Cyber security at the application level involves protecting applications from vulnerabilities through proper security measures implemented during the software development lifecycle. This includes securing applications from flaws introduced during design, development, deployment, upgrade or maintenance. Application security aims to prevent exceptions to the security policy by addressing vulnerabilities in the application or underlying system. Key aspects of application security include input validation, access controls, and output encoding.

1. CYBER SECURITY AT APPLICATION LEVEL
SANTOSH KHADSARE

3.  INVOLVES ALTERING THE RAW DATA JUST BEFORE A
COMPUTER PROCESSES IT AND THEN CHANGING IT
BACK AFTER PROCESSING IS COMPLETED
 SECONDARY STATE BOARD
 PRIVATE STUDENTS TOPPED OVER GOV T STUDENTS
 6 DIGIT ROLL NUMBER
 GOV T STUDENTS STARTS WITH 3
 PRIVATE STUDENTS STARTS WITH 4
 SOFT WARE MANIPULATION
 FOR ROLL_ NO 3 if marks between 68 & 100
DEDUCT 9
 FOR ROLL_ NO 4 if marks between 68 & 88 ADD
3
9

4. 4

5. 5

6.  Data
 Information we keep on computers (product
design, financial records, personnel data)
 Lost time, lost sales, lost confidence
 Resources
 Unauthorized use of computer time & space
 Reputation
 Misrepresentation, forgery, negative
publicity

7. Confidentiality
Integrity
Avalaibility

8.  Confidentiality - Protection from
unauthorized persons
 Integrity - consistency of data; no
unauthorized creation, alteration or
destruction
 Availability - ensuring access to legitimate
users
 Legitimate use - ensuring appropriate use
by authorized users

9. Functionality
Moving Ball
Security Ease of Use

10.  Intrusion - unauthorized access and use of
systems
 Denial of ser vice - an attack aimed at
preventing use of company computers
 email bomb or flooding/Internet worm
 disabled, rerouted or replaced services
 Information thef t - network taps, database
access, hacking into sites to give out more info
or to wrong parties

11. • Scanners
• Key-loggers.
• Trojans.
• Remote Admin
Toolkits.
• Spyware.
• Backdoors.
• Worms.
• Remote Sniffers.
• Distributed Denial of
Service.

12.  Security Services
 Authentication (entity, data origin)
 Access control (prevent unauthorized access)
 Confidentiality (disclosure, encryption)
 Data integrity (value of data item)
 Non-repudiation (falsely denying a
transaction)

13.  No Security - not an option
 Security thru Obscurity - don’t tell anyone
where your site is
 Host Security - enforced security on each
host; progressively difficult to manage as
number of hosts increase
 Network Security - control network access to
hosts and services; firewalls, strong
authentication, and encryption

14. Biometrics, Cryptography,
Smartcards, Confidentiality
Confidentiality VPNs,
Voice based Systems PKI
Authentication
Authentication Availability
Availability
Clustering,
Redundancy,
Digital Signatures,
Hot Standby, Port
PKI
Mirroring
Integrity
Integrity Assurability
Assurability
Availability
+
Digital Signatures, Non-Repudiation
Non-Repudiation Reliability
PKI

15. Information Security
Info Security Measures
States Components
IN
PROCESSING
IN
STORAGE
IN
TRANSMISSION
As Strong As The Weakest Link …

17. WAN /
NETWORK BASED INTRANET
FIREWALL MOBILE
USER
ROUTER
ROUTER
SWITCH
PCs HQ ABC CORPS
HQ XYZ CORPS SERVERS

18. INTERNET
Red Zone Fm ISP
Layer 3 Switch WAN
IP
DMZ (Orange
DMZ (Orange
IDS Zone)
Zone)
WebServer
FW IP 192.168.3.
2 DNS Server
Cop
L 2 SW
192.168.1.1
Green Zone Mail Server
Green Zone
L 2 SW
To another L2
SW

