Chapter 9 - 01 - Understand Secure Application Design and Architecture - 05_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
OCER
Tags
Related
- Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 01_ocred.pdf
- Chapter 9 - 04 - Application Security Testing Techniques and Tools - 07_ocred.pdf
- Chapter 9 - 04 - Application Security Testing Techniques and Tools - 08_ocred.pdf
- Chapter 2 - 04 - Understand Application-level and OS-level Attacks_fax_ocred.pdf
- Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 01_ocred_fax_ocred.pdf
- Chapter 9 - 04 - Application Security Testing Techniques and Tools - 08_ocred_fax_ocred.pdf
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Application Security Design Secure Application Architecture A typical web application archite...
Certified Cybersecurity Technician Exam 212-82 Application Security Design Secure Application Architecture A typical web application architecture comprises of three tiers i.e. web, application and database Security at one tier is not enough as attacker can breach the security of another tier to compromise the application Design web application architecture with defense-in-depth principle i.e. providing security at each tier of the web application A multi-tiered security include proper input validation, database layer abstraction, server configuration, proxies, web application firewalls, data encryption, OS hardening, and so on Design Secure Application Architecture (Cont’d) O Applying multiple layer security in application architecture design makes application robust and secure Tier1 Tier 2 Tier 3 Input validation, users Authenticating and authorization, secure authorizing upstream exception, secure identities , secure auditing configuration canbedone at and logging and transactions Can encrypt or hash the this tier can be performed at this tier data stored in database Internet Firewall Client running b - Database Server Can protect sensitive data using Can protect the sensitive secure communication channel database communication Design Secure Application Architecture A typical web application architecture comprises of three tiers i.e. web, application and database. Security at one tier is not enough as attacker can breach the security of another tier to compromise the application. Design web application architecture with defense-in-depth principle i.e. providing security at each tier of the web application. A multi-tiered security include proper input validation, database layer abstraction, server configuration, proxies, web Module 09 Page 1161 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security application firewalls, data encryption, OS hardening, and so on. Applying multiple layer security in application architecture design makes application robust and secure. Tier1 Tier2 Tier3 Input validation, users Authenticating and authorization, secure authorizing upstream exception, secure identities , secure auditing configuration can be done at and logging and transactions Can encrypt or hash the this tier can be performed at this tier data stored in database Authenticating users Internet Firewall Client running e Web Server Application Server Database Server Can protect sensitive data using Can protect the sensitive secure communication channel database communication Figure 9.5: Secure application architecture Module 09 Page 1162 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Secure Coding Practices: Input Validation @ The input should be validated against: Input validation is the process of &/ Data type (string, integer, real, etc.) verifying and testing user inputs of the application that come v Allowed character set from untrusted data sources %7 Minimum and maximum length It is the simplest defensive V Whether null is allowed technique used to secure web. applications from injection V' Numeric range attacks %7 Whether duplicates are allowed V Whether the parameter is required or not Proper input validation techniques are used to eliminate the V Specific legal values (enumeration) vulnerabilities in web applications V Specific patterns (regular expressions) Copyright © by EC-Councll. All Rights Reserved. Reproductionis Strictly Prohibited Secure Coding Practices While developing applications, developers must consider many aspects of security in coding such as input validation, secure parameter passing, normalization, and output encoding. Secure coding helps in preventing vulnerabilities and cyberattacks. Input Validation Input validation is the process of verifying and testing user inputs of the application that come from untrusted data sources. It is the simplest defensive technique used to secure web applications from injection attacks. Proper input validation techniques are used to eliminate the vulnerabilities in web applications. Improper validation of input may provide the path for the attackers to perform injection attacks such as cross site scripting attacks and SQL injection attacks on the application. Firewalls cannot prevent the attacks caused by malicious or invalid inputs and processing of these inputs without validation can make the application vulnerable to attacks. Attackers can exploit improper input validation vulnerabilities by supplying malicious data to crash the application, manipulate or corrupt databases, etc. The input should be validated against: = Data type (string, integer, real, etc.) * Whether the parameter is required = Allowed character set or not s Minimum and maximum length = Specific legal values (enumeration) = Specific patterns (regular = Whether null is allowed. expressions) = Numeric range = Whether duplicates are allowed Module 09 Page 1163 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Secure Coding Practices: Parameterized Queries and Stored Procedures [ Parameterized Queries T Parameterized Stored Procedures Q In parameterized queries, an SQL query is O A parameterized stored procedure allows written without embedding parameters in the developer to write SQL code first and it; instead, each parameter of the query is then pass parameters to it supplied dynamically later pe X y O The only difference with parametrized QO This technigue helps in distinguishing queries is that non-parameterized stored between code and data irrespective of user procedures are stored in the database with input values supplied to them, and they are later called by the application O Parameterized queries do not allow attackers to change the intent of the query Parameterized Queries and Stored Procedures In parameterized queries, SQL query is written without embedding parameters in it; instead, each parameter of query is supplied dynamically later. This technique helps in distinguishing between code and data irrespective of user input. Parameterized queries do not allow attackers to change the intent of the query. The parameterized stored procedure also allows the developer to write SQL code first and then pass parameters to it. The only difference is that non-parameterized stored procedures are stored in the database with values supplied to them and then they are called by the application. Module 09 Page 1164 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Secure Coding Practices: Unicode Normalization Unicode normalization is the process of normalizing strings and determining B whether two given Unicode strings are equivalent based on the chosen normalization form I Normalization is mandatory because in Unicode, a character string can have many alternative representations fi gfi Web applications that accept unknown input strings use input filters and validation processes depending on the type of characters @ Input validation is applied only after normalizing the strings to prevent vulnerabilities such as cross-site scripting (XSS) Copyright © by EC-Councll. All Rights Reserved. Reproduction is Strictly Prohibited Unicode Normalization Unicode normalization is the process of normalizing strings and determining whether two given Unicode strings are equivalent based on the chosen normalization form. This mechanism is used while developing secure web applications to normalize input strings. With normalization, two strings with different binary representations acquire the same binary values. Normalization is mandatory because in Unicode, a character string can have many alternative representations. Web applications that accept unknown input strings use input filters and validation processes depending on the type of characters. Input validation is applied only after normalizing the strings to prevent vulnerabilities such as cross-site scripting (XSS). It is performed by correctly identifying and eliminating the tags in the input text. Such processes are necessary in the security strategy, even if they are inadequate for thorough input sanitization and validation. There are two types of equivalence between characters: canonical equivalence and compatibility equivalence. Canonical equivalence implies that two characters or a sequence of characters has the same meaning and visual appearance. In compatibility equivalence, also called the weaker equivalence of characters, two characters or a sequence of characters has the same abstract character(s) but different meanings and appearances. Sample Code for Normalization Check >>> strl = '\uOOF1'; >>> str2 = '\u006E\u0303'; >>> strl == str2 False Module 09 Page 1165 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security >>> unicodedata.normlize unicodedata.normlize (“"NFKD” ,strl)==unicodedata.normlize (“"NFKD” (“"NFKD”,strl)==unicodedata.normlize (“"NFKD”,str2) ,hstr2) True >>> unicodedata.normlize unicodedata.normlize (“"NFKC”,strl)==unicodedata.normlize (“NFKC” ,strl)==unicodedata.normlize (“"NFKC”,bstr2) (“"NFKC”,hstr2) True Module 09 Page 1166 E8-Gommell Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.
