidentiality, integrity, authentication,

non-repudiation, and secure communication. Together, these functions form the
foundation of web security, e-commerce, cloud services, and modern digital
interactions. Without cryptography, trust and security in digital systems would be
impossible.