19. Gateway
INTERNE V.35 ROUTE 136.0.0.1 136.0.0.2 136.0.0.3
T R IPS
DMZ
136.0.0.4
L2 192.168.1.1 HW
SW FW
192.168.2.1/26
192.168.1.2 192.168.1.3 192.168.1.4 L2
192.168.2.X/28
SW To OTHER NW
SERVE
SERVER SERVER
VLAN
LOCAL NW
R
Domain users
. DNS . RAID . ANTI VIRUS
. HTTP . RDBMS . HIPS NW
TASK- TASK-
. SMTP . DATABACKUP . SCANNER PRINT E AWAN
1 2
R
BIOMETRIC 192.168.2.2 192.168.2.4
SENSOR
. Secure disk
BIOMETRIC . True Crypt
SENSOR

20. NETWORK BASED WAN
FIREWALL MOBILE
ANTI USER
HOST BASED
VIRUS
ROUTER
ROUTER
SWITCH
PCs HQ ABC CORPS
HQ XYZ CORPS SERVERS

21. Cyber Security is the set of "measures taken to protect a
Cyber Security is the set of "measures taken to protect a
computer or computer system (as on the Internet) against
computer or computer system (as on the Internet) against
unauthorized access or attack.“
unauthorized access or attack.“
This broad and all-encompassing cyber security definition
This broad and all-encompassing cyber security definition
poses a significant challenge for enterprises; therefore, it
poses a significant challenge for enterprises; therefore, it
is highly critical for enterprises to have an in-depth cyber
is highly critical for enterprises to have an in-depth cyber
security strategy and plan in place in order to provide the
security strategy and plan in place in order to provide the
maximum level of protection from cyber security risks at
maximum level of protection from cyber security risks at
not just the network perimeter but also the application
not just the network perimeter but also the application
layer.
layer.

24. An application is a program or group of programs
An application is a program or group of programs
designed for end users. Application software can be
designed for end users. Application software can be
divided into two general classes: systems software
divided into two general classes: systems software
and applications software ..
and applications software
 Systems software consists of low-level programs
 Systems software consists of low-level programs
that interact with the computer at a very basic level.
that interact with the computer at a very basic level.
This includes operating systems ,, compilers, and
This includes operating systems compilers, and
utilities for managing computer resources.
utilities for managing computer resources.
applications software (also called end-user
applications software (also called end-user
programs) includes database programs, word
programs) includes database programs, word
processors, and spreadsheets. Figuratively
processors, and spreadsheets. Figuratively
speaking, applications software sits on top of
speaking, applications software sits on top of

25. Application security encompasses measures taken
Application security encompasses measures taken
throughout the application's life-cycle to prevent
throughout the application's life-cycle to prevent
exceptions in the security policy of an application or the
exceptions in the security policy of an application or the
underlying system (vulnerabilities) through flaws in the
underlying system (vulnerabilities) through flaws in the
design,
design, development,
development, deployment,
deployment, upgrade,
upgrade, or
or
maintenance of the application.
maintenance of the application.

29. Most security Many software
The flaws within
professional are developers do not
the software cause
usually not have security as a
a majority of the
software main focus .
vulnerability
developers
Software venders
The computing
The computing are trying to rush
community is used
community is used their products to
to receiving
to receiving markets with their
software with
software with eyes set on
bugs and then
bugs and then functionality not
applying patches.
applying patches. security.

30. Hard and Soft and
Soft and
crunchy on chewy on
chewy on
the the inside
the inside
outside
PP e r m e t e r
eri ime
ter
ss e c u it y
e c u rr it
y In t t e r a l e
In e r nn a l e v ir o
is nn nment n
is
f f o r tf fe d
orti i i i aa r e ee s y t v ir o n m e n t aa n d ss o f w a r
r e aa o d oft
s y t o ee x p o i t o
xpl loi nc twa e
aa n d ss li d
n d oo
ed
hh a s bb e n
a s ee o t o n c e aa c c s s r e
e cce
li d b t a in e
e n o b t a in d . ess
ed.

