TWO. Secure Web-Enabled Application Deployment and Social Networking
by Mike Harwood
Security Strategies in Web Applications and Social Networking
- Copyright
- Preface
- Acknowledgments
- ONE. Evolution of Computing, Communications, and Social Networking
- 1. From Mainframe to Client/Server to World Wide Web
- The Evolution of Data Processing
- Mainframe Computers
- Client/Server Computing
- Distributed Computing
- Transformation of Brick-and-Mortar Businesses to E-commerce Businesses
- World Wide Web Revolution
- Groupware and Gopher
- The Changing States of the World Wide Web
- Cloud Computing and Virtualization
- Lack of Inherent Security Within Protocols, Systems, Applications, and Coding Itself
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- ENDNOTE
- 2. From Brick-and-Mortar to E-commerce to E-business Transformation
- The Evolution of Business from Brick-and-Mortar to the WWW
- Top-of-Mind Business Drivers
- Solving Common Business Challenges
- E-business Strategies
- Internet Marketing Strategies
- Risks, Threats, and Vulnerabilities with Web Sites
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 2 ASSESSMENT
- 3. Evolution of People-to-People Communications
- Personal Versus Business Communications
- Evolution of Communications
- Social Media and Social Networking
- Online Social Behavior
- Limitations of Liability of Web Site Owners
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- 4. From Personal Communication to Social Networking
- The History and Evolution of E-mail
- The Rules for E-mail Communication
- The Key Elements of Web Pages
- Online Message Boards
- Online Forums
- Online Virtual Community Portals
- Online Chat Rooms
- Risks, Threats, and Vulnerabilities with Personal Communications and Social Networks
- Privacy Violations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 4 ASSESSMENT
- 1. From Mainframe to Client/Server to World Wide Web
- TWO. Secure Web-Enabled Application Deployment and Social Networking
- 5. Mitigating Risk When Connecting to the Internet
- Threats When Connecting to the Internet
- Web Site Hosting
- The Seven Domains of a Typical IT Infrastructure
- Protecting Networks in the LAN-to-WAN Domain
- Best Practices for Connecting to the Internet
- CHAPTER SUMMARY
- KEY CONCEPT AND TERMS
- CHAPTER 5 ASSESSMENT
- 6. Mitigating Web Site Risks, Threats, and Vulnerabilities
- Who Is Coming to Your Web Site?
- Whom Do You Want to Come to Your Web Site?
- Does Your Web Site Accept User Input?
- The Open Web Application Security Project (OWASP) Top 10
- Cross-Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross-Site Request Forgery
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
- Summary of OWASP Top 10
- Best Practices for Mitigating Known Web Application Risks, Threats, and Vulnerabilities
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESMENT
- 7. Introducing the Web Application Security Consortium (WASC)
- WASC Threat Classification
- Web Site Attacks
- Abuse of Functionality
- Brute-Force Attacks
- Buffer Overflow
- Content Spoofing
- Credential/Session Prediction
- Cross-Site Scripting
- Cross-Site Request Forgery
- Denial of Service
- Fingerprinting
- Format String
- HTTP Response Smuggling
- HTTP Response Splitting
- HTTP Request Smuggling
- HTTP Request Splitting
- Integer Overflows
- LDAP Injection
- Mail Command Injection
- Null Byte Injection
- OS Commanding
- Path Traversal
- Predictable Resource Location
- Remote File Inclusion (RFI)
- Routing Detour
- Session Fixation
- SOAP Array Abuse
- SSI Injection
- SQL Injection
- URL Redirector Abuse
- XPath Injection
- XML Attribute Blowup
- XML External Entities
- XML Entity Expansion
- XML Injection
- XQuery Injection
- Web Site Weaknesses
- Application Misconfiguration
- Directory Indexing
- Improper File System Permissions
- Improper Input Handling
- Improper Output Handling
- Information Leakage
- Insecure Indexing
- Insufficient Anti-Automation
- Insufficient Authentication
- Insufficient Authorization
- Insufficient Password Recovery
- Insufficient Process Validation
- Insufficient Session Expiration
- Insufficient Transport Layer Protection
- Server Misconfiguration
- Best Practices for Mitigating Attack Risks
- Best Practices for Mitigating Weaknesses
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- 8. Securing Web Applications
- Does Your Application Require User Input into Your Web Site?
