SECURING WEB APPLICATION, SERVICES AND SERVERS
By Dr. S. Jagadeesh Kumar
NIMS University, Jaipur
INTRODUCTION (1)
• Advances in web technologies, coupled with a changing business environment, mean that web applications are becoming more prevalent in corporate, public and Government services today.
• Although web applications provide convenience and efficiency, they also bring a number of new security threats, which can pose significant risks to an organisation's information technology infrastructure if not handled properly.
• To address these threats, new security measures, both technical and administrative, need to be implemented alongside the development of web applications, not bolted on afterwards.
INTRODUCTION (2)
• Many of the features that make web applications, services and servers attractive, such as greater accessibility of data, dynamic application-to-application connections and relative autonomy (i.e. operation without human intervention), are at odds with traditional security models and controls.
• Web applications are programs that accept form submissions, generate pages dynamically, communicate with a database to perform CRUD (Create, Read, Update and Delete) operations, and more.
• Some general security tips for web applications are: serving the site over HTTPS with a TLS certificate (still commonly called an SSL certificate), enforcing strong passwords, keeping backups, and updating the site and its components to the latest releases. A TLS/SSL certificate is a file installed on the site's origin server that binds the site's domain name to its public key and is signed by a certificate authority; browsers verify it when establishing an HTTPS connection to the page.
BASIC SECURITY FOR
HTTP APPLICATIONS AND SERVICES (1)
• The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide Web, and is used to load webpages through hypertext links.
• HTTP is an application layer protocol designed to transfer information between networked devices; it runs on top of the lower layers of the network protocol stack, normally a reliable transport such as TCP (or QUIC for HTTP/3). HTTP encodes and transports information between a client and a web server and is the primary protocol of the Web. Plain HTTP carries requests and responses as cleartext, which is why the security mechanisms below matter.
• HTTP is a protocol for fetching resources such as HTML documents. It is the foundation of any data exchange on the Web and it is a client-server protocol: requests are initiated by the client, usually the web browser, and answered by the server.
BASIC SECURITY FOR
HTTP APPLICATIONS AND SERVICES (2)
• HTTPS is HTTP carried over an encrypted channel. The encryption protocol is Transport Layer Security (TLS); its predecessor was Secure Sockets Layer (SSL), whose versions are now deprecated and should be disabled, although the name "SSL" survives in everyday use. TLS relies on public key cryptography and an asymmetric public key infrastructure (PKI) of certificates to authenticate the server and agree session keys, then encrypts the traffic with symmetric keys.
• HTTPS uses TLS to authenticate the web server to the browser (the browser itself is authenticated only when mutual TLS with client certificates is configured) and gives the data transmitted between them confidentiality and integrity. In contrast, HTTP uses no encryption, leaving data open to interception and modification in transit.
• SQL injection is one of the most prevalent types of web application security vulnerability: untrusted input is concatenated into a SQL query and changes the query's meaning. Cross-site scripting (XSS) targets the users of an application by injecting malicious code, usually a client-side script such as JavaScript, into the application's output so that it executes in other users' browsers.
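The two vulnerabilities named above, side by side with their fixes, as an added example that is not part of the original slides. A login lookup is written once with string formatting (injectable) and once with bound parameters, and a greeting is rendered once verbatim (reflected XSS) and once HTML-escaped. The in-memory SQLite table and the two user records are constructed for illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only so the injection effect is visible; a real
    # application stores salted password hashes, never the password itself.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "editor")])
    return conn


def login_vulnerable(conn, name: str, password: str):
    """Builds the SQL with string formatting: user input becomes SQL syntax."""
    query = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()


def login_safe(conn, name: str, password: str):
    """Bound parameters: the driver passes input as data, never as SQL."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the name verbatim into HTML: a <script> in it will execute."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Escapes <, >, &, and quotes so the browser renders the input as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "anything"))   # password check commented out
    print(login_safe(db, "alice' --", "anything"))         # None: no such user
    print(render_greeting_safe("<script>alert(1)</script>"))
```

With `alice' --` as the user name, the vulnerable query becomes `... WHERE name = 'alice' --' AND password = 'anything'`; everything after `--` is a comment, so the password is never checked. The parameterised version sends the same string as a value and finds no user. Escaping on output is the XSS counterpart: validate on input where you can, but always encode for the context (HTML body, attribute, JavaScript, URL) at the point of output.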
BASIC SECURITY FOR
HTTP APPLICATIONS AND SERVICES (3)
• Security headers are HTTP response headers (for example Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and Strict-Transport-Security) that a web application uses to configure security defences in the browser. Based on these directives, browsers make it harder to exploit client-side vulnerabilities such as Cross-Site Scripting or Clickjacking.
• To use HTTPS with your domain name, you need an SSL/TLS certificate installed on your web server. Your web hosting provider may provision HTTPS for you, or you can request a certificate from a Certificate Authority and install it yourself.
• Basic authentication is a built-in HTTP authentication method. When a client sends an HTTP request to a server that requires Basic authentication, the server responds with a 401 Unauthorized response and a WWW-Authenticate header whose value starts with Basic (usually with a realm); the client then repeats the request with an Authorization: Basic header carrying base64(username:password). Base64 is an encoding, not encryption, so Basic authentication must only be used over HTTPS.
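The Basic authentication exchange and the security headers from this slide, as an added example that is not part of the original slides: a minimal server-side handler that answers 401 with WWW-Authenticate when credentials are missing or wrong, verifies passwords against salted PBKDF2 hashes in constant time, and attaches the browser security headers to every response. The user name, realm, header values and the small credential store are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor, in line with current OWASP guidance

# Sent with every response, 401 or 200; values are example policy, not the slides'.
SECURITY_HEADERS = {
    # Scripts, styles, images only from our own origin; page may not be framed.
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    # Clickjacking defence for browsers that predate frame-ancestors.
    "X-Frame-Options": "DENY",
    # Stop browsers sniffing a response into a script or stylesheet.
    "X-Content-Type-Options": "nosniff",
    # Browser must use HTTPS for this host (and subdomains) for one year.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed credential store: user -> (salt, digest). Never store the password.
USERS = {"alice": hash_password("correct horse battery staple")}


def basic_header(user: str, password: str) -> str:
    """Client side: the Authorization value a browser sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: (user, password) from 'Basic base64(user:password)', else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    return (user, password) if sep else None


def verify(user: str, password: str) -> bool:
    record = USERS.get(user)
    # Always run PBKDF2 so an unknown user costs the same time as a wrong password.
    salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected) and record is not None


def handle(request_headers: dict) -> Tuple[int, dict, str]:
    """Return (status, response headers, body) for a request to a protected page."""
    creds = parse_basic(request_headers.get("Authorization"))
    response_headers = dict(SECURITY_HEADERS)
    if creds is None or not verify(*creds):
        response_headers["WWW-Authenticate"] = 'Basic realm="admin", charset="UTF-8"'
        return 401, response_headers, "Unauthorized"
    return 200, response_headers, f"Hello {creds[0]}"


if __name__ == "__main__":
    print(handle({}))
    print(handle({"Authorization": basic_header("alice", "correct horse battery staple")}))
```

Because the browser resends the same base64 credentials on every request, Basic authentication offers no protection against replay or interception on its own; the Strict-Transport-Security header and an HTTPS-only deployment are what keep the credentials off the wire in the clear.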
BASIC SECURITY FOR
HTTP APPLICATIONS AND SERVICES (4)
• The common security vulnerabilities of HTTP applications and services, as catalogued in the security considerations of the HTTP/1.1 specification, are: personal information leakage (for example through Referer, User-Agent and Server headers), attacks based on file and path names (path traversal outside the document root), DNS spoofing, Location headers and spoofing, authentication credentials retained by idle clients, and proxies and caching (man-in-the-middle attacks).
• To reduce the security risks associated with HTTP applications and services:
 All confidential information should be stored on the server in encrypted form, and personal data should not be leaked through headers or logs.
 Origin servers should restrict the documents returned by HTTP requests to only those intended by the server administrators, e.g. by rejecting paths containing ".." that would escape the document root.
 Clients should be cautious in assuming the continuing validity of an IP address/DNS name association (respect DNS TTLs rather than caching results indefinitely), and cached credentials on idle clients should be protected, e.g. with password-protected screen savers and session time-outs.
 Proxy operators should protect the systems on which proxies run as they would protect any system that contains or transports sensitive information.
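The "file and path names based attack" and the matching mitigation (return only the documents the administrators intended) in code, as an added example that is not part of the original slides. The server percent-decodes the request path, resolves it against the document root, and refuses anything that does not stay inside the root after `..`, `.` and symbolic links are resolved. The temporary document root and its files are constructed for the example.

```python
import os
import tempfile
from typing import Tuple
from urllib.parse import unquote


class Forbidden(Exception):
    """Raised when a request path would leave the document root."""


def resolve_document(root: str, request_path: str) -> str:
    """Map a URL path to a filesystem path guaranteed to lie inside root."""
    # Decode first: "%2e%2e/" is ".." by the time it reaches the filesystem.
    decoded = unquote(request_path)
    if "\x00" in decoded:                      # NUL truncates paths in C runtimes
        raise Forbidden(request_path)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # realpath resolves "..", "." and symlinks; the result must be root itself
    # or a descendant of it. String prefix checks are not enough ("/srv/www2").
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise Forbidden(request_path)
    return candidate


def serve(root: str, request_path: str) -> Tuple[int, bytes]:
    """Return (status, body) the way a static file handler would."""
    try:
        path = resolve_document(root, request_path)
    except Forbidden:
        return 403, b"Forbidden"
    if not os.path.isfile(path):
        return 404, b"Not Found"
    with open(path, "rb") as f:
        return 200, f.read()


def demo_root() -> str:
    """Constructed layout: htdocs/index.html is public, ../secret.txt is not."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db password")
    try:  # a symlink inside the root that points outside must not be followed out
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link"))
    except OSError:
        pass  # platforms without symlink privileges simply skip this case
    return root


if __name__ == "__main__":
    root = demo_root()
    for p in ("/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/link"):
        print(p, serve(root, p)[0])
```

Decoding before the check matters: a server that tests the raw URL for `..` and then decodes is bypassed by `%2e%2e`. The symlink case shows why the check runs on the resolved path rather than on the string the client sent.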
BASIC SECURITY FOR SOAP SERVICES (1)
• SOAP (Simple Object Access Protocol) is a message protocol that enables the distributed elements of an application to communicate. SOAP can be carried over a variety of standard protocols, including the web-related Hypertext Transfer Protocol (HTTP).
• SOAP was developed as a platform-neutral message format for applications written in different programming languages, enabling these applications to communicate with each other over the internet.
• SOAP is flexible and language- and platform-independent, which enables developers to write SOAP application programming interfaces (APIs) in different languages while also adding features and functionality.
BASIC SECURITY FOR SOAP SERVICES (2)
• SOAP is a lightweight protocol used to create web APIs, using Extensible Markup Language (XML) as its message format. It can be bound to several transports, including HTTP, Simple Mail Transfer Protocol (SMTP) and raw Transmission Control Protocol (TCP) connections.
• In the context of APIs, the word Application refers to any software with a distinct function. Interface can be thought of as a contract of service between two applications. This contract defines how the two communicate with each other using requests and responses.
• SOAP uses the XML Information Set as its message format and relies on application layer protocols, most often HTTP, for message transmission and negotiation.
BASIC SECURITY FOR SOAP SERVICES (3)
• Security is crucial in SOAP-based applications to protect sensitive data, ensure message integrity, authenticate and authorize users, and prevent unauthorized access.
• Common security threats in SOAP-based applications include injection attacks (including attacks through the XML parser itself, such as external entity injection), breached or leaked access credentials and authorization, denial-of-service (DoS) attacks, including oversized or deeply nested messages, cross-site scripting (XSS) where SOAP responses feed web pages, and session hijacking.
• SOAP security involves implementing measures such as access control, limiting privileges, length and volume restrictions for messages, and adherence to the WS-Security (Web Services Security) standard.
BASIC SECURITY FOR SOAP SERVICES (4)
• WS-Security is an OASIS standard that extends SOAP with message-level authentication, integrity and confidentiality. WSS-compliant mechanisms include XML digital signatures, XML encryption, and security tokens such as username tokens and X.509 certificates. XML encryption prevents unauthorized parties from reading the protected parts of a message, even when it passes through intermediaries at which a TLS connection would have to terminate.
• In cryptography, an X.509 certificate binds a public key (whose matching private key the subject keeps secret) to the identity of a website, individual or organization, with a certificate authority's signature vouching for the binding.
• SOAP uses an XML format that must be parsed to be read, and it defines many standards that must be followed while developing SOAP applications. It is therefore slower and consumes more bandwidth and resources than lighter formats, and the XML parser must be hardened against XML-specific attacks (external entities, entity expansion). SOAP web services can be written in any programming language and executed on any platform.
IDENTITY MANAGEMENT AND
WEB SERVICES (1)
• Identity management systems enable administrators to automate many user
account–related tasks, including onboarding new employees and adding
new devices to the network, granting them access to the appropriate
systems and applications based on their role.
• The main goal of identity management (also referred to as ID management
or IDM) is to ensure that only authenticated users, whether individuals or
devices, are granted access to the specific applications, components and
systems for which they are authorised.
• A key function of identity management is to assign a digital identity to each
network entity. Once that digital identity has been established, an identity
management system enables those identities to be maintained, modified
and monitored throughout each user's or device's access life cycle.
IDENTITY MANAGEMENT AND
WEB SERVICES (2)
• ID management determines whether a user has access to systems and sets the level of access and permissions a user has on a particular system. For instance, a user may be authorized to access a system but be restricted from some of its components.
• Identity and Access Management (IAM) solutions are designed to provide centralized visibility and control, allowing an organisation to actively measure and monitor the risks inherent in a system that must match up users and resources.
• IDM forms the basis for most types of access control and for establishing accountability online. Thus, it contributes to the protection of privacy by reducing the risks of unauthorized access to personal information, data breaches, and identity theft.
AUTHORIZATION PATTERNS (1)
• An authorization pattern takes the form of a set of relationships between subjects (users or services), resources, and the privileges a subject holds over a resource for a given operation.
• The simplest authorization pattern models a set of roles as properties of the user. These roles can be configured in the identity provider (IdP) and are often embedded as claims or scopes in the access token issued by the IdP.
• Because a token only reflects the roles held at the time it was issued, adding an explicit authorization system lets the application check in real time whether the user still has a role or permission. The authorization pattern should be based on roles or groups to organise users.
• Each API can have a different authorization policy that contains the logic used to authorize the operation. An example policy could be "Allow the operation if the user has the 'admin' or 'editor' role, or the 'create' permission."
AUTHORIZATION PATTERNS (2)
• The role-to-permission mapping can be done in the authorization system. As
a result, the IDP only has to know about user-to-role mappings, not about
permissions. This helps decouple the application from the IDP.
• These roles are typically assigned by making a user a member of a group.
The group membership means that the user has been granted a role. Groups
can be organized into hierarchies. For example, the “auditor” group can
include “internal-auditors” and “external-auditors.” These two groups can in
turn include specific users.
• This is essentially the model that LDAP (Lightweight Directory Access
Protocol) and Active Directory are built around. As a consequence, most
authorization systems support groups as a core part of their model.
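The pattern from slides 14 and 15 in code, as an added example that is not part of the original slides: users belong to groups, groups nest (an "auditor" group containing "internal-auditors" and "external-auditors"), group membership grants roles, the authorization system rather than the IdP maps roles to permissions, and every API operation has its own policy, including the one quoted on slide 14. Roles are evaluated at request time, so a revoked membership takes effect immediately instead of when a token expires. The group, role, permission and operation names are constructed.

```python
from typing import Callable, Dict, Set

# Directory-style data: group -> direct members, which may be users or groups.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "auditor": {"internal-auditors", "external-auditors"},
    "internal-auditors": {"carol"},
    "external-auditors": {"dave"},
    "editors": {"bob"},
    "admins": {"alice"},
}
# The IdP only knows group -> role; it holds no permissions.
GROUP_ROLES: Dict[str, Set[str]] = {
    "auditor": {"auditor"}, "editors": {"editor"}, "admins": {"admin"},
}
# Role -> permission lives in the authorization system, decoupled from the IdP.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"create", "read", "update", "delete"},
    "editor": {"create", "read", "update"},
    "auditor": {"read"},
}


def groups_of(user: str) -> Set[str]:
    """Transitive group membership (user -> group -> parent group), cycle-safe."""
    result, stack = set(), [user]
    while stack:
        node = stack.pop()
        for group, members in GROUP_MEMBERS.items():
            if node in members and group not in result:
                result.add(group)
                stack.append(group)
    return result


def roles_of(user: str) -> Set[str]:
    return set().union(*(GROUP_ROLES.get(g, set()) for g in groups_of(user)))


def permissions_of(user: str) -> Set[str]:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles_of(user)))


class Principal:
    """What a policy sees: roles and permissions resolved now, not from an old token."""

    def __init__(self, user: str):
        self.user = user
        self.roles = roles_of(user)
        self.permissions = permissions_of(user)

    def has_role(self, *names: str) -> bool:
        return any(n in self.roles for n in names)

    def has_permission(self, *names: str) -> bool:
        return any(n in self.permissions for n in names)


Policy = Callable[[Principal], bool]
POLICIES: Dict[str, Policy] = {
    # The policy quoted on the slide: admin or editor role, or the create permission.
    "POST /articles": lambda p: p.has_role("admin", "editor") or p.has_permission("create"),
    "GET /articles": lambda p: p.has_permission("read"),
    "DELETE /articles": lambda p: p.has_role("admin"),
}


def authorize(user: str, operation: str) -> bool:
    """Default deny: an operation without a policy is never allowed."""
    policy = POLICIES.get(operation)
    return False if policy is None else policy(Principal(user))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, sorted(roles_of(user)),
              [op for op in POLICIES if authorize(user, op)])
```

Keeping the role-to-permission table out of the IdP means a new permission can be introduced or an old one withdrawn without touching the directory, and the default-deny in `authorize` means a newly added endpoint is closed until someone writes its policy.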
SECURITY CONSIDERATIONS AND
CHALLENGES (1)
• Security challenges are additional verification steps used to confirm a user's identity when an action looks risky. Two important kinds, as implemented for example in Google Workspace, are:
• Login challenge: if a sign-in attempt looks like it may come from an unauthorized user (for instance from an unfamiliar device or location), the user is presented with a login challenge. If the user cannot supply the requested information, sign-in to the account is refused.
• Verify-it's-you challenge: if a signed-in user attempts an action that is considered sensitive, the user is challenged again (step-up authentication). If the user cannot supply the requested information, only the sensitive action is blocked; the rest of the session continues as normal.
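The two challenges above as a session policy, as an added example that is not part of the original slides and not Google's implementation: a sign-in from an unknown device or country must pass a login challenge before a session exists, and a sensitive action demands a fresh proof of identity unless the user proved it recently, with a failed challenge blocking only that action. The risk signals, the freshness window, the sensitive-action list, the fixed clock and the single user record are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SENSITIVE_ACTIONS = {"change_password", "add_recovery_email", "export_data"}
STEP_UP_WINDOW = 5 * 60      # seconds a proof of identity stays fresh (assumed)
NOW = 1704110400.0           # constructed clock for deterministic runs

# Constructed per-user state an identity provider would keep. The password is
# kept in the clear only to keep the example short; store a salted hash in practice.
PASSWORDS: Dict[str, str] = {"alice": "correct horse battery staple"}
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"laptop-1"}}
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"IN"}}


@dataclass
class Session:
    user: str
    device: str
    verified_at: float   # last time the user proved identity (sign-in or step-up)


def login_risk(user: str, device: str, country: str) -> Set[str]:
    """Signals suggesting the sign-in may not come from the account owner."""
    signals = set()
    if device not in KNOWN_DEVICES.get(user, set()):
        signals.add("new device")
    if country not in KNOWN_COUNTRIES.get(user, set()):
        signals.add("new country")
    return signals


def sign_in(user: str, password: str, device: str, country: str, now: float,
            challenge_ok: Optional[bool] = None) -> Tuple[str, object]:
    """Password first; a risky sign-in must additionally pass the login challenge."""
    stored = PASSWORDS.get(user, "")
    if user not in PASSWORDS or not hmac.compare_digest(stored.encode(), password.encode()):
        return "denied", "bad password"
    risk = login_risk(user, device, country)
    if risk:
        if challenge_ok is None:
            return "challenge", "login challenge: " + ", ".join(sorted(risk))
        if not challenge_ok:
            return "denied", "login challenge failed"
        KNOWN_DEVICES.setdefault(user, set()).add(device)     # remember once proven
        KNOWN_COUNTRIES.setdefault(user, set()).add(country)
    return "ok", Session(user, device, verified_at=now)


def perform(session: Session, action: str, now: float,
            challenge_ok: Optional[bool] = None) -> Tuple[str, str]:
    """Sensitive actions need a recent proof of identity; others just proceed."""
    if action not in SENSITIVE_ACTIONS or now - session.verified_at <= STEP_UP_WINDOW:
        return "ok", action
    if challenge_ok is None:
        return "challenge", "verify-it's-you challenge"
    if not challenge_ok:
        return "denied", action      # only this action is blocked; the session lives on
    session.verified_at = now        # a passed challenge refreshes the window
    return "ok", action


if __name__ == "__main__":
    status, session = sign_in("alice", "correct horse battery staple", "laptop-1", "IN", NOW)
    print(status, perform(session, "change_password", NOW + 3600))
    print(sign_in("alice", "correct horse battery staple", "phone-9", "FR", NOW))
```

The two decisions are deliberately separate: `sign_in` gates the creation of a session on risk signals, while `perform` gates individual actions on how recently identity was proven, so an attacker who hijacks a long-lived session still cannot change the password without answering the challenge.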
SECURITY CONSIDERATIONS AND
CHALLENGES (2)
• How to overcome security challenges in the digital era?
1. Adopt a security mindset. (always be aware of the potential risks and measures)
2. Implement a security framework. (a set of policies, tools, and controls)
3. Conduct a security assessment. (a process of evaluating your current security)
4. Develop a security plan. (a security plan outlines your security strategy)
5. Build a security culture. (security culture is a set of beliefs, attitudes, behaviors)
6. Learn from others. (share information, knowledge, and experiences on security)
17
NIMS University, Jaipur

More Related Content

Similar to Securing Web Application, Services and Servers

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Bluedog white paper - Our WebObjects Web Security Model
Bluedog white paper - Our WebObjects Web Security ModelBluedog white paper - Our WebObjects Web Security Model
Bluedog white paper - Our WebObjects Web Security Modeltom termini
 
International Journal on Web Service Computing (IJWSC)
International Journal on Web Service Computing (IJWSC)International Journal on Web Service Computing (IJWSC)
International Journal on Web Service Computing (IJWSC)ijwscjournal
 
A Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access ControlA Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access Controlijwscjournal
 
A Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access ControlA Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access Controlijwscjournal
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentityFredBrandonAuthorMCP
 
HTTPI BASED WEB SERVICE SECURITY OVER SOAP
HTTPI BASED WEB SERVICE SECURITY OVER SOAP HTTPI BASED WEB SERVICE SECURITY OVER SOAP
HTTPI BASED WEB SERVICE SECURITY OVER SOAP IJNSA Journal
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...ijdpsjournal
 
Web Api services using IBM Datapower
Web Api services using IBM DatapowerWeb Api services using IBM Datapower
Web Api services using IBM DatapowerSigortam.net
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
A Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web ApplicationsA Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web Applicationsiosrjce
 
Firewalls and proxies are both use for security
Firewalls and proxies are both use for securityFirewalls and proxies are both use for security
Firewalls and proxies are both use for securityAyan974999
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionAustina Francis
 
Chap 5 software as a service (saass)
Chap 5 software as a service (saass)Chap 5 software as a service (saass)
Chap 5 software as a service (saass)Raj Sarode
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
IRJET - Study Paper on Various Security Mechanism of Cloud Computing
IRJET - Study Paper on Various Security Mechanism of Cloud ComputingIRJET - Study Paper on Various Security Mechanism of Cloud Computing
IRJET - Study Paper on Various Security Mechanism of Cloud ComputingIRJET Journal
 

Similar to Securing Web Application, Services and Servers (20)

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Bluedog white paper - Our WebObjects Web Security Model
Bluedog white paper - Our WebObjects Web Security ModelBluedog white paper - Our WebObjects Web Security Model
Bluedog white paper - Our WebObjects Web Security Model
 
International Journal on Web Service Computing (IJWSC)
International Journal on Web Service Computing (IJWSC)International Journal on Web Service Computing (IJWSC)
International Journal on Web Service Computing (IJWSC)
 
A Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access ControlA Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access Control
 
A Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access ControlA Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access Control
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
HTTPI BASED WEB SERVICE SECURITY OVER SOAP
HTTPI BASED WEB SERVICE SECURITY OVER SOAP HTTPI BASED WEB SERVICE SECURITY OVER SOAP
HTTPI BASED WEB SERVICE SECURITY OVER SOAP
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...
 
Web Api services using IBM Datapower
Web Api services using IBM DatapowerWeb Api services using IBM Datapower
Web Api services using IBM Datapower
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
A Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web ApplicationsA Survey on Authorization Systems for Web Applications
A Survey on Authorization Systems for Web Applications
 
A017310105
A017310105A017310105
A017310105
 
Firewalls and proxies are both use for security
Firewalls and proxies are both use for securityFirewalls and proxies are both use for security
Firewalls and proxies are both use for security
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protection
 
Chap 5 software as a service (saass)
Chap 5 software as a service (saass)Chap 5 software as a service (saass)
Chap 5 software as a service (saass)
 
Web services
Web servicesWeb services
Web services
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Web Services Security - Short Report
Web Services Security - Short ReportWeb Services Security - Short Report
Web Services Security - Short Report
 
IRJET - Study Paper on Various Security Mechanism of Cloud Computing
IRJET - Study Paper on Various Security Mechanism of Cloud ComputingIRJET - Study Paper on Various Security Mechanism of Cloud Computing
IRJET - Study Paper on Various Security Mechanism of Cloud Computing
 

Recently uploaded

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 

Recently uploaded (20)

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 

Securing Web Application, Services and Servers

  • 1. SECURING WEB APPLICATION, SERVICES AND SERVERS By Dr.S.Jagadeesh Kumar NIMS University, Jaipur
  • 2. INTRODUCTION (1) • Advances in web technologies coupled with a changing business environment, mean that web applications are becoming more prevalent in corporate, public and Government services today. • Although web applications can provide convenience and efficiency, there are also a number of new security threats, which could potentially pose significant risks to an organisation's information technology infrastructure if not handled properly. • To ensure new security measures, both technical and administrative, need to be implemented alongside the development of web applications. 2 NIMS University, Jaipur
  • 3. INTRODUCTION (2) • Many of the features that make web applications, services, and servers attractive include greater accessibility of data, dynamic application-to- application connections, and relative autonomy i.e. lack of human intervention, are at odds with traditional security models and controls. • Web Applications are the programs which can accept form submissions, generate pages dynamically, communicate with database to do CRUD (Create, Read, Update and Delete) processes and more. • Some of the security tips for web applications generally are: Getting an SSL (Secure Sockets Layer) certificate, Creating secure passwords, Keeping backups, Updating websites to latest releases. SSL certificate refers to a file hosted within the webpage's origin server, which holds the data that browsers access when you are viewing and interacting with the page. 3 NIMS University, Jaipur
  • 4. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (1) • The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide Web, and is used to load webpages using hypertext links. • HTTP is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack. HTTP encodes and transports information between a client and a web server. HTTP is the primary protocol for transmission of information across the Internet. • HTTP is a protocol for fetching resources such as HTML documents. It is the foundation of any data exchange on the Web and it is a client-server protocol, which means requests are initiated by the recipient, usually the Web browser. 4 NIMS University, Jaipur
  • 5. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (2) • HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). This protocol secures communications by using what's known as an asymmetric public key infrastructure. • HTTPS uses SSL/TLS protocols to authenticate both the web browser and the web server, ensuring that data transmitted between them is encrypted and secure. In contrast, HTTP doesn't use any encryption protocol, leaving data vulnerable to interception and unauthorized access. • SQL injections are one of the most prevailing types of web application security vulnerability. Cross-site scripting involves targeting a user's application and injecting malicious code, usually a client-side script such as JavaScript, into the application's output. 5 NIMS University, Jaipur
6. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (3)
• Security headers are directives used by web applications to configure security defenses in web browsers. Based on these directives, browsers can make it harder to exploit client-side vulnerabilities such as Cross-Site Scripting or Clickjacking.
• To use HTTPS with your domain name, you need an SSL or TLS certificate installed on your website. Your web host (Web Hosting Provider) may offer HTTPS security or you can request an SSL/TLS certificate from Certificate Authorities and install it yourself.
• Basic authentication is a built-in HTTP authentication method. When a client sends an HTTP request to a server that requires Basic authentication, the server will respond with a 401 HTTP response and a WWW-Authenticate header containing the value Basic.
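As an added example (not code from the slides), the block below puts the two mechanisms on this slide into working form: a baseline set of security response headers with an audit helper that reports which ones a response lacks, and the Basic authentication exchange, where the server answers a missing or wrong Authorization header with 401 and a WWW-Authenticate: Basic challenge. The header values, realm name and credential store are assumptions made for the example.

```python
import base64
import hmac

# Baseline response headers; the values are assumed policy choices for this
# example and must be tuned to the site (the CSP in particular).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


def missing_security_headers(response_headers):
    """Audit helper: baseline header names absent from a response (case-insensitive)."""
    present = {name.lower() for name in response_headers}
    return sorted(h for h in SECURITY_HEADERS if h.lower() not in present)


def add_security_headers(response_headers):
    """Return a copy of the headers with every baseline header filled in if absent."""
    out = dict(response_headers)
    for name, value in SECURITY_HEADERS.items():
        out.setdefault(name, value)
    return out


def encode_basic(user, password):
    """Client side: build the Authorization value for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_credentials(authorization_header):
    """Return (user, password) from 'Basic <base64>', or None if malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_basic_auth(authorization_header, credentials):
    """credentials: constructed dict user -> password; compared in constant time."""
    parsed = parse_basic_credentials(authorization_header)
    if parsed is None:
        return False
    user, password = parsed
    expected = credentials.get(user, "")
    match = hmac.compare_digest(password.encode(), expected.encode())
    return match and user in credentials


def respond(authorization_header, credentials, realm="example"):
    """Server side: 401 plus WWW-Authenticate challenge, or 200 with hardened headers."""
    if not check_basic_auth(authorization_header, credentials):
        challenge = {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}
        return 401, add_security_headers(challenge), "Unauthorized"
    return 200, add_security_headers({"Content-Type": "text/plain"}), "OK"
```

Basic authentication only base64-encodes the credentials; it does not encrypt them, so it is acceptable only over HTTPS, which is why the previous slide's TLS requirement and this slide's header set belong together. Real deployments compare against a salted password hash rather than a plaintext store; the dict here just keeps the exchange self-contained.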
7. BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES (4)
• The common security vulnerabilities of HTTP applications and services are: Personal Information Leakage, File and Path Names Based Attack, DNS Spoofing, Location Headers and Spoofing, Authentication Credentials, Proxies and Caching (man-in-the-middle attacks).
• To reduce security risks associated with HTTP applications and services:
  ◦ All confidential information should be stored at the server in encrypted form.
  ◦ Servers should restrict the documents returned by HTTP requests to only those that the server administrators intended to publish.
  ◦ Clients should be cautious about assuming the continuing validity of an IP address/DNS name association, and should use password protection in screen savers.
  ◦ Proxy operators should protect the systems on which proxies run, as they would protect any system that contains or transports sensitive information.
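The "File and Path Names Based Attack" item and the rule that servers return only intended documents are usually enforced by resolving every requested path and refusing anything that lands outside the document root. The block below is an added example, not code from the slides: it decodes percent-escapes, canonicalises the path with realpath (which also collapses ".." and follows symlinks) and serves the file only when the result is still under the root. The directory layout it builds in a temporary folder is constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_docroot(docroot, request_path):
    """Map a URL path to a file under docroot; None if it would escape the root."""
    root = os.path.realpath(docroot)
    # Decode %2F-style escapes first, then drop the leading '/' so os.path.join
    # does not discard docroot; realpath then normalises '..' and symlinks.
    relative = unquote(request_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def serve(docroot, request_path):
    """Return (status, body): 403 for an escape, 404 for a missing file, 200 otherwise."""
    target = resolve_under_docroot(docroot, request_path)
    if target is None:
        return 403, b""
    if not os.path.isfile(target):
        return 404, b""
    with open(target, "rb") as fh:
        return 200, fh.read()


def make_sample_tree():
    """Constructed layout: <base>/www/index.html is public, <base>/secret.txt is not."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "www"))
    with open(os.path.join(base, "www", "index.html"), "w") as fh:
        fh.write("<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("do not serve")
    return os.path.join(base, "www")


if __name__ == "__main__":
    docroot = make_sample_tree()
    for path in ("/index.html", "/../secret.txt", "/..%2Fsecret.txt", "/missing"):
        print(path, serve(docroot, path)[0])
```

Returning 403 rather than 404 for an escape attempt is a choice; many servers answer 404 for both so that the response does not reveal which case occurred, and log the attempt separately for detection.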
8. BASIC SECURITY FOR SOAP SERVICES (1)
• SOAP (Simple Object Access Protocol) is a message protocol that enables the distributed elements of an application to communicate. SOAP can be carried over a variety of standard protocols, including the web-related Hypertext Transfer Protocol (HTTP).
• SOAP was developed as an intermediate language for applications that have different programming languages, enabling these applications to communicate with each other over the internet.
• SOAP is flexible and independent, which enables developers to write SOAP application programming interfaces (APIs) in different languages while also adding features and functionality.
9. BASIC SECURITY FOR SOAP SERVICES (2)
• SOAP is a lightweight protocol used to create web APIs, usually with Extensible Markup Language (XML). It supports a wide range of communication protocols across the internet: HTTP, Simple Mail Transfer Protocol (SMTP) and Transmission Control Protocol (TCP).
• In the context of APIs, the word Application refers to any software with a distinct function. Interface can be thought of as a contract of service between two applications. This contract defines how the two communicate with each other using requests and responses.
• SOAP uses the XML Information Set as a message format and relies on application layer protocols, like HTTP, for message transmission and negotiation.
10. BASIC SECURITY FOR SOAP SERVICES (3)
• Security is crucial in SOAP-based applications to protect sensitive data, ensure message integrity, authenticate and authorize users, and prevent unauthorized access.
• Common security threats in SOAP-based applications include code injections, breached or leaked access/authorization, denial-of-service (DoS) attacks, cross-site scripting (XSS), and session hijacking.
• SOAP security involves implementing measures such as access control, limiting privileges, length and volume restrictions for messages, and adherence to WS-Security (Web Standard Security) protocols.
11. BASIC SECURITY FOR SOAP SERVICES (4)
• WS-Security is a set of principles/guidelines for standardizing SOAP messages using authentication and confidentiality processes. WSS-compliant security methods include digital signatures, XML encryption, and X.509 certificates. XML encryption prevents unauthorized users from reading data when accessing it.
• In cryptography, the X.509 certificate securely associates cryptographic key pairs of public and private keys with websites, individuals or organizations.
• SOAP uses XML format that must be parsed to be read. It defines many standards that must be followed while developing SOAP applications, so it is slow and consumes more bandwidth and resources. SOAP web services can be written in any programming language and executed on any platform.
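Slides 10 and 11 list the WS-Security controls (authentication headers, message size limits) without showing what a SOAP security header looks like on the wire. The block below is an added example, not code from the slides or from any SOAP toolkit: it builds a SOAP 1.1 envelope carrying a WS-Security UsernameToken with a PasswordDigest (Base64 of SHA-1 over nonce, creation time and password, as the OASIS UsernameToken profile defines it) and verifies it on the receiving side, enforcing a size cap, a freshness window and one-time nonces. The user names, passwords, size limit and skew window are assumptions made for the example; the standard library's xml.etree parser is used.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
MAX_MESSAGE_BYTES = 64 * 1024        # assumed volume limit for this example
MAX_SKEW = timedelta(minutes=5)      # assumed freshness window


def parse_utc(text):
    """Parse a wsu:Created value such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce_bytes + created + password))."""
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user, password, created, body_xml):
    """Client side: constructed envelope with a digest UsernameToken header."""
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    digest = password_digest(nonce_b64, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f"<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )


class SoapVerifier:
    """Server side: size limit, well-formedness, freshness, replay and credential checks."""

    def __init__(self, passwords, now=None):
        self.passwords = passwords       # constructed user -> password store
        self.seen_nonces = set()         # nonces already accepted (replay defence)
        self.now = now                   # fixed clock for deterministic tests

    def verify(self, message):
        if len(message.encode()) > MAX_MESSAGE_BYTES:
            return False, "message too large"
        try:
            root = ET.fromstring(message)
        except ET.ParseError:
            return False, "malformed XML"
        tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext("wsse:Username", default="", namespaces=NS)
        digest = tok.findtext("wsse:Password", default="", namespaces=NS)
        nonce = tok.findtext("wsse:Nonce", default="", namespaces=NS)
        created = tok.findtext("wsu:Created", default="", namespaces=NS)
        try:
            ts = parse_utc(created)
        except ValueError:
            return False, "bad Created"
        now = self.now or datetime.now(timezone.utc)
        if abs(now - ts) > MAX_SKEW:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        try:
            expected = password_digest(nonce, created, self.passwords.get(user, ""))
        except ValueError:
            return False, "bad nonce"
        if user not in self.passwords or not hmac.compare_digest(digest.encode(), expected.encode()):
            return False, "bad credentials"
        self.seen_nonces.add(nonce)
        return True, user
```

A UsernameToken authenticates the sender but does not bind the body: nothing above would notice if the Body were altered in transit. That is what the slide's other two controls are for (an XML Signature over the Body, or TLS for the whole hop). Nonce tracking here is an in-memory set; a real service bounds it by expiring entries older than the skew window.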
12. IDENTITY MANAGEMENT AND WEB SERVICES (1)
• Identity management systems enable administrators to automate many user account–related tasks, including onboarding new employees and adding new devices to the network, granting them access to the appropriate systems and applications based on their role.
• The main goal of identity management (also referred to as ID management or IDM) is to ensure that only authenticated users, whether individuals or devices, are granted access to the specific applications, components and systems for which they are authorised.
• A key function of identity management is to assign a digital identity to each network entity. Once that digital identity has been established, an identity management system enables those identities to be maintained, modified and monitored throughout each user's or device's access life cycle.
13. IDENTITY MANAGEMENT AND WEB SERVICES (2)
• ID management determines whether a user has access to systems and sets the level of access and permissions a user has on a particular system. For instance, a user may be authorized to access a system but be restricted from some of its components.
• Identity and Access Management (IAM) solutions are designed to provide organisations with centralised visibility and control, allowing them to actively measure and monitor the risks inherent in a system that must match up users and resources.
• IDM forms the basis for most types of access control and for establishing accountability online. Thus, it contributes to the protection of privacy by reducing the risks of unauthorized access to personal information, data breaches, and identity theft.
14. AUTHORIZATION PATTERNS (1)
• The Authorization pattern takes the form of a set of relationships between resources and the privileges that they possess in regard to a given process.
• The simplest authorization pattern models a set of roles as properties of the user. These roles can be configured in the identity provider (IDP) and are often embedded as scopes in the access token generated by the IDP.
• Adding an explicit authorization system lets the application check in real time whether the user still has a role or permission. The authorization pattern should use roles or groups to organise users.
• Each API can have a different authorization policy that contains the logic used to authorize the operation. An example policy could be “Allow the operation if the user has the ‘admin’ or ‘editor’ roles, or the ‘create’ permission.”
15. AUTHORIZATION PATTERNS (2)
• The role-to-permission mapping can be done in the authorization system. As a result, the IDP only has to know about user-to-role mappings, not about permissions. This helps decouple the application from the IDP.
• These roles are typically assigned by making a user a member of a group. The group membership means that the user has been granted a role. Groups can be organized into hierarchies. For example, the “auditor” group can include “internal-auditors” and “external-auditors.” These two groups can in turn include specific users.
• This is essentially the model that LDAP (Lightweight Directory Access Protocol) and Active Directory are built around. As a consequence, most authorization systems support groups as a core part of their model.
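Slides 14 and 15 describe one model in prose: nested groups in the directory, a group-to-role mapping that is all the IDP knows, a role-to-permission mapping owned by the authorization system, roles carried as token scopes, and the example policy "admin or editor role, or create permission". The block below is an added example, not code from the slides or from any IDP product, that implements that model end to end. The "auditor" hierarchy follows the slide; the other groups, users and permission sets are constructed for the example. It also shows the point made on slide 14 about real-time checks: a token issued before a membership is revoked still carries the old role, while a live lookup against the directory does not.

```python
# Group membership as a directory (LDAP/AD style) would hold it. Members may be
# users or other groups. The "auditor" nesting is the slide's example; the
# remaining groups, users and permissions are constructed for this example.
GROUPS = {
    "auditor": ["internal-auditors", "external-auditors"],
    "internal-auditors": ["carol"],
    "external-auditors": ["dave"],
    "editors": ["alice"],
    "admins": ["bob"],
}
# Group -> role: this user-to-role information is all the IDP needs to know.
GROUP_ROLES = {"admins": "admin", "editors": "editor", "auditor": "auditor"}
# Role -> permissions: lives in the authorization system, not in the IDP.
ROLE_PERMISSIONS = {
    "admin": {"create", "read", "update", "delete"},
    "editor": {"create", "read", "update"},
    "auditor": {"read"},
}


def effective_groups(user):
    """Expand nested membership: a user is in every group that transitively contains it."""
    result = set()
    changed = True
    while changed:                       # iterate until no new ancestor group appears
        changed = False
        for group, members in GROUPS.items():
            if group not in result and (user in members or any(m in result for m in members)):
                result.add(group)
                changed = True
    return result


def roles_for(user):
    return {GROUP_ROLES[g] for g in effective_groups(user) if g in GROUP_ROLES}


def permissions_for(roles):
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def issue_token(user):
    """IDP side: roles embedded as scopes; a snapshot taken at issue time."""
    scopes = sorted("role:" + r for r in roles_for(user))
    return {"sub": user, "scope": " ".join(scopes)}


def token_roles(token):
    return {s.split(":", 1)[1] for s in token["scope"].split() if s.startswith("role:")}


def create_policy(roles, permissions):
    """The slide's example policy: allow if 'admin' or 'editor' role, or 'create' permission."""
    return bool(roles & {"admin", "editor"}) or "create" in permissions


def authorize_from_token(token, policy=create_policy):
    """Decision from token scopes alone: cheap, but stale once memberships change."""
    roles = token_roles(token)
    return policy(roles, permissions_for(roles))


def authorize_live(user, policy=create_policy):
    """Decision from current directory state: reflects revocation immediately."""
    roles = roles_for(user)
    return policy(roles, permissions_for(roles))


def revoke_membership(group, user):
    """Directory-side change; tokens already issued do not learn about it."""
    GROUPS[group] = [m for m in GROUPS[group] if m != user]
```

Because permissions are resolved from roles inside the authorization system, changing what an "editor" may do touches only ROLE_PERMISSIONS; the IDP and the tokens it issues are unaffected, which is the decoupling the slide describes. The token-versus-live difference is the reason short token lifetimes or an online check matter for sensitive operations.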
16. SECURITY CONSIDERATIONS AND CHALLENGES (1)
• Security challenges are additional security measures to verify a user's identity. Two important security considerations and challenges are:
• Login challenge—If we suspect that an unauthorized user is trying to sign in to a Google Workspace account, we present them with a login challenge. If the user can't enter the requested information, we won't let them sign in to the account.
• Verify-it's-you challenge—If a user is attempting actions that are considered sensitive, we present them with a verify-it's-you challenge. If the user can't enter the requested information, we disallow the sensitive action (they can keep using their account as normal).
17. SECURITY CONSIDERATIONS AND CHALLENGES (2)
• How to overcome security challenges in the digital era?
1. Adopt a security mindset. (always be aware of the potential risks and measures)
2. Implement a security framework. (a set of policies, tools, and controls)
3. Conduct a security assessment. (a process of evaluating your current security)
4. Develop a security plan. (a security plan outlines your security strategy)
5. Build a security culture. (security culture is a set of beliefs, attitudes, behaviors)
6. Learn from others. (share information, knowledge, and experiences on security)