31. Software
controls –
implemented
by
Operating Combination
System of three

32. Aplns and Cmptr systems are usually devp for functionality first,
not security.
To get the best of both, security and functionality will have to be
designed and devp at the same time
Developing aplns first and then trying to add security can
cause problems:
May reduce overall func
Can open security holes when the apln is to be integrated
with other aplns

33. Security solns today look to solve problems through controls
such as IDS, IPS, FWs, Avs, Vulnerability scanners, etc.
This is because our SW contains many vulnerabilities.
Our systems are hard on the outside and soft inside. Why?
We have implemented strong perimeter defences, however our
internal environment and SW is easy to exploit once access has
been gained.
Why are perimeter devices more often considered rather than
developing secure SW?

34. In the past, SW was devp for func and not security.
Mainframe era.
Many programmers do not have experience of secure coding.
Most security professionals are not SW developers.
Many SW developers do not have security as the main focus.
SW vendors under tight deadlines to get products into market;
security suffers.
Customers cannot control flaws in the SW they purchase,
so they must depend on perimeter protection. Thus the present
day over-reliance on perimeter defences.

35. Traditionally, we consumers have always demanded
functionality from the aplns, with little thought to security.
Only in the last 6 – 8 yrs, the focus is slowly shifting to
functionality coupled with security.

36. Security controls can be used for:
Inputs
Processing
Output
Devp controls with potential risks in mind.
SW to be used in a closed trusted environment versus an
open environment.
.

37. Goal is to:
Prevent data corruption
Prevent security compromises
Reduce vulnerabilities.
Controls can be preventive, detective and corrective.
Can be in the form of administrative or physical controls; but are
mostly technical in nature.

38. Buggy SW is rel
Buggy SW is rel
Hackers find SW
Hackers find SW
vulnerabilities
vulnerabilities
Web sites post these vulnerabilities on
Web sites post these vulnerabilities on
Internet and methods of exploiting them
Internet and methods of exploiting them
SW vendor develops and releases SW
SW vendor develops and releases SW
patches to fix these vulnerabilities
patches to fix these vulnerabilities
The new patch goes on the stack of SW
The new patch goes on the stack of SW
patches that all NW admin need to test
patches that all NW admin need to test
and install
and install

39. NW admin today has to integrate various aplns and different
computer systems.
Coys today are rushing to devp aplns capable of taking on-line
orders, storing credit card info and est extranets with business
partners.
All of this is an extremely complex activity.
On top of all this security is expected and demands.
As the complexity of the environment grows, tracking
compromises and errors becomes a difficult task.

40. SW controls are usually implemented nowadays through a mix of:
OS controls
Apln controls
DB controls
OS controls can control a subject’s access to an object.
These controls do not restrict a subject’s action within an apln.
Apln controls can ensure
 only valid inputs are inserted,
data is processed in the correct sequence, and
only certain subjects can view data in sensitive fields.

41. Aplns must draw a balance between Functionality and Security.
Out of the box installation is always insecure.
If an apln is extremely user friendly, it is probably not secure.
Why?
User friendly implies – extra lines of code.
More lines of code – more the potential vulnerabilities.

42. SDLC – Security Issues

43. Also once vendors iden vulnerabilities and rel patches,
NW admin may not apply them. Why?
NW admin may not be up to date on current vulnerabilities
and patches.
They may not fully understand the imp of patches.
They may be afraid that patches may cause other
problems
Bottomline – Insecure systems
Also, If an apln fails – it must fail secure.

44. Software Development Life Cycle
SDLC stands for Software Development Life Cycle. A
Software Development Life Cycle is essentially a series of
steps, or phases, that provide a model for the development
and lifecycle management of an application or piece of
software.
The methodology within the SDLC process can vary
across industries and organizations, but standards such as
ISO/IEC 12207 represent processes that establish a lifecycle
for software, and provide a mode for the development,
acquisition, and configuration of software systems.

45. The intent of a SDLC process it to help produce a
product that is cost-efficient, effective, and of high
quality. Once an application is created, the SDLC
maps the proper deployment and decommissioning
of the software once it becomes a legacy.

