Summary

This document details an application security frame, also known as a web application security schema. It incorporates technical operations such as threat modeling to identify and categorize security threats, vulnerabilities, and attack surfaces. The security frame minimizes risks from public platforms by establishing security controls for the web server and host server.

Full Transcript

Certified Cybersecurity Technician Exam 212-82: Application Security (Module 09)
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Application Security Frame

An application security frame, also referred to as a web-application security schema, incorporates skillful technical operations such as threat modeling to discover and categorize threats, vulnerabilities, and attack surfaces as well as provide appropriate countermeasures. It minimizes risks that can evolve from public platforms while accessing application services. The security frame can establish a regular framework that can merge skills to secure the web server through firewalls, IDSes, routers, and other networking solutions and to secure the host server by releasing timely patches, maintaining individual accounts, logging, etc.

Figure 9.3: Application security frame

- Application-level categories: Input Validation, Sensitive Data Protection, Parameter Manipulation, Authentication, Session Management, Exception Management, Authorization, Cryptography, Auditing and Logging, Configuration Management
- Components shown: Web Server, Application Server, Database, Apps, Firewall, Host
- Securing the Network: Router, Firewall, Switch, IDS, IPS
- Securing the Host: Patches and Updates, Services, Protocols, Accounts, Files and Directories, Shares, Ports, Registry, Auditing and Logging
- Also labeled: Threats and Countermeasures

3W's in Application Security

As a web application passes through complex networks and connects to multiple users, it must be secured with all the necessary security measures, which requires proper planning and expertise. The following are the three Ws involved in providing effective application security.

- Why: Why should we care about application security? As applications are globally accessible, they are becoming popular targets for attackers to compromise an organization's security. Therefore, an application must be evaluated while considering all the target portions or attack surfaces. Through appropriate security implementations, the application can maintain confidentiality and integrity of data as well as ensure the uninterrupted availability of services.
- What: What do we need for application security? To overcome all the security challenges that an application can face in the global network, constant security vigilance is required at various phases of the application development lifecycle. The application also requires security controls or tools to identify, address, and handle threats and to enhance the overall security, thus making it less vulnerable to cyberattacks. Standard policies and guidelines can also play a major role in implementing application security.
- Who: Who is responsible for application security? Irrespective of where an application is hosted, securing it is a major concern for the organization. Entities such as managers, architects, developers, testers, and administrators take equal responsibility in securing the application. All these parties must collaborate to detect common application security bugs as well as create and deliver patches after thorough inspection.

Secure Application Design and Architecture

Security negligence at the design and architecture phase may lead to vulnerabilities that are difficult to detect and expensive to fix in production. Security vigilance at the design phase enables detecting potential security flaws early in the software development lifecycle. Secure design of an application is based on the security requirements identified in the previous phase of the SDLC. Secure design is a challenging process, as designing the required security controls may obstruct the business functionality requirements.

Goal of Secure Design Process

- Identifying the threats in sufficient detail for developers to understand and code accordingly to mitigate the risk associated with the threats.
- Designing an architecture in such a way that it mitigates as many threats as possible.
- Enforcing secure design principles that force developers to consider security while coding.
- Ensuring confidentiality, integrity, and availability of data used within the application.

Secure Design Actions

The secure design actions include the following:

- Security Requirement Specifications: Design the application according to the security specifications gathered at the requirement phase.
- Secure Design Principles: Define the secure coding standards to be implemented in the development phase.
- Threat Modeling: Perform threat modeling to know your threats.
- Secure Application Architecture: Design a secure application architecture.
