The document provides an overview of web security. It discusses the internet and the World Wide Web, vulnerabilities and threats to web applications like phishing and SQL injection, as well as countermeasures. It also outlines a generic security model covering security policies, host security, network security, organizational security, and legal security. Finally, it examines the components of web application architecture like user interface elements, structural components involving web browsers, application servers, and database servers.

1. WEB SECURITY
CHAPTER-1.INTRODUCTION
Prof. Kirti Ahirrao
PROF. KIRTI AHIRRAO

2. Index:
Prof. Kirti Ahirrao 2
1. Internet & WWW
2. Vulnerabilities, threats and countermeasures.
3. Generic Security Model :
- Security policy,
- Host security,
- Network security,
- Organizational security,
- Legal Security
4. Web Application Architecture Components, Complex Web
Applications, Software Components

3. Internet
• Internet is a massive network of
networks
• It is networking infrastructure.
• It is a decentralized networks.
• It connects millions of
users/computers together globally.
• When any computer is connected in
network, that computer can
communicate with any other
computer on internet.
• Information can travel from network
in any language known as protocols.
Prof.KirtiAhirrao
3

4. • WWW stands for World Wide Web
• It is a way of accessing information
over the medium of the internet.
• It is the information-sharing model,
which is built on the top of internet.
• The web uses the HTTP protocol,
only one of the languages spoken
over the internet, to transmit data.
• The web also utilizes browsers, such
as Internet Explorer or Firefox, to
access Web documents
called webpages that are linked to
each other via hyperlinks. Web
documents also contain graphics,
sounds, text and video.
Prof.KirtiAhirrao
4
WWW

5. Vulnerabilities
P r o f . K i r t i A h i r r a o
1. It is a weakness in the application, which can be
a design flaw or an implementation bug,
2. It allows an attacker to cause harm to the
stakeholders of an application.
3. Stakeholders include the application owner,
application users, and other entities that rely on
the application.
Examples:
• Lack of input validation on user input
• Lack of sufficient logging mechanism
• Fail-open error handling
• Not closing the database connection properly
5

6. Threats
P R O F . K I R T I A H I R R A O
Web-based threats – or online threats – are malware programs that can target you when you’re
using the Internet. These browser-based threats include a range of malicious
software programs that are designed to infect victims’ computers.
Web security threats are constantly emerging and evolving, but a number of threats
consistently appear at the top of web security threat lists.
These include:
• Phishing
• Ransomware
• SQL injection
• Cross-site scripting
• Code injection
• CEO fraud and impersonation
• Viruses and worms
• Spyware
6

7. Countermeasures:
P R O F . K I R T I A H I R R A O
In computer security a countermeasure is an action, device, procedure, or technique that
reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing
the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
1. Preventative – These work by keeping something from happening in the first place. ...
2. Reactive – Reactive countermeasures come into effect only after an event has already
occurred.
3. Detective – Examples of detective counter measures
It includes system monitoring, IDS, anti-virus, motion detectors and IPS.
7

8. Generic
Security
model
P R O F . K I R T I A H I R R A O 8
Security policy,
Host security,
Network security,
Organizational security,
Legal Security

9. Security Policy :
• Security policies are a formal set of rules which is issued by an organization to
ensure that the user who are authorized to access company technology and
information assets comply with rules and guidelines related to the security of
information.
• It is a written document in the organization which is responsible for how to protect
the organizations from threats and how to handles them when they will occur.
• A security policy also considered to be a "living document" which means that the
document is never finished, but it is continuously updated as requirements of the
technology and employee changes.
• Needs of security policy:
1) It increases efficiency
2) It upholds discipline and accountability
3) It can make or break a business deal
4) It helps to educate employees on security literacy
PROF. KIRTI AHIRRAO 9

10. Host Security
• It is easy to focus on the security of the software we use and forget about the
hardware and software that ‘hosts’ it – our desktops, laptops, mobile devices, their
operating systems and configurations.
• Strong host security addresses the key aspects of your hosts, including hardware,
software, server and storage components.
• It ensures you are equipped to defend yourself against, and appropriately respond to,
cyber-attacks, when they occur.
• Sense of Security’s host level security assessment provides insight into your host
security configuration.
• It also includes aspects that cannot be seen from the network.
• This allows us to identify, and address, your additional weaknesses and exposures to
cyber risk.
PROF. KIRTI AHIRRAO 10

11. Network Security
P R O F . K I R T I A H I R R A O
• Network security is a broad term that covers a multitude of technologies, devices and
processes.
• In its simplest term, it is a set of rules and configurations designed to protect the integrity,
confidentiality and accessibility of computer networks and data using both software and
hardware technologies.
• Every organization, regardless of size, industry or infrastructure, requires a degree of
network security solutions in place to protect it from the ever-growing landscape of cyber
threats in the wild today.
• Today's network architecture is complex and is faced with a threat environment that is
always changing and attackers that are always trying to find and exploit vulnerabilities.
These vulnerabilities can exist in a broad number of areas, including devices, data,
applications, users and locations.
• For this reason, there are many network security management tools and applications in use
today that address individual threats and exploits and also regulatory non-compliance.
When just a few minutes of downtime can cause widespread disruption and massive
damage to an organization's bottom line and reputation, it is essential that these protection
measures are in place.
11

