CHAPTER - 3 WEB APPLICATION AND SECURITY
3.1 Introduction

Web application, or webapp, is the general term normally used to refer to all distributed web-based applications. Under the more technical software engineering definition, it is an application accessible over the web through a network. Many companies are converting their computer programs into web-based applications. Web applications are similar to computer-based programs but differ in that they are accessible through the web, allowing the creation of dynamic websites and providing complete interaction with the end user. Web applications are placed on the Internet and all processing is done on the server, the computer which hosts the application [65].

Figure 3.1 Browser and Website

The rapid growth of the Internet has created many services which have become an integral part of our day-to-day life. Web applications are used for making reservations, paying bills and shopping online. With the advent of Business-to-Business (B2B) and Business-to-Consumer (B2C) interaction, it has become a necessity that information be exchanged in a secure and accurate way. Most web applications contain security vulnerabilities which enable attackers to exploit them and launch attacks. As a result of such attacks, the confidentiality, integrity and availability of information are lost. Loss of confidentiality occurs when information can be read or copied by unauthorized users. Confidential information should be stored properly so that it cannot be disclosed; credit card numbers, bank records, medical records and social security numbers are examples of this kind of information. Loss of integrity takes place when data is modified in an unexpected way; attackers intentionally tamper with information, destroying its integrity. Loss of availability takes place when information is erased so that the legitimate, authorized user is no longer able to read or use it. Loss of availability affects service-oriented businesses that depend upon their data.

These application-level attacks cannot be prevented by packet-inspection firewalls, which analyze individual IP packets for signatures or allow traffic only on specific ports. What is needed is a mechanism which analyses the whole message stream. Attacks at the application level differ from network-layer attacks: they exploit vulnerabilities in the web application's code and limitations of protocols such as HTTP, and they cannot be stopped by most network firewalls and antivirus programs. A network firewall normally leaves port 80 open for the web server, and it is through this port that the web application communicates with the user. If an attacker is able to reach the application, he may launch an attack which the firewall cannot prevent. For example, consider a user who has a legitimate account at a banking system. He connects to his account by authenticating and establishing a valid session. If this user then injects code to access unauthorized information of other users, neither the network firewall nor Intrusion Detection Systems (IDSs) will be able to stop him. SQL injection is a very serious application-level attack on web applications.

3.2 Architecture of Web Application

A basic understanding of web application architecture is essential before a discussion of database security within web applications can take place. A high-level view of a web application consists of five primary parts: the user, the firewall, the web server, the database server and the actual database [66].

The user of a web application is responsible for the manipulation and insertion of data across the Internet and into the web application. For the sake of simplicity, a browser-based web application is assumed. Static HTML pages are manipulated by the user and the data is submitted to the web application in an HTTP request; data specific to the user is carried in this request through HTML forms. After travelling across the Internet, the request sent by the client's browser is first encountered by the web application's firewall. Assuming the request is legitimate according to the rules of the firewall, it is passed on to the web server for processing.

Figure 3.2 Architecture of a Typical Web Based System

The primary job of the web server is to dynamically generate and send static HTML pages in response to client requests. When a request is permitted into the web application by the firewall, it is parsed by the web server to determine what type of processing must occur. If a non-dynamic HTML page has been requested, the page is sent back to the client and the transaction completes. A page with dynamic components, such as PHP or ASP code, requires further processing: the web server executes these pages to create a customized static HTML page, which is in turn sent back to the client. The dynamic portions of these pages are generated from the user-specific data submitted via HTML forms within the request. They allow the creation of web pages containing real-time data and are the backbone of any data-driven web application.

The majority of this dynamic content is stored within databases and must be requested from one of the most important components of a web application, the database server. The job of the database server is to accept requests for data from the various components of the web application and retrieve this data from the database. The database itself is managed directly by the database management system (DBMS) and is not directly accessible. Requests must be sent to the database server, a component of the DBMS, which retrieves and delivers data from the database. These requests are written in a particular syntax known as the Structured Query Language, or more commonly by its acronym, SQL. SQL is an extensive language that allows efficient retrieval of specific data from within the database. In the dynamic component of the web page, SQL queries are built from the data contained within the request sent by the client browser. These queries are passed to the database server, where each query is parsed and the resulting data is retrieved from the database.
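The two sections above describe the same path from two angles: the firewall passes the request through on port 80, and the dynamic page then builds a SQL query from the form fields. The following is an added example, not code from the chapter, showing in Python with SQLite why that step is where the injection happens and how the parameterized form closes it. The table, rows and form submissions are constructed for the illustration (a real system would store password hashes, not passwords); the `looks_like_injection` heuristic is an assumed logging aid, not a substitute for parameterization.

```python
"""Added example: a dynamic page building SQL from HTML form data.
The vulnerable builder pastes form fields into the query text; the
hardened version passes them as bound parameters, so the database
never parses user input as SQL. In-memory SQLite, constructed rows."""
import sqlite3

# Constructed sample data standing in for the bank's account table.
SAMPLE_ROWS = [
    ("alice", "hunter2", 1500),
    ("bob", "s3cret", 42),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_vulnerable(form):
    """The pattern the chapter warns about: form fields pasted into SQL text,
    so quote characters in the input change the structure of the statement."""
    return ("SELECT username, balance FROM accounts WHERE username = '%s' "
            "AND password = '%s'" % (form["username"], form["password"]))


def login_vulnerable(conn, form):
    return conn.execute(build_query_vulnerable(form)).fetchall()


def login_parameterized(conn, form):
    """Hardened form: placeholders. The driver sends the values separately
    from the statement, so user text can only ever be compared, not parsed."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ? AND password = ?",
        (form["username"], form["password"]),
    ).fetchall()


def looks_like_injection(value):
    """Illustrative detection heuristic (an assumption, not a complete filter):
    a quote combined with a boolean or comment token in a form field is worth
    logging, since a network firewall sees only a normal port-80 request."""
    v = value.lower()
    return "'" in v and (" or " in v or "--" in v or "/*" in v)


if __name__ == "__main__":
    conn = make_db()
    normal = {"username": "alice", "password": "hunter2"}
    # Constructed hostile submission: the classic tautology in both fields.
    hostile = {"username": "x' OR '1'='1", "password": "x' OR '1'='1"}
    print(build_query_vulnerable(hostile))
    print("vulnerable, hostile:", login_vulnerable(conn, hostile))        # every row
    print("parameterized, hostile:", login_parameterized(conn, hostile))  # []
    print("parameterized, normal:", login_parameterized(conn, normal))
    print("flagged for logging:", looks_like_injection(hostile["username"]))
```

Run as a script it prints the concatenated query so the changed `WHERE` clause is visible; the hostile submission returns every account from the vulnerable path and nothing from the parameterized one, which is the whole difference between the two builders.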
3.3 Who Needs Web Applications and Why?

There are many entities that require applications for the Web; one example is Business-to-Business interaction. Many companies in the world today demand to do business with each other over secure and private networks. This process is becoming increasingly popular with the many overseas companies that outsource projects to each other. From the simple process of transferring funds into a bank account to deploying a large-scale Web services network that updates pricing information globally, the adoption of a Web application infrastructure is vital for many businesses [67].

3.4 Web Application Model

The Web application model, like many software development models, is constructed upon three tiers: User Services, Business Services and Data Services. This model breaks an application into a network of consumers and suppliers of services. The User Services tier creates a visual gateway for the consumer to interact with the application; this can range from basic HTML and DHTML to complex COM components and Java applets. The user services then draw business logic and procedures from the Business Services tier, which can range from Web scripting in ASP/PHP/JSP to server-side programming in TCL, CORBA and Perl, and which allows the user to perform complex actions through a Web interface. The final tier is the Data Services layer. Data services store, retrieve and update information at a high level. Databases, file systems and writeable media are all examples of data storage and retrieval devices; for Web applications, however, databases are most practical. Databases allow developers to store, retrieve, add to and update categorical information in a systematic and organized fashion [67].

3.5 Phases in a Web Application Project

The Web application development process has four phases:
I. Envisioning the nature and direction of the project
II. Devising the plan
III. Development
IV. Testing, support and stability

3.5.1 Envisioning the Nature and Direction of the Project: In this phase, the management and developers assigned to the project come together and establish the goals that the solution must achieve. This includes recognizing the limitations placed on the project, scheduling, and versioning of the application. By the end of this phase, there should be clear documentation of what the application will achieve.

3.5.2 Devising the Plan: In this phase, the team must determine the "hows" of the application. Which scripting language is most appropriate, which features must be included, and how long will it take? These are some of the questions that must be answered in this planning phase. The main outputs at this point are the project plan and the functional specification. The project plan sets a timeframe of events and tasks, while the functional specification outlines in detail how the application will function and flow.

3.5.3 Development: Once the project plan and functional specification are ready, a baseline is set for the development work to begin. The programmers or Web developers begin coding, testing and publishing data. This phase establishes the data variables, entities and coding procedures that will be used throughout the remainder of the project. A milestone document is prepared by the development team and handed to management for review.

3.5.4 Testing, Support and Stability: The stability phase of the project focuses mainly on testing and on the removal of bugs, discrepancies and network issues that might otherwise cause the application to fail. It is here that policies and procedures are established for a successful support system.

3.6 Planning for a Successful Web Development Project

There are four approaches to drastically minimize the risk of project failure [67].

3.6.1 Identify Business Logic and Entities: Start by gathering information on everything you have. If you are going to be working with databases, begin by enumerating how many entities will be used in the business logic. For example, if your program handles sales data, a sales ticket would be an entity. Once you have identified all your entities, establish a clear guideline for their relationships. This can be done via presentations, flowcharts or even reports.

3.6.2 Create a Functional Specification and Project Plan: This is the most important part of the project. Functional specifications are a map, or blueprint, for how you want a particular Web application to look and work. The specification details what the finished product will do, how users interact with it, and its look and feel. An advantage of writing a functional specification is that it streamlines the development process: it takes discrepancies and guesswork out of the programming, because the level of detail that goes into the plan makes it possible to minimize the misunderstandings usually associated with project mishaps. Once the functional specification is finished, a project plan must be devised. A project plan is a timeline of tasks and events that will take place during the project. The project or program manager is normally the person who creates the project plan, and their primary focus is to detail task notes while accommodating scheduling and resource information.

3.6.3 Bring the Application Model into Play: As discussed above, the application model consists of three tiers, the User, Business and Data service tiers, each of which serves a substantial purpose. It is always best to start with the data tier, because you have already identified your entities and understand their relationships. The data tier can be a SQL Server database, a text file, or even the powerful and robust Oracle. Create tables, relationships, jobs and procedures depending on the platform you have chosen. If the data is a warehouse (i.e. the data already exists and does not depend on real-time interaction), make sure that new and additional data can be added securely and in a scalable fashion. Using views in SQL Server or Oracle can dramatically improve the productivity and performance of your application; they increase speed because they are "stored queries" that have no physical existence. The Business Services tier is the heart of the application. It involves the implementation of the business logic in the scripting or programming language. At this stage, make sure you have already set up your environment for testing and debugging. Always test on at least two instances of your application; after all, what works perfectly for you may not do so well on other platforms or machines. ASP, XML, PHP, JSP and CGI are some examples of server-side scripting languages used at the business services level. Whichever language you choose, make sure that it is capable of handling all the business logic presented in the functional specification.

3.6.4 Develop a Support Scheme: Being able to support and stabilize your application is very important. Define a procedure to call upon in cases of failure, mishaps or even downtime. Give your customers the ability to contact you in the case of an emergency relating to the program. A good example of a support scheme is a ticket-tracking system. Such a system allows users to file cases pertaining to a support request, and the support team then makes the case trackable, meaning that the request is identifiable by a unique code or number. Although ticket-tracking systems are normally used by hosting companies or large-scale ASPs (Application Service Providers), they still serve a valuable purpose in helping keep the application stable.

3.7 Web Service Security Functions

Web service security standards, functions and technologies continue to evolve at a rapid pace, driven by changes in the types of software attacks, community stakeholders, and Web services policy decision makers. This section describes several current and emerging standards, initiatives and techniques aimed at improving the security of Web services. Many of the concepts used in securing Web applications are useful for understanding the security of Web services [70].

Service-to-Service Authentication

Authentication is required to limit access to resources, to identify participants in transactions, and to create seamless personalization of information based on identity. A means of sharing the fact that authentication has been performed successfully is necessary to support single sign-on, allowing users to authenticate with one system and use other services and applications within a Service Oriented Architecture (SOA).
Service-to-service authentication can be performed using a variety of methods, from HTTP-based token authentication to SSL/TLS certificate-based authentication, or by passing tokens along with the SOAP request. The HTTP and SSL/TLS-based methods are performed below the SOAP message layer and are transparent to the Web services involved, while SOAP-based token protocols require interaction between the Web services.

Token-based Web services authentication is usually performed using the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security standard, which supports tokens based on a variety of authentication standards: usernames, X.509 PKI certificates, Kerberos tickets, or SAML assertions. Web Services Security libraries are available for most of the widely used Java and .NET Web services development platforms. When a service provider attempts to access a remote Web service on behalf of a user, it should send an authentication token within a Web Services Security message. These tokens convey that the initiating entity (e.g., a user or requester) has been authenticated and provide information about the entity, such as the authentication mechanism, the time, and possibly applicable subject attributes. Often, these tokens take the form of a SAML assertion.

Identity Management

Identity management for a Service Oriented Architecture (SOA) encompasses the full range of identity-related events, information and documents by which an entity's identity is verified, identity documents and credentials are issued to the entity, and entity identities are authenticated at the point of entry into the SOA. In the SOA, an entity's identity forms the basis for both authorization and trust [69]. An Identity Management System (IDMS), such as that pictured in Figure 3.3, is responsible for verifying the identities of entities, registering them, and issuing them digital identifiers. For example, users who wish to gain access to many e-commerce sites often need to provide only a valid address and a credit card number. Once an entity has been issued a digital identifier, that identifier can be used within the organization to associate other information with the entity, such as role and authorization attributes. The identifier may also become part of the digital credential that authorizes the entity to access different resources in the SOA.

Once registered, an entity must provide a portion of its credentials sufficient to authenticate its identity. Again, different organizations have different policies for what constitutes sufficient authentication credentials. Many e-commerce sites require the entity to supply a username and password; other organizations may require the entity to submit an X.509 certificate.
Figure 3.3 Identity Management Overview

After the entity's identity has been authenticated, the policy decision point (PDP) of the system or resource to which it desires access must determine whether the now-authenticated entity is also authorized to access the resource. To perform authorization, the PDP relies on privilege management and attribute management. Privilege management enforces the policies that govern entity access. The policy decision to allow or deny access may be based on a single entity attribute such as the entity's role, or it may require a combination of fine-grained attributes such as the physical location of the entity, its currently active role in the system, and its clearance level. The attribute management system uses the entity's digital identifier (issued by the IDMS) to locate and retrieve those of the entity's attributes that are required by the privilege management policy.

Establishing Trust between Services

For Security Assertion Markup Language (SAML) or Web Services Security to be useful on a large scale, trust relationships need to be established between remote Web services. A signed SAML assertion or Web Services Security message is of no use if the receiver of the assertion cannot guarantee that the information asserted is trustworthy.

Describing Web Services Policies (WS-Policy)

Web Services Description Language (WSDL) describes how to communicate with a Web service by detailing the protocol bindings and message formats the Web service expects. In many cases, knowledge of protocol bindings and message formats is not sufficient for requesters to bind dynamically to the provider. WSDL is limited to describing what needs to be placed in the message itself; it does not specify what metadata should be supplied, such as how the message will be authenticated or which portions of the message should be signed. To this end, Microsoft, IBM, BEA and others developed the Web Services Policy (WS-Policy) Framework, which allows providers to express the capabilities, requirements and characteristics of the Web service [70].

Distributed Authorization and Access Management

Given the distributed nature of Web services architectures, managing authorization and access control credentials for users in a SOA environment can be challenging. This section describes a number of traditional and emerging models and practices that may be extended to capture, manage and enforce access control decisions for authorized users.

Authorization Models

This section describes the authorization models most relevant to access management in a SOA, namely role-based, attribute-based, policy-based and risk-adaptive access control. While role-based access control models may be familiar to most software designers and developers, knowledge of the other models can provide a perspective on the direction in which Web services access management is heading.

Role-Based Access Control (RBAC): RBAC is an authorization mechanism that associates a set of access privileges with a particular role, often corresponding to a job function. With RBAC, all user access is mediated through roles. RBAC simplifies security management by providing a role hierarchy structure. In addition, RBAC has extensive provisions for constraints on user access based on administrator-defined relationships; this feature makes it possible to implement complex controls such as separation of duty.

Attribute-Based Access Control (ABAC): An access control approach in which access is mediated based on attributes associated with subjects (requesters) and the objects to be accessed. Each object and subject has a set of associated attributes, such as location, time of creation, access rights, etc. Access to an object is authorized or denied depending upon whether the required (e.g., policy-defined) correlation can be made between the attributes of that object and those of the requesting subject [68].

Policy-Based Access Control (PBAC): PBAC is a logical and somewhat bounded extension of ABAC that is useful for enforcing strict environment-level access control policies. PBAC introduces the notion of a policy authority, which serves as the access decision point for the environment in question. PBAC leverages the granular policy rule functions inherent to ABAC, but focuses more on automatically enforcing mandatory access controls (MAC), which are traditionally much more bounded than discretionary controls [70].

Enforcing Least Privilege for Services

Trust and privilege are not synonymous. That said, trusted objects are often used to perform privileged functions. Least privilege can and should be applied regardless of what access control methodology is in use.
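As an added example (not code from the chapter or from any product), the following Python sketches a policy decision point that combines the models just described: privileges hang off roles in a hierarchy with a separation-of-duty constraint (RBAC), attribute rules on the requester's location and clearance refine the decision (ABAC), and, in keeping with least privilege, anything not explicitly granted is denied. The role names, privilege table, separation-of-duty pairs and attribute rules are constructed for the illustration.

```python
"""Added example: a small PDP. Decision = role privilege (with hierarchy and
separation of duty) AND every attribute rule passing; default deny."""
from dataclasses import dataclass, field

# Constructed role hierarchy: a manager inherits everything a clerk may do.
ROLE_PARENTS = {"auditor": [], "clerk": [], "manager": ["clerk"]}
# Constructed privilege table: role -> {(resource kind, action)}.
ROLE_PRIVILEGES = {
    "clerk": {("payment", "create")},
    "manager": {("payment", "approve")},
    "auditor": {("payment", "read"), ("ledger", "read")},
}
# Static separation of duty: a subject may not hold both roles of a pair.
SOD_PAIRS = {frozenset({"clerk", "auditor"}), frozenset({"manager", "auditor"})}


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    clearance: int = 0
    location: str = "unknown"


@dataclass
class Resource:
    kind: str
    clearance: int = 0


def effective_roles(roles):
    """Expand the subject's roles through the hierarchy."""
    out, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo.extend(ROLE_PARENTS.get(r, []))
    return out


def sod_violation(roles):
    return any(pair <= roles for pair in SOD_PAIRS)


# ABAC rules: each returns None when satisfied, otherwise a denial reason.
def rule_clearance(subject, resource, action):
    if subject.clearance < resource.clearance:
        return "clearance below resource classification"


def rule_location(subject, resource, action):
    if action == "approve" and subject.location != "office":
        return "approval only from the office network"


RULES = [rule_clearance, rule_location]


def decide(subject, resource, action):
    """The PDP's answer: ('permit'|'deny', reason)."""
    roles = effective_roles(subject.roles)
    if sod_violation(roles):
        return "deny", "separation-of-duty violation"
    granted = any((resource.kind, action) in ROLE_PRIVILEGES.get(r, set()) for r in roles)
    if not granted:
        return "deny", "no role grants this privilege"  # least privilege: default deny
    for rule in RULES:
        reason = rule(subject, resource, action)
        if reason:
            return "deny", reason
    return "permit", "role privilege and attribute rules satisfied"


if __name__ == "__main__":
    mia = Subject("mia", {"manager"}, clearance=2, location="office")
    print(decide(mia, Resource("payment"), "approve"))
    print(decide(Subject("mia", {"manager"}, 2, "home"), Resource("payment"), "approve"))
```

The reason string returned with each denial is what an enforcement point should log: it distinguishes a missing role from an attribute failure, which is the information an administrator needs when reviewing why a service was refused.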
In a Web services environment, each Web service should be designed not to request or expect to obtain privileges that exceed the minimum it needs to perform its current operation.

Confidentiality and Integrity of Service-to-Service Interchanges

Although transport-layer security mechanisms are provided by secure transport protocols such as SSL/TLS, message-layer security of the XML is still needed for the following reasons:

End-to-End Security: Secure transport protocols can assure the security of messages only during transmission. Because messages are received and processed by intermediaries, secure end-to-end communication is not possible if these intermediaries are not completely trusted.

Transport Independence: Even if all the communication links are secure and the intermediaries can be trusted, security information such as the authenticity of the originator of the message needs to be translated to the next secure transport protocol along the message path. This can be tedious and complex, and may lead to security breaches. It is important to deal with the security concerns at the message layer, independently of the transport layers.

Security of Stored Messages: Once a transmission is received and decrypted, transport-layer security no longer protects the data from illicit access and alteration. In situations where messages are stored and then forwarded, message-layer security is necessary.
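The three reasons above come down to one property: the protection travels inside the message, so it holds across untrusted intermediaries, across a change of transport, and while the message sits in storage. The following added example (not code from the chapter) shows that property in Python with a keyed MAC over the application body and its routing claims; HMAC with a shared key stands in for the XML signatures a WS-Security deployment would use, and the service names, key and five-minute freshness window are assumptions for the illustration.

```python
"""Added example: message-layer integrity. The sender MACs the body together
with sender, recipient, id and timestamp. An intermediary may re-wrap the
message for another transport (not covered, so free to change) but cannot
alter the protected part unnoticed, and a stored copy verifies later."""
import hashlib
import hmac
import json
import secrets
import time


def canonical(msg):
    """Stable serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def protect(body, key, sender, recipient, created=None):
    """Sender side: the MAC binds the body to who sent it, to whom, and when."""
    msg = {
        "from": sender,
        "to": recipient,
        "id": secrets.token_hex(8),
        "created": int(time.time() if created is None else created),
        "body": body,
    }
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify(msg, key, expected_recipient, max_age=300, now=None):
    """Receiver side, whether the message arrived directly or from a queue
    or disk: recompute the MAC, then check addressing and freshness."""
    now = time.time() if now is None else now
    mac = msg.get("mac", "")
    unsigned = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "MAC mismatch: body or routing claims altered"
    if msg["to"] != expected_recipient:
        return False, "not addressed to this service"
    if now - msg["created"] > max_age:
        return False, "stale message"
    return True, msg["body"]


def relay_over_new_transport(msg, queue="orders"):
    """Intermediary: moves the message from, say, HTTPS onto a message queue.
    The transport envelope is new; the protected payload passes through."""
    return {"transport": "amqp", "queue": queue, "payload": msg}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    msg = protect({"order": 7, "amount": 120}, key, "svc-a", "svc-b")
    hop = relay_over_new_transport(msg)            # transport changed
    print(verify(hop["payload"], key, "svc-b"))    # still verifies
    tampered = dict(msg, body={"order": 7, "amount": 99999})
    print(verify(tampered, key, "svc-b"))          # detected
```

Covering the `to` field is what gives end-to-end meaning: an intermediary that forwards a valid message to a different service cannot make it verify there, because the recipient is part of what was signed.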
More informationJOHN KNEILING APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)
TECHNOLOGY TRANSFER PRESENTS JOHN KNEILING CREATING XML AND WEB SERVICES SOLUTIONS SECURING THE WEB SERVICES ENVIRONMENT APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME
More informationW H IT E P A P E R. Salesforce CRM Security Audit Guide
W HITEPAPER Salesforce CRM Security Audit Guide Contents Introduction...1 Background...1 Security and Compliance Related Settings...1 Password Settings... 2 Audit and Recommendation... 2 Session Settings...
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationSecurity Issues with Distributed Web Applications
Security Issues with Distributed Web Applications Device Connectivity We are entering the era of Device Connectivity, which is the fourth wave of evolution for Internet-enabled applications. The first
More informationBarracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper
Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category
More informationBM482E Introduction to Computer Security
BM482E Introduction to Computer Security Lecture 7 Database and Operating System Security Mehmet Demirci 1 Summary of Lecture 6 User Authentication Passwords Password storage Password selection Token-based
More informationSecurely Managing and Exposing Web Services & Applications
Securely Managing and Exposing Web Services & Applications Philip M Walston VP Product Management Layer 7 Technologies Layer 7 SecureSpan Products Suite of security and networking products to address the
More informationWeb Pages. Static Web Pages SHTML
1 Web Pages Htm and Html pages are static Static Web Pages 2 Pages tagged with "shtml" reveal that "Server Side Includes" are being used on the server With SSI a page can contain tags that indicate that
More informationCore Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems
Core Feature Comparison between XML / SOA Gateways and Web Application Firewalls Jason Macy jmacy@forumsys.com CTO, Forum Systems XML Gateway vs Competitive XML Gateways or Complementary? and s are Complementary
More informationWireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com
Wireless VPN White Paper WIALAN Technologies, Inc. http://www.wialan.com 2014 WIALAN Technologies, Inc. all rights reserved. All company and product names are registered trademarks of their owners. Abstract
More informationDefense In-Depth to Achieve Unbreakable Database Security
Defense In-Depth to Achieve Unbreakable Database Security Qiang Lin, Ph.D Abstract Enterprises realize that sole reliance on generic security mechanisms does not provide the protection they need for their
More informationMiddleware- Driven Mobile Applications
Middleware- Driven Mobile Applications A motwin White Paper When Launching New Mobile Services, Middleware Offers the Fastest, Most Flexible Development Path for Sophisticated Apps 1 Executive Summary
More informationSpring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious
Spring Security 3 Secure your web applications against malicious intruders with this easy to follow practical guide Peter Mularien rpafktl Pen source cfb II nv.iv I I community experience distilled
More informationIdentity Security Using Authentication and Authorization in Cloud Computing
Identity Security Using Authentication and Authorization in Cloud Computing D.Ranjith #1, J.Srinivasan *2 # Department of Computer Science and Applications, Adhiparasakthi College of Arts and Science,Kalavai,Vellore-632506
More informationSecurity Issues In Cloud Computing and Countermeasures
Security Issues In Cloud Computing and Countermeasures Shipra Dubey 1, Suman Bhajia 2 and Deepika Trivedi 3 1 Department of Computer Science, Banasthali University, Jaipur, Rajasthan / India 2 Department
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationDatabase Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions
Database Auditing & Security Brian Flasck - IBM Louise Joosse - BPSolutions Agenda Introduction Drivers for Better DB Security InfoSphere Guardium Solution Summary Netherlands Case Study The need for additional
More informationIJMIE Volume 2, Issue 9 ISSN: 2249-0558
Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance
More informationICTN 4040. Enterprise Database Security Issues and Solutions
Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of
More informationVidder PrecisionAccess
Vidder PrecisionAccess Security Architecture February 2016 910 E HAMILTON AVENUE. SUITE 410 CAMPBELL, CA 95008 P: 408.418.0440 F: 408.706.5590 WWW.VIDDER.COM Table of Contents I. Overview... 3 II. Components...
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationExtending the Benefits of SOA beyond the Enterprise
Extending the Benefits of SOA beyond the Enterprise 2 TABLE OF CONTENTS 1 SOA The Right Approach for Application Integration...3 2 SOA outside the Firewall: An Opportunity to Improve Collaboration...4
More informationWeb Services Implementation: The Beta Phase of EPA Network Nodes
Web Services Implementation: The Beta Phase of EPA Network Nodes Connie Dwyer and Chris Clark U.S. Environmental Protection Agency, 1200 Pennsylvania Avenue, N. W., Washington, D.C. dwyer.connie@epa.gov
More informationNovell Access Manager SSL Virtual Private Network
White Paper www.novell.com Novell Access Manager SSL Virtual Private Network Access Control Policy Enforcement Compliance Assurance 2 Contents Novell SSL VPN... 4 Product Overview... 4 Identity Server...
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationE-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)
E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system
More informationClient/server is a network architecture that divides functions into client and server
Page 1 A. Title Client/Server Technology B. Introduction Client/server is a network architecture that divides functions into client and server subsystems, with standard communication methods to facilitate
More informationSoftware Requirement Specification Web Services Security
Software Requirement Specification Web Services Security Federation Manager 7.5 Version 0.3 (Draft) Please send comments to: dev@opensso.dev.java.net This document is subject to the following license:
More information1 What Are Web Services?
Oracle Fusion Middleware Introducing Web Services 11g Release 1 (11.1.1) E14294-04 January 2011 This document provides an overview of Web services in Oracle Fusion Middleware 11g. Sections include: What
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationEVALUATION OF SERVER-SIDE TECHNOLOGY FOR WEB DEPLOYMENT
EVALUATION OF SERVER-SIDE TECHNOLOGY FOR WEB DEPLOYMENT Dr. Alexander Pons, University of Miami, apons@miami.edu ABSTRACT The deployment of Web applications consisting of dynamic content requires the selection
More informationDatabase Security Guide
Institutional and Sector Modernisation Facility ICT Standards Database Security Guide Document number: ISMF-ICT/3.03 - ICT Security/MISP/SD/DBSec Version: 1.10 Project Funded by the European Union 1 Document
More informationService management White paper. Manage access control effectively across the enterprise with IBM solutions.
Service management White paper Manage access control effectively across the enterprise with IBM solutions. July 2008 2 Contents 2 Overview 2 Understand today s requirements for developing effective access
More informationThis Working Paper provides an introduction to the web services security standards.
International Civil Aviation Organization ATNICG WG/8-WP/12 AERONAUTICAL TELECOMMUNICATION NETWORK IMPLEMENTATION COORDINATION GROUP EIGHTH WORKING GROUP MEETING (ATNICG WG/8) Christchurch New Zealand
More informationWebLogic Server 7.0 Single Sign-On: An Overview
WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of
More informationWhat Is the Java TM 2 Platform, Enterprise Edition?
Page 1 de 9 What Is the Java TM 2 Platform, Enterprise Edition? This document provides an introduction to the features and benefits of the Java 2 platform, Enterprise Edition. Overview Enterprises today
More informationWICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationSecure, private, and trustworthy: enterprise cloud computing with Force.com
Secure, private, and trustworthy: enterprise cloud computing with Force.com WHITE PAPER Contents Abstract... 1 Introduction to security, privacy, and trust... 1 Cloud computing and information security
More informationChapter 13 Computer Programs and Programming Languages. Discovering Computers 2012. Your Interactive Guide to the Digital World
Chapter 13 Computer Programs and Programming Languages Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Differentiate between machine and assembly languages Identify
More informationVirtual Credit Card Processing System
The ITB Journal Volume 3 Issue 2 Article 2 2002 Virtual Credit Card Processing System Geraldine Gray Karen Church Tony Ayres Follow this and additional works at: http://arrow.dit.ie/itbj Part of the E-Commerce
More information> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional
Web Access Management May 2008 CA Canada Seminar > Please fill your survey to be eligible for a prize draw Only contact info is required for prize draw Survey portion is optional > How to Transform Tactical
More informationThe presentation explains how to create and access the web services using the user interface. WebServices.ppt. Page 1 of 14
The presentation explains how to create and access the web services using the user interface. Page 1 of 14 The aim of this presentation is to familiarize you with the processes of creating and accessing
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationLeverage Active Directory with Kerberos to Eliminate HTTP Password
Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com
More informationOracle Access Manager. An Oracle White Paper
Oracle Access Manager An Oracle White Paper NOTE: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any
More informationChapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security
Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security
More information2012 LABVANTAGE Solutions, Inc. All Rights Reserved.
LABVANTAGE Architecture 2012 LABVANTAGE Solutions, Inc. All Rights Reserved. DOCUMENT PURPOSE AND SCOPE This document provides an overview of the LABVANTAGE hardware and software architecture. It is written
More informationLesson 4 Web Service Interface Definition (Part I)
Lesson 4 Web Service Interface Definition (Part I) Service Oriented Architectures Module 1 - Basic technologies Unit 3 WSDL Ernesto Damiani Università di Milano Interface Definition Languages (1) IDLs
More informationAuthentication and Authorization Systems in Cloud Environments
Authentication and Authorization Systems in Cloud Environments DAVIT HAKOBYAN Master of Science Thesis Stockholm, Sweden 2012 TRITA-ICT-EX-2012:203 Abstract The emergence of cloud computing paradigm offers
More informationMULTICULTURAL CONTENT MANAGEMENT SYSTEM
MULTICULTURAL CONTENT MANAGEMENT SYSTEM AT A GLANCE Language Partner s Multilingual Content Management System Meridium is multilingual content management system designed to fast track the process of multilingual
More informationSQL Injection January 23, 2013
Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2
More informationBrocade Virtual Traffic Manager and Oracle EBS 12.1 Deployment Guide
September 2015 Brocade Virtual Traffic Manager and Oracle EBS 12.1 Deployment Guide 2015 Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the B-wing symbol, DCX,
More informationIntroduction to IT Security
Marek Rychly mrychly@strathmore.edu Strathmore University, @ilabafrica & Brno University of Technology, Faculty of Information Technology Enterprise Security 30 November 2015 Marek Rychly ES, 30 November
More informationat the Advanced Photon Source Debby Quock, ANL Advanced Photon Source ICALEPCS 2007 Control System Cyber-Security Workshop
Control System Cyber Security Measures at the Advanced Photon Source Debby Quock, ANL Advanced Photon Source ICALEPCS 2007 Control System Cyber-Security Workshop Introduction Advanced Photon Source (APS)
More informationEffective End-to-End Cloud Security
Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of
More informationSecure Authentication and Session. State Management for Web Services
Lehman 0 Secure Authentication and Session State Management for Web Services Clay Lehman CSC 499: Honors Thesis Supervised by: Dr. R. Michael Young Lehman 1 1. Introduction Web services are a relatively
More informationSecure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics
Secure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics B.Prasanalakshmi Assistant Professor Department of CSE Thirumalai Engineering College
More informationInstallation Guide Access Manager 4.0 SP2
Installation Guide Access Manager 4.0 SP2 June 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF
More informationPervasive Software + NetSuite = Seamless Cloud Business Processes
Pervasive Software + NetSuite = Seamless Cloud Business Processes Successful integration solution between cloudbased ERP and on-premise applications leveraging Pervasive integration software. Prepared
More informationDEPARTMENT OF INFORMATION TECHNOLOGY GOVERNMENT OF GOA TECHNICAL SPECIFICATIONS FOR GOA GOVERNMENT WEBSITES
DEPARTMENT OF INFORMATION TECHNOLOGY GOVERNMENT OF GOA TECHNICAL SPECIFICATIONS FOR GOA GOVERNMENT WEBSITES February 2010 Page 1 of 9 Contents 1. Introduction 3 2. Development 4 3. Website Hosting 6 4.
More informationTake Control of Identities & Data Loss. Vipul Kumra
Take Control of Identities & Data Loss Vipul Kumra Security Risks - Results Whom you should fear the most when it comes to securing your environment? 4. 3. 2. 1. Hackers / script kiddies Insiders Ex-employees
More informationSecuring access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001
Securing access to Citrix applications using Citrix Secure Gateway and SafeWord PremierAccess App Note December 2001 DISCLAIMER: This White Paper contains Secure Computing Corporation product performance
More informationPrinciples and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)
Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards) Michael P. Papazoglou (INFOLAB/CRISM, Tilburg University, The Netherlands)
More informationCisco Application Networking for BEA WebLogic
Cisco Application Networking for BEA WebLogic Faster Downloads and Site Navigation, Less Bandwidth and Server Processing, and Greater Availability for Global Deployments What You Will Learn To address
More information