Chapter 9 - 01 - Understand Secure Application Design and Architecture - 01_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EG-Council
Tags
Related
- Chapter 9 - 01 - Understand Secure Application Design and Architecture PDF
- Chapter 9 - 03 - Understand Secure Application, Development, Deployment, and Automation_ocred.pdf
- Software/Application Security Policy PDF
- Chapter 9 - 01 - Understand Secure Application Design and Architecture - 03_ocred_fax_ocred.pdf
- Chapter 9 - 02 - Understand Software Security Standards, Models, and Frameworks_ocred_fax_ocred.pdf
- Software Security Development CYB0203 Lecture Notes PDF
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Application Security Module Flow =9 329 Understand Secure...
Certified Cybersecurity Technician Exam 212-82 Application Security Module Flow =9 329 Understand Secure Understand Secure Application Design and o o Application, Development, Deployment, and Automation Understand Software Application Security Security Standards, Models, e o Testing Techniques and and Frameworks Tools Understand Secure Application Design and Architecture Increasing Internet usage and expanding online businesses have accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business purposes is the multitude of features that they offer. Although web applications enforce certain security policies, they are vulnerable to various attacks. This section discusses the importance of secure application design and architecture. Module 09 Page 1138 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security What is a Secure Application? O An application is said to be secure when it ensures the confidentiality, integrity, and availability of its restricted resources O Arestricted resource is any object, data, feature, or function of an application designed to be accessed by only authorized users < c Protected Resource 1 1 ¥ =% e Protected Resource o ¢ Authentication Authorization The user supplies ——— et R G > tect i their identity and The user is authenticated The user is authorized to TESCISRaNI secret by checking the veracity of use one or more User the secret protected resources The set of resources that the user is authorized to use defines the level of trust granted to the user Copyright © by EC All Rights Reserved. Reproduction is Strictly Prohibited. What is a Secure Application? A secure application ensures the confidentiality, integrity, and availability of its restricted resources throughout the application lifecycle. The securing process involves some tools and procedures to protect the application from cyberattacks. Cybercriminals are motivated to target and exploit vulnerabilities in an application to steal confidential data, tamper with code, and compromise the whole application. The process of securing an application involves deploying, inserting, and testing every component of the application. This procedure identifies all the vulnerabilities in restricted resources such as the objects, data, features, or functions of an application designed to be accessed by only authorized users. :--Y;> 0 Protected Resource 1 IV > d @ | 7 Jp— {R € I m> 0 Protected Resource 1 1 Authentication Authorization : x The user supplies R e H their identity and The user is authenticated The user is authorized to eat i secret by checking the veracity of use one or more User the secret protected resources The set of resources that the user is authorized to use defines the level of trust granted to the user Figure 9.1: lllustration of secure web application Module 09 Page 1139 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Need for Application Security Q Itis a common myth that perimeter security controls such as firewall and IDS systems can secure your application, but it is not true as these controls are not effective to defend application layer attacks O This is because port 80 and 443 are generally open on perimeter devices for legitimate web traffic, which attackers can use to exploit the application level vulnerabilities and get into the network Application Layer DETELET Application Level Attack Legacy Systems Web Services Firewall : Directories Copyright © by E Sll. Al Rights Reserved. Reproduction is Strictly Prohibited Need for Application Security Organizations are increasingly using web applications to provide high value business functions to their customers such as real-time sales, transactions, inventory management across multiple vendors including both B-B and B-C e-commerce, workflow and supply chain management, etc. Attackers exploit vulnerabilities in the applications to launch various attacks and gain unauthorized access to resources. It is a common myth that perimeter security controls such as firewall and IDS systems can secure your application but it is not true as these controls are not effective to defend application layer attacks. This is because port 80 and 443 are generally open on perimeter devices for legitimate web traffic, which attackers can use to exploit the application level vulnerabilities and get into the network. A successful application level attack may result into: = Financial Loss Affects Business Continuity = Closure of Business = Disclosure of Business Information = Damages Reputation ®» Fraudulent Transactions Module 09 Page 1140 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Application Layer Databases Application Level Attack Legacy Systems Web Services Firewall : Directories Hardened OS Figure 9.2: lllustration Illlustration of web application attack Module 09 Page 1141 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Application Security Administration Q Application security administration involves a set of actions for managing and administrating the security of the applications installed on an organization’s computers and networks Application Security Administration Application Security Responsibilities Administration Practices » Protecting users from downloading and installing potentially ‘ 1. Application harmful applications ~ ~ whitelisting/blacklisting » Preventing applications from creating and modifying = »Y executable files 2. Application sandboxing » Preventing applications from accessing, creating, and 3. Application patch modifying operating system resources unnecessarily management » Preventing applications from spawning into various processes 4. Application-level firewall Regularly updating applications with the latest patches, (WAF) deployments Y updates, and versions for security Securely configuring applications to protect against security ‘! risks arising from security misconfigurations Application Security Administration Organizations must continuously monitor their applications for vulnerabilities to reduce potential risks and maintain the security of applications. Application security administration involves a set of actions for managing the security of the applications installed on an organization’s computers and networks. It is one of the several levels of security that companies consider to secure systems. The typical responsibilities of application security administration include the following: = Users must be protected from downloading and installing potentially harmful applications. Security professionals should not allow the downloading and installation of applications from untrusted sources or third-party sites. Untrusted sources may hide malware inside applications to compromise the system. = Application must not be allowed to create and modify executable files. Security professionals should ensure the security of an application before it is installed on the system, and applications should be installed using the installation guide provided by the vendor. = Applications must not be allowed to access, create, or modify OS resources unnecessarily. A security professional should monitor the running applications, and the applications should have only the required permissions to access the system resources to prevent the loss of confidentiality, integrity, and availability. = Applications must not be allowed to spawn into various processes. Module 09 Page 1142 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Applications must be regularly updated with the latest patches and for security. The existence of outdated or insecure applications poses a serious security threat to the organization’s network. Applications must be configured in a secure manner to protect users from security risks arising from security misconfigurations. To implement application security in an organization, a security professional performs the following: Application whitelisting/blacklisting: Control the execution of unwanted or malicious applications. Application sandboxing: Execute untrusted or untested applications in an isolated environment to protect the system. Application patch management: Monitor and deploy new or missing patches to ensure the security of applications on hosts. Application-level firewall (WAF) deployment: Deploy WAF to protect web servers from malicious traffic. Module 09 Page 1143 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.