- Technologies and Systems Used to Make a Complete Functional Web Site
- Does Your Development Process Follow the Software Development Life Cycle (SDLC)?
- Designing a Layered Security Strategy for Web Sites and Web Applications
- Incorporating Security Requirements Within the SDLC
- HTTP and Clear Text Versus HTTPS and Encryption
- SSL—Encryption for Data Transfer Between Client and Web Site
- Selecting an Appropriate Access Control Solution
- Best Practices for Securing Web Applications
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- 9. Mitigating Web Application Vulnerabilities
- Causes of Vulnerabilities
- Developing Policies to Mitigate Vulnerabilities
- Implementing Secure Coding Best Practices
- Incorporating HTML Secure Coding Standards and Techniques
- Incorporating JavaScript Secure Coding Standards and Techniques
- Incorporating CGI Form and SQL Database Access Secure Coding Standards and Techniques
- Implementing Software Development Configuration Management and Revision-Level Tracking
- Best Practices for Mitigating Web Application Vulnerabilities
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- 10. Maintaining PCI DSS Compliance for E-commerce Web Sites
- Credit Card Transaction Processing
- What Is PCI DSS?
- Designing and Building Your E-commerce Web Site with PCI DSS in Mind
- What Does a PCI DSS Security Assessment Entail?
- Best Practices to Mitigate Risk for E-commerce Web Sites with PCI DSS Compliance
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- 11. Testing and Quality Assurance for Production Web Sites
- Development and Production Software Environments
- Configuration and Change Management
- Building a Test Plan and Functionality Checklist for Web Site Deployments
- Testing for All New Applications and Features
- Detecting Security Gaps and Holes in Web Site Applications
- Mitigating Any Identified Gaps and Holes and Retesting
- Deploying Web Site Applications in a Production Environment
- Monitoring and Analyzing Web Site Traffic, Use, and Access
- Best Practices for Testing and Assuring Quality of Production Web Sites
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- 12. Performing a Web Site Vulnerability and Security Assessment
- Software Testing Versus Web Site Vulnerability and Security Assessments
- Performing an Initial Discovery on the Targeted Web Site
- Performing a Vulnerability and Security Assessment
- Using Planned Attacks to Identify Vulnerabilities
- Spotting Vulnerabilities in Back-End Systems and SQL Databases
- Preparing a Vulnerability and Security Assessment Report
- Best Practices for Web Site Vulnerability and Security Assessments
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- 5. Mitigating Risk When Connecting to the Internet
- THREE. Web Applications and Social Networking Gone Mobile
- 13. Securing Endpoint Device Communications
- Endpoint Devices
- Wireless Networks and How They Work
- Endpoint Device Communications
- Endpoint Device Communication Risks, Threats, and Vulnerabilities
- Best Practices for Securing Endpoint Device Communications
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- 14. Securing Personal and Business Communications
- Store-and-Forward Communication
- Methods of Messaging
- Real-Time Communication
- Telephony/Private Branch Exchange (PBX) Communication Security Best Practices
- VoIP Communication Security Best Practices
- SIP Application (Unified Communications) Best Practices
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- ENDNOTE
- 15. Web Application Security Organizations, Education, Training, and Certification
- Department of Homeland Security (DHS)
- National Cyber Security Division (NCSD)
- Computer Emergency Response Team Coordination Center (CERT®/CC)
- The MITRE Corporation and the CVE List
- National Institute of Standards and Technology (NIST)
- International Information Systems Security Certification Consortium, Inc. (ISC)2
- Web Application Security Consortium (WASC)
- Open Web Application Security Project (OWASP)
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- 13. Securing Endpoint Device Communications
- A. Answer Key
- B. Standard Acronyms
- Glossary of Key Terms
- References
CHAPTER 5 Mitigating Risk When Connecting to the Internet 108
CHAPTER 6 Mitigating Web Site Risks, Threats, and Vulnerabilities 142
CHAPTER 7 Introducing the Web Application Security Consortium (WASC) 167
CHAPTER 8 Securing Web Applications 200
CHAPTER 9 Mitigating Web Application Variables 224
CHAPTER 10 Maintaining PCI DSS Compliance for E-commerce Web Sites 246
CHAPTER 11 Testing and Quality Assurance for Production Web Sites 266
CHAPTER 12 Performing a Web Site Vulnerability and Security Assessment 283
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.