SlideShare a Scribd company logo
Advanced Application
Architecture Review and
Threats
Technology Trends
Enterprise Technology Trend
• 2007. Web services would rocket from $1.6
billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented
Architecture (SOA) would surge ahead.
• 2009-10. Enterprise 2.0 in action and
penetrating deeper into the corporate
environment
• 2011-13. Flex/Cloud/API era.
• 2015. Mobile/HTML5 era.
Mobile Infrastructure
www mail
intranet
router
DMZ
Internet
VPN
Dial-up
Other
Offices
Exchange
firewall
Database
RAS
Enterprise 2.0/ Mobile
HTML / JS / DOM
RIA (Flash)
Ajax
Browser
Internet
Blog
Web 2.0 Start
Database Authentication
Application
Infrastructure
Web Services
End point
Internet
Mails
News
Documents
Weather
Bank/Trade
RSS feeds
Web 2.0 Environment
Web
Server
Static pages only
(HTML,HTM, etc.)Web
Client
Scripted
Web
Engine
Dynamic pages
(ASP,DHTML, PHP,
CGI, etc.)
ASP.NET on
.Net Framework,
J2EE App Server,
Web Services,
etc.
Application
Servers
And
Integrated
Framework
Internet DMZ Trusted
WW
EE
BB
SS
EE
RR
VV
II
CC
EE
SS
Mobile
Web 2.0
Services
SOAP/JSON etc.
DB
X
Internal/Corporate
Stack/Logic - Layers
Presentation Layer
Business Layer
Data Access Layer
Authentication
Communication etc.
Runtime, Platform, Operating System Components
Server side
Components
Client side
Components
(Browser)
• HTML 5
• DOM
• XHR
• WebSocket
• Storage
• WebSQL
• Flash
• Flex
• AMF
• Silverlight • WCF
• XAML
• NET
• Storage
• JS
• Android
• iPhone/Pad
• Other
Mobile
HTML5 in nutshell - Specs
Source:
http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png
Source: http://html5demos.com/
Evolution going on by Web Hypertext Application Technology Working Group
(WHATWG)
API (Media, Geo etc.) & Messaging Plug-In
Browser & Mobile – Arch.
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Ajax Flash / RIA
HTML/CSS JavaScript
Widget DOM
SOAP XML-RPC
HTTP/HTTPS
JSON XML
RSS/ATOM Text
JS-Objects Custom
SOA/WOA SaaS
Web Services Ajax
Traditional APIs
REST
Client Layer
Protocol Layer
Structure Layer
Server Layer
Components
Vulnerable
State
Expected
State
Exception
Handler
Decision
Integer/
Number
Special
Characters
A-Z Characters
Input
Potential
Exploitation
Enterprise level bugs
Types of bugs
• Design and Architect layer bug
– Hard to fix
– Architecture or design layer is having some issues
• Validation layer bug –
– This layer of bugs are at development layer when an input
taken and consumed by application without any
sanitizations
• Logical layer bug –
– Logical coding error
– Access level issue or flaw in business logic
Generic Vulnerability numbers
Source – Web Application Security Consortium
Enterprise Standards
• As such there are no firm standards
• Some drivers out there
– PCI-DSS
– OWASP
– CVE/CWE
• Industry is following it
CVE/CWE - Errors
• Insecure Interaction Between Components
– These weaknesses are related to insecure ways in which data is sent and
received between separate components, modules, programs, processes,
threads, or systems.
– CWE-20: Improper Input Validation
– CWE-116: Improper Encoding or Escaping of Output
– CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
– CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
– CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command
Injection')
– CWE-319: Cleartext Transmission of Sensitive Information
– CWE-352: Cross-Site Request Forgery (CSRF)
– CWE-362: Race Condition
– CWE-209: Error Message Information Leak
Source – CWE/CVE -
http://cwe.mitre.org/top25/index.html
CVE/CWE - Errors
• Risky Resource Management
– The weaknesses in this category are related to ways in which software does
not properly manage the creation, usage, transfer, or destruction of
important system resources.
– CWE-119: Failure to Constrain Operations within the Bounds of a Memory
Buffer
– CWE-642: External Control of Critical State Data
– CWE-73: External Control of File Name or Path
– CWE-426: Untrusted Search Path
– CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
– CWE-494: Download of Code Without Integrity Check
– CWE-404: Improper Resource Shutdown or Release
– CWE-665: Improper Initialization
– CWE-682: Incorrect Calculation
Source – CWE/CVE -
http://cwe.mitre.org/top25/index.html
CVE/CWE - Errors
• Porous Defenses
– The weaknesses in this category are related to defensive techniques
that are often misused, abused, or just plain ignored.
– CWE-285: Improper Access Control (Authorization)
– CWE-327: Use of a Broken or Risky Cryptographic Algorithm
– CWE-259: Hard-Coded Password
– CWE-732: Insecure Permission Assignment for Critical Resource
– CWE-330: Use of Insufficiently Random Values
– CWE-250: Execution with Unnecessary Privileges
– CWE-602: Client-Side Enforcement of Server-Side Security
Source – CWE/CVE -
http://cwe.mitre.org/top25/index.html
Conclusion

