Chapter 9 - 01 - Understand Secure Application Design and Architecture - 01_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Application Security Exam 212-82 Module =9 Understand Secure Application Design and o Understand Software Security Standards, Models, e and Frameworks Flow 329 o o Understand Secure Application, Development, Deployment, and Automation Application Security Testing Techniques and Tools Understand Secure Application Design and Architecture Increasing Internet usage and expanding online businesses have accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business purposes is the multitude of features that they offer. Although web applications enforce certain security policies, they are vulnerable to various attacks. This section discusses the importance of secure application design and architecture. Module 09 Page 1138 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 What is a Secure Application? O An application is said to be secure when it ensures the confidentiality, integrity, and availability of its restricted resources O Arestricted resource is any object, data, feature, or function of an application designed o ¢ Authentication The user supplies their identity and secret User =% ¥ 1 1 < to be accessed by only authorized users Authorization ——— The user is authenticated by checking the veracity of the secret et R The user is authorized to use one or more protected resources Copyright © by c Protected Resource e Protected Resource G > tect i TESCISRaNI The set of resources that the user is authorized to use defines the level of trust granted to the user EC All Rights Reserved. Reproduction is Strictly Prohibited. What is a Secure Application? A secure application ensures the confidentiality, integrity, and availability of its restricted resources throughout the application lifecycle. The securing process involves some tools and procedures to protect the application from cyberattacks. Cybercriminals are motivated to target and exploit vulnerabilities in an application to steal confidential data, tamper with code, and compromise the whole application. The process component resources of securing an application involves of the application. This procedure such as the objects, data, features, accessed by only authorized users. deploying, inserting, and or functions of an application @ | 7 Jp— {R € Authentication Authorization their identity and The user is authenticated The user is authorized to secret by checking the veracity of use one or more The user supplies User d the secret every identifies all the vulnerabilities in restricted :--Y;> > testing protected resources 1 IV I 1 1 : x H m> R designed to be 0 Protected Resource 0 Protected Resource e eat i The set of resources that the user is authorized to use defines the level of trust granted to the user Figure 9.1: lllustration of secure web application Module 09 Page 1139 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Need for Application Security Q Itis a common myth that perimeter security controls such as firewall and IDS systems can secure your application, but it is not true as these controls are not effective to defend application layer attacks O This is because port 80 and 443 are generally open on perimeter devices for legitimate web traffic, which attackers can use to exploit the application level vulnerabilities and get into the network Application Layer DETELET Application Level Attack Legacy Systems Web Services Firewall : Directories Copyright © by E Sll. Al Rights Reserved. Reproduction is Strictly Prohibited Need for Application Security Organizations are increasingly using web applications to provide high value business functions to their customers such as real-time sales, transactions, inventory management across multiple vendors including both B-B and B-C e-commerce, workflow and supply chain management, etc. Attackers exploit vulnerabilities in the applications to launch various attacks and gain unauthorized access to resources. It is a common myth that perimeter security controls such as firewall and IDS systems can secure your application but it is not true as these controls are not effective to defend application layer attacks. This is because port 80 and 443 are generally open on perimeter devices for legitimate web traffic, which attackers can use to exploit the application level vulnerabilities and get into the network. A successful application level attack may result into: = Financial Loss Affects Business Continuity = Closure of Business = Disclosure of Business Information = Damages Reputation ®» Fraudulent Module 09 Page 1140 Transactions Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Application Layer Databases Application Level Attack Legacy Systems Web Services Firewall : Directories Hardened OS Figure 9.2: Illlustration of web application attack Module 09 Page 1141 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Application Security Administration Q Application security administration involves a set of actions for managing and administrating the security of the applications installed on an organization’s computers and networks Application Security Administration Responsibilities » » Application Security Administration Practices Protecting users from downloading and installing potentially harmful applications Preventing applications from creating and modifying executable files Preventing applications from accessing, creating, and modifying operating system resources unnecessarily » Preventing applications from spawning into various processes ‘! Y » ‘ ~ ~ »Y 1. Application whitelisting/blacklisting = 2. Application sandboxing 3. Application patch management 4. Application-level firewall (WAF) deployments Regularly updating applications with the latest patches, updates, and versions for security Securely configuring applications to protect against security risks arising from security misconfigurations Application Security Administration Organizations potential must risks and continuously maintain monitor their applications for vulnerabilities the security of applications. Application involves a set of actions for managing organization’s computers and networks. companies consider to secure systems. to reduce security administration the security of the applications installed on an It is one of the several levels of security that The typical responsibilities of application security administration include the following: = Users must be protected from downloading and installing potentially harmful applications. Security professionals should not allow the downloading and installation of applications from untrusted sources or third-party sites. Untrusted malware inside applications to compromise the system. = sources may hide Application must not be allowed to create and modify executable files. Security professionals should ensure the security of an application before it is installed on the system, and applications should be installed using the installation guide provided by the vendor. = Applications must not be allowed to access, create, or modify OS resources unnecessarily. A security professional should monitor the running applications, and the applications should have only the required permissions to access the system resources to prevent the loss of confidentiality, integrity, and availability. = Applications must not be allowed to spawn into various processes. Module 09 Page 1142 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Applications must be regularly updated with the latest patches and for security. The existence of outdated or insecure applications organization’s network. poses a serious security threat to the Applications must be configured in a secure manner to protect users from security risks arising from security misconfigurations. To implement following: application security in an organization, a security professional Application whitelisting/blacklisting: Control the execution applications. Application sandboxing: Execute untrusted or untested of unwanted applications performs the or malicious in an isolated environment to protect the system. Application patch management: Monitor and deploy new or missing patches to ensure the security of applications on hosts. Application-level firewall (WAF) deployment: Deploy WAF to protect web servers from malicious traffic. Module 09 Page 1143 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.