Web Security
Presentation Speaker:
Padam Banthia
What is web security?
Almost everything relies on computers and the Internet now:
• Communication
• Transportation
• Medicine
• Shopping
• Entertainment
Web Security, also known as “Cyber security”, involves protecting that information by preventing, detecting, and responding to attacks.
Web Security Issues
• Malicious websites, by country:
  China - 67%
  US - 15%
  Russia - 4%
  Malaysia - 2.2%
  Korea - 2%
• SPAM: Spam is unsolicited e-mail on the Internet.
• Phishing: A method of luring an unsuspecting user into giving out their username and password for a secure web resource, usually a bank or credit card account.
• DDoS: A web server can handle a few hundred connections/sec before performance begins to degrade; web servers fail almost instantly under five or six thousand connections/sec.
• Botnets: A botnet is a collection of compromised computers (called zombie computers) running programs, usually installed via worms, Trojan horses, or backdoors, under a common command and control infrastructure.
Develop: Role-based security
• Java EE security uses roles to determine categories of users that can access a particular enterprise application
  – A role is an abstract group mapped to a set of security identities during deployment.
  – Groups are similar to roles, but apply to all enterprise projects in the application server.
Diagram: a Web application containing /reportcardInfo.jsp and /maintainUsersInfo.jsp, accessed under Role = Administrator and Role = Student.
Define security roles for Web applications
1. Define security roles in the Security details section of the Web Deployment Descriptor editor
   – Roles represent categories of users that can access the Web application
Constrain access based on security role
2. Set Security Constraints details for the Web application:
   a. List which Web resources apply to the security constraint in the Web resource collection
   b. Define which roles are authorized to use the Web resource collection in the Authorized Roles
Gather roles in the enterprise application
3. In the Enterprise Application Deployment Descriptor editor, click the Open WebSphere Bindings link
4. Add Security Role and specify its name in the details section
Web container client authentication
• Authentication methods for a Web application client:
  – Basic authentication
    • Client sends user name and password in the HTTP header using base64 encoding.
  – Form-based authentication
    • Client sends user name and password in an HTML form
    • Sent in an HTTP POST request in plain text.
  – Digest authentication
    • Client sends an MD5 (Message-Digest algorithm 5) hash based on the user name, password, URI resource, and other information.
  – Certificate-based authentication
    • Client uses a digital certificate to uniquely identify itself
    – A trusted third party, known as a certificate authority (CA), issues digital certificates.
    – Digital certificates include a unique serial number, identification information, and the user’s public key.
Configure client authentication method
1. In the Web Deployment Descriptor, add a Login Configuration item and specify the following details:
   a. For basic authentication, enter an arbitrary realm name
   b. For form authentication, specify both a Login page and an Error page
Declarative and programmatic security
• Web application security is configured using a declarative model
• Web applications can view security information programmatically
  – The following three methods from HttpServletRequest provide information on the security context:
    • getRemoteUser()
      – Returns the user name that the client used for authentication
      – Returns null if no user is authenticated
    • isUserInRole(String name)
      – Returns true if the remote user is granted the specified security role
      – If the remote user is not granted the specified role, or if no user is authenticated, it returns false
    • getUserPrincipal()
      – Returns the java.security.Principal object containing the remote user name
      – If no user is authenticated, it returns null
Define security role references
• Use security role references to avoid hard-coding Java EE security role names into programmatic security calls
  – The reference acts as an alias to the actual security role name
  – A per-servlet setting, set in the Security Role Reference list within the Servlets section in the Web Deployment Descriptor
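A servlet using the three HttpServletRequest methods above through a security role reference, as an added example (hypothetical servlet, not from the talk). It assumes a Java EE (javax.servlet) container and a web.xml security-role-ref, shown in the header comment, that links the alias "manager" to the role Administrator; the declarative constraint keeps unauthorized users out, while the programmatic checks make the finer decision the descriptor cannot express.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical servlet. It tests the alias "manager", which an assumed
 * <security-role-ref> in web.xml links to the real role Administrator:
 *
 *   <servlet>
 *     <servlet-name>ReportCardServlet</servlet-name>
 *     <servlet-class>ReportCardServlet</servlet-class>
 *     <security-role-ref>
 *       <role-name>manager</role-name>        <!-- alias used in code -->
 *       <role-link>Administrator</role-link>  <!-- actual Java EE role -->
 *     </security-role-ref>
 *   </servlet>
 */
public class ReportCardServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Both are null when no user is authenticated: refuse rather than
        // fall through to an anonymous view.
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        if (user == null || principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // False for unauthenticated users and for users without the linked
        // role; the code never names "Administrator" directly.
        boolean isManager = req.isUserInRole("manager");
        // Managers may pick any student; everyone else sees only their own
        // record, keyed by the authenticated principal, never by a parameter.
        String studentId = isManager ? req.getParameter("studentId")
                                     : principal.getName();
        if (studentId == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report card for " + studentId
                + (isManager ? " (manager view)" : ""));
    }
}
```

Renaming the Java EE role at deployment only requires changing the role-link; the servlet source is untouched.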
Enterprise application security overview
• WebSphere Application Server is built upon several layers of security:
  – The operating system protects WebSphere configuration files, and provides user authentication when using the local OS user registry
  – The Java Virtual Machine (JVM) provides standard Java security
  – Java™ 2 Security builds upon standard Java security
    • Fine-grained access control
    • Configurable security policy
    • Security checks for all Java applications
  – Java™ EE Security provides standard, container-level security
    • Insulates enterprise applications from the actual security implementation
    • Classifies clients into roles, each with different access levels for a given resource
WebSphere environment security layers (diagram)
• Platform Security: Operating System
• Java Security: Java Virtual Machine; Java 2 Security (JCE, JAAS, JSSE); Java EE Security
• WebSphere Security
• Transport Security: HTTP, IIOP, LDAP
• Client Security: Client application / external component
Don’t we all wish it was that easy!!!!
Penetrate: OWASP
• The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
• At OWASP you’ll find free and open application security tools, complete books, standard security controls and libraries, and cutting edge research
• http://www.owasp.org
7 Security (Mis)Configurations in web.xml
1. Error pages not configured
2. Authentication & Authorization Bypass
3. SSL Not Configured
4. Not Using the Secure Flag
5. Not Using the HttpOnly Flag
6. Using URL Parameters for Session Tracking
7. Not Setting a Session Timeout
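A web.xml fragment that closes all seven misconfigurations in the list above, as an added example (not from the talk). The element syntax is that of Servlet 3.0 (cookie-config and tracking-mode do not exist in older descriptors); the paths, role name and timeout value are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- 1. Error pages: custom pages instead of the server's default page,
       which can expose stack traces and server version details -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/notFound.jsp</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/generic.jsp</location>
  </error-page>

  <!-- 2. Bypass: listing <http-method>GET</http-method> here would leave
       every other method (POST, HEAD, ...) unprotected, so no http-method
       is given and the constraint applies to all of them.
       3. SSL: CONFIDENTIAL makes the container require HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <session-config>
    <!-- 7. Session timeout, in minutes (assumed value) -->
    <session-timeout>15</session-timeout>
    <!-- 4. Secure flag: session cookie sent only over HTTPS
         5. HttpOnly flag: session cookie not readable from script -->
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <!-- 6. Cookie-only tracking: no ;jsessionid= URL rewriting, so the
         session id cannot leak through logs, bookmarks or Referer -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```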
Protect
• [SWAT] Checklist
• Firewalls
• IDS and IDPs
• Audits
• Penetration Tests
• Code Reviews with Static Analysis Tools
Relax
• Web App Firewalls: Imperva, F5, Breach
• Open Source: WebKnight and ModSecurity
• Stateful Firewalls: Juniper, Check Point, Palo Alto
• IDP/IDS: Sourcefire, TippingPoint
• Open Source: Snort
• Audits: ENY, PWC, Grant Thornton
• Pen Testing: WhiteHat, Trustwave, Electric Alchemy
• Open Source: OWASP ZAP
• Static Analysis: Fortify, Veracode
Decide!!! Who you are….
Thank You
“Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.”
- Erlend Oftedal
Speaker: Padam Banthia