Application security controls and techniques.
Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of expertise
• PC Hardware
• Network Administration
• IT Project Management
• Network Design
• User Training
• IT Troubleshooting
Industry Certifications
Qualifications Summary
Education
• M.B.A., IT Management, Western Governors University
• B.S., IT Security, Western Governors University
Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.
Page 3
PACE-IT.
– Secure coding concepts.
– Other security controls, techniques, and concepts.
Page 4
Application security controls and techniques.
Page 5
Hackers will often focus on applications (software) when they are attempting to breach network security. Because of this, application developers need to focus on security controls right from the beginning of developing the application. This is the idea of using secure coding concepts.
An application designed with security in mind is much easier to defend than an application that doesn’t use such methods. Two of the main concepts of secure coding are error and exception handling and input validation.
Page 6
Application security controls and techniques.
– Error handling.
» Thoroughly testing an application will catch most errors, with the possible exception of some runtime errors.
• Runtime errors are problems that occur while the application is running.
• Many things can cause a runtime error, including poor programming, conflicts with other software (including malicious applications), and conflicts with hardware.
» The developer should put processes in place that trap all runtime errors before such an error crashes the application.
• Trapping a runtime error requires that the developer intercept the error and display a warning message before the error causes the application to crash.
– Exception handling.
» A more advanced method of error handling.
• An exception is another term for a runtime error.
» Exception handling code uses a try/catch block: try this code, and catch any errors that occur.
• The catch block usually provides a way to loop (retry) until the error condition subsides.
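As an added example (not from the PACE-IT slides), the try/catch pattern above written in Python: the runtime error is trapped, the operation is retried in a bounded loop, and if the error condition does not subside the user gets a warning message instead of a crash. `FlakyBackend` is a constructed, hypothetical stand-in for a resource that fails a few times and then recovers.

```python
import logging
import time

log = logging.getLogger("app")


class FlakyBackend:
    """Constructed stand-in (hypothetical) for a resource that raises a
    runtime error a set number of times and then recovers."""

    def __init__(self, failures_before_success):
        self.remaining_failures = failures_before_success
        self.calls = 0

    def fetch(self):
        self.calls += 1
        if self.remaining_failures > 0:
            self.remaining_failures -= 1
            raise ConnectionError("backend unavailable")
        return "payload"


def fetch_with_retry(backend, max_attempts=3, delay=0.0):
    """Trap the runtime error in a try/except block and retry a bounded
    number of times. Returns (result, warning): when the loop gives up the
    caller gets a user-facing warning instead of an uncaught exception that
    would crash the application."""
    for attempt in range(1, max_attempts + 1):
        try:
            return backend.fetch(), None            # try this code ...
        except ConnectionError as exc:              # ... and catch the error
            # Catch only the error class we know how to recover from; a
            # programming bug (TypeError, KeyError, ...) still surfaces in
            # testing instead of being silently swallowed by a bare except.
            log.warning("attempt %d/%d failed: %s", attempt, max_attempts, exc)
            if attempt < max_attempts:
                time.sleep(delay)                   # back off before looping
    return None, "The service is temporarily unavailable; please try again."
```

The loop is bounded on purpose: an unbounded "retry until it works" loop turns a transient fault into a hang.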
Page 7
A major cause of runtime errors and other security issues in applications is users inputting invalid data into the application.
Secure coding requires that input validation be done before that data is actually placed into the application. Input validation is when the user-supplied data is examined against a set of rules that outline what type of data the application is expecting.
One method of testing input validation rules is to use fuzzing. During the testing phase of the application, the developer will input invalid or random data into the input fields in order to test the input validation rules.
Page 9
Application security controls and techniques.
– Client-side and server-side validation.
» Initial input validation should occur on the client (requesting machine) before the data is sent to the application on the server.
• This can help to prevent a runtime error or exploit on the server and reduces the amount of traffic crossing the network.
» Additional input validation should occur at the server (receiving machine) before the input is passed on to the application, further reducing the chances of a runtime error or an exploit occurring.
– Cross-site scripting (XSS) prevention.
» XSS occurs when a hacker inserts script code into a form on a website so that when other users access the form, the script is executed.
• Proper input validation of data is usually an effective means of preventing XSS from occurring.
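An added example (not from the PACE-IT slides) that serves the input validation and fuzzing slide above as well as this XSS slide: each form field has a rule set, the same `validate()` runs on the client and again on the server, free text is HTML-escaped when rendered so inserted script is displayed rather than executed, and `fuzz_validate()` throws random and wrongly typed data at the validator to check that it only ever accepts or cleanly rejects. Field names, limits and sample values are constructed for this example.

```python
import html
import random
import re
import string

# Rules stating what each form field may contain (names and limits are
# constructed for this example).
RULES = {
    "username": {"type": str, "max_len": 32, "pattern": re.compile(r"[A-Za-z0-9_]+")},
    "age": {"type": int, "min": 0, "max": 150},
    "comment": {"type": str, "max_len": 500},  # free text: escaped on output instead
}

class ValidationError(ValueError):
    """User data broke a rule; the app traps this and shows a message."""

def validate(field, value):
    """Check one value against its rules; return it if it passes. Run the same
    checks on the client and again on the server (the client can be bypassed)."""
    rule = RULES[field]
    if not isinstance(value, rule["type"]) or isinstance(value, bool):
        raise ValidationError(f"{field}: expected {rule['type'].__name__}")
    if "max_len" in rule and len(value) > rule["max_len"]:
        raise ValidationError(f"{field}: too long")
    if "pattern" in rule and not rule["pattern"].fullmatch(value):
        raise ValidationError(f"{field}: disallowed characters")
    if "min" in rule and not rule["min"] <= value <= rule["max"]:
        raise ValidationError(f"{field}: out of range")
    return value

def render_comment(comment):
    """XSS prevention for free text: validate, then HTML-escape at output so
    markup a user typed is displayed literally rather than executed."""
    return "<p>" + html.escape(validate("comment", comment), quote=True) + "</p>"

def fuzz_validate(field, rounds=2000, seed=1):
    """Fuzzing: feed random and wrongly typed data to validate(); it must accept
    or raise ValidationError, never some other exception. Returns reject count."""
    rng = random.Random(seed)
    alphabet = string.printable + "\u00e9\u4e2d<>\"'\\"
    rejected = 0
    for _ in range(rounds):
        value = rng.choice([
            "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 600))),
            rng.randint(-10**6, 10**6), None, [], {}, 3.5, True])
        try:
            validate(field, value)
        except ValidationError:
            rejected += 1
    return rejected
```

For the free-text field no character allowlist is practical, which is why the escaping at render time carries the XSS defence there rather than the validation rule alone.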
Page 10
Application security controls and techniques.
– Cross-site request forgery (XSRF) prevention.
» XSRF is when a user is automatically directed to a linked Web page and logged in using data supplied by a cookie from the original page, when this was not the Web developer’s intent.
• Web developers can help to prevent XSRF from occurring by setting a short expiration time for cookies.
• Users can help prevent XSRF by choosing not to have a website automatically log them in when they visit the site.
– Application configuration baseline.
» The initial setup of an application (the baseline) should be done with security in mind.
• The baseline should be as secure as possible.
– Application hardening.
» Disabling all features and functions that users should not be allowed to use (e.g., disabling an application’s ability to use FTP).
• Should initially be done during the configuration process.
Page 11
Application security controls and techniques.
– Application patch management.
» New exploits and threats against applications are created all the time, requiring that applications be updated on a regular basis.
• Patches are used to fix problems (e.g., security issues) that were unknown at the time the application was developed.
» Caution: just as with operating system patches, application patches must be tested before being deployed into a production setting.
– SQL vs. NoSQL databases.
» SQL databases are the most common relational database management systems used today.
• They are optimized for the inserting and updating of records in a database.
» NoSQL databases are designed to store and retrieve large amounts of data (big data).
• They must be optimized for the retrieval of big data, and require different methods of input validation than a SQL database.
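An added example (not from the PACE-IT slides) of why the two database styles need different input validation. On the SQL side the user's value is passed as a bound parameter, so quoting inside it needs no special handling. On the NoSQL side, queries are filter objects, and a nested object in the filter is read as an operator, so the validation rule is about the value's type: only a plain scalar may be placed in the filter. The document store, its `$ne`/`$gt` operators and the sample data are constructed for this example and stand in for a real document database.

```python
import sqlite3

# --- SQL: pass user data as a bound parameter so the engine treats it as a
# value, never as part of the statement (constructed in-memory schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("o'brien",)])
    return conn

def sql_lookup(conn, username):
    """Return the user's id, or None. The quote in o'brien needs no special
    handling because the value is bound, not spliced into the SQL text."""
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None

# --- NoSQL: a constructed in-memory document store whose queries are filter
# objects, as in many document databases. A nested object in the filter is
# read as an operator, so the validation rule here is about TYPE, not quoting:
# user input must arrive as a plain scalar before it is placed in the filter.
DOCS = [{"_id": 1, "name": "alice"}, {"_id": 2, "name": "o'brien"}]

def _matches(doc_value, cond):
    if isinstance(cond, dict):            # operator form, e.g. {"$ne": "x"}
        return all((op == "$ne" and doc_value != v) or (op == "$gt" and doc_value > v)
                   for op, v in cond.items())
    return doc_value == cond              # plain equality

def nosql_lookup(username):
    """Return matching _ids. Anything that is not a plain string is rejected
    before it can reach the filter and be interpreted as an operator."""
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    return [d["_id"] for d in DOCS if _matches(d["name"], username)]
```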
Page 12
Application security controls and techniques.
Topic: Secure coding concepts.
Summary: Application security controls need to begin with the application’s developer using secure coding methods. The two main concepts used in secure coding are error and exception handling and input validation. Error and exception handling are how an application will deal with a runtime error. Input validation is a method used to prevent users from inputting invalid data into an application, which may cause a security issue or runtime error.
Topic: Other security controls, techniques, and concepts.
Summary: Client-side and server-side validation should both be used to prevent application problems. Input validation can be used to prevent XSS from occurring. XSRF prevention requires actions from both the user and the Web developer. An application’s configuration baselines should be set to the highest level of security and include application hardening techniques. All applications should be patched as required to maintain security. SQL databases and NoSQL databases are used to perform different functions and require different methods of application security controls.
Page 13
THANK YOU!
This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.

PACE-IT, Security+ 4.1: Application Security Controls and Techniques