More Related Content

What's hot

Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Shreeraj Shah
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
Blueinfy Solutions
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
Shreeraj Shah
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
Shreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
Shreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh Ummer
OWASP-Qatar Chapter
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
Blueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
Blueinfy Solutions
 
Workshop : Application Security
Workshop : Application SecurityWorkshop : Application Security
Workshop : Application Security
Priyanka Aash
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
zakieh alizadeh
 
Using & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack SurfaceUsing & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack Surface
CA API Management
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
John Ombagi
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Craig Dickson
 

What's hot (20)

Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh Ummer
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Workshop : Application Security
Workshop : Application SecurityWorkshop : Application Security
Workshop : Application Security
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
Using & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack SurfaceUsing & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack Surface
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 

Similar to Advanced applications-architecture-threats

EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
Larry Ball
 
Web Security
Web SecurityWeb Security
Web Security
Ali Habeeb
 
JulianSerna2016
JulianSerna2016JulianSerna2016
JulianSerna2016
Julian Serna
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weapons
Bhargav Modi
 
SeniorNET Bhanu Resume
SeniorNET Bhanu ResumeSeniorNET Bhanu Resume
SeniorNET Bhanu Resume
(Actively Looking) Akunuru
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
Rajeev_Resume
Rajeev_ResumeRajeev_Resume
Rajeev_Resume
Rajeev Bhatnagar
 
The Middleware technology that connects the enterprise
The Middleware technology that connects the enterpriseThe Middleware technology that connects the enterprise
The Middleware technology that connects the enterprise
Kasun Indrasiri
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Shahrooz alavi
Shahrooz alaviShahrooz alavi
Shahrooz alavi
ShahroozAlavi
 
Shahrooz alavi
Shahrooz alaviShahrooz alavi
Shahrooz alavi
ShahroozAlavi
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers 
Jeff Suratt
 
Vazata Federal IaaS
Vazata Federal IaaSVazata Federal IaaS
Vazata Federal IaaS
ftculotta27
 
Malay Das Sharma_2017
Malay Das Sharma_2017Malay Das Sharma_2017
Malay Das Sharma_2017
Malay Das Sharma
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
Ishan Girdhar
 
J2 ee archi
J2 ee archiJ2 ee archi
J2 ee archi
saurabhshertukde
 
Virtualization 2011 v1
Virtualization 2011 v1Virtualization 2011 v1
Virtualization 2011 v1
Pini Cohen
 

Similar to Advanced applications-architecture-threats (20)

EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Web Security
Web SecurityWeb Security
Web Security
 
JulianSerna2016
JulianSerna2016JulianSerna2016
JulianSerna2016
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weapons
 
SeniorNET Bhanu Resume
SeniorNET Bhanu ResumeSeniorNET Bhanu Resume
SeniorNET Bhanu Resume
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Rajeev_Resume
Rajeev_ResumeRajeev_Resume
Rajeev_Resume
 
The Middleware technology that connects the enterprise
The Middleware technology that connects the enterpriseThe Middleware technology that connects the enterprise
The Middleware technology that connects the enterprise
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Shahrooz alavi
Shahrooz alaviShahrooz alavi
Shahrooz alavi
 
Shahrooz alavi
Shahrooz alaviShahrooz alavi
Shahrooz alavi
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers 
 
Vazata Federal IaaS
Vazata Federal IaaSVazata Federal IaaS
Vazata Federal IaaS
 
Malay Das Sharma_2017
Malay Das Sharma_2017Malay Das Sharma_2017
Malay Das Sharma_2017
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
J2 ee archi
J2 ee archiJ2 ee archi
J2 ee archi
 
Virtualization 2011 v1
Virtualization 2011 v1Virtualization 2011 v1
Virtualization 2011 v1
 