46. Project Initiation
Functional Design Analysis and Plg
System Design Specs
SW Devp
Installation/Implementation
Operations / Maintenance
Disposal

47. Problems with
Database Security

48. Risks to databases
Today more and more coys holding sensitive data (credit
card info, stock inventory, etc) in DBs.
Earlier employees only accessed DBs. Today DB
connectivity provided to customers also (Eg – check online
availability of an item).
How do you secure DBs?
Group users in different roles and assign rights and
permissions to various roles.
Customers are assigned a role to only view data; and
that too only specific fields of data.
Customers interact with the DB through a middleware
(apln).
Middleware checks roles and presents data as per
permissions assigned to that role.

49. Risks to databases – DB Integrity
Concurrency Problem
Occurs when a DB is accessed by more than one
apln/users at the same time.
SW lock used to overcome this. Processes lock tables
within DB, make changes and then rel the SW lock. Next
process can access DB only after the 1st process has rel the
SW lock.

50. Risks to databases – DB Integrity
DB SW performs three main types of integrity services:
Entity Integrity: Every row (record) is uniquely iden by a
primary key.
Referential Integrity: All foreign keys reference existing
primary keys.
Semantic Integrity: Rules pertaining to data types, logical
values are enforced.

51. Risks to databases – DB Integrity
Other Operations in DB SW to protect integrity of data:
Rollback:
An operation that ends a current transaction and cancels
current changes to a DB. The DB reverts to its previous
state.
Could be changes to the data / schema.
Roll back occurs when the DB experiences a glitch or if
processing sequence is disrupted.

52. Risks to databases – DB Integrity
Other Operations in DB SW to protect integrity of data:
Commit:
This operation completes a transaction and executes all
changes just made by the user. DB is updated to reflect the
latest changes.
If commit cannot complete correctly, a rollback is
performed.
Ensures that partial changes do not take place and data is
not corrupted.

53. Risks to databases – DB Integrity
Other Operations in DB SW to protect integrity of data:
Savepoints:
Same like system restore in Win OS.
If a system failure takes place, the DB attempts to revert to
the previous savepoint.
Setting savepoints consumes resources. Bal to be stuck
between No of Savepoints and not enough of them.
Savepoints can be initiated by a time interval, user action,
or No of transactions.
Savepoint restores data by enabling user to go back in
time before the system crashed.

54. Risks to databases – DB Integrity
Other Operations in DB SW to protect integrity of data:
Checkpoints:
Similar to Savepoints.
When a specific amt of mem is filled, a checkpoint is
triggered.
This saves data from mem to a temp file.
If system crashes, the DB will attempt to restore data from
this temp file.

55. A few Database Attacks
Brute Force attacks against Passwords
Default Username and passwords not changed by the sys admin
Eg: “scott”; “tiger” - username/password combination in
Oracle DB till 11g ver.
Microsoft SQL Server – came with default (publically known)
passwords.
Easily guessable passwords chosen by sys admin..

56. A few Database Attacks
Privilege Escalation
Gen happens due to mis-configuration of database or underlying
OS.
Eg: A low privilege user has read rights only.
However, he can read all colns in the DB incl colns holding
credit card info.
(mis-configuration – Restd DB views were not enforced).

57. A few Database Attacks
Exploiting unused / un-necessary services
Eg: Listener service in Oracle DB.
It seeks out and fwds network connection requests to Oracle DB.
When an apln has to access a DB – poorly written aplns can
cause connections w/o authentication and authorisation.
Install only those features that you need to use.
If you don’t install a feature, you don’t have to patch it up later.

58. A few Database Attacks
Exploiting unused / un-necessary services.
Very Imp: Patch up DBs as and when patches are rel by the
vendor.
Gen sys admins avoid patching. Why?:
Prevent downtime of the DB.
Does not understand patches and what they do
Do not have time to test patches
May fear that patches may cause some other problems.

59. A few Database Attacks
Stolen Backups
Gen an insider attack.
If backup data is un-encypted, the attacker does not need to
hack into a DB.
Another problem with backups – too many versions of backups.
Problem in tracking all ver.

60. A few Database Attacks
SQL Injection
Occurs when the fields available for user input allows
SQL stmts to be inputted.
Gen, this attack takes place on the middleware; which connects
to the backend DB.
Eg: If an attacker gets a username/password screen, he can
input an SQL stmt which is passed by the apln server to the DB
and gets executed toentry to the DB.
Gen the result of poor programming practices.