2. INTRODUCTION (1)
• Advances in web technologies, coupled with a changing business
environment, mean that web applications are becoming more prevalent in
corporate, public and Government services today.
• Although web applications can provide convenience and efficiency, there
are also a number of new security threats, which could potentially pose
significant risks to an organisation's information technology infrastructure if
not handled properly.
• To address these threats, new security measures, both technical and
administrative, need to be implemented alongside the development of web applications.
2
NIMS University, Jaipur
3. INTRODUCTION (2)
• Many of the features that make web applications, services and servers
attractive, such as greater accessibility of data, dynamic application-to-
application connections and relative autonomy (i.e. lack of human
intervention), are at odds with traditional security models and controls.
• Web Applications are the programs which can accept form submissions,
generate pages dynamically, communicate with database to do CRUD
(Create, Read, Update and Delete) processes and more.
• Some general security tips for web applications are: getting an SSL
(Secure Sockets Layer) certificate, creating secure passwords, keeping
backups, and updating websites to the latest releases. An SSL certificate is a file
hosted on the website's origin server; it holds the data that
browsers access when you view and interact with the page.
4. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (1)
• The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide
Web, and is used to load webpages using hypertext links.
• HTTP is an application layer protocol designed to transfer information
between networked devices and runs on top of other layers of the network
protocol stack. HTTP encodes and transports information between a client
and a web server. HTTP is the primary protocol for transmission of information
across the Internet.
• HTTP is a protocol for fetching resources such as HTML documents. It is the
foundation of any data exchange on the Web and it is a client-server
protocol, which means requests are initiated by the recipient, usually the
Web browser.
5. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (2)
• HTTPS uses an encryption protocol to encrypt communications. The protocol is
called Transport Layer Security (TLS), although formerly it was known as Secure
Sockets Layer (SSL). This protocol secures communications by using what's
known as an asymmetric public key infrastructure.
• HTTPS uses SSL/TLS protocols to authenticate both the web browser and the web
server, ensuring that data transmitted between them is encrypted and secure. In
contrast, HTTP doesn't use any encryption protocol, leaving data vulnerable to
interception and unauthorized access.
• SQL injection is one of the most prevalent types of web application security
vulnerability. Cross-site scripting involves targeting a user's application and
injecting malicious code, usually a client-side script such as JavaScript, into the
application's output.
6. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (3)
• Security headers are directives used by web applications to configure security
defenses in web browsers. Based on these directives, browsers can make it
harder to exploit client-side vulnerabilities such as Cross-Site Scripting or
Clickjacking.
• To use HTTPS with your domain name, you need an SSL or TLS certificate installed
on your website. Your web host (Web Hosting Provider) may offer HTTPS security,
or you can request an SSL/TLS certificate from a Certificate Authority and install it
yourself.
• Basic authentication is a built-in HTTP authentication method. When a client
sends an HTTP request to a server that requires Basic authentication, the server
will respond with a 401 HTTP response and a WWW-Authenticate header
containing the value Basic.
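The Basic authentication exchange and the security-header directives described on this slide, worked through as an added example (not code from the original slides): the server answers with 401 and a WWW-Authenticate challenge, verifies the base64-encoded user:password pair in constant time, and attaches browser defence headers to every response. The user, password, salt and realm are constructed demo values.

```python
import base64
import hashlib
import hmac
# Constructed demo data (hypothetical). Demo only: production code would use a real password hash (scrypt, bcrypt).
SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}
DUMMY_HASH = hashlib.sha256(SALT + b"no-such-user").hexdigest()
# Directives that make the browser enforce client-side defences (CSP, clickjacking, MIME sniffing, HSTS).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def encode_basic(username, password):
    """What a client sends: 'Basic ' + base64(user:pass). Base64 is encoding, not encryption, hence HTTPS only."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def verify_basic(authorization):
    """Return the username if the Authorization header carries valid Basic credentials, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id is everything before the first colon; the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    presented = hashlib.sha256(SALT + password.encode()).hexdigest()
    # Constant-time compare, against a dummy hash for unknown users, so timing does not reveal valid usernames.
    matches = hmac.compare_digest(presented, USERS.get(username, DUMMY_HASH))
    return username if matches and username in USERS else None

def handle_request(headers):
    """Serve a protected resource: answer 401 plus a WWW-Authenticate challenge until valid credentials arrive."""
    user = verify_basic(headers.get("Authorization"))
    if user is None:
        response = {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="demo", charset="UTF-8"'}, "body": ""}
    else:
        response = {"status": 200, "headers": {}, "body": f"hello {user}"}
    response["headers"].update(SECURITY_HEADERS)  # every response, the challenge included, carries the defences
    return response
```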
7. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (4)
• The common security vulnerabilities of HTTP applications and services are:
Personal Information Leakage, File and Path Names Based Attack, DNS Spoofing,
Location Headers and Spoofing, Authentication Credentials, Proxies and
Caching (man-in-the-middle attacks).
• To reduce the security risks associated with HTTP applications and services:
    • All confidential information should be stored on the server in encrypted form.
    • The documents returned by HTTP requests should be restricted to only those
    intended by the server administrators.
    • Clients need to be cautious in assuming the continuing validity of an IP address/DNS
    name association, and should use password protection in screen savers.
    • Proxy operators should protect the systems on which proxies run, as they would protect
    any system that contains or transports sensitive information.
8. BASIC SECURITY FOR SOAP SERVICES (1)
• SOAP (Simple Object Access Protocol) is a message protocol that enables
the distributed elements of an application to communicate. SOAP can be
carried over a variety of standard protocols, including the web-related
Hypertext Transfer Protocol (HTTP).
• SOAP was developed as an intermediate language for applications that
have different programming languages, enabling these applications to
communicate with each other over the internet.
• SOAP is flexible and independent, which enables developers to write SOAP
application programming interfaces (APIs) in different languages while also
adding features and functionality.
9. BASIC SECURITY FOR SOAP SERVICES (2)
• SOAP is a lightweight protocol used to create web APIs, usually with
Extensible Markup Language (XML). It supports a wide range of
communication protocols across the internet, including HTTP, Simple Mail Transfer
Protocol (SMTP) and Transmission Control Protocol (TCP).
• In the context of APIs, the word Application refers to any software with a
distinct function. Interface can be thought of as a contract of service
between two applications. This contract defines how the two communicate
with each other using requests and responses.
• SOAP uses the XML Information Set as a message format and relies on
application layer protocols, like HTTP, for message transmission and
negotiation.
10. BASIC SECURITY FOR SOAP SERVICES (3)
• Security is crucial in SOAP-based applications to protect sensitive data,
ensure message integrity, authenticate and authorize users, and prevent
unauthorized access.
• Common security threats in SOAP-based applications include code
injections, breached or leaked access/authorization, denial-of-service (DoS)
attacks, cross-site scripting (XSS), and session hijacking.
• SOAP security involves implementing measures such as access control,
limiting privileges, length and volume restrictions for messages, and
adherence to WS-Security (Web Standard Security) protocols.
11. BASIC SECURITY FOR SOAP SERVICES (4)
• WS-Security is a set of principles/guidelines for standardizing SOAP messages
using authentication and confidentiality processes. WSS-compliant security
methods include digital signatures, XML encryption, and X.509 certificates.
XML encryption prevents unauthorized users from reading data when
accessing it.
• In cryptography, the X.509 certificate securely associates cryptographic key
pairs of public and private keys with websites, individuals or organizations.
• SOAP uses the XML format, which must be parsed to be read. It defines many
standards that must be followed when developing SOAP applications, so
it is slower and consumes more bandwidth and resources. SOAP web services
can be written in any programming language and executed on any platform.
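The message-level controls from slides 10 and 11 (length restrictions, access control and a WS-Security header that must be present and parsed before the service logic runs), as an added example that is not part of the original slides. The envelope, namespace prefix, user and 64 KiB limit are constructed assumptions; the wsse namespace URI is the OASIS WS-Security one.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
MAX_MESSAGE_BYTES = 64 * 1024  # length restriction; the exact limit is an assumption for the demo

# Constructed sample request (hypothetical service, user and namespace).
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetBalance xmlns="urn:demo:bank"><account>42</account></GetBalance></soap:Body>
</soap:Envelope>"""


def inspect_envelope(raw):
    """Gatekeeper run before the service logic: returns (accepted, reason_or_info).
    Rejects oversized or malformed messages and any message without a WS-Security header,
    and reports the username and operation so an access-control check can use them."""
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit"
    try:
        # For production, parse with a hardened parser (e.g. defusedxml) to stop entity-expansion attacks.
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    security = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        return False, "missing WS-Security header"
    username = security.findtext(f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    if not username:
        return False, "UsernameToken without a Username"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return False, "empty Body"
    # A real deployment would also verify the XML Signature and decrypt any EncryptedData here.
    return True, {"user": username, "operation": body[0].tag}
```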
12. IDENTITY MANAGEMENT AND WEB SERVICES (1)
• Identity management systems enable administrators to automate many user
account–related tasks, including onboarding new employees and adding
new devices to the network, granting them access to the appropriate
systems and applications based on their role.
• The main goal of identity management (also referred to as ID management
or IDM) is to ensure that only authenticated users, whether individuals or
devices, are granted access to the specific applications, components and
systems for which they are authorised.
• A key function of identity management is to assign a digital identity to each
network entity. Once that digital identity has been established, an identity
management system enables those identities to be maintained, modified
and monitored throughout each user's or device's access life cycle.
13. IDENTITY MANAGEMENT AND WEB SERVICES (2)
• ID management determines whether a user has access to systems and sets
the level of access and permissions a user has on a particular system. For
instance, a user may be authorized to access a system but be restricted from
some of its components.
• Identity and Access Management (IAM) solutions are designed to provide
centralized visibility and control, allowing an organisation to actively measure and
monitor the risks inherent in a system that must match up users and
resources.
• IDM forms the basis for most types of access control and for establishing
accountability online. Thus, it contributes to the protection of privacy by
reducing the risks of unauthorized access to personal information, data
breaches, and identity theft.
14. AUTHORIZATION PATTERNS (1)
• The Authorization pattern takes the form of a set of relationships between resources
and the privileges that they possess in regard to a given process.
• The simplest authorization pattern models a set of roles as properties of the user.
These roles can be configured in the identity provider (IDP) and are often embedded
as scopes in the access token generated by the IDP.
• Adding an explicit authorization system lets the application check in real time
whether the user still has a role or permission. The authorization pattern is typically
based on roles or groups to organise users.
• Each API can have a different authorization policy that contains the logic used to
authorize the operation. An example policy could be “Allow the operation if the user
has the ‘admin’ or ‘editor’ roles, or the ‘create’ permission.”
15. AUTHORIZATION PATTERNS (2)
• The role-to-permission mapping can be done in the authorization system. As
a result, the IDP only has to know about user-to-role mappings, not about
permissions. This helps decouple the application from the IDP.
• These roles are typically assigned by making a user a member of a group.
The group membership means that the user has been granted a role. Groups
can be organized into hierarchies. For example, the “auditor” group can
include “internal-auditors” and “external-auditors.” These two groups can in
turn include specific users.
• This is essentially the model that LDAP (Lightweight Directory Access
Protocol) and Active Directory are built around. As a consequence, most
authorization systems support groups as a core part of their model.
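The pattern from slides 14 and 15 worked through as an added example (not code from the original slides): group membership grants a role, the role-to-permission mapping lives in the authorization system rather than the IDP, groups nest (the "auditor" group containing "internal-auditors" and "external-auditors"), and each API has its own policy, including the slide's "admin or editor role, or create permission" rule, evaluated at request time. The users, groups, permissions and operation names are constructed assumptions.

```python
# Constructed directory data (hypothetical): group -> members, where a member is a user or a nested group.
GROUPS = {
    "auditor": {"internal-auditors", "external-auditors"},
    "internal-auditors": {"carol"},
    "external-auditors": {"dave"},
    "editors": {"alice"},
    "admins": {"bob"},
}
# Group membership grants a role; this user-to-role view is all the IDP needs to know.
GROUP_ROLES = {"auditor": "auditor", "editors": "editor", "admins": "admin"}
# Role -> permissions is kept in the authorization system, so permissions change without touching the IDP.
ROLE_PERMISSIONS = {
    "admin": {"create", "read", "update", "delete"},
    "editor": {"create", "read", "update"},
    "auditor": {"read"},
}


def effective_groups(user):
    """All groups a user belongs to, following nested groups upward (cycle-safe)."""
    found, frontier = set(), {user}
    while frontier:
        member = frontier.pop()
        for group, members in GROUPS.items():
            if member in members and group not in found:
                found.add(group)
                frontier.add(group)
    return found


def roles_for(user):
    return {GROUP_ROLES[g] for g in effective_groups(user) if g in GROUP_ROLES}


def permissions_for(user):
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles_for(user)))


# One policy per API operation, evaluated per request so a revoked role or permission takes effect immediately.
POLICIES = {
    "POST /articles": lambda roles, perms: bool(roles & {"admin", "editor"}) or "create" in perms,
    "GET /articles": lambda roles, perms: "read" in perms,
    "DELETE /articles": lambda roles, perms: "delete" in perms,
}


def authorize(user, operation):
    policy = POLICIES.get(operation)
    if policy is None:
        return False  # deny by default for operations with no policy
    return policy(roles_for(user), permissions_for(user))
```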
16. SECURITY CONSIDERATIONS AND CHALLENGES (1)
• Security challenges are additional security measures used to verify a user's
identity. Two important security considerations and challenges are:
• Login challenge—If we suspect that an unauthorized user is trying to sign in
to a Google Workspace account, we present them with a login challenge. If
the user can't enter the requested information, we won't let them sign in to
the account.
• Verify-it's-you challenge—If a user is attempting actions that are considered
sensitive, we present them with a verify-it's-you challenge. If the user can't
enter the requested information, we disallow the sensitive action (they can
keep using their account as normal).
17. SECURITY CONSIDERATIONS AND CHALLENGES (2)
• How can security challenges be overcome in the digital era?
1. Adopt a security mindset. (always be aware of the potential risks and measures)
2. Implement a security framework. (a set of policies, tools, and controls)
3. Conduct a security assessment. (a process of evaluating your current security)
4. Develop a security plan. (a security plan outlines your security strategy)
5. Build a security culture. (security culture is a set of beliefs, attitudes, behaviors)
6. Learn from others. (share information, knowledge, and experiences on security)