12. Network Security
P R O F . K I R T I A H I R R A O
Types of network security:
• Physical network security
• Technical network security
• Administrative network security
12

13. Types of Network Security
P R O F . K I R T I A H I R R A O 13
Physical Network Security : Physical security controls are designed to
prevent unauthorized personnel from gaining physical access to network
components such as routers, cabling cupboards and so on. Controlled
access, such as locks, biometric authentication and other devices, is
essential in any organization.
Technical Network Security : Technical security controls protect data that
is stored on the network or which is in transit across, into or out of the
network. Protection is twofold; it needs to protect data and systems from
unauthorized personnel, and it also needs to protect against malicious
activities from employees.
Administrative Network Security : Administrative security controls consist
of security policies and processes that control user behavior, including
how users are authenticated, their level of access and also how IT staff
members implement changes to the infrastructure.

14. Organizational Security
P R O F . K I R T I A H I R R A O
• Organizational security as a sustained, appropriate level of security in team communication
and information management practices.
• When more than one person works together to achieve a goal, they need to be able to
communicate and manage information to get things done.
• Organizational security has much more to do with the social and political decision-making
of an organization. Security isn’t about the perfect technical fix.
• It’s about working with all members of the team to make sure that they understand the
issues and the value of protecting information.
• Supporting awareness raising activities to encourage individual thinking about security (in
addition to how-to’s, instructions, and policies) is key to supporting longer term growth and
more organic adaptation to new threats.
14

15. Legal Security
P R O F . K I R T I A H I R R A O
• To make cybersecurity measures explicit, the written norms are required. These norms are
known as cybersecurity standards: the generic sets of prescriptions for an ideal execution of
certain measures.
• The standards may involve methods, guidelines, reference frameworks, etc. It ensures
efficiency of security, facilitates integration and interoperability, enables meaningful
comparison of measures, reduces complexity, and provide the structure for new
developments.
• A security standard is "a published specification that establishes a common language &
contains a technical specification or other precise criteria and is designed to be used
consistently, as a rule, a guideline, or a definition.“
• The goal of security standards is to improve the security of information technology (IT)
systems, networks, and critical infrastructures.
• The Well-Written cybersecurity standards enable consistency among product developers
and serve as a reliable standard for purchasing security products.
• Security standards are generally provided for all organizations regardless of their size or the
industry and sector in which they operate. This section includes information about each
standard that is usually recognized as an essential component of any cybersecurity strategy.
15

16. Web Application Architecture
Components:
PROF. KIRTI AHIRRAO
1
6

17. Web
Application
Architecture
Components:
(contd.)
User interface app components
• This is a reference to the web pages that
have a role that is related to the display,
settings and configurations.
• It is related the interface/experience,
rather than the development, and
consequently it deals with display
dashboards, configuration settings,
notifications, and logs etc.
Structural components
• The structural components of a web
application basically refer to the
functionality of the web application with
which a user interacts, the control and
the database storage.
• In other words, it has got more to do
with the structural aspects of the
architecture, as the name suggests.
• This basically comprises (1) The web
browser or client, (2) The web
application server and (3) The database
server.
PROF.KIRTIAHIRRAO
17

18. Structural
Components:
P R O F . K I R T I A H I R R A O 18
The web browser or
client permits the users to
interact with the functions of the
web apps and is generally
developed using HTML, CSS,
and JavaScript.
The web application
server handles the central hub
that supports business logic and
multi-layer applications, and is
generally developed using
Python, PHP, Java, .NET, Ruby,
and Node.js.
The database server offers
business logic and relevant
information/data that is stored
and managed by the web
application server. It stores,
retrieves and provides the
information.

19. References:
• https://www.webopedia.com/DidYouKnow/Internet/Web_vs_Internet.asp
• https://owasp.org/www-
community/vulnerabilities/#:~:text=A%20vulnerability%20is%20a%20hole,that%20
rely%20on%20the%20application.
• https://www.senseofsecurity.com.au/cyber-security-services/host-level-security-
assessment/#:~:text=Strong%20host%20security%20addresses%20the,%2Dattacks%
2C%20when%20they%20occur.
• https://www.javatpoint.com/cyber-security-
policies#:~:text=Security%20policies%20are%20a%20formal,to%20the%20security
%20of%20information.
• https://www.forcepoint.com/cyber-edu/network-security
• https://www.theengineroom.org/what-weve-learned-about-organizational-security-in-
2014/
• https://www.peerbits.com/blog/web-application-architecture.html
PROF. KIRTI AHIRRAO 19

20. THANK
YOU
P R O F . K I R T I A H I R R A O
20