Information security is a set of practices designed to keep personal data secure from unauthorized access and alteration while it is stored or transmitted from one place to another. It is designed and implemented to protect print, electronic and other private, sensitive and personal data from unauthorized persons, and to protect data from misuse, disclosure, destruction, modification and disruption. It is important to keep communication between the academic department and students running during the lockdown and to continue supporting students by providing access to learning resources. An eBook is a practical resource for students since it can be downloaded to any mobile device and read anywhere. With remote online learning, this eBook is a practical resource for the academic department and students of the Information Security course. BASIC SECURITY is an eBook that provides a foundation in the basic information knowledge and skills necessary for ICT professionals. Students are exposed to the principles and good practices of environmentally sustainable secured computing and the use of appropriate tools and technologies in managing an IS environment. This eBook covers a basic chapter for information security.

Published by ainulmadihah0479, 2022-11-15 21:04:03

BASIC SECURITY

Keywords: BS

Application security

Application security includes all tasks that introduce a
secure software development life cycle to development
teams.
Its final goal is to improve security practices and,
through that, to find, fix and preferably prevent security
issues within applications.
Threat modelling for web applications :

Application threats

A threat is the occurrence of any event or circumstance
that may harm any of the organization's assets.
Application threats are threats posed at the application
level that may maliciously harm an application.

Application threats Categories

Input validation
It covers any false assumption made about the input
provided by a user.
It involves the type, range or format of input data.

Types of Input Validation (refer Table 1)

Authentication

Authentication is the act of proving an assertion, such as
the identity of a computer system user.
In contrast with identification, the act of indicating a
person or thing's identity, authentication is the process
of verifying that identity.
Types of Authentication (refer Table 2)

Authorization

Authorization allows users to access a specific resource or service.
Types of Authorization (refer Table 3)

Threat Modelling For Web Applications

Threat modeling is an activity that helps you identify and
mitigate threats. It is very important because it makes
you look at security risks top-down, focus on
decision-making, prioritize cybersecurity decisions, and
consider how you can use your resources in the best
possible way. It is divided into:

Security Objectives
Application Overview
Decompose Application
Threats
Vulnerabilities

Common Security On the Web

Threats on the client side

Many computers on the client side are vulnerable to
attacks such as viruses, worms and Trojan horses that
are created by hackers or crackers, or that result from
malicious code.

Threats on the server side

Data available on web servers is exposed to
unauthorized access. If an intrusion occurs on the web
server, it could lead to reduction in speed or it
might crash the server.

Network Threats

If a network on the web is not properly secured, it might
be the root cause of loss of information.

Tools for web-based solutions

Stinger
A stand-alone utility used to detect and remove certain
viruses on browser-hijacked systems. It is not a full
anti-virus protection tool; rather, it guides
administrators and users when dealing with an infected
system.

Cwshredder
This tool scans the entire system and looks for browser
hijacking. Features of the Cwshredder tool:

Spyware detection and removal
Real-time active defense
Provides restore utility
Provides automatic frequent updates

Microsoft Anti-spyware Software
A security technology that helps users protect a
Windows operating system from spyware and other
potentially unwanted software. This software detects
and removes spyware on your computer.

Email Works

Emails are routed to user accounts via several computer
servers. These servers route each message to its final
destination and store it so that users can pick up and
send messages once they connect to the email infrastructure.
Email can be accessed through an email client or a web
interface. Some terms include:
MUA : Mail User Agent
MTA : Mail Transfer Agent
MDA : Mail Delivery Agent
MRA : Mail Retrieval Agent

How Email Works

sally@onlinebusiness sends an email message and
connects to an SMTP (Simple Mail Transfer Protocol)
server as configured in her email client or Mail User
Agent (MUA).
On the SMTP server, a Mail Transfer Agent (MTA)
looks at the recipient address and looks up the
domain part of the address to determine its
destination.
After querying a Domain Name System (DNS) server
for the name of the Mail eXchanger (MX) for the
recipient’s domain name, the SMTP server will send
the message to that server via the SMTP protocol.
The receiving server will store the message (MDA)
and make it available to the recipient
([email protected]), who can access
it (MUA) via POP3.

Email Encryption

The only mechanism for securing e-mail is
encryption.
Encryption protects against sniffing, insecure
attachments and also spoofing.
All e-mail encryption approaches use public key
encryption to protect messages.
To set up secure e-mail, the e-mail encryption
package will generate a private key for the user
and a public key that the user can send to those
who need secure e-mail.
Spoofing can be prevented through public key
encryption.
The ability to decode a message with a given
public key proves that it was encoded with the
corresponding private key, which in turn confirms
that the message is from the user who sent the
public key.
E-mail encryption technologies:

Secure Multipurpose Internet Mail Extension (S/MIME)
Pretty Good Privacy (PGP)

Email Authentication

Email authentication verifies that an email is
actually from you.
The way email was originally designed makes
sender details easy to forge, or "spoof." Spammers
and phishers take advantage of this by posing as
banks, auction sites, energy companies or otherwise
to steal money or spread malicious software.
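
Added example (not part of the original eBook): the relay path described under How Email Works can be read back from a message's Received headers, and the forgeable sender described above shows up as a mismatch between the visible From address and the envelope sender in Return-Path. The message, host names and addresses below are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every host and address is a placeholder.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.20])
 by mda.example.org with LMTP; Tue, 15 Nov 2022 21:04:05 +0000
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
 by mx.example.org with ESMTP; Tue, 15 Nov 2022 21:04:04 +0000
Received: from laptop.local (unknown [192.0.2.44])
 by smtp.example.net with ESMTPSA; Tue, 15 Nov 2022 21:04:03 +0000
From: "Example Bank" <support@bank.example.com>
To: sally@example.org
Subject: Account notice

Body text.
"""
MSG = message_from_string(RAW)

def relay_path(msg):
    """Return (from_host, by_host) hops, oldest first (MUA -> MTA -> MX -> MDA)."""
    hops = []
    # Each server prepends its own Received header, so the newest is on top.
    for value in reversed(msg.get_all("Received", [])):
        words = value.split()  # also flattens folded header lines
        src = words[words.index("from") + 1] if "from" in words else None
        dst = words[words.index("by") + 1] if "by" in words else None
        hops.append((src, dst))
    return hops

def domain_of(header_value):
    """Lower-cased domain part of the address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def sender_mismatch(msg):
    """True when the visible From domain differs from the envelope sender domain."""
    visible = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    return bool(visible and envelope) and visible != envelope

if __name__ == "__main__":
    for src, dst in relay_path(MSG):
        print(f"{src} -> {dst}")
    print("From/Return-Path mismatch:", sender_mismatch(MSG))
```

A mismatch is a signal to investigate, not proof of forgery, since legitimate bulk mailers also send with a different envelope domain. Only Received headers added by servers you control can be trusted; earlier ones are supplied by the sender.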

Common E-mail Protocol

MIME/Secure MIME (Multipurpose Internet Mail Extension (MIME) / Secure MIME)
Pragmatic General Protocol
SMTP
POP and IMAP

Risks Related to E-mail Security

E-mail Spoofing
Spreading Malware
E-mail Bombing
E-mail Spamming

SUMMARY

Protecting basic communication systems is key
to resisting attacks.
Nowadays, e-mail encryption is very important.
Awareness of the risks related to e-mail needs to be
taken into consideration so that you are not easily
attacked by an attacker when you send confidential
material.
