Auditing the Development of Web-Based Applications


Presentation Transcript

1

Auditing the Development of Web-Based Applications
Jian Zhen

2

Overview
Overview of WWW and HTTP
Web-based Application Concepts
Overview of the Development Cycles
Security Requirements
Web-based Application Security
Application Code Reviews

3

World-Wide-Web (WWW)
Invented by Tim Berners-Lee and others at the European Laboratory for Particle Physics (CERN)
Based on hypertext: a system of embedding links in text to link to other text
The most popular way of linking to resources on the Internet

4

WWW (Cont.)
Hundreds of millions of pages indexed by search engines
Tens of terabytes archived by Alexa
Hundreds of millions of users on the Web

5

WWW and HTTP
Static Web Model

6

Common Gateway Interface (CGI)
Common: an open specification; many languages
Gateway: its strength is not in what it does by itself, but in its methods to access other systems
Interface: a well-defined way to call features

7

CGI (cont.)
A way of providing dynamic web content: forms, counters, guest books, database queries
Used by most of the web-based applications

8

The CGI Model

9

Web Applications
Browsers: plug-ins, applets, DHTML, etc.
Internet
Server: CGI, Servlets, ASP, NSAPI, CORBA/ODBC
Static Pages
Database

10

Web Applications
Client side: HTML/DHTML; JavaScript, VBScript, PerlScript; Java; ActiveX; Plug-ins

11

Web Applications
Server side
Frontend: CGIs (Perl, C/C++), Java Servlets, ISAPI, NSAPI, ASP, etc.
Middleware: CORBA, ODBC, DCOM, etc.
Backend: Oracle, Informix, Sybase, DB2, etc.

12

Web Applications
Complex, distributed client/server applications
Many elements involved and integrated
Rapid development
Requires more planning, design, and control than “conventional” projects.

13

Web Development Cycles
Analysis
Design
Testing
Implementation
Prototyping

14

Web Development Cycles: Analysis
Feasibility study
Identify requirements
Involvement: your requirements

15

Web Development Cycles: Design
Design specifications
Involvement: system interoperability, resiliency, capacity planning, mature technologies, security design

16

Design Specification
Business Requirement
Existing and Proposed System Overview
Hardware and Software Requirements
System Schematic
System Interoperability
Operational Cycle/Workflow
System Modules
Input-Output
User Interface Prototypes

17

Web Development Cycles: Prototyping
Most time-consuming stage
Coding
Build, review, and refine prototype
Involvement: coding standards, effective application development environment

18

Web Development Cycles: Testing
Unit/system test plans
Module/unit testing
System integration testing
Involvement: test plans, effective testing environment, testing stages, code reviews

19

Web Development Cycles: Delivery/Implementation
Install systems
Train users
Acceptance testing
Involvement: effective implementation

20

Security Requirements
Privacy: all user information is protected
Authentication/Access Control: only authorized users are allowed to access the resources
Integrity: user and application data cannot be tampered with
Auditing: keeping audit logs and audit trails and ensuring their integrity

21

Privacy
Protecting users’ private information: SSN, birthdates, employee IDs, passwords
Technologies: encryption (DES, RSA, SSL); local vs. network

22

Authentication
Proof of identity
Required to enforce access control and accountability, and to achieve non-repudiation
Technologies: username/password; smart cards, SecurID; biometrics

23

Access Control
Determine who is authorized to receive or modify information
Common mechanisms:
Mandatory Access Control (MAC): owners cannot modify the access list (SeOS)
Discretionary Access Control (DAC): owners are allowed to modify access (UNIX)
Role-based Access Control (RBAC): the role granted provides the necessary access

24

Auditing
The process of collecting and recording security-relevant activities on a system
An after-the-fact technique
Audit logs are used as evidence
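As an added example (not part of the presentation), one way to meet the "ensuring their integrity" requirement from the Security Requirements slide for the audit logs described here: each record is chained to its predecessor with a keyed HMAC, so a rewritten, deleted or reordered entry is detected during verification. The sample events, the key, and the use of HMAC-SHA256 in place of the MD5 hash the deck lists are assumptions.

```python
import hmac
import hashlib
import json

# Constructed sample of security-relevant events (not taken from the slides).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "result": "success"},
    {"user": "alice", "action": "read", "object": "/payroll/ssn.csv"},
    {"user": "bob", "action": "login", "result": "failure"},
]

GENESIS = b"\x00" * 32  # chain tag for the empty log


def _tag(key: bytes, prev_tag: bytes, event: dict) -> bytes:
    """HMAC-SHA256 over the previous tag plus the canonical JSON of this event.

    Chaining on prev_tag means inserting, deleting or reordering an earlier
    entry changes every later tag, not only the entry that was touched.
    """
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


def append_entries(key: bytes, events: list) -> list:
    """Build a tamper-evident log: each record carries its chain tag as hex."""
    log, prev = [], GENESIS
    for ev in events:
        tag = _tag(key, prev, ev)
        log.append({"event": dict(ev), "tag": tag.hex()})
        prev = tag
    return log


def verify_log(key: bytes, log: list) -> int:
    """Return the index of the first entry that fails, or -1 if the chain verifies."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _tag(key, prev, rec["event"])
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held only by the audit verifier
    log = append_entries(key, SAMPLE_EVENTS)
    print("intact:", verify_log(key, log))        # -1
    log[2]["event"]["result"] = "success"         # a failed login is rewritten after the fact
    print("tampered at:", verify_log(key, log))   # 2
```

Because the verifier holds the key, an attacker who can edit the log file cannot recompute a valid chain, which is what makes the records usable as evidence.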

25

Data Encryption
Confidentiality: scrambling data into an unreadable format
Integrity: user and application data are not modified
Technologies: public/secret key encryption (RSA, DES); digital signatures (DSS); hashes (MD5)

26

Web-based Application Security
Security flaws occur when software bugs allow violation of the security policy
Different security flaws present different threats: opening backdoors; stealing information or system resources; destroying or tampering with data


Last Updated: 8th March 2018