Web Security
Presentation Speaker: Padam Banthia
What is web security?
• Almost everything relies on computers and the Internet now:
– Communication
– Transportation
– Medicine
– Shopping
– Entertainment
• Web Security, also known as “Cyber security”, involves protecting that information by preventing, detecting, and responding to attacks.
Web Security Issues
• Malicious websites, by country:
– China - 67%
– US - 15%
– Russia - 4%
– Malaysia - 2.2%
– Korea - 2%
• Spam: unsolicited e-mail on the Internet.
• Phishing: a method of luring an unsuspecting user into giving out their username and password for a secure web resource, usually a bank or credit card account.
• DDoS: a web server can handle a few hundred connections/sec before performance begins to degrade; web servers fail almost instantly under five or six thousand connections/sec.
• Botnets: a botnet is a collection of compromised computers (called zombie computers) running programs, usually installed via worms, Trojan horses, or backdoors, under a common command and control infrastructure.
Develop: Role-based security
• Java EE security uses roles to determine categories of users that can access a particular enterprise application
– A role is an abstract group mapped to a set of security identities during deployment.
– Groups are similar to roles, but apply to all enterprise projects in the application server.
Diagram: a Web application with the resources /reportcardInfo.jsp and /maintainUsersInfo.jsp and the roles Administrator and Student.
Define security roles for Web applications
1. Define security roles in the Security details section of the Web Deployment Descriptor editor
– Roles represent categories of users that can access the Web application
Constrain access based on security role
2. Set Security Constraints details for the Web application:
a. List which Web resources apply to the security constraint in the Web resource collection
b. Define which roles are authorized to use the Web resource collection in the Authorized Roles
Gather roles in the enterprise application
3. In the Enterprise Application Deployment Descriptor editor, click the Open WebSphere Bindings link
4. Add Security Role and specify the name in the details section
Web container client authentication
• Authentication methods for a Web application client:
– Basic authentication
• Client sends user name and password in the HTTP header using base64 encoding.
– Form-based authentication
• Client sends user name and password in an HTML form
• Sent in an HTTP POST request in plain text.
– Digest authentication
• Client sends an MD5 (Message-Digest algorithm 5) hash based on the user name, password, URI resource, and other information.
– Certificate-based authentication
• Client uses a digital certificate to uniquely identify itself
– A trusted third party, known as a certificate authority (CA), issues digital certificates.
– Digital certificates include a unique serial number, identification information, and the user’s public key.
Configure client authentication method
1. In the Web Deployment Descriptor, add a Login Configuration item and specify the following details:
a. For basic authentication, enter an arbitrary realm name
b. For form authentication, specify both a Login page and an Error page
Declarative and programmatic security
• Web application security is configured using a declarative model
• Web applications can view security information programmatically
– The following three methods from HttpServletRequest provide information on the security context:
• getRemoteUser()
– Returns the user name that the client used for authentication
– Returns null if no user is authenticated
• isUserInRole(String name)
– Returns true if the remote user is granted the specified security role
– If the remote user is not granted the specified role, or if no user is authenticated, it returns false
• getUserPrincipal()
– Returns the java.security.Principal object containing the remote user name
– If no user is authenticated, it returns null
Define security role references
• Use security role references to avoid hard-coding Java EE security role names into programmatic security calls
– The reference acts as an alias to the actual security role name
– Per-servlet setting, set in the Security Role Reference list within the Servlets section in the Web Deployment Descriptor
Enterprise application security overview
• WebSphere Application Server is built upon several layers of security:
– The operating system protects WebSphere configuration files, and provides user authentication when using the local OS user registry
– The Java Virtual Machine (JVM) provides standard Java security
– Java™ 2 Security builds upon standard Java security
• Fine-grained access control
• Configurable security policy
• Security checks for all Java applications
– Java™ EE Security provides standard, container-level security
• Insulates enterprise applications from the actual security implementation
• Classifies clients into roles, each with different access levels for a given resource
WebSphere environment security layers
Diagram of the layers, from the platform up to the client:
– Platform Security: Operating System
– Java Security: Java Virtual Machine; Java 2 Security (JCE, JAAS, JSSE)
– Java EE Security
– WebSphere Security
– Transport Security: HTTP, IIOP, LDAP
– Client Security: Client application / external component
Don’t we all wish it was that easy!!!!
Penetrate: OWASP
• The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
• At OWASP you’ll find free and open application security tools, complete books, standard security controls and libraries, and cutting-edge research.
• http://www.owasp.org
7 Security (Mis)Configurations in web.xml
1. Error pages not configured
2. Authentication & Authorization Bypass
3. SSL Not Configured
4. Not Using the Secure Flag
5. Not Using the HttpOnly Flag
6. Using URL Parameters for Session Tracking
7. Not Setting a Session Timeout
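A Servlet 3.1 web.xml that closes all seven items, added here as an example and not part of the deck; the weak form of item 2 is shown in a comment beside its corrected form, and the paths, role name and timeout value are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a web.xml that corrects the seven (mis)configurations
     listed on the slide. Paths, role name and timeout are illustrative. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 1. Error pages not configured: the container's default page shows
       stack traces and the server version. Route every status code and
       every Throwable to generic pages of your own. -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/notfound.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/errors/generic.jsp</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/generic.jsp</location>
  </error-page>

  <!-- 2. Authentication & authorization bypass: an <http-method> list in a
       web-resource-collection constrains only the verbs named, so a request
       with any other verb is not checked at all. Weak form:
         <web-resource-collection>
           <url-pattern>/admin/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
       Corrected form: name no method, so the constraint covers every verb. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
    <!-- 3. SSL not configured: CONFIDENTIAL makes the container redirect
         plain-HTTP requests for these URLs to HTTPS, so basic (base64) and
         form (plain text) credentials are never sent in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <session-config>
    <!-- 7. Not setting a session timeout: containers default to a long or
         unlimited idle time; set an explicit value in minutes. -->
    <session-timeout>15</session-timeout>
    <cookie-config>
      <!-- 5. HttpOnly: script in the page cannot read JSESSIONID, so an
           XSS flaw does not hand the session id to an attacker. -->
      <http-only>true</http-only>
      <!-- 4. Secure flag: the browser sends the cookie over HTTPS only. -->
      <secure>true</secure>
    </cookie-config>
    <!-- 6. URL parameters for session tracking: the default allows URL
         rewriting (;jsessionid=...), which leaks the id into logs,
         bookmarks and Referer headers. COOKIE alone disables it. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```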
Protect
• [SWAT] Checklist
• Firewalls
• IDS and IDPs
• Audits
• Penetration Tests
• Code Reviews with Static Analysis Tools
Relax
• Web App Firewalls: Imperva, F5, Breach
– Open Source: WebKnight and ModSecurity
• Stateful Firewalls: Juniper, Check Point, Palo Alto
• IDP/IDS: Sourcefire, TippingPoint
– Open Source: Snort
• Audits: ENY, PWC, Grant Thornton
• Pen Testing: WhiteHat, Trustwave, Electric Alchemy
– Open Source: OWASP ZAP
• Static Analysis: Fortify, Veracode
Decide!!! Who you are….
Thank You
“Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.”
- Erlend Oftedal
Speaker:- Padam Banthia

More Related Content

What's hot

Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptx
ANIKETKUMARSHARMA3
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
Mahmoud Ibra
 
cyber security and threats.pptx
cyber security and threats.pptxcyber security and threats.pptx
cyber security and threats.pptx
VSAM Technologies India Private Limited
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
Dave Monahan
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
Network Security
Network SecurityNetwork Security
Network Security
MAJU
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and Spywares
Ankit Mistry
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
Sajid Hasan
 
Desktop Security
Desktop SecurityDesktop Security
Desktop Security
HardikBhandari7
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
krishh sivakrishna
 
Network attacks
Network attacksNetwork attacks
Network attacks
Manjushree Mashal
 
Module 2 Foot Printing
Module 2   Foot PrintingModule 2   Foot Printing
Module 2 Foot Printingleminhvuong
 

What's hot (20)

Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptx
 
Web application security
Web application securityWeb application security
Web application security
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissance
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
cyber security and threats.pptx
cyber security and threats.pptxcyber security and threats.pptx
cyber security and threats.pptx
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Network Security
Network SecurityNetwork Security
Network Security
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and Spywares
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
Desktop Security
Desktop SecurityDesktop Security
Desktop Security
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 
Network attacks
Network attacksNetwork attacks
Network attacks
 
Module 2 Foot Printing
Module 2   Foot PrintingModule 2   Foot Printing
Module 2 Foot Printing
 

Viewers also liked

Flood
FloodFlood
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web Security
Bill Condo
 
Web security
Web securityWeb security
Web security
rakesh bandaru
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Michael Peters
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
rajakhurram
 
Web Security
Web SecurityWeb Security
Web Security
ADIEFEH
 
Web Security
Web SecurityWeb Security
Web Security
Tripad M
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
Oles Seheda
 
Facebook Attacks
Facebook AttacksFacebook Attacks
Pollution, Disaster Management
Pollution, Disaster ManagementPollution, Disaster Management
Pollution, Disaster Management
saurabhran
 
Crisis migratoria europea
Crisis migratoria europeaCrisis migratoria europea
Crisis migratoria europea
Steve Jobs
 
phising netiqueta
phising netiquetaphising netiqueta
phising netiqueta
ticteresabravo
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
jakobkorherr
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
ITDogadjaji.com
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security
Cisco Canada
 
Web Security
Web SecurityWeb Security
Web Security
Randy Connolly
 

Viewers also liked (20)

Flood
FloodFlood
Flood
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web Security
 
Web security
Web securityWeb security
Web security
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Facebook Attacks
Facebook AttacksFacebook Attacks
Facebook Attacks
 
Pollution, Disaster Management
Pollution, Disaster ManagementPollution, Disaster Management
Pollution, Disaster Management
 
Crisis migratoria europea
Crisis migratoria europeaCrisis migratoria europea
Crisis migratoria europea
 
phising netiqueta
phising netiquetaphising netiqueta
phising netiqueta
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Web Security
Web SecurityWeb Security
Web Security
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar to Web security

ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
Ben Abdallah Helmi
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
T04505103106
T04505103106T04505103106
T04505103106
IJERA Editor
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
WebStackAcademy
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
Ravikumar Paghdal
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
IMC Institute
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
Web applications security conference slides
Web applications security  conference slidesWeb applications security  conference slides
Web applications security conference slides
Bassam Al-Khatib
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer System
Editor IJCATR
 

Similar to Web security (20)

ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Security testing
Security testingSecurity testing
Security testing
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
T04505103106
T04505103106T04505103106
T04505103106
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
C01461422
C01461422C01461422
C01461422
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Web applications security conference slides
Web applications security  conference slidesWeb applications security  conference slides
Web applications security conference slides
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer System
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 

Web security

  • 2. What is web security? Almost everything relies on computers and the Internet now  Communication  transportation  medicine  shopping  Entertainment Web Security, also known as “Cyber security” involves protecting that information by preventing, detecting, and responding to attacks.
  • 3.
  • 4. Web Security Issues  Malicious websites:- Malicious websites China - 67% US - 15% Russia - 4% Malaysia- 2.2% Korea - 2%  SPAM:-Spam is unsolicited e-mail on the Internet.  Phishing:-This is a method of luring an unsuspecting user into giving out their username and password for a secure web resource, usually a bank or credit card account.  DDOS-Web server can handle a few hundred connections/sec before performance begins to degrade. Web servers fail almost instantly under five or six thousand connections/sec  Botnets:-A botnet is a collection of compromised computers (called zombie computers) running programs, usually installed via worms, Trojan horses, or backdoors, under a common command and control infrastructure.
  • 5.
  • 6.
  • 7. Develop: Role-based security
    • Java EE security uses roles to determine categories of users that can access a particular enterprise application
      – A role is an abstract group mapped to a set of security identities during deployment.
      – Groups are similar to roles, but apply to all enterprise projects in the application server.
    (Diagram: a Web application containing /reportcardInfo.jsp and /maintainUsersInfo.jsp, with Role = Administrator and Role = Student)
  • 8. Define security roles for Web applications
    1. Define security roles in the Security details section of the Web Deployment Descriptor editor
       – Roles represent categories of users that can access the Web application
  • 9. Constrain access based on security role
    2. Set Security Constraints details for the Web application:
       a. List which Web resources apply to the security constraint in the Web resource collection
       b. Define which roles are authorized to use the Web resource collection in the Authorized Roles
  • 10. Gather roles in the enterprise application
    3. In the Enterprise Application Deployment Descriptor editor, click the Open WebSphere Bindings link
    4. Add Security Role and specify its name in the details section
  • 11. Web container client authentication
    • Authentication methods for a Web application client:
      – Basic authentication
        • Client sends user name and password in the HTTP header using base64 encoding.
      – Form-based authentication
        • Client sends user name and password in an HTML form
        • Sent in an HTTP POST request in plain text.
      – Digest authentication
        • Client sends an MD5 (Message-Digest algorithm 5) hash based on the user name, password, URI resource, and other information.
      – Certificate-based authentication
        • Client uses a digital certificate to uniquely identify itself
        – A trusted third party, known as a certificate authority (CA), issues digital certificates.
        – Digital certificates include a unique serial number, identification information, and the user’s public key.
  • 12. Configure client authentication method
    1. In the Web Deployment Descriptor, add a Login Configuration item and specify the following details:
       a. For basic authentication, enter an arbitrary realm name
       b. For form authentication, specify both a Login page and an Error page
  • 13. Declarative and programmatic security
    • Web application security is configured using a declarative model
    • Web applications can view security information programmatically
      – The following three methods from HttpServletRequest provide information on the security context:
        • getRemoteUser()
          – Returns the user name that the client used for authentication
          – Returns null if no user is authenticated
        • isUserInRole(String name)
          – Returns true if the remote user is granted the specified security role
          – If the remote user is not granted the specified role, or if no user is authenticated, it returns false
        • getUserPrincipal()
          – Returns the java.security.Principal object containing the remote user name
          – If no user is authenticated, it returns null
  • 14. Define security role references
    • Use security role references to avoid hard-coding Java EE security role names into programmatic security calls
      – The reference acts as an alias to the actual security role name
      – It is a per-servlet setting, set in the Security Role Reference list within the Servlets section of the Web Deployment Descriptor
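Slides 8, 9, 12 and 14 describe these settings through the Web Deployment Descriptor editor; what the editor writes into web.xml looks like the descriptor below. This is an added example, not a file from the presentation or from any WebSphere sample: the servlet class name, the URL patterns, the JSP paths and the `admin` alias are assumed for illustration, while the two role names are the ones on slide 7.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides). Role names come from slide 7;
     servlet class, URL patterns, page paths and the "admin" alias are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <servlet>
    <servlet-name>MaintainUsersServlet</servlet-name>
    <!-- assumed class name -->
    <servlet-class>example.MaintainUsersServlet</servlet-class>
    <!-- Slide 14: the servlet code calls request.isUserInRole("admin");
         the alias is linked here to the deployment role "Administrator",
         so renaming the role never touches the Java code. -->
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>Administrator</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>MaintainUsersServlet</servlet-name>
    <url-pattern>/maintainUsers</url-pattern>
  </servlet-mapping>

  <!-- Slide 9, step 2a/2b: a Web resource collection plus the roles
       authorized to use it. Students and administrators may read report
       cards; only administrators may reach user maintenance. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Report cards</web-resource-name>
      <url-pattern>/reportcardInfo.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Student</role-name>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User maintenance</web-resource-name>
      <url-pattern>/maintainUsersInfo.jsp</url-pattern>
      <url-pattern>/maintainUsers</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Slide 12, step 1b: form-based login with a login page and an error page.
       For basic authentication (step 1a) use <auth-method>BASIC</auth-method>
       and a <realm-name> instead of <form-login-config>. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Slide 8, step 1: the roles the Web application knows about -->
  <security-role>
    <role-name>Administrator</role-name>
  </security-role>
  <security-role>
    <role-name>Student</role-name>
  </security-role>
</web-app>
```

With FORM login the page named in `form-login-page` must post to `j_security_check` with fields `j_username` and `j_password`; the container intercepts the first request for a constrained URL, shows that page, and replays the original request once the login succeeds. Mapping `Administrator` and `Student` to real users or groups is not done in web.xml but in the WebSphere bindings described on slide 10. Note also that neither BASIC (base64 is an encoding, not encryption) nor FORM protects the credentials in transit; that is the job of a `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` on the constraint, not of the authentication method.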
  • 15. Enterprise application security overview
    • WebSphere Application Server is built upon several layers of security:
      – The operating system protects WebSphere configuration files, and provides user authentication when using the local OS user registry
      – The Java Virtual Machine (JVM) provides standard Java security
      – Java™ 2 Security builds upon standard Java security
        • Fine-grained access control
        • Configurable security policy
        • Security checks for all Java applications
      – Java™ EE Security provides standard, container-level security
        • Insulates enterprise applications from the actual security implementation
        • Classifies clients into roles, each with different access levels for a given resource
  • 16. WebSphere environment security layers
    (Diagram) Platform Security: Operating System; Java Security: Java Virtual Machine, Java 2 Security (JCE, JAAS, JSSE), Java EE Security; WebSphere Security; Transport Security: HTTP, IIOP, LDAP; Client Security: Client application / external component
  • 17. Don’t we all wish it was that easy!!!!
  • 18.
  • 19. Penetrate: OWASP
    – The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
    – At OWASP you’ll find free and open application security tools, complete books, standard security controls and libraries, and cutting-edge research
    – http://www.owasp.org
  • 20. 7 Security (Mis)Configurations in web.xml
    1. Error pages not configured
    2. Authentication & Authorization Bypass
    3. SSL Not Configured
    4. Not Using the Secure Flag
    5. Not Using the HttpOnly Flag
    6. Using URL Parameters for Session Tracking
    7. Not Setting a Session Timeout
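The slide lists the seven misconfigurations without showing the settings. The descriptor below is an added example, not from the presentation, in which each item is set the safe way and the comment on each item says what the weak form looks like. URL patterns, page paths and the role name are assumed; the Servlet 3.1 schema is assumed because `<cookie-config>`, `<tracking-mode>` and `<deny-uncovered-http-methods>` do not exist in older descriptor versions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides): the seven items of slide 20, each
     configured the safe way. Paths and the role name are assumed; Servlet 3.1
     schema assumed for the session and uncovered-method elements. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 1. Error pages not configured: with no <error-page>, the container's
          default page is shown on 404/500 and uncaught exceptions, which
          typically discloses stack traces, class names and the server version. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/errors/notfound.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/errors/generic.jsp</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/errors/generic.jsp</location>
  </error-page>

  <!-- 2. Authentication & authorization bypass: a constraint that lists
          <http-method>GET</http-method> applies to GET only, so HEAD, POST,
          PUT or DELETE on the same URL is not constrained at all. List no
          methods (the constraint then covers every method) and tell the
          container to reject any method/URL combination left uncovered. -->
  <deny-uncovered-http-methods/>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- deliberately no <http-method> elements -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
    <!-- 3. SSL not configured: the default guarantee is NONE, so the session
            cookie and any BASIC/FORM credentials travel in clear text.
            CONFIDENTIAL makes the container redirect plain HTTP to HTTPS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <session-config>
    <!-- 7. No session timeout: without this the container default applies
            (commonly 30 minutes); the value is in minutes, and 0 or a negative
            value means the session never expires. -->
    <session-timeout>15</session-timeout>
    <cookie-config>
      <!-- 5. HttpOnly flag: the session cookie cannot be read by page scripts,
              so a script injection cannot simply copy it out of document.cookie -->
      <http-only>true</http-only>
      <!-- 4. Secure flag: the browser never sends the cookie over plain HTTP -->
      <secure>true</secure>
    </cookie-config>
    <!-- 6. URL parameters for session tracking: if URL rewriting is allowed,
            ;jsessionid=... appears in bookmarks, proxy logs and Referer headers
            sent to other sites. COOKIE restricts tracking to the cookie. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

Two of these settings only make sense together: `<secure>true</secure>` on the cookie is useless if the pages that set it are reachable over plain HTTP, which is what the CONFIDENTIAL transport guarantee prevents, and `<deny-uncovered-http-methods/>` is the check that catches a constraint someone later narrows to a method list. Whether item 2 is really fixed is easiest to verify from the outside: a request with an unlisted method against a constrained URL should be answered with 403, not with the protected content.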
  • 21. Protect
    • [SWAT] Checklist
    • Firewalls
    • IDS and IDPs
    • Audits
    • Penetration Tests
    • Code Reviews with Static Analysis Tools
  • 22. Relax
    • Web App Firewalls: Imperva, F5, Breach
      • Open Source: WebKnight and ModSecurity
    • Stateful Firewalls: Juniper, Check Point, Palo Alto
    • IDP/IDS: Sourcefire, TippingPoint
      • Open Source: Snort
    • Audits: ENY, PWC, Grant Thornton
    • Pen Testing: WhiteHat, Trustwave, Electric Alchemy
      • Open Source: OWASP ZAP
    • Static Analysis: Fortify, Veracode
  • 23. Decide!!! Who you are….
  • 24. Thank You
    “Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.” - Erlend Oftedal
    Speaker: Padam Banthia
