Security Strategies in Web Applications and Social Networking

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Security Strategies in Web Applications and Social Networking provides a unique, in-depth look at how to secure mobile users as customer-facing information migrates from mainframe computers and application servers to Web-enabled applications. Written by an industry expert, this book provides a comprehensive explanation of the evolutionary changes that have occurred in computing, communications, and social networking and discusses how to secure systems against all the risks, threats, and vulnerabilities associated with Web-enabled applications accessible via the Internet. Using examples and exercises, this book incorporates hands-on activities to prepare readers to successfully secure Web-enabled applications.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. ONE. Evolution of Computing, Communications, and Social Networking
    1. 1. From Mainframe to Client/Server to World Wide Web
      1. The Evolution of Data Processing
        1. Understanding Data, Data Processing, and Information
        2. 1900s and Rapid Growth
      2. Mainframe Computers
      3. Client/Server Computing
      4. Distributed Computing
      5. Transformation of Brick-and-Mortar Businesses to E-commerce Businesses
        1. E-commerce Today
      6. World Wide Web Revolution
        1. Pre-Internet Era
      7. Groupware and Gopher
        1. Emergence of the World Wide Web
      8. The Changing States of the World Wide Web
        1. Web 1.0
          1. Web 1.0 and Keyword Search
          2. Directory Portals
        2. Web 2.0
        3. Web 3.0
      9. Cloud Computing and Virtualization
        1. Cloud Computing
          1. Types of Cloud Computing
        2. Virtualization
      10. Lack of Inherent Security Within Protocols, Systems, Applications, and Coding Itself
        1. System and Protocol Security
        2. Securing IP Communications
        3. Managing Application and Coding Security
        4. Using Service Packs
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 1 ASSESSMENT
      14. ENDNOTE
    2. 2. From Brick-and-Mortar to E-commerce to E-business Transformation
      1. The Evolution of Business from Brick-and-Mortar to the WWW
        1. E-commerce: A Brick-and-Mortar Model
        2. Customer-Focused E-commerce
        3. Emerging Trends in E-commerce: Distributed E-commerce
      2. Top-of-Mind Business Drivers
      3. Solving Common Business Challenges
        1. Planning Properly
        2. Managing the Customer Life Cycle
        3. Implementing an Effective Internet Marketing Strategy
        4. Creating New Revenue Streams
        5. Enhancing Customer Service Delivery
        6. Telecommuting and Secure Access for Remote Employees
        7. Maintaining Highly Available and Secure E-mail and Web Site Hosting
          1. The Internet and WWW Never Sleep
          2. Virtual Businesses Run 24 × 7 × 365
      4. E-business Strategies
        1. Customer Acquisition and Revenue Growth
          1. Isolating Key Demographics
          2. Conversion: Getting Results
          3. Retention: Getting Repeat Visitors
        2. E-commerce and Enhanced Customer Service Delivery
          1. One-Way Communication
          2. Limited Two-Way Communication
          3. Full Two-Way Communication
        3. E-business with Integrated Applications
      5. Internet Marketing Strategies
        1. E-mail Distribution Lists and E-mail Blasting
        2. Lead-Generation Web Sites
        3. SEO Marketing
          1. Using HTML Tags
            1. HTML <TITLE> tags.
            2. HTML <DESCRIPTION> tags.
          2. Social Networking and Other Forms of User-Generated Content
        4. Summing Up
      6. Risks, Threats, and Vulnerabilities with Web Sites
        1. Connecting to the Internet Means You Are Connecting to the Outside World
        2. Web Sites Are Prone to Attack and Scrutiny
        3. E-commerce Applications House Customer Privacy Data and Credit Card Transaction Processing Data
          1. Credit, Charge, and Debit Cards
          2. Electronic Cash and Wallets
        4. Web-Enabled Applications May Face Threats and Vulnerabilities
          1. Firmware
          2. Operating Systems and Applications
          3. Coding and SQL Vulnerabilities
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 2 ASSESSMENT
    3. 3. Evolution of People-to-People Communications
      1. Personal Versus Business Communications
        1. E-mail
        2. Voice over Internet Protocol
        3. Real-Time Communications
          1. Real-Time Communication with Video
          2. Blogging
        4. Social Networking
      2. Evolution of Communications
        1. Voice: Analog, Digital, VoIP
          1. Packet and Circuit Switching
        2. Voice Messaging
        3. Faxing
        4. E-mail
        5. Unified Messaging
        6. Unified Communications
        7. VoIP/SIP-Enabled Applications
        8. Presence/Availability
        9. Audio Conferencing
        10. Video Conferencing
        11. Collaborative Communications
      3. Social Media and Social Networking
