Database Security – Issues and Best Practices
Outline
• Intro to Database Security
• Need for Database Security
• Database Security Fundamentals
• Database Security Issues
  • OWASP Top 10 – A1:2017 – Injection
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Database Security Mechanisms
• Database Security Best Practices
Intro to Database Security
Intro to Database Security
• How does a web application work?
[Figure: Client – Server – Involves databases]
Intro to Database Security (contd.)
• Database
  • A database is “an organized collection of structured information, or data, typically stored electronically in a computer system”
  • It includes: the data, the DBMS, & applications that use them
• Database Management Systems (DBMS):
  • DBMS serve “as an interface between the database and its end users or programs, allowing users to retrieve, update, and manage how the information is organized and optimized”
Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html
Intro to Database Security (contd.)
• Database Management Systems (DBMS) (continued):
  • DBMS also facilitate “oversight and control of databases, enabling a variety of administrative operations such as performance monitoring, tuning, and backup and recovery”
  • Types:
    • Relational, Object-Oriented, Distributed, Data Warehouses, Open Source, Cloud, Autonomous, etc.
  • Examples:
    • Oracle, SQL Server, MySQL, Microsoft Access, MariaDB, PostgreSQL, etc.
Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html
https://www.youtube.com/watch?v=_p00AzHE5U4
Intro to Database Security (contd.)
• Database Tutorial for Beginners – Lucidchart
Source: Lucidchart – Database Tutorial for Beginners – https://www.youtube.com/watch?v=wR0jg0eQsZA
Intro to Database Security (contd.)
• Database security refers to “the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability” (IBM, 2019)
• Database security involves protection of
  • The data in the database
  • The database management system (DBMS) itself
  • Any associated applications (including web applications)
  • The physical and/or virtual database server farms and their underlying hardware
  • The computing and/or network infrastructure used to access the database (IBM, 2019)
https://www.ibm.com/cloud/learn/database-security
Intro to Database Security (contd.)
• Database security involves securing data
  • At rest
    • Using techniques such as encryption
    • Example: Amazon RDS uses 256-bit Advanced Encryption Standard (AES) for securing database instances, automated backups, and snapshots at rest
  • In flight
    • Using protocols such as Transport Layer Security (TLS)
    • Example: Amazon RDS uses TLS from the web application to encrypt a connection to a database instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL to protect data in flight
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-ug.pdf
Need for Database Security
Need for Database Security
• As per Oracle (2022):
  • Data breaches are “happening everywhere these days, and hackers are getting more inventive. It’s more important than ever to ensure that data is secure but also easily accessible to users”
• As per IBM (2019):
  • The consequences of data breaches include the following:
    • Compromised intellectual property
    • Damaged brand reputation
    • Loss of business continuity
    • Fines or penalties for non-compliance
    • Expenses related to repairing breaches
https://www.oracle.com/database/what-is-database.html
https://www.ibm.com/cloud/learn/database-security
Need for Database Security (contd.)
• As per the IBM (2021) Cost of a Data Breach Report:
  • The average total cost of a data breach in 2021 was $4.24M
  • The highest country average cost of a data breach was $9.05M for the U.S.
  • The highest industry average cost of a data breach was $9.23M (healthcare)
  • The cost per lost or stolen record was $161
  • The time to identify and contain a data breach was 287 days
https://www.ibm.com/downloads/cas/OJDVQGRY
Need for Database Security (contd.)
• As per IBM (2021), the four cost components are:
https://www.ibm.com/downloads/cas/RDEQK07R
Need for Database Security (contd.)
• Data breaches typically involve unauthorized access of company databases (Privacy Rights Clearinghouse, 2020)
https://privacyrights.org/data-breaches
Database Security Fundamentals
Database Security Fundamentals
• Oracle Database Security – Oracle France
Source: Oracle France – Database Security – https://www.youtube.com/watch?v=GXF3T4g2tJg
Database Security Fundamentals (contd.)
• As per Oracle (2021), effective database security involves using the following powerful preventive and detective security controls:
  • Transparent Data Encryption (TDE)
  • Encryption key management
  • Privileged user and multifactor access control
  • Data classification and discovery
  • Database activity monitoring and blocking
  • Consolidated auditing and reporting
  • Data masking
https://download.oracle.com/database/oracle-database-security-primer.pdf
Database Security Fundamentals (contd.)
• Transparent Data Encryption (TDE)
  • Helps prevent attacks that attempt to bypass the database and read sensitive information from data files at the operating system level, from database backups, or from database exports by encrypting data in the database layer
https://www.oracle.com/a/tech/docs/dbsec/aso/advanced-security-wp-19c.pdf
Database Security Fundamentals (contd.)
• Transparent Data Encryption (TDE) (continued)
  • It is transparent because the encryption and decryption processes do not require any application changes, and the application users do not have to directly deal with encrypted data
  • It supports tablespace encryption and column encryption
Database Security Fundamentals (contd.)
• Encryption Key Management
  • TDE uses a two-tier key management architecture
    • Consists of data encryption keys and a master encryption key
    • Enables rotation of master keys without having to re-encrypt all of the sensitive data
    • Oracle Database 18c introduced support for Bring Your Own Key (BYOK)
  • Data encryption keys
    • Are managed automatically by the database
  • The master encryption key
    • Is used to encrypt the data encryption keys
    • Is stored and managed outside of the database within an Oracle Wallet or in an Oracle Key Vault
https://www.oracle.com/a/tech/docs/dbsec/aso/advanced-security-wp-19c.pdf
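The two-tier scheme above, as an added worked example that is not Oracle's code: per-table data encryption keys (DEKs) are wrapped by one master encryption key (MEK) held in a separate wallet object, and rotating the MEK re-wraps only the small DEK blobs while the row ciphertext stays untouched. AES is not in the Python standard library, so the cipher is a stand-in counter mode built from HMAC-SHA256; the names Wallet and EncryptedStore are this example's own assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CTR (assumption).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Check the tag first; raise ValueError on a wrong key or tampered bytes."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

def can_unwrap(key, blob):
    """True if `key` authenticates and decrypts `blob`."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False

class Wallet:
    """Stand-in for the external keystore (wallet / key vault) that holds the MEK."""
    def __init__(self):
        self.mek = os.urandom(32)
        self.generation = 1

    def rotate(self):
        self.mek = os.urandom(32)
        self.generation += 1

class EncryptedStore:
    """Tables encrypted under per-table DEKs; each DEK is stored wrapped by the MEK."""
    def __init__(self, wallet):
        self.wallet = wallet
        self.wrapped_deks = {}   # table name -> DEK wrapped under the current MEK
        self.tables = {}         # table name -> ciphertext of the rows

    def write(self, table, rows):
        dek = os.urandom(32)
        self.wrapped_deks[table] = encrypt(self.wallet.mek, dek)
        self.tables[table] = encrypt(dek, rows)

    def read(self, table):
        dek = decrypt(self.wallet.mek, self.wrapped_deks[table])
        return decrypt(dek, self.tables[table])

    def rotate_master_key(self):
        # Unwrap every DEK under the old MEK and re-wrap under a fresh one.
        # The row ciphertext in self.tables is never touched.
        deks = {t: decrypt(self.wallet.mek, w) for t, w in self.wrapped_deks.items()}
        self.wallet.rotate()
        self.wrapped_deks = {t: encrypt(self.wallet.mek, d) for t, d in deks.items()}

def demo():
    """Rotate the MEK once and report what changed."""
    wallet = Wallet()
    store = EncryptedStore(wallet)
    rows = b"alice,4111111111111111"          # constructed sample row
    store.write("customers", rows)
    before = store.tables["customers"]
    old_mek = wallet.mek
    store.rotate_master_key()
    return {
        "data_unchanged": store.tables["customers"] == before,
        "readable_after_rotation": store.read("customers") == rows,
        "generation": wallet.generation,
        "old_mek_unwraps": can_unwrap(old_mek, store.wrapped_deks["customers"]),
    }
```

Losing the wallet (the MEK) makes every DEK, and so every table, unreadable, which is why the slide stresses managing it outside the database.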
Database Security Fundamentals (contd.)
• Privileged User and Multifactor Access Control – Oracle Database Vault
Source: Oracle – Database Vault – https://www.youtube.com/watch?v=AomjVCdUp6k
https://www.oracle.com/database/technologies/security/db-vault.html
Database Security Fundamentals (contd.)
• Data Classification and Discovery
  • Oracle Label Security enforces data access requirements and records data classification levels at the database row level
  • Automated discovery of sensitive columns and parent-child relationships
    • The discovery process uses built-in extensible patterns such as credit card numbers and national identifiers to check metadata and column data to identify sensitive columns
    • The discovery results are stored as an application data model, which is reusable across multiple databases
https://www.oracle.com/a/tech/docs/dbsec/dms/oracle-dms-data-sheet-2019.pdf
https://www.oracle.com/database/technologies/security/label-security.html
Database Security Fundamentals (contd.)
• Database Activity Monitoring and Blocking
  • Oracle Database Firewall provides a first line of defense for databases
https://www.oracle.com/technetwork/products/audit-vault/downloads/ds-security-avdf-4412080.pdf
Database Security Fundamentals (contd.)
• Consolidated Auditing and Reporting
  • Oracle Audit Vault consolidates audit data from databases, operating systems, and directories
https://www.oracle.com/technetwork/products/audit-vault/downloads/ds-security-avdf-4412080.pdf
Database Security Fundamentals (contd.)
• Data Masking
  • Oracle Data Masking provides a flexible option to discover, mask and subset sensitive data, enabling the data to be safely shared across non-production environments
  • Non-production environments such as test and development systems are potential targets for a cyber attack as they generally contain copies of production data
  • Compliance costs are lowered as masked non-production databases are out of scope for the audit teams
  • Sensitive data such as credit card numbers, national identifiers, and other personally identifiable information (PII) can be masked using predefined masking formats
https://www.oracle.com/security/database-security/data-masking/
https://www.oracle.com/a/tech/docs/dbsec/dms/oracle-dms-data-sheet-2019.pdf
Database Security Issues
Database Security Issues
• Specific database security issues include:
  • Cloud database configuration errors
  • SQL injection
  • Weak authentication
  • Privilege abuse / excessive privileges
  • Inadequate logging / weak auditing
  • Unpatched services
  • Insecure system architecture
  • Inadequate backups
Source: BCS.org – The Chartered Institute for IT – https://www.bcs.org/articles-opinion-and-research/top-ten-database-attacks
Database Security Issues (contd.)
• OWASP Top 10 – A1:2017 – Injection
Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html
Database Security Issues (contd.)
• Common database security vulnerabilities:
Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html
Database Security Issues (contd.)
• OWASP Top 10: SQL Injection – Security Innovation
Source: Security Innovation – OWASP Top 10: SQL Injection – https://www.youtube.com/watch?v=X34cKt8RfJs
Database Security Issues (contd.)
• OWASP Top 10 – A3:2017 – Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Database Security Issues (contd.)
• Common database security vulnerabilities:
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Database Security Attacks
Database Security Attacks
• Most common database security attacks include:
Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
Attack Type – Description
SQL Injection – An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data
Denial of Service – Storing too much information in a user session object, such as large quantities of data retrieved from the database, can cause DoS issues
Brute Force – The attacker makes requests to a server using pre-configured values and then analyzes the response
Ransomware – The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data
https://owasp.org/www-community/attacks/SQL_Injection
https://owasp.org/www-community/attacks/Denial_of_Service
https://owasp.org/www-community/attacks/Brute_force_attack
http://owasp-stl.org/guides/owasp_ransomware.pdf
Database Security Attacks (contd.)
• As per IBM (2022), some of the most common database security attacks include:
Attack Type – Description
Insider Threats – Abuse of privileged access by a malicious insider, a negligent insider, or an infiltrator
Human Error – Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors
SQL Injection – Insertion of arbitrary SQL attack strings into database queries served by web applications
Buffer Overflow – A process attempts to write more data to a fixed-length block of memory than it is allowed to hold
https://www.ibm.com/cloud/learn/database-security
https://www.w3schools.com/sql/sql_injection.asp
Database Security Attacks (contd.)
• Common database security attacks (continued):
Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security
Attack Type – Description
DoS/DDoS – The attacker floods the database server with so many requests that the server can no longer fulfil legitimate requests from actual users
Malware – Software written specifically to exploit vulnerabilities or otherwise cause damage to the database
Attacks on Backups – Organizations fail to protect backup data with the same stringent controls used to protect the database itself
Database Security Best Practices
Database Security Best Practices
• OWASP recommends the following best practices:
  • Connect to the database securely
  • Prevent unencrypted traffic at the transport layer
  • Configure databases to always require authentication
  • Never store database credentials in the application source code, especially if they are unencrypted
  • Apply the principle of least privilege to the permissions assigned to database user accounts
  • Harden the underlying operating system for the database server
Source: OWASP – Database Security Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html
Database Security Best Practices (contd.)
• Best practices to secure databases (as per IBM):
  • Consider physical security if the database is not in the cloud
  • Restrict the number of users, their permissions, and network access to the minimum levels necessary
  • Focus on end user account/device security
  • Use best-in-class encryption to protect the data while at rest and in transit
  • Keep the DBMS version up to date and apply patches as soon as they are issued
  • Use best practices for application/web server security
  • Secure backups / log all operations / perform audits regularly
Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security
Database Security Best Practices (contd.)
• Use the following database security best practices:
  • Best practices to protect against SQL Injection:
    • Primary defenses:
      • Use prepared statements with parameterized queries
      • Use stored procedures
      • Allow-list input validation
      • Escape all user supplied input
    • Additional defenses:
      • Enforce least privilege
      • Perform allow-list input validation as a secondary defense
Source: OWASP – SQL Injection Prevention Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
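The primary and additional defenses above, as an added example that is neither OWASP's nor the deck's own code: a string-built lookup beside its parameterized form, an allow-list for a column name that cannot be bound as a parameter, and a read-only SQLite authorizer standing in for a least-privilege database account. It assumes an in-memory sqlite3 database with a constructed users table.

```python
import sqlite3

SAMPLE_USERS = [  # constructed sample rows
    ("alice", "alice@example.test", "admin"),
    ("bob", "bob@example.test", "user"),
    ("carol", "carol@example.test", "user"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, email, role) VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn

def find_user_dynamic(conn, username):
    # Vulnerable: user input is concatenated into the SQL text and parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn, username):
    # Primary defense: the value is bound as data; quotes in it never reach the parser.
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()

ALLOWED_SORT_COLUMNS = {"username", "email", "role"}

def list_users_sorted(conn, sort_by):
    # Identifiers such as column names cannot be bound as parameters, so allow-list them.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_by,))
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by).fetchall()
    return [r[0] for r in rows]

READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

def restrict_to_reads(conn):
    # Least privilege: the application connection may only SELECT/READ;
    # DELETE, DROP, UPDATE and the rest are refused by the engine itself.
    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def demo():
    """Run the same tautology input through both lookups and report the outcomes."""
    conn = make_db()
    injected = "x' OR '1'='1"   # classic tautology string discussed on the cited OWASP pages
    results = {
        "dynamic_rows": len(find_user_dynamic(conn, injected)),          # whole table leaks
        "parameterized_rows": len(find_user_parameterized(conn, injected)),  # no such user
        "sorted": list_users_sorted(conn, "username"),
    }
    try:
        list_users_sorted(conn, "username; DROP TABLE users")
        results["bad_sort_rejected"] = False
    except ValueError:
        results["bad_sort_rejected"] = True
    restrict_to_reads(conn)
    try:
        conn.execute("DELETE FROM users")
        results["delete_blocked"] = False
    except sqlite3.Error:
        results["delete_blocked"] = True
    results["reads_still_work"] = len(find_user_parameterized(conn, "bob"))
    return results
```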
Recap
• Database security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in database mechanisms such as dynamic queries, input validation, key management, access control, configuration, logging, auditing, backups, etc.
• Hackers are able to exploit these weaknesses using attacks such as SQL injection, DoS, brute force, ransomware, etc.
• Best practices to protect databases include understanding what types of data need to be protected, understanding regulatory compliance, discovering/classifying databases based on data sensitivity, using data masking, monitoring, auditing, encryption, access control, parameterized queries, stored procedures, allow-list input validation, hardening, etc.
https://www.oracle.com/a/tech/docs/dbsec/dms/oracle-dms-data-sheet-2019.pdf
Thank you!!!
Browser Security – Issues and Best Practices
Outline
• Intro to Browser Security
• Need for Browser Security
• Browser Security Fundamentals
• Browser Security Issues
  • OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Browser Security Mechanisms
• Browser Security Best Practices
Intro to Browser Security
Intro to Browser Security
• How does a web application work?
[Figure: Client – Server – Involves browsers]
Intro to Browser Security (contd.)
• Browser
  • A browser is “an application that finds and displays web pages”.
  • It coordinates communication between your computer and the web server where a particular website “lives” by:
    • Accepting a website address as a URL
    • Submitting a request to the server to retrieve the content for the page
    • Processing the code (HTML, CSS, JavaScript, etc.) from the server
    • Loading active content (Flash, ActiveX, etc.) needed by the page
    • Displaying the complete, formatted web page
    • Repeating the process for every single user interaction with the page
Source: Understanding Your Computer: Web Browsers – U.S. CERT – https://www.cisa.gov/uscert/ncas/tips/st04-022
Intro to Browser Security (contd.)
• Examples:
  • Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
• Browser Market Share as of February 2022:
Source: Global Web Stats – W3Counter – https://www.w3counter.com/globalstats.php
Intro to Browser Security (contd.)
• Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
• Browser security involves the following:
  • Protection against common client-side attacks
  • Protection against phishing
  • Management of browser extensions
  • Use of adequate cryptography protocols
Source: X41 Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
Intro to Browser Security (contd.)
• Browser security also involves the following:
  • Protection against active content
    • Active content refers to scripts that execute programs within the browser
      • e.g.: scripts used to create splash pages or options like drop-down menus
    • JavaScript is widely used to create active content
    • ActiveX controls reside on your computer and can be used as spyware
  • Protecting cookies
    • Cookies store information such as IP address, domain names, browser info, browsing habits, etc.
    • Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s security settings to block or limit access to cookie information
Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies – https://www.cisa.gov/uscert/ncas/tips/ST04-012
https://www.cisa.gov/uscert/ncas/tips/ST05-001
Intro to Browser Security (contd.)
• Browser-specific security features:
  • Google Chrome security features – https://safety.google/chrome/
  • Apple Safari security features – https://support.apple.com/en-us/HT201265
  • Internet Explorer security features – https://support.microsoft.com/en-us/help/17479/windows-internet-explorer-11-change-security-privacy-settings
  • Microsoft Edge security features – https://www.microsoft.com/en-us/edge/features
  • Mozilla Firefox security features – https://support.mozilla.org/en-US/products/firefox/privacy-and-security
  • Opera security features – https://help.opera.com/en/latest/security-and-privacy/
Intro to Browser Security (contd.)
• Your Browser’s Security Features – GCFLearnFree.org
Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features – https://www.youtube.com/watch?v=2ZZQlgV2Gus
Need for Browser Security
Need for Browser Security
• As per U.S. CERT (2015):
  • Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers
  • Default browsers that come with the Operating Systems are not set up using secure default configurations
  • Unsecure browsers can lead to spyware being installed on your computers, allowing intruders to take control
  • There is an increasing threat from attacks that take advantage of vulnerable web browsers
  • Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers
https://www.cisa.gov/uscert/publications/securing-your-web-browser
Need for Browser Security (contd.)
• As per U.S. CERT (2015), the problem is made worse by a number of factors including the following:
https://www.cisa.gov/uscert/publications/securing-your-web-browser
Need for Browser Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report:
  • 19% of all vulnerabilities were associated with Layer 7 web applications
  • However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities
https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf
Need for Browser Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report, the most common browser-related vulnerabilities are:
  • Cross-Site Scripting – 14.69%
  • Other Injection – 8.18%
  • DOM-based Vulnerability – 1.82%
  • Cross-Site Request Forgery – 1.75%
https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf
Need for Browser Security (contd.)
• Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)
https://privacyrights.org/data-breaches
Browser Security Fundamentals
Browser Security Fundamentals
• How Web Browsers Function – Open Canvas
Source: OpenCanvas – How Web Browsers Function – https://www.youtube.com/watch?v=z0HN-fG6oT4
Browser Security Fundamentals (contd.)
• As per Open Canvas (2016), web browsers use the following architectural components:
  • User interface
  • Rendering engine
  • Browser engine
  • Networking
  • JavaScript interpreter
  • Data storage – cookies, local storage, etc.
https://www.youtube.com/watch?v=z0HN-fG6oT4
Browser Security Fundamentals (contd.)
• Google Chrome Architecture
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y
Browser Security Fundamentals (contd.)
• Google Chrome Architecture:
  • Browser Process
    • Includes the User Interface (UI), networking, and storage
  • GPU Process
    • Handles rich web page content built using features like WebGL
    • Is a separate process to ensure stability and security
  • Utility Process
    • Runs untrusted code on behalf of the browser in a sandbox
      • e.g.: installing an extension, processing JSON
    • Is a short-lived process
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y
Browser Security Fundamentals (contd.)
• Google Chrome Architecture (continued):
  • Extension Process
    • Ensures extensions have limited access to browser, page, & system
    • Stops poorly written extension code from adversely affecting pages
  • Pepper Plugins
    • Handles plugin code not controlled by Google (Flash, PDF, etc.)
    • Uses a new plugin API that is sandboxed
  • Renderer – Blink rendering engine
  • JavaScript Interpreter – V8 JavaScript engine
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y
https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
Browser Security Fundamentals (contd.)
• Google Chrome Security:
  • Hardening and Exploit Mitigation
    • Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.
  • Web Security
    • Same Origin Policy Enforcement
      • Restricts interaction between websites of different origins
    • Port Banning Enforcement
      • Denies connections to non-standard TCP ports
    • Content Security Policy Enforcement
      • Limits what sources of scripts are acceptable
  • HTML5 Features Support
    • Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.
Source: X41 – Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
Browser Security Issues
Browser Security Issues
• Specific browser security issues include the following:
  • Client-side JavaScript code for checking user input is not enough
    • Information sent from the browser can be modified before it reaches the server
    • Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose
  • Protocols such as SSL that browsers rely on have their own issues
  • Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information
  • Java applets are susceptible to Man-in-the-Middle (MITM) attacks
  • Java servlets may be vulnerable to SQL injection
Source: OWASP – Application Security FAQ – https://owasp.org/www-community/OWASP_Application_Security_FAQ
Browser Security Issues (contd.)
• Specific browser security issues include the following:
  • Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content
  • Configuring browser security settings is challenging due to uncertainty of both attack mitigation effectiveness and impact on end users
  • Administrator-driven manual patching often incurs significant lag time before patches are deployed
  • Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality
  • 88% of publicly disclosed vulnerabilities were exploited within a day of release
  • Browser plugins accounted for 34.5% of browser-related vulnerabilities
Source: NSA.gov – Steps to Secure Web Browsing – https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf
https://www.youtube.com/watch?v=AjsYOMatAcg
Browser Security Issues (contd.)
• OWASP Top 10 – A3:2017 – Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Browser Security Issues (contd.)
• Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Browser Security Attacks
Browser Security Attacks
• Most common browser security attacks:
Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
Attack Type – Description
Cache Poisoning – A maliciously constructed response is cached by the browser
Clickjacking – The attacker hijacks clicks meant for their own page and routes them to another page
Cross-Site Request Forgery (CSRF) – An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
Cross-Site Scripting (XSS) – A type of injection in which malicious scripts are injected into otherwise benign and trusted websites
https://owasp.org/www-community/attacks/Cache_Poisoning
https://owasp.org/www-community/attacks/Clickjacking
https://owasp.org/www-community/attacks/csrf
https://owasp.org/www-community/attacks/xss/
Browser Security Attacks (contd.)
• Most common browser security attacks (continued):
Attack Type – Description
Man-in-the-Browser – A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction
Session Hijacking – An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server
Spyware – A program that captures statistical information from a user’s computer and sends it over the internet without user acceptance. This information is usually obtained from cookies and the web browser’s history.
Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
https://owasp.org/www-community/attacks/Man-in-the-browser_attack
https://owasp.org/www-community/attacks/Session_hijacking_attack
https://owasp.org/www-community/attacks/Spyware
Browser Security Best Practices
Browser Security Best Practices
•Best practices for web browser security include:
  • Setting up browsers to auto-update
  • Disabling malicious browser plugins such as adware
  • Connecting to websites only using HTTPS
  • Clearing the browser history, including cookies
  • Disabling the browser’s auto-complete of forms (including stored passwords) functionality
  • Blocking browser pop-ups using extensions such as AdBlock
  • Using VPN or proxy servers
Source: InfoSec Institute – Best Practices for Web Browser Security – https://resources.infosecinstitute.com/best-practices-web-browser-security/
Browser Security Best Practices (contd.)
•Best practices for web browser security include:
  • Enabling automatic updates
    • Mitigates 91% of publicly known vulnerabilities
  • Enabling reputation services such as Google Safe Browsing or Microsoft SmartScreen
    • Prevents 87.7% of socially engineered malware and phishing attempts
  • Disabling unsafe plugins and extensions
  • Using advanced mitigation techniques/tools
    • Browser isolation, cloud browsers, OS-level mitigations, etc.
Source: NSA.gov – Steps to Secure Web Browsing – https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf
https://safebrowsing.google.com/
https://support.microsoft.com/en-us/help/17443/microsoft-edge-smartscreen-faq
Browser Security Best Practices (contd.)
•Use the following best practices to protect against XSS:
Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html
Recap
• Browser security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.
• Hackers are able to exploit the weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.
• Best practices to protect browsers include using auto update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, same origin policy, port banning, content security policy, cloud browsers, etc.
Thank you!!!
Server Security – Issues and Best Practices
Outline
• Intro to Server Security
• Need for Server Security
• Server Security Fundamentals
• Server Security Issues
  • OWASP Top 10 – A6:2017 – Security Misconfiguration
  • OWASP Top 10 – A10:2017 – Insufficient Logging and Monitoring
• Attacks against Server Security Mechanisms
• Server Security Best Practices
Intro to Server Security
Intro to Server Security
• How does a web application work?
(Diagram: Client – Server; involves servers)
Intro to Server Security (contd.)
• Server
  • A server serves as the host for web applications
  • It refers to the “server” portion of the client-server architecture
  • It receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser
  • It authenticates the client based on the user-supplied credentials
  • It authorizes the client’s access to the requested web application after authentication
Intro to Server Security (contd.)
• Server (continued)
  • It sends an HTTP response header back to the client machine with the response code 200 for successful requests or the response code 404 for page not found (maybe due to a broken link)
  • It uses ports to make services available to clients
    • Common port numbers: 80 for HTTP traffic, 443 for HTTPS traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.
  • Examples:
    • Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.
Intro to Server Security (contd.)
• Server Market Share:
Source: Web and Application Servers Market Share Report – Datanyze – https://www.datanyze.com/market-share/web-and-application-servers--425
Intro to Server Security (contd.)
• What is a Server? – PowerCert Animated Videos
Source: PowerCert Animated Videos – What is a Server? – https://www.youtube.com/watch?v=UjCDWCeHCzY
Intro to Server Security (contd.)
• Server security refers to “the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function” (NIST SP 800-123, pg. 10)
• Server security involves the following (NIST SP 800-44, pg. 18):
  • Installing, configuring, and securing the server Operating System (OS)
  • Installing, configuring, and securing the server software
  • Employing appropriate network protection mechanisms
    • Firewalls, packet filtering routers, proxies, etc.
  • Ensuring that the hosted web applications are securely coded
  • Employing secure administration and maintenance processes
    • Patching and upgrading, testing, monitoring of logs, backing up data and OS
  • Protecting information and data in a careful/systemic manner
  • Conducting initial/periodic vulnerability scans of server/network infrastructure
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Intro to Server Security (contd.)
• Server security (by technology):
  • Apache HTTP Server security settings
  • NGINX security settings
  • Internet Information Services (IIS) security settings
  • LiteSpeed Web Server security settings
  • OpenResty security settings
• Server security (by Operating System):
  • Ubuntu Linux Server guide
  • Windows Server security guide
  • macOS Server guide
http://httpd.apache.org/docs/2.4/misc/security_tips.html
https://docs.nginx.com/nginx/admin-guide/security-controls/
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/new-features-introduced-in-iis-10-1709
https://www.litespeedtech.com/products/litespeed-web-server/features/feature-explanations
https://openresty.org/en/ann-1015008002.html
https://assets.ubuntu.com/v1/f954307f-ubuntu-server-guide.pdf
https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022
https://support.apple.com/guide/server/welcome/mac
Need for Server Security
Need for Server Security
• As per NIST SP 800-123:
  • Servers are frequently targeted by attackers because of the value of their data and services
  • Servers might contain personally identifiable information that could be used to perform identity theft
  • Most organizations install servers with standard directory names, directory locations, and filenames, making it easy for attackers to target those servers
  • The failure of organizations to fully recognize the amount of expense and skills required to field a secure server often results in overworked employees and insecure systems
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Need for Server Security (contd.)
• As per NIST SP 800-123 (continued):
  • Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security
  • The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services
  • Because manufacturers are unaware of each organization’s security needs, server administrators need to configure new servers to reflect their organizations’ security requirements and reconfigure them as needed
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Need for Server Security (contd.)
• As per NIST SP 800-44:
  • Compromised web sites can serve as an entry point for intrusions into many organizations’ internal networks
  • Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data
  • Hackers could compromise web server security by:
    • defacing organizations’ web sites or otherwise affecting integrity
    • executing unauthorized commands on the host OS
    • launching attacks on external sites from the web server
    • using the server to deliver attacks against vulnerable clients
    • using the server to distribute illegally copied software
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Need for Server Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report, the most common infrastructure vulnerabilities include the following server-related issues:
  • 44.70% – SSL / TLS Version & Configuration Issues
  • 29.53% – SMB Security Issues
  • 8.61% – OpenSSH Vulnerabilities & Configuration Issues
  • 6.25% – Windows Remote Desktop Protocol Server MITM
  • 4.15% – Unencrypted Telnet Services
  • 1.69% – Unsupported & Unpatched Server Detection
https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf
Need for Server Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report:
  • 33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems)
  • 7.53% of all high and critical risk vulnerabilities discovered in 2018 related to exposure to NotPetya CVEs (CVE-2017-0144, CVE-2017-0145) – Windows Server Message Block (SMB) Remote Code Execution Vulnerability
  • Systems using Apache and PHP also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems
https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf
https://www.cisa.gov/uscert/ncas/alerts/TA17-181A
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0145
Need for Server Security (contd.)
• Hackers are increasingly using servers to cause data breaches (Privacy Rights Clearinghouse, 2020)
https://privacyrights.org/data-breaches
Server Security Fundamentals
Server Security Fundamentals
• What is the Apache HTTP Server? – CBT Nuggets
Source: CBT Nuggets – What is the Apache HTTP Server? – https://www.youtube.com/watch?v=fRLJ3bnbHmE
Server Security Fundamentals (contd.)
• A basic Apache web server architecture includes the following components (Kew, 2007):
  • Modules
  • Multi-Processing Modules (MPM)
  • Apache Portable Runtime (APR) Libraries
http://ptgmedia.pearsoncmg.com/images/9780132409674/samplechapter/kew_ch02.pdf
Server Security Fundamentals (contd.)
• Apache web server architecture:
  • Modules
    • Functionality that can be used to do things such as authentication, dynamic content generation, encryption, virus scanning, file compression, email services, file transfer services, etc.
  • Multi-Processing Modules (MPM)
    • Special module which allows Apache to be configured as a pure process-based server, a pure threaded server, or both
  • Apache Portable Runtime (APR) Libraries
    • Provide for platform-specific tuning and optimization
Source: Apache – Apache HTTP Server Version 2.4 Documentation – https://httpd.apache.org/docs/2.4/
https://httpd.apache.org/docs/2.4/mod/
http://apr.apache.org/
Server Security Fundamentals (contd.)
• Apache web server security:
  • Modular architecture
    • Allows modules to be enabled or disabled to add and remove web server functionality
    • Only MPM modules can interact directly with the Operating System
  • Authentication
    • Modules can authenticate against plain text files and database files including Oracle, MySQL, PostgreSQL, etc.
    • E.g. mod_auth_basic, mod_auth_digest, mod_auth_form, mod_authn_dbd, etc.
Source: Apache – Apache HTTP Server Version 2.4 Documentation – https://httpd.apache.org/docs/2.4/
https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html
https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html
https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html
https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html
Server Security Fundamentals (contd.)
• Apache web server security (continued):
  • Access Control
    • The mod_access_compat module can restrict access to resources based on the IP address or hostname of the client
  • SSL / TLS
    • The mod_ssl module provides strong encryption to protect data transmitted between the web server and the client
  • Proxy
    • Apache supports both a traditional HTTP proxy and a reverse proxy
    • A reverse proxy can be used for load balancing
  • Virtual Hosting Support and XML Security
Source: TLDP.org – Apache Overview HOWTO – https://www.tldp.org/HOWTO/pdf/Apache-Overview-HOWTO.pdf
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
http://santuario.apache.org/
Server Security Fundamentals (contd.)
• Apache web server security (continued):
  • Configuration Settings
    • Modules come with several directives related to timeouts, resource consumption, request processing, concurrent connections, etc.
  • Common Gateway Interface (CGI) & Server Side Includes (SSI)
    • The suEXEC feature can considerably reduce the security risks involved with allowing users to develop and run private CGI or SSI programs
  • Logs
    • The mod_log_config and mod_log_forensic modules can be used to log everything that happens on the server
Source: Apache.org – Apache HTTP Server Documentation Version 2.4 – https://archive.apache.org/dist/httpd/docs/httpd-docs-2.4.33.en.pdf
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html
https://httpd.apache.org/docs/2.4/mod/mod_log_forensic.html
Server Security Issues
Server Security Issues
• As per NIST SP 800-123 (pg. 7), server security issues include:
Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Server Security Issues (contd.)
• As per NIST SP 800-44 (pg. 17-18), other server security issues include the following:
  • Misconfiguration or other improper operation of the web server, which may result, for example, in the disclosure or alteration of proprietary or sensitive information. This information can include items such as:
    • Assets of the organization
    • Configuration of the server or network that could be exploited for subsequent attacks
    • Credentials of the users or administrator(s) of the web server
  • Inadequate or unavailable defense mechanisms for the web server to prevent certain classes of attacks, such as DoS attacks, which disrupt the availability of the web server and prevent authorized users from accessing the web site when required
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Server Security Issues (contd.)
• Common server security vulnerabilities:
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Server Security Issues (contd.)
• OWASP Top 10 – A10:2017 – Insufficient Logging & Monitoring
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Server Security Issues (contd.)
• Common server security vulnerabilities:
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Server Security Attacks
Server Security Attacks
• Most common server security attacks:
  • Denial of Service (DoS) – Attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services. Attacks may take advantage of the server’s account lockout policy. Attacks may involve uploading many large files. Attacks take advantage of simultaneous network connections.
  • Malware – Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the server
Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Server Security Attacks (contd.)
• Most common server security attacks (continued):
  • Man-in-the-Middle (MITM) – Password information can be intercepted using network sniffers and used by an attacker to masquerade as an authorized user
  • SYN Flood – If the maximum number of open connections (or connections that are half-open—that is, the first part of the TCP handshake was successful) is set to a low number, an attacker can easily consume the available connections with illegitimate requests (often called a SYN flood)
Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
https://www.sciencedirect.com/topics/computer-science/three-way-handshake
Server Security Attacks (contd.)
• Most common server security attacks (continued):
  • Brute Force – Attackers try every possible password to attempt to gain access to a user’s account
  • Command Injection – Compromise of sensitive information on backend databases that are used to support a web application
  • Directory Traversal – Unauthorized access, including gaining access to files or folders and being able to execute commands and/or install software on the web server
  • Replay Attack – An impostor verifier replays the OTP authenticator output to the verifier and successfully authenticates to the web server (NIST SP 800-63b)
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
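As an added example (not from the slides, NIST SP 800-44 or the Apache project), the following Python script runs two detectors over Apache access-log lines in mod_log_config’s "combined" format, one for the brute-force logins and one for the directory traversal attempts listed above; the login path, thresholds, window and every log line are assumptions constructed for the example.

```python
"""Detect brute-force logins and directory traversal in Apache access logs.

Added example, not code from the slides or NIST SP 800-44. It assumes the
"combined" LogFormat of mod_log_config; the login path, the thresholds and
every log line below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache combined LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# ".." as a whole path segment, checked after URL decoding
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_traversal(path):
    """True if the request path contains a '..' segment, plain or URL-encoded.

    Decoding twice also catches double-encoded forms such as %252e%252e%252f.
    """
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return TRAVERSAL_RE.search(decoded) is not None


def find_brute_force(records, login_path="/login", threshold=5,
                     window=timedelta(minutes=1)):
    """Return {ip: total_failures} for clients with at least `threshold`
    failed logins (401/403 on login_path) inside any sliding `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["path"].startswith(login_path) and r["status"] in (401, 403):
            failures[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def find_traversal(records):
    """Return (ip, raw_path) for every request whose path is a traversal attempt."""
    return [(r["ip"], r["path"]) for r in records if is_traversal(r["path"])]


def analyse(lines):
    """Run both detectors over an iterable of raw log lines."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return {"brute_force": find_brute_force(records),
            "traversal": find_traversal(records)}


# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2020:13:55:{s:02d} +0000] '
    '"POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"'
    for s in (1, 5, 9, 13, 17, 21)          # six failures in 20 seconds
] + [
    '198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2020:13:56:30 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2020:13:57:11 +0000] "GET /files/..%2F..%2Fprivate.txt HTTP/1.1" 404 209 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Oct/2020:13:57:12 +0000] "GET /downloads/%252e%252e%252fprivate.txt HTTP/1.1" 404 209 "-" "curl/7.68.0"',
    '192.0.2.20 - - [10/Oct/2020:13:58:00 +0000] "GET /docs/v2..3/index.html HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

The last sample line is a legitimate path containing ".." inside a segment name; it is not flagged because only a whole ".." segment counts.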
Server Security Attacks (contd.)
• Replay Attacks – Professor Messer
Source: Replay Attacks – CompTIA Security+ SY0-401: 3.2 – https://www.youtube.com/watch?v=Ar97HbWLijU
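One server-side mitigation for the OTP replay described above, as an added example that is not code from the slides or NIST SP 800-63B: the verifier accepts each HOTP (RFC 4226) counter value only once and never accepts a counter at or below the last one it accepted. The HOTP routine and its test secret are from RFC 4226; the verifier class and its look-ahead width are assumptions made for the example.

```python
"""Replay-resistant HOTP (RFC 4226) verification.

Added example, not code from the slides or NIST SP 800-63B. The HOTP
computation is the RFC 4226 algorithm; the verifier's bookkeeping (last
accepted counter plus a look-ahead window) is an illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side verifier whose accepted codes cannot be replayed.

    A code is valid only if it matches a counter strictly greater than the
    last accepted counter and within `look_ahead` steps of it; each counter
    is therefore consumed exactly once."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1          # nothing accepted yet

    def verify(self, code: str) -> bool:
        first = self.last_counter + 1
        for c in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c   # consume this counter
                return True
        return False                    # replay, behind, too far ahead, or wrong


# RFC 4226 Appendix D test secret
RFC_SECRET = b"12345678901234567890"


def demo():
    """Accept / replay / skip-ahead / behind / too-far cases; returns outcomes."""
    v = HotpVerifier(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    return [
        v.verify(first),                 # counter 0: accepted
        v.verify(first),                 # same code again: replay rejected
        v.verify(hotp(RFC_SECRET, 1)),   # counter 1: accepted
        v.verify(hotp(RFC_SECRET, 4)),   # counter 4: within look-ahead, accepted
        v.verify(hotp(RFC_SECRET, 3)),   # counter 3: behind last accepted, rejected
        v.verify(hotp(RFC_SECRET, 30)),  # counter 30: beyond look-ahead, rejected
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, True, True, False, False]
```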
Server Security Best Practices
Server Security Best Practices
• Best practices for web server security include:
  • Planning and managing web servers (pg. 33)
    • Plan the configuration and deployment of the web server
    • Choose an appropriate Operating System (OS) for the web server
    • Choose an appropriate platform for the web server
      • General purpose OS, Trusted OS, web server appliance, virtualized platform, etc.
  • Securing the web server OS (pg. 41)
    • Patch and upgrade the OS
    • Remove or disable unnecessary services and applications
    • Configure OS user authentication
    • Configure resource controls appropriately
    • Install and configure additional security controls
    • Test the security of the OS
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
• Best practices for web server security include:
  • Securing the web server (pg. 51)
    • Securely install the web server
    • Configure OS and web server access controls
    • Configure a secure web content directory
  • Securing web content (pg. 70)
    • Ensure that sensitive information is not available on the web server
    • Establish an organization-wide documented formal policy and process for approving public web content
    • Maintain web user privacy
    • Mitigate indirect attacks on content
    • Consider client-side active content security
    • Maintain server-side active content security
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
• Best practices for web server security include:
  • Using authentication and encryption technologies (pg. 86)
    • Configure web authentication and encryption technologies
    • Configure SSL / TLS
    • Protect against brute force attacks
  • Implementing a secure network infrastructure (pg. 99)
    • Identify a network location
    • Assess firewall configuration
    • Evaluate intrusion detection and prevention systems
    • Assess network switches
    • Evaluate load balancers
    • Evaluate reverse proxies
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
• Best practices for web server security include:
  • Administering the web server (pg. 113)
    • Perform logging
    • Perform web server backups
    • Recover from a compromise
    • Test security
    • Conduct remote administration and content updates
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
• Use the following server security best practices to protect against security misconfiguration:
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
Server Security Best Practices (contd.)
• Use the following server security best practices to protect against insufficient logging and monitoring:
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Recap
• Server security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in server technologies such as authentication, access controls, configuration, connections, encryption, active content, logs, etc.
• Hackers are able to exploit the weaknesses using attacks such as DoS, malware, MITM, SYN flood, brute force, command injection, directory traversal, replay attacks, etc.
• Best practices to protect servers include planning and managing web servers, securing the web server OS, securing the web server, securing web content, using authentication and encryption technologies, implementing a secure network infrastructure, administering the web server, etc.
Thank you!!!
Code Security – Issues and Best Practices
Outline
Intro to Code Security
Need for Code Security
Code Security Fundamentals
Code Security Issues
◦ OWASP Top 10 – A4:2017 – XML External Entities (XXE)
◦ OWASP Top 10 – A8:2017 – Insecure Deserialization
◦ OWASP Top 10 – A9:2017 – Using Components with Known Vulnerabilities
Attacks against Code Security Mechanisms
Code Security Best Practices
Intro to Code Security
Intro to Code Security
What is Code?
◦ Code refers to instructions issued to a computer that tell it which actions to perform and in what order
◦ Code is made of strings of typed letters, numbers, and figures, which constitute a language complete with spelling rules and syntax
◦ Code is used to do all sorts of activities including:
  ◦ Building websites
  ◦ Flying airplanes
  ◦ Running NASA satellites
  ◦ Making cars/cellphones/TVs/gaming consoles, etc. work
Source: Indeed.com – How to Write Code in 6 Steps? – https://www.indeed.com/career-advice/career-development/how-to-write-code
Intro to Code Security (contd.)
Code Types
◦ Markup Languages – Use start tags (<>) and end tags (</>) to represent different components
  ◦ Examples:
    ◦ HTML – Is the code that describes the structure and content of a web application
    ◦ XML – Is code that is designed to store and transport data in both human- and machine-readable format
    ◦ SAML – Is a framework for describing and exchanging security information between online business partners
https://www.w3schools.com/html/default.asp
https://www.w3schools.com/xml/default.asp
https://wiki.oasis-open.org/security/FrontPage
Intro to Code Security (contd.)
Code Types (continued)
◦ Scripting Languages – Used to write small programs that are usually interpreted at runtime by a runtime environment
  ◦ Examples (client-side):
    ◦ JavaScript – Is a cross-platform scripting language that can be embedded within web pages to create interactive documents
    ◦ AJAX – Is a collection of technologies that allows web developers to improve the response times between web pages
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
https://www.w3schools.com/js/default.asp
https://www.w3schools.com/xml/ajax_intro.asp
Intro to Code Security (contd.)
Code Types (continued)
◦ Scripting Languages – Can also be used from the server side
  ◦ Examples (server-side):
    ◦ CGI – Is used to make web sites interact with databases and other applications
    ◦ SSI – Is a limited scripting language supported by most web servers
    ◦ ASP – Is used to create dynamic and interactive web applications for servers that serve “.asp” web pages using the .NET framework
    ◦ PHP – Is used to create dynamic web pages that extract data from a database and present it on a web page
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
Intro to Code Security (contd.)
Code security refers to “a set of technologies and best practices for making software as secure and stable as possible. It encompasses everything from encryption, certificates, and federated identity to recommendations for moving sensitive data, accessing a file system, and managing memory” (Red Hat, 2020)
As per Apple (2016), code security involves writing software that:
◦ Is resistant to attack by malicious or mischievous people or programs
◦ Stops an attacker from accessing and taking control of a server or a user’s computer, resulting in denial of service, compromise of secrets, or damage to the systems of thousands of users
◦ Protects a user’s data from theft or corruption
◦ Is secure regardless of whether it is a small script or a commercial application
https://developers.redhat.com/topics/secure-coding/
https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
Need for Code Security
Need for Code Security
As per OWASP (2010):
◦ It is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach
◦ Securing critical software resources is more important than ever as the focus of attackers has steadily moved toward the application layer
◦ Failure to do secure coding can compromise:
  ◦ The software and its associated information
  ◦ The operating systems of the associated servers
  ◦ The backend database
  ◦ Other applications in a shared environment
https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Need for Code Security (contd.)
As per Veracode (2020):
◦ Code security analysis is a must for competitive enterprises
◦ Most current threats are directed at the application layer
◦ It is critical to search code for vulnerabilities such as backdoors and malicious code before hackers discover and exploit those vulnerabilities using a variety of attacks
◦ Such code-targeted attacks on the enterprise can have severe consequences:
  ◦ Reduce productivity
  ◦ Tie up valuable organizational resources
  ◦ Damage brand reputation
  ◦ Cut into profits
https://www.veracode.com/security/code-security-analysis
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, web applications coded in the most common languages have at least 1 vulnerability:
https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-volume-10-veracode-report.pdf
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, the flaw intensity vs flaw prevalence are:
https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-volume-10-veracode-report.pdf
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, the flaw intensity vs flaw prevalence are:
https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-volume-10-veracode-report.pdf
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, the flaw debt types by language are:
https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-volume-10-veracode-report.pdf
Need for Code Security (contd.)
Poor code security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)
https://privacyrights.org/data-breaches
Code Security Fundamentals
Code Security Fundamentals
Secure Coding Standards – SEI | CMU | CERT
Source: SEI | CMU | CERT – Secure Coding Standards – https://www.youtube.com/watch?v=WYKSivnp3gA
Code Security Fundamentals (contd.)
Code security (by code type):
◦ Markup language security
  ◦ HTML security
  ◦ XML security
  ◦ SAML security
◦ Scripting language (client-side) security
  ◦ JavaScript security (in Firefox)
  ◦ AJAX security
https://html.spec.whatwg.org/multipage/introduction.html
https://www.w3.org/standards/xml/security.html
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_
81. Code Security
Issues
24
Code Security Issues
Specific code security issues include the following:
◦ Vulnerabilities in C amounted to 50% of all reported vulnerabilities
◦ The most common CWEs across most programming languages are Cross-Site Scripting (XSS), Input Validation, Permissions, Privileges, and Access Control, and Information Leak / Disclosure
◦ A significant rise was seen in reported vulnerabilities as a result of the use of automated tools and the trend of bug bounty programs
◦ While there was a spike in the number of reported security vulnerabilities in the past couple of years, the number of high severity vulnerabilities has decreased in most languages.
Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/
Code Security Issues (contd.)
Specific code security issues include the following:
◦ Total reported vulnerabilities per language
Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/
Code Security Issues (contd.)
Top 3 vulnerabilities per language
Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/
Code Security Issues (contd.)
OWASP Top 10 – A4:2017 – XML External Entities (XXE)
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) – https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) – https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
Code Security Issues (contd.)
OWASP Top 10 – A8:2017 – Insecure Deserialization
Source: OWASP Top 10 2017 A8 – Insecure Deserialization – https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A8 – Insecure Deserialization – https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Code Security Issues (contd.)
OWASP Top 10 – A9:2017 – Using Components with Known Vulnerabilities
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities – https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities – https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
Code Security Attacks
Code Security Attacks
Most common code security attacks:
Attack Type – Description
◦ Billion Laughs Attack / XML Bomb – A block of XML that is both well-formed and valid according to the rules of an XML schema but which crashes or hangs a program when that program attempts to parse it (Microsoft, 2015)
◦ Buffer Overflow – An attack which consists of overwriting memory fragments of a process, resulting in errors that end execution of the application in an unexpected way
◦ Code Injection – An attack which consists of injecting code that is then interpreted/executed by the application
https://owasp.org/www-pdf-archive/XML_Based_Attacks_-_OWASP.pdf
https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses
https://owasp.org/www-community/attacks/Buffer_overflow_attack
https://owasp.org/www-community/attacks/Code_Injection
Code Security Attacks (contd.)
Most common code security attacks (continued):
Attack Type – Description
◦ JSON Injection – A simple server-side attack that could be performed in PHP to grant admin privileges to a regular user
◦ SSI Injection – An attack that allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely
◦ XXE Attack – The attacker breaks out of the usual processing schema, bypasses the security verification and reads locally stored files
https://www.acunetix.com/blog/web-security-zone/what-are-json-injections/
https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection
http://sso-attacks.org/XML_External_Entity_Attack
Code Security Attacks (contd.)
What is an XXE Attack – Hacksplaining
Source: Hacksplaining – What is an XXE Attack? – https://www.youtube.com/watch?v=hIHrGuG3r5w
Code Security Best Practices
Code Security Best Practices
Best practices for code security include:
◦ Establishing coding standards and conventions
  ◦ Select languages based on the security issues they inherit
  ◦ Use built-in security features
  ◦ Use loosely coupled frameworks / libraries / components
  ◦ Enforce standards
◦ Using safe functions / APIs only
  ◦ Provide guidance to developers on what functions / APIs to avoid
  ◦ Use appropriate tools to assist in identifying and reviewing the usage of dangerous functions
  ◦ Use the latest versions of compilers / interpreters / runtime environments
Source: SAFEcode.org – Fundamental Practices for Secure Software Development – https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
Code Security Best Practices (contd.)
Best practices for code security include (continued):
◦ Using code analysis tools to find security issues early
  ◦ Use tools to analyze code to identify deviation from requirements
  ◦ Use tools that plug directly into the IDE
  ◦ Use secure code review to identify logical errors in the source code
◦ Handling data safely / handling errors gracefully
  ◦ Use input validation techniques to begin with
  ◦ Enforce data segregation to prevent data from becoming application logic
  ◦ Use encoding so that data is interpreted in the context in which it is used
  ◦ Use data binding, which prevents data from being interpreted as control logic
  ◦ Use sanitization techniques to remove, replace, or encode unwanted characters
Source: SAFEcode.org – Fundamental Practices for Secure Software Development – https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
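An added example, not from SAFECode or the slides, that walks through the four data-handling items above (input validation, data binding, context encoding, sanitization) in Python against an in-memory SQLite table, with the concatenated "before" query beside the bound one. The usernames, rows and regular expression are constructed for the example.

```python
"""Handling data safely: validation, data binding, encoding, sanitization.

Added example (not from the SAFECode paper or the slides); uses only the
Python standard library and an in-memory SQLite table built inline.
"""
import html
import re
import sqlite3

# Constructed sample rows; no real accounts.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Input validation: a username is a closed alphabet, so anything outside it
# is rejected before it reaches the database or a page.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """'Before' version: data is concatenated into control logic (the SQL).

    A value containing a quote changes the structure of the query, which is
    the code-injection weakness the slides describe.
    """
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Validation first, then data binding: the value travels as a bound
    parameter and cannot be interpreted as SQL, whatever it contains."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name: str) -> str:
    """Context encoding: the same value is HTML-escaped when placed in HTML."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def sanitize_search_term(term: str) -> str:
    """Sanitization: keep only the characters the search feature needs."""
    return re.sub(r"[^A-Za-z0-9 ]", "", term)[:64]


def demo() -> dict:
    """Run the 'before' and 'after' lookups on the same injected input."""
    conn = make_db()
    injected = "' OR '1'='1"                      # structure-changing input
    unsafe_rows = lookup_unsafe(conn, injected)   # matches every row
    try:
        lookup_safe(conn, injected)
        safe_result = "accepted"
    except ValueError:
        safe_result = "rejected by validation"
    # Even with validation skipped, binding keeps the quote as literal data:
    bound_rows = conn.execute(
        "SELECT name FROM users WHERE name = ?", (injected,)).fetchall()
    return {
        "unsafe_rows": len(unsafe_rows),
        "safe_result": safe_result,
        "bound_rows": len(bound_rows),
        "greeting": render_greeting("<b>alice</b>"),
    }


if __name__ == "__main__":
    print(demo())
```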
Code Security Best Practices (contd.)
Best practices for code security include the following:
◦ Take Security Requirements and Risk Information into Account During Software Design
◦ Review the Software Design to Verify Compliance with Security Requirements and Risk Information
◦ Verify Third-Party Software Complies with Security Requirements
◦ Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality
◦ Create Source Code Adhering to Secure Coding Practices
Source: NIST – Cybersecurity White Paper – https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf
Code Security Best Practices (contd.)
Best practices for code security include the following:
◦ Configure the Compilation and Build Processes to Improve Executable Security
◦ Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
◦ Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
◦ Configure the Software to Have Secure Settings by Default
Source: NIST – Cybersecurity White Paper – https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf
Code Security Best Practices (contd.)
Use the following code security best practices to protect against XML External Entities (XXE):
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) – https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
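The Billion Laughs and XXE rows of the attack table above and this slide come down to one control: untrusted XML must not be allowed to carry a DTD. As an added example that is not from the slides or OWASP, a stdlib-only Python parser that rejects DOCTYPEs and external entity references, run against constructed benign and hostile documents (the entity-expansion sample is deliberately tiny and the external entity target is a placeholder).

```python
"""Hardened XML parsing for untrusted input (added example, stdlib only)."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses a feature we refuse to process."""


# Constructed sample inputs; none are taken from a real system.
BENIGN_XML = b"<order><item>widget</item><qty>2</qty></order>"

# Deliberately tiny entity-expansion document: 3 levels of 3 = 27 copies.
# Real XML bombs nest far deeper; this one only shows the mechanism.
TINY_BOMB_XML = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# External entity reference; the target is a placeholder, not a real path.
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file"> ]>
<data>&ext;</data>"""


def _collect(parser):
    """Turn parse events into a list of (tag, text), in end-tag order."""
    elements, stack = [], []

    def start(name, attrs):
        stack.append((name, []))

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(name):
        tag, parts = stack.pop()
        elements.append((tag, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    return elements


def parse_trusting_xml(data: bytes) -> list:
    """Default expat behaviour: internal entities are expanded as declared."""
    parser = xml.parsers.expat.ParserCreate()
    elements = _collect(parser)
    parser.Parse(data, True)
    return elements


def parse_untrusted_xml(data: bytes) -> list:
    """Hardened variant: refuse DTDs and external entities outright.

    Both the XML bomb and XXE need a DOCTYPE to declare their entities, so
    rejecting the DOCTYPE closes both in one place, which is what OWASP
    recommends when the application never needs a DTD.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE is not permitted in untrusted input")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity reference refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    elements = _collect(parser)
    parser.Parse(data, True)
    return elements


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    expanded = parse_trusting_xml(TINY_BOMB_XML)[0][1]
    print("trusting parser expanded 1 reference into", len(expanded), "bytes")
    print("bomb rejected:", is_rejected(TINY_BOMB_XML),
          "| xxe rejected:", is_rejected(XXE_XML))
```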
Code Security Best Practices (contd.)
Use the following code security best practices to protect against insecure deserialization:
Source: OWASP Top 10 2017 A8 – Insecure Deserialization – https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html
Code Security Best Practices (contd.)
Use the following code security best practices to protect against using components with known vulnerabilities:
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities – https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html
Recap
Code security issues are among the OWASP Top 10 list of web application security risks
This is due to weaknesses in coding technologies such as markup languages, scripting languages (client- and server-side), programming languages, etc.
Hackers are able to exploit the weaknesses using attacks such as billion laughs, buffer overflow, code/SSI/JSON injection, XXE attacks, etc.
Best practices to protect code include establishing coding standards, protecting data, performing input validation/error handling/logging, ensuring proper memory management, using code analysis tools to do secure code review, etc.
Thank you!!!
Cloud Security – Issues and Best Practices
Outline
Intro to Cloud Security
Need for Cloud Security
Cloud Security Fundamentals
Cloud Security Issues
◦ OWASP Top 10 – A6:2017 – Security Misconfiguration
◦ OWASP Cloud-Native Application Security Top 10
Attacks against Cloud Security Mechanisms
Cloud Security Best Practices
Intro to Cloud Security
Intro to Cloud Security
What is the cloud?
◦ According to Microsoft (2022) the cloud refers to “a vast network of remote servers around the globe which are hooked together and meant to operate as a single ecosystem”
◦ Cloud servers are designed to:
  ◦ Store and manage data
  ◦ Run applications
  ◦ Deliver content/services such as streaming video, web mail, office productivity software and social media to any Internet-connected device
◦ According to NSA (2018), cloud browsers can be used to completely separate the web browser from the user’s O/S by hosting the browser in a remote cloud environment
https://azure.microsoft.com/en-us/overview/what-is-the-cloud/
https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf
Intro to Cloud Security (contd.)
What is the cloud? – PowerCert Animated Videos
Source: PowerCert Animated Videos – Cloud Computing Explained – https://www.youtube.com/watch?v=_a6us8kaq0g/
Intro to Cloud Security (contd.)
Cloud deployment methods
◦ Public cloud – shares resources and offers services over the public Internet
◦ Private cloud – does not share resources and offers services over a private internal network, typically hosted in an on-premise datacenter
◦ Hybrid cloud – shares resources between public and private clouds depending on their purpose
◦ Community cloud – shares resources only between specific organizations such as government institutions
Source: Microsoft.com – What is the Cloud? – https://azure.microsoft.com/en-us/overview/what-is-the-cloud/
https://azure.microsoft.com/en-us/overview/what-is-a-public-cloud/
https://azure.microsoft.com/en-us/overview/what-is-a-private-cloud/
https://azure.microsoft.com/en-us/overview/what-is-hybrid-cloud-computing/
Intro to Cloud Security (contd.)
Cloud service models:
◦ SaaS
  ◦ Examples: Amazon SaaS Factory, Office 365, Google Kubernetes Engine
◦ PaaS
  ◦ Examples: Elastic Beanstalk, Azure App Service, Google Cloud Run
◦ IaaS
  ◦ Examples: Amazon EC2, Azure IaaS, Google Compute Engine
Table: Cloud Service Model (SaaS, PaaS, IaaS) vs. Hardware / Operating System / Applications / Data; legend: SP – Service Provider, C – Customer
Customers: Netflix, Airbnb, Lyft, FDA, Coinbase
Customers: Starbucks, Walgreens, 3M, HP, CDC
Customers: Toyota, Spotify, Target, Twitter, UPS
https://www.bmc.com/blogs/aws-vs-azure-vs-google-cloud-platforms/
Intro to Cloud Security (contd.)
Cloud security refers to “a broad set of technologies, policies, and applications that are applied to defend online IP, services, applications, and other imperative data against cyber threats and malicious activity” (Cisco, 2022)
As per Cisco (2022), cloud security involves securing data and applications in the cloud by:
◦ Protecting apps, data, and users in the cloud against compromised accounts, malware, and data breaches
◦ Stopping malware before it spreads across the network
◦ Decreasing the time spent remediating data breaches
◦ Improving security without impacting end-user productivity
◦ Extending protection by securing users anywhere and anytime
https://www.cisco.com/c/en/us/products/security/cloud-security/what-is-cloud-security.html
Intro to Cloud Security (contd.)
Cloud security can enable better business outcomes by being:
Source: Secure Cloud – Accenture – https://www.accenture.com/_acnmedia/PDF-143/Accenture-Secure-Cloud.pdf
Need for Cloud Security
Need for Cloud Security
As per IBM (2022):
◦ Organizations need cloud security as they incorporate cloud-based tools and services as a part of their digital strategy
◦ Organizations must make their own considerations when protecting data and applications on the cloud, since the responsibility for data asset security and accountability does not necessarily shift to the cloud service provider
◦ Threats targeting cloud providers continue to evolve
◦ Lack of cloud security can make organizations face significant governance and compliance risks
◦ Cloud security is a necessity to ensure continuity of business operations
https://www.ibm.com/topics/cloud-security
Need for Cloud Security (contd.)
As per the Accenture (2021) Cyber Threat Intelligence Report:
◦ Spending on public cloud services is expected to rise 21.7% from 2021 ($396B) to 2022 ($482B)
◦ Cloud centricity prompts new attack vectors
◦ Public-facing cloud environments serve as initial entry vectors through which threat actors can gain access to individual endpoint devices
◦ Some organizations do not monitor cloud platforms as closely as they do their own on-premise servers
https://www.accenture.com/_acnmedia/PDF-173/Accenture-Cyber-Threat-Intelligence-Report-Vol-2.pdf
Need for Cloud Security (contd.)
As per the Accenture (2021) Cyber Threat Intelligence Report (contd.):
◦ Ransomware attacks on cloud infrastructure are on the rise
◦ Cloud malware has evolved faster than traditional malware
◦ Cloud-centric toolset threats are escalating
◦ Expanding cloud infrastructure also creates highly scalable and reliable command-and-control infrastructure and botnets
◦ Moving to the cloud has increased both the risk and consequences of supply chain attacks
https://www.accenture.com/_acnmedia/PDF-173/Accenture-Cyber-Threat-Intelligence-Report-Vol-2.pdf
Need for Cloud Security (contd.)
According to the McAfee (2019) Cloud Adoption and Risk Report:
• Sharing of sensitive data in the cloud has increased 53%
• An average organization has 2,269 IaaS misconfiguration incidents per month
• 80% of organizations will experience at least 1 compromised account threat in the cloud each month
• 92% of organizations currently have stolen cloud credentials for sale on the Dark Web
https://www.mcafee.com/blogs/enterprise/cloud-security/5-key-findings-from-2019-cloud-adoption-and-risk-report/
Need for Cloud Security (contd.)
Poor cloud security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)
https://privacyrights.org/data-breaches
Cloud Security Fundamentals
Cloud Security Fundamentals
What is AWS Security? – Amazon Web Services
Source: Amazon Web Services – What is AWS Security? – https://www.youtube.com/watch?v=_2HFqANE4gw
Cloud Security Fundamentals (contd.)
AWS cloud architecture for web application hosting:
Source: AWS – Web Application Hosting in the AWS Cloud – https://docs.aws.amazon.com/whitepapers/latest/web-application-hosting-best-practices/web-application-hosting-best-practices.pdf
Cloud Security Fundamentals (contd.)
AWS cloud security includes:
◦ Infrastructure security
  ◦ AWS WAF defends against XSS, SQL injection, & DDoS
  ◦ AWS Shield provides DDoS mitigation technologies available for layer 3, 4, and 7 protection
  ◦ Amazon VPC offers built-in network firewalls
◦ Inventory and configuration management
  ◦ Deployment tools offered
  ◦ Inventory and configuration management tools available
  ◦ Template tools exist to create standard, preconfigured, hardened VMs for EC2 instances
https://aws.amazon.com/waf/
https://aws.amazon.com/shield/
https://aws.amazon.com/vpc/
Cloud Security Fundamentals (contd.)
AWS cloud security includes:
◦ Data encryption
  ◦ At rest, built into EBS, S3, RDS, and most other services
  ◦ AWS Key Management Service available
  ◦ AWS CloudHSM for secure key storage
◦ Identity and access control
  ◦ AWS IAM allows account and permission management
  ◦ AWS MFA available for privileged accounts
  ◦ AWS SSO allows central management of SSO access
https://aws.amazon.com/ebs/
https://aws.amazon.com/s3/
https://aws.amazon.com/rds/
https://aws.amazon.com/kms/
https://aws.amazon.com/cloudhsm/
https://aws.amazon.com/iam/
https://aws.amazon.com/iam/features/mfa/
https://aws.amazon.com/single-sign-on/
Cloud Security Fundamentals (contd.)
AWS cloud security includes:
◦ Monitoring and logging
  ◦ AWS CloudTrail can monitor AWS deployments including API call history
  ◦ Amazon CloudWatch provides a reliable, scalable, and flexible monitoring solution
  ◦ Amazon GuardDuty available for intelligent threat detection and notification
◦ AWS Nitro System
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/cloudwatch/
https://aws.amazon.com/guardduty/
https://aws.amazon.com/ec2/nitro/
Cloud Security Issues
Cloud Security Issues
Specific cloud security issues include the following:
◦ Lack of visibility
◦ Multitenancy
◦ Access management and shadow IT
  ◦ Access control may be more challenging in cloud environments
◦ Compliance
  ◦ Accountability for data privacy and security still rests with the enterprise
◦ Misconfigurations
  ◦ Accounted for 86% of breached records in 2019
Source: IBM – What is Cloud Security? – https://www.ibm.com/topics/cloud-security
Cloud Security Issues (contd.)
Specific cloud security issues include the following:
• More than 66% of workloads will shift to the cloud
• 32% of organizations will move more than 75% into the cloud
• Organizations say security is not part of the cloud discussion to begin with
• Organizations say poor governance and compliance practices are an issue
• Organizations say cloud security is too complex
• Organizations do not have the skills needed
Source: Accenture – State of Cybersecurity Resilience 2021 – https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf
Cloud Security Issues (contd.)
OWASP Top 10 – A6:2017 – Security Misconfiguration
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Cloud Security Issues (contd.)
Common cloud security vulnerabilities:
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Cloud Security Issues (contd.)
OWASP Cloud-Native Application Security Top 10:
Source: OWASP Foundation – OWASP CNAS Top 10 – https://www.youtube.com/watch?v=BG4Kn6dcGtI
Cloud Security Issues (contd.)
OWASP Cloud-Native Application Security Top 10:
1. Insecure cloud, container or orchestration configuration
2. Injection flaws
3. Improper authentication & authorization
4. CI/CD pipeline & software supply chain flaws
5. Insecure secrets storage
6. Over-permissive or insecure network policies
7. Using components with known vulnerabilities
8. Improper assets management
9. Inadequate compute resource quota limits
10. Ineffective logging & monitoring
https://owasp.org/www-project-cloud-native-application-security-top-10/
Cloud Security Attacks
Cloud Security Attacks
Most common cloud security attacks:
Attack Type – Description
◦ Cross-Site Scripting (XSS) – A type of injection in which malicious scripts are injected into otherwise benign and trusted websites
◦ SQL Injection – An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data
◦ DDoS – The attacker floods the server with so many requests from compromised computers that act as a part of a larger botnet that the server can no longer fulfill requests from legitimate users
◦ Human Error – Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors
https://owasp.org/www-community/attacks/xss/
https://owasp.org/www-community/attacks/SQL_Injection
Cloud Security Attacks (contd.)
Most common cloud security attacks (continued):
Attack Type – Description
◦ Ransomware – The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data. Ransomware operators abused cloud infrastructure and introduced new encryption techniques to better evade detection (Accenture, 2021).
◦ Malware – Software written specifically to exploit vulnerabilities. Cloud-related malware has evolved faster than more traditional malware (Accenture, 2021).
◦ Server-Side Request Forgery (SSRF) – The attacker can abuse functionality on the server to read or update internal resources
http://owasp-stl.org/guides/owasp_ransomware.pdf
https://www.accenture.com/_acnmedia/PDF-173/Accenture-Cyber-Threat-Intelligence-Report-Vol-2.pdf
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Cloud Security Attacks (contd.)
What is an SSRF Attack? – Professor Messer
Source: Professor Messer – Request Forgeries – SY0-601 CompTIA Security+: 1.3 – https://www.youtube.com/watch?v=fmtqMzP7aXI
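Added example, not from the slides or the linked video: the control the SSRF row above calls for, a check a server runs before fetching a URL on a user's behalf, combining a host allow list with a refusal of anything that resolves to a loopback, private, link-local or otherwise non-global address. The allow list, hostnames and DNS answers are constructed stand-ins, and name resolution is injected so the check runs offline.

```python
"""SSRF guard for server-side URL fetches (added example, stdlib only)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow list and DNS answers, constructed for this example.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],              # a global address
    "cdn.partner.example": ["8.8.4.4", "10.0.0.5"],  # one global, one internal
    "localhost": ["127.0.0.1"],
}


def resolve(host: str) -> list:
    """Stand-in for socket.getaddrinfo so the check is deterministic."""
    return FAKE_DNS.get(host, [])


def is_internal(ip: str) -> bool:
    """Anything not globally routable (loopback, RFC 1918, link-local such
    as the 169.254.169.254 metadata service, multicast) counts as internal."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast


def check_outbound_url(url: str, resolver=resolve) -> tuple:
    """Return (allowed, reason); every rejection names the failed control."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if "@" in parts.netloc:
        # userinfo lets "allowed-host@internal-host" read as allowed-host
        return False, "userinfo in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow list"
    ips = resolver(host)
    if not ips:
        return False, "unresolvable host"
    # Every answer must be global: a host with one internal record could be
    # rotated into the request, so a single bad answer rejects the host.
    for ip in ips:
        if is_internal(ip):
            return False, "resolves to internal address " + ip
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/items",
                      "http://localhost/admin",
                      "https://cdn.partner.example/asset.js",
                      "https://api.partner.example@10.0.0.1/"):
        print(candidate, "->", check_outbound_url(candidate))
```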
Cloud Security Best Practices
Cloud Security Best Practices
Best practices for cloud security include:
◦ Implementing a strong identity foundation
◦ Enabling traceability
◦ Applying security at all layers
◦ Automating security best practices
◦ Protecting data in transit and at rest
◦ Keeping people away from data
◦ Preparing for security events
Source: AWS – Well-Architected Framework – https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/wellarchitected-security-pillar.pdf
Cloud Security Best Practices (contd.)
Best practices for cloud security include:
◦ Implementing a cloud-based secure web gateway (SWG) so corporate devices are protected against web-based threats without routing through VPN
◦ Protecting data with a cloud access security broker (CASB)
◦ Setting CASB policy to include device checks, data controls, and protection for SaaS accounts
◦ Implementing MFA to reduce the risk of stolen credentials being used to access accounts
◦ Letting employees use their personal devices to access SaaS applications for productivity with conditional access to sensitive data
Source: McAfee – Cloud Adoption and Risk Report – https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cloud-adoption-and-risk-report-work-from-home-edition.pdf
https://www.mcafee.com/blogs/enterprise/cloud-security/what-to-expect-from-the-next-generation-of-secure-web-gateways/
https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs
Cloud Security Best Practices (contd.)
Best practices for cloud security include (continued):
◦ Taking a risk-based view
◦ Understanding the shared responsibility model
◦ Driving a collaborative culture between application, IT/ops, and security teams
◦ Considering security as a forethought and not an afterthought
◦ Monitoring continuously for security and compliance
◦ Planning proactively for cybersecurity events
Source: IBM – Cloud Security White Paper – https://www.ibm.com/cloud/architecture/files/ibm-cloud-security-white-paper.pdf
Cloud Security Best Practices (contd.)
Use the following cloud security best practices to protect against security misconfiguration:
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
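Added example (not from OWASP, AWS or IBM) for the misconfiguration slide above and the Well-Architected items on a strong identity foundation and protecting data in transit: a small linter over an S3 bucket policy document, with the weak policy beside the corrected one. Both policies are constructed; the bucket name and the 123456789012 account id are placeholders.

```python
"""Security-misconfiguration checks for an S3 bucket policy (added example).

Reports the common offenders named on the slides: public access, wildcard
(over-permissive) actions, and no enforcement of TLS for data in transit.
"""
import json

# Weak policy: public read, wildcard actions, nothing forcing TLS.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
})

# Corrected policy: a named role, a scoped action list, and an explicit
# Deny for any request that is not made over TLS (aws:SecureTransport).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]
})


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    """Principal '*' or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def lint_bucket_policy(policy_json: str) -> list:
    """Return a list of finding strings; an empty list means nothing found."""
    doc = json.loads(policy_json)
    findings = []
    enforces_tls = False
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {})
        principal = stmt.get("Principal")
        if effect == "Allow":
            if _is_public(principal) and not cond:
                findings.append(f"{sid}: Allow to Principal '*' with no "
                                "Condition (public access)")
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: wildcard Action grants more than "
                                "least privilege")
        if effect == "Deny" and _is_public(principal):
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
                enforces_tls = True
    if not enforces_tls:
        findings.append("policy: no Deny for aws:SecureTransport=false "
                        "(plaintext HTTP allowed)")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_bucket_policy(policy) or ["no findings"])
```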
Recap
Cloud security issues are among the OWASP Top 10 list of web application security risks
This is due to issues in cloud security such as misconfiguration, lack of visibility, multitenancy, identity and access management, compliance, monitoring and logging, etc.
Hackers are able to exploit the weaknesses using attacks such as XSS, SQL injection, DDoS, human error, ransomware, malware, SSRF, etc.
Cloud security best practices include understanding the shared responsibility model, using strong IAM policies, implementing MFA, using CASBs, using SWGs, encrypting data in transit and at rest, enabling traceability, preparing proactively for security events, etc.
Thank you!!!
1. Database Security – Issues and Best Practices
2. Browser Security – Issues and Best Practices
3. Server Security – Issues and Best Practices
4. Code Security – Issues and Best Practices
5. Cloud Security – Issues and Best Practices
Question 1: [NOTE: Answer each part of the question in paragraph format]
a. What is Transparent Data Encryption? Why is it transparent? What types of encryption does it support? Explain how TDE