More from Blueinfy Solutions

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
Blueinfy Solutions
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
Blueinfy Solutions
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
Blueinfy Solutions
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
Blueinfy Solutions
 
Android attacks
Android attacksAndroid attacks
Android attacks
Blueinfy Solutions
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
Blueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
Blueinfy Solutions
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
Blueinfy Solutions
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
Blueinfy Solutions
 

More from Blueinfy Solutions (12)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 

Recently uploaded

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
maazsz111
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 

Recently uploaded (20)

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 

Advanced applications-architecture-threats

  • 3. Enterprise Technology Trend • 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC] • 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. • 2009-10. Enterprise 2.0 in action and penetrating deeper into the corporate environment • 2011-13. Flex/Cloud/API era. • 2015. Mobile/HTML5 era.
  • 5. Enterprise 2.0/ Mobile HTML / JS / DOM RIA (Flash) Ajax Browser Internet Blog Web 2.0 Start Database Authentication Application Infrastructure Web Services End point Internet Mails News Documents Weather Bank/Trade RSS feeds
  • 6. Web 2.0 Environment Web Server Static pages only (HTML,HTM, etc.)Web Client Scripted Web Engine Dynamic pages (ASP,DHTML, PHP, CGI, etc.) ASP.NET on .Net Framework, J2EE App Server, Web Services, etc. Application Servers And Integrated Framework Internet DMZ Trusted WW EE BB SS EE RR VV II CC EE SS Mobile Web 2.0 Services SOAP/JSON etc. DB X Internal/Corporate
  • 7. Stack/Logic - Layers Presentation Layer Business Layer Data Access Layer Authentication Communication etc. Runtime, Platform, Operating System Components Server side Components Client side Components (Browser) • HTML 5 • DOM • XHR • WebSocket • Storage • WebSQL • Flash • Flex • AMF • Silverlight • WCF • XAML • NET • Storage • JS • Android • iPhone/Pad • Other Mobile
  • 8. HTML5 in nutshell - Specs Source: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png Source: http://html5demos.com/ Evolution going on by Web Hypertext Application Technology Working Group (WHATWG)
  • 9. API (Media, Geo etc.) & Messaging Plug-In Browser & Mobile – Arch. HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 10. Ajax Flash / RIA HTML/CSS JavaScript Widget DOM SOAP XML-RPC HTTP/HTTPS JSON XML RSS/ATOM Text JS-Objects Custom SOA/WOA SaaS Web Services Ajax Traditional APIs REST Client Layer Protocol Layer Structure Layer Server Layer Components
  • 12. Types of bugs • Design and Architect layer bug – Hard to fix – Architecture or design layer is having some issues • Validation layer bug – – This layer of bugs are at development layer when an input taken and consumed by application without any sanitizations • Logical layer bug – – Logical coding error – Access level issue or flaw in business logic
  • 13. Generic Vulnerability numbers Source – Web Application Security Consortium
  • 14. Enterprise Standards • As such there are no firm standards • Some drivers out there – PCI-DSS – OWASP – CVE/CWE • Industry is following it
  • 15. CVE/CWE - Errors • Insecure Interaction Between Components – These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. – CWE-20: Improper Input Validation – CWE-116: Improper Encoding or Escaping of Output – CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection') – CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') – CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection') – CWE-319: Cleartext Transmission of Sensitive Information – CWE-352: Cross-Site Request Forgery (CSRF) – CWE-362: Race Condition – CWE-209: Error Message Information Leak Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
  • 16. CVE/CWE - Errors • Risky Resource Management – The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. – CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer – CWE-642: External Control of Critical State Data – CWE-73: External Control of File Name or Path – CWE-426: Untrusted Search Path – CWE-94: Failure to Control Generation of Code (aka 'Code Injection') – CWE-494: Download of Code Without Integrity Check – CWE-404: Improper Resource Shutdown or Release – CWE-665: Improper Initialization – CWE-682: Incorrect Calculation Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
  • 17. CVE/CWE - Errors • Porous Defenses – The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored. – CWE-285: Improper Access Control (Authorization) – CWE-327: Use of a Broken or Risky Cryptographic Algorithm – CWE-259: Hard-Coded Password – CWE-732: Insecure Permission Assignment for Critical Resource – CWE-330: Use of Insufficiently Random Values – CWE-250: Execution with Unnecessary Privileges – CWE-602: Client-Side Enforcement of Server-Side Security Source – CWE/CVE - http://cwe.mitre.org/top25/index.html