        1. What Are Social Media and Social Networking?
        2. Virtual Communities and Online Social Groups
        3. Generation-Y People-to-People Communications
        4. Online Presence and Networking—Personal and Professional
          1. Personal Social Networking Sites
            1. MySpace.
            2. Orkut.
            3. Yahoo 360.
            4. Facebook.
            5. Twitter.
            6. Ning and Plaxo.
          2. Professional Networking
      4. Online Social Behavior
        1. Online Language
        2. Social Networking Protocols
        3. Chat Room Protocols
        4. Acceptable Use
      5. Limitations of Liability of Web Site Owners
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 3 ASSESSMENT
    4. 4. From Personal Communication to Social Networking
      1. The History and Evolution of E-mail
        1. E-mail's Effectiveness
      2. The Rules for E-mail Communication
        1. Rules for Personal E-mail
        2. Rules for Business E-mail
      3. The Key Elements of Web Pages
        1. Understanding Eye Paths and Heat Maps
        2. The Fold
        3. The Body
      4. Online Message Boards
      5. Online Forums
      6. Online Virtual Community Portals
      7. Online Chat Rooms
      8. Risks, Threats, and Vulnerabilities with Personal Communications and Social Networks
        1. Perpetrators
        2. Phishing
        3. Online Scams
        4. E-mail Scams
        5. Social Engineering
          1. Shoulder Surfing
          2. Dumpster Diving
          3. Persuasion
          4. Impersonation
        6. Loss of Privacy Data
          1. Web Site Registrations
          2. Cookies
          3. Confidentiality of Customer's Information
      9. Privacy Violations
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 4 ASSESSMENT
  5. TWO. Secure Web-Enabled Application Deployment and Social Networking
    1. 5. Mitigating Risk When Connecting to the Internet
      1. Threats When Connecting to the Internet
        1. Risks and Threats
          1. Hackers or Malware
            1. Understanding malware.
            2. Viruses.
            3. Worms.
            4. Trojan horses.
          2. Personal Attacks
            1. Fraud.
            2. Harassment and cyberstalking.
            3. Identity theft.
          3. E-mail Attacks
          4. Managing Online Risks and Threats
        2. Vulnerabilities and Exploits
        3. Perpetrators
          1. Common Perpetrator Attacks
          2. Denial of Service (DoS) Attacks
      2. Web Site Hosting
        1. External Web Hosting
        2. Internal Web Hosting
          1. Whois (Private or Public)
        3. Domain Name Server
          1. Working with DNS
          2. Understanding the DNS Name
          3. Common DNS Attacks
      3. The Seven Domains of a Typical IT Infrastructure
      4. Protecting Networks in the LAN-to-WAN Domain
        1. Perimeter Defense Strategies
          1. Port 80: Open or Closed?
        2. Firewalls
        3. Demilitarized Zones (DMZs)
        4. Proxy Servers
        5. Intrusion Detection Systems and Intrusion Protection Systems
          1. Data Leakage Prevention
      5. Best Practices for Connecting to the Internet
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 5 ASSESSMENT
    2. 6. Mitigating Web Site Risks, Threats, and Vulnerabilities
      1. Who Is Coming to Your Web Site?
      2. Whom Do You Want to Come to Your Web Site?
      3. Does Your Web Site Accept User Input?
        1. Forums
        2. Web Site Feedback Forms
        3. Online Surveys
      4. The Open Web Application Security Project (OWASP) Top 10
        1. Cross-Site Scripting (XSS)
          1. Mitigating XSS Attacks
        2. Injection Flaws
          1. Mitigating Injection Flaws
        3. Malicious File Execution
          1. Mitigating Malicious File Execution
        4. Insecure Direct Object Reference
          1. Mitigating Insecure Direct Object Reference
        5. Cross-Site Request Forgery
          1. Mitigating Cross-Site Request Forgery
        6. Information Leakage and Improper Error Handling
          1. Mitigating Error Message Handling Errors
        7. Broken Authentication and Session Management
          1. Mitigating Broken Authentication and Session Management
        8. Insecure Cryptographic Storage
          1. Mitigating Insecure Cryptographic Storage
        9. Insecure Communications
          1. Mitigating Insecure Communications
            1. Phase I SA negotiation.
            2. Phase II SA negotiation.
          2. Internet Security Protocol (IPSec)
            1. Authentication Header.
            2. Encapsulating Security Payload.
            3. IPSec authentication protocols.
            4. IPSec encryption protocols.
          3. Secure Sockets Layer (SSL)
        10. Failure to Restrict URL Access
          1. Mitigating Failure to Restrict URL Access
        11. Summary of OWASP Top 10
      5. Best Practices for Mitigating Known Web Application Risks, Threats, and Vulnerabilities
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 6 ASSESSMENT
    3. 7. Introducing the Web Application Security Consortium (WASC)
      1. WASC Threat Classification
      2. Web Site Attacks
        1. Abuse of Functionality
        2. Brute-Force Attacks
          1. Authentication Account Lockout Policy
          2. Developing Password Policies
        3. Buffer Overflow
        4. Content Spoofing
        5. Credential/Session Prediction
        6. Cross-Site Scripting
        7. Cross-Site Request Forgery
        8. Denial of Service
        9. Fingerprinting
        10. Format String
        11. HTTP Response Smuggling
        12. HTTP Response Splitting
        13. HTTP Request Smuggling
        14. HTTP Request Splitting
        15. Integer Overflows
        16. LDAP Injection
        17. Mail Command Injection
        18. Null Byte Injection
        19. OS Commanding
        20. Path Traversal
        21. Predictable Resource Location
        22. Remote File Inclusion (RFI)
        23. Routing Detour
        24. Session Fixation
        25. SOAP Array Abuse
        26. SSI Injection
        27. SQL Injection
        28. URL Redirector Abuse
        29. XPath Injection
        30. XML Attribute Blowup
        31. XML External Entities
        32. XML Entity Expansion
        33. XML Injection
        34. XQuery Injection
      3. Web Site Weaknesses
        1. Application Misconfiguration
        2. Directory Indexing
        3. Improper File System Permissions
          1. Advanced NTFS Settings
        4. Improper Input Handling
        5. Improper Output Handling
        6. Information Leakage
        7. Insecure Indexing
        8. Insufficient Anti-Automation
        9. Insufficient Authentication
        10. Insufficient Authorization
        11. Insufficient Password Recovery
        12. Insufficient Process Validation
        13. Insufficient Session Expiration
        14. Insufficient Transport Layer Protection
        15. Server Misconfiguration
      4. Best Practices for Mitigating Attack Risks
      5. Best Practices for Mitigating Weaknesses
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 7 ASSESSMENT
    4. 8. Securing Web Applications
      1. Does Your Application Require User Input into Your Web Site?
        1. Get to Know Your Syntax with Request for Comments (RFC)
      2. Technologies and Systems Used to Make a Complete Functional Web Site
        1. Hypertext Markup Language (HTML)
        2. Common Gateway Interface (CGI) Script
        3. JavaScripting
        4. SQL Database Back-End
      3. Does Your Development Process Follow the Software Development Life Cycle (SDLC)?
      4. Designing a Layered Security Strategy for Web Sites and Web Applications
      5. Incorporating Security Requirements Within the SDLC
        1. Systems Analysis Stage
        2. Designing Stage
        3. Implementation Stage
        4. Testing Stage
        5. Acceptance and Deployment Stage
        6. Maintenance
      6. HTTP and Clear Text Versus HTTPS and Encryption
      7. SSL—Encryption for Data Transfer Between Client and Web Site
        1. SSL Encryption and Hash Protocols
      8. Selecting an Appropriate Access Control Solution
        1. Discretionary Access Control
        2. Mandatory Access Control
        3. Rule-Based Access Control
        4. Role-Based Access Control
        5. Create Access Controls That Are Commensurate with the Level of Sensitivity of Data Access or Input
      9. Best Practices for Securing Web Applications
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 8 ASSESSMENT
    5. 9. Mitigating Web Application Vulnerabilities
      1. Causes of Vulnerabilities
        1. Authentication
        2. Input Validation
        3. Session Management
        4. Vulnerabilities Are Caused by Non-Secure Code in Software Applications
      2. Developing Policies to Mitigate Vulnerabilities
      3. Implementing Secure Coding Best Practices
      4. Incorporating HTML Secure Coding Standards and Techniques
      5. Incorporating JavaScript Secure Coding Standards and Techniques
      6. Incorporating CGI Form and SQL Database Access Secure Coding Standards and Techniques
        1. SQL Database Security
      7. Implementing Software Development Configuration Management and Revision-Level Tracking
        1. Revision-Level Tracking
      8. Best Practices for Mitigating Web Application Vulnerabilities
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 9 ASSESSMENT
    6. 10. Maintaining PCI DSS Compliance for E-commerce Web Sites
      1. Credit Card Transaction Processing
        1. Batch Processing
        2. Real-Time Processing
      2. What Is PCI DSS?
        1. If PCI DSS Is Not a Law, Why Do You Need to Be in Compliance?
      3. Designing and Building Your E-commerce Web Site with PCI DSS in Mind
      4. What Does a PCI DSS Security Assessment Entail?
        1. Scope of Assessment
        2. Instructions and Content for Report on Compliance
        3. Detailed PCI DSS Requirements and Security Assessment Procedures
        4. Security Assessment Marking Procedure
      5. Best Practices to Mitigate Risk for E-commerce Web Sites with PCI DSS Compliance
        1. Build and Maintain a Secure Network
          1. Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
          2. Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
        2. Protect Cardholder Data
          1. Requirement 3: Protect Stored Cardholder Data
          2. Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
        3. Maintain a Vulnerability Management Program
          1. Requirement 5: Use and Regularly Update Antivirus Software or Programs
          2. Requirement 6: Develop and Maintain Secure Systems and Applications
        4. Implement Strong Access Control Measures
          1. Requirement 7: Restrict Access to Cardholder Data by Business Need-To-Know
          2. Requirement 8: Assign a Unique ID to Each Person with Computer Access
          3. Requirement 9: Restrict Physical Access to the Cardholder Data Environment
        5. Regularly Monitor and Test Networks
          1. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
          2. Requirement 11: Regularly Test Security Systems and Processes
        6. Maintain an Information Security Policy
          1. Requirement 12: Maintain a Policy That Addresses Information Security for Employees and Contractors
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 10 ASSESSMENT
    7. 11. Testing and Quality Assurance for Production Web Sites
      1. Development and Production Software Environments
        1. Software Development Life Cycle (SDLC)
      2. Configuration and Change Management
        1. Policies
        2. Standards
        3. Procedures
        4. Guidelines
      3. Building a Test Plan and Functionality Checklist for Web Site Deployments
      4. Testing for All New Applications and Features
      5. Detecting Security Gaps and Holes in Web Site Applications
      6. Mitigating Any Identified Gaps and Holes and Retesting
      7. Deploying Web Site Applications in a Production Environment
      8. Monitoring and Analyzing Web Site Traffic, Use, and Access
      9. Best Practices for Testing and Assuring Quality of Production Web Sites
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 11 ASSESSMENT
    8. 12. Performing a Web Site Vulnerability and Security Assessment
      1. Software Testing Versus Web Site Vulnerability and Security Assessments
      2. Performing an Initial Discovery on the Targeted Web Site
        1. Ping Sweep
        2. Nmap
        3. OS Fingerprint
        4. Nessus Vulnerability and Port Scan
      3. Performing a Vulnerability and Security Assessment
        1. Web Server OS
        2. Web Server Application
        3. Web Site Front End
        4. Web Site Forms and User Inputs
        5. Incorporate PCI DSS for E-commerce Web Sites
      4. Using Planned Attacks to Identify Vulnerabilities
        1. Develop an Attack Plan
        2. Identify Gaps and Holes
        3. Escalate the Privilege Level
      5. Spotting Vulnerabilities in Back-End Systems and SQL Databases
        1. Develop an Attack Plan
        2. Identify Gaps and Holes
        3. Escalate the Privilege Level
        4. Perform an SQL Injection for Data Extraction
      6. Preparing a Vulnerability and Security Assessment Report
        1. Executive Summary
        2. Summary of Findings
        3. Vulnerability Assessment
        4. Security Assessment
        5. Recommendations
          1. Short Term
          2. Long Term
      7. Best Practices for Web Site Vulnerability and Security Assessments
        1. Choose the Right Tools
        2. Test Inside and Out
        3. Think Outside the Box
        4. Research, Research, Research
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 12 ASSESSMENT
  6. THREE. Web Applications and Social Networking Gone Mobile
    1. 13. Securing Endpoint Device Communications
      1. Endpoint Devices
        1. Cell Phones
        2. PDA Devices
          1. Electronic Readers and Tablet Devices
        3. Smartphones
      2. Wireless Networks and How They Work
        1. 1G/2G Networks
        2. 3G Networks
        3. 4G Networks
        4. Security Features of 3G and 4G Networks
      3. Endpoint Device Communications
        1. Voice
          1. Security Risks with Voice
        2. Internet Browsing
          1. Security Risks with Internet Browsing
        3. E-mail
          1. Security Risks with E-mail
        4. Instant Messaging (IM) Chat
          1. Security Risks with IM Chat
        5. SMS/Text Messaging
          1. Security Risks with SMS/Text Messaging
        6. MMS Messaging
          1. Security Risks of MMS Messaging
      4. Endpoint Device Communication Risks, Threats, and Vulnerabilities
      5. Best Practices for Securing Endpoint Device Communications
        1. Technological Security of Devices
          1. Applications and Systems That Provide Security
          2. Configuration Changes That Provide Security
          3. Actions and Practices That Provide Security
        2. Physical Security of Devices
          1. Lock the Device
          2. Device Encryption
          3. Remote Erasure/Reset
          4. Disabling Integrated Cameras
          5. Inventory and Backup of the Device
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 13 ASSESSMENT
    2. 14. Securing Personal and Business Communications
      1. Store-and-Forward Communication
        1. Voice Mail
          1. Centralization of Voice Mail
          2. Threats to Voice Mail
          3. Voice Mail Risk Mitigation Techniques
      2. Methods of Messaging
        1. E-mail
          1. E-mail Threats
          2. E-mail Mitigation Techniques
        2. Fax
          1. Fax Threats
          2. Fax Mitigation Techniques
        3. Social Networking Site Messages
          1. Site Messages Threats
          2. Site Messages Mitigation Techniques
      3. Real-Time Communication
        1. Telephone
          1. Telephone Threats
          2. Telephone Mitigation Techniques
        2. Presence/Availability
          1. Benefits of Presence and Availability
          2. Issues with Presence and Availability
        3. Instant Messaging Chat
          1. Instant Messaging Threats
          2. Instant Messaging Mitigation Techniques
        4. SMS Text Messaging
          1. SMS Threats
        5. MMS Messaging
          1. Differences Between MMS and SMS
          2. Content Adaptation
          3. Delivery
          4. MMS Threats
        6. VoIP Threats
      4. Telephony/Private Branch Exchange (PBX) Communication Security Best Practices
      5. VoIP Communication Security Best Practices
        1. VoIP Planning Best Practices
        2. VoIP Implementation Best Practices
      6. SIP Application (Unified Communications) Best Practices
        1. SIP Features and Essentials
        2. SIP User Agents and Communication Between Them
        3. Implementation Best Practices
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 14 ASSESSMENT
      10. ENDNOTE
    3. 15. Web Application Security Organizations, Education, Training, and Certification
      1. Department of Homeland Security (DHS)
        1. Advisory Bodies
        2. The U.S. Secret Service (USSS)
        3. The Federal Law Enforcement Training Center (FLETC)
      2. National Cyber Security Division (NCSD)
        1. United States Computer Emergency Response Team (US-CERT)
          1. National Cyber Alert System
        2. Cyber-Risk Management Programs
      3. Computer Emergency Response Team Coordination Center (CERT®/CC)
      4. The MITRE Corporation and the CVE List
        1. Why CVE?
        2. Common Vulnerabilities and Exposures (CVE) List
          1. What Is a CVE Identifier?
          2. Generating New List Entries
      5. National Institute of Standards and Technology (NIST)
        1. Technical Security Standards
        2. Computer Security Resource Center (CSRC)
          1. The National Vulnerability Database
      6. International Information Systems Security Certification Consortium, Inc. (ISC)²
        1. Certified Information Systems Security Professional (CISSP)
          1. CISSP Concentrations
        2. Systems Security Certified Practitioner (SSCP)
        3. (ISC)² Associate
        4. Certification and Accreditation Professional (CAP)
        5. Certified Secure Software Lifecycle Professional (CSSLP)
      7. Web Application Security Consortium (WASC)
        1. WASC Projects
      8. Open Web Application Security Project (OWASP)
        1. OWASP Top 10 List
        2. WebScarab
        3. AntiSamy
        4. Enterprise Security API (ESAPI)
        5. WebGoat
        6. Open Software Assurance Maturity Model (OpenSAMM)
        7. OWASP Guides
          1. Building Secure Web Applications and Web Services
          2. Testing Guide
          3. Code Review Guide
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 15 ASSESSMENT
  7. A. Answer Key
  8. B. Standard Acronyms
  9. Glossary of Key Terms
  10. References