The Manager’s Guide to Web Application Security: A Concise Guide to the Weaker Side of the Web

Book Description

The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively. Often, security vulnerabilities are difficult to understand and quantify because they are the result of intricate programming deficiencies and highly technical issues. Author and noted industry expert Ron Lepofsky breaks down the technical barrier and identifies many real-world examples of security vulnerabilities commonly found by IT security auditors, translates them into business risks with identifiable consequences, and provides practical guidance about mitigating them.

The Manager's Guide to Web Application Security describes how to fix and prevent these vulnerabilities in easy-to-understand discussions of vulnerability classes and their remediation. For easy reference, the information is also presented schematically in Excel spreadsheets available to readers for free download from the publisher’s digital annex. The book is current, concise, and to the point, helping managers cut through the technical jargon and make the business decisions required to find, fix, and prevent serious vulnerabilities.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. Dedication
  5. Contents at a Glance
  6. Contents
  7. About the Author
  8. About the Technical Reviewer
  9. Acknowledgments
  10. Introduction
  11. Chapter 1: Understanding IT Security Risks
    1. Web Application Security Terminology
    2. Risk Calculation Models
    3. DREAD
    4. How to Calculate Web Application Security Risk
      1. Standard Calculations
      2. A Customized Approach
      3. Calculating a Security Risk
      4. Calculating Risk from Multiple Vulnerabilities for Any Asset
      5. Calculating the Monetary Value at Risk for Any Asset
    5. Sources of Web Application Security Vulnerability Information
    6. Summary
  12. Chapter 2: Types of Web Application Security Testing
    1. Understanding the Testing Process
      1. Web Application Audits
      2. Vulnerability Assessment
      3. Postremediation Testing
    2. Important Report Deliverables for All Testing Reports
    3. Summary
  13. Chapter 3: Web Application Vulnerabilities and the Damage They Can Cause
    1. Lack of Sufficient Authentication
      1. Weak Password Controls
      2. Passwords Submitted Without Encryption
      3. Username Harvesting
    2. Weak Session Management
      1. Weak SSL Ciphers Support
      2. Information Submitted Using the GET Method
      3. Self-Signed Certificates, Insecure Keys, and Passwords
      4. Username Harvesting Applied to Forgotten Password Process
      5. Autocomplete Enabled on Password Fields
      6. Session IDs Nonrandom and Too Short
    3. Weak Access Control
      1. Frameable Response (Clickjacking)
      2. Cached HTTPS Response
      3. Sensitive Information Disclosed in HTML Comments
      4. HTTP Server Type and Version Number Disclosed
      5. Insufficient Session Expiration
      6. HTML Does Not Specify Charset
      7. Session Fixation
      8. Insecure Cookies
    4. Weak Input Validation at the Application Level
      1. Lack of Validated Input Allowing Automatic Script Execution
      2. Unauthorized Access by Parameter Manipulation
      3. Buffer Overflows
      4. Forms Submitted Using the GET Method
    5. Redirects and Forwards to Insecure Sites
      1. Application Susceptible to Brute-Force Attacks
      2. Client-Side Enforcement of Server-Side Security
    6. Injection Flaws
      1. SQL Injection
      2. Blind SQL Injection
      3. Link Injection
      4. HTTP Header Injection Vulnerability
      5. HTTP Response-Splitting Attack
    7. Unauthorized View of Data
      1. Web Application Source Code Disclosure
      2. Web Directories Enumerated
      3. Active Directory Object Default Page on Server
      4. Temporary Files Left in the Environment
      5. Internal IP Address Revealed by Web Server
      6. Server Path Disclosed
      7. Hidden Directory Detected
      8. Unencrypted VIEWSTATE
      9. Obsolete Web Server
      10. Query Parameter in SSL Request
    8. Error Handling
    9. Cross-Site Scripting Attacks
      1. Reflected Cross-Site Scripting Attack
      2. Stored Cross-Site Scripting Attack
      3. Cross-Site Request Forgery Attack
    10. Security Misconfigurations and Use of Known Vulnerable Components
    11. Denial-of-Service Attack
    12. Related Security Issues
      1. Storage of Data at Rest
      2. Storage of Account Lists
      3. Password Storage
      4. Insufficient Patch Management
    13. Summary
  14. Chapter 4: Web Application Vulnerabilities and Countermeasures
    1. Lack of Sufficient Authentication
      1. Weak Password Controls
      2. Passwords Submitted Without Encryption
      3. Username Harvesting
    2. Weak Session Management
      1. Weak SSL Ciphers Support
      2. Information Submitted Using the GET Method
      3. Self-Signed Certificates, Insecure Keys, and Passwords
      4. Username Harvesting Applied to Forgotten Password Process
      5. Autocomplete Enabled on Password Fields
      6. Session IDs Nonrandom and Too Short
    3. Weak Access Control
      1. Frameable Response (Clickjacking)
      2. Cached HTTP Response
      3. Sensitive Information Disclosed in HTML Comments
      4. HTTP Server Type and Version Number Disclosed
      5. Insufficient Session Expiration
      6. HTML Does Not Specify Charset
      7. Session Fixation
      8. Insecure Cookies
    4. Weak Input Validation at the Application Level
      1. Lack of Validated Input Allowing Automatic Script Execution
      2. Unauthorized Access by Parameter Manipulation
      3. Buffer Overflows
      4. Form Submitted Using the GET Method
    5. Redirects and Forwards to Insecure Sites
      1. Application Susceptible to Brute-Force Attacks
      2. Client-Side Enforcement of Server-Side Security
    6. Injection Flaws
      1. SQL Injection
      2. Blind SQL Injection
      3. Link Injection
      4. HTTP Header Injection Vulnerability
      5. HTTP Response-Splitting Attack
    7. Unauthorized View of Data
      1. Web Application Source Code Disclosed
      2. Web Directories Enumerated
      3. Active Directory Object Default Page on Server
      4. Temporary Files Left in the Environment
      5. Internal IP Address Revealed by Web Server
      6. Server Path Disclosed
      7. Hidden Directory Detected
      8. Unencrypted VIEWSTATE
      9. Obsolete Web Server
      10. Query Parameter in SSL Request
    8. Error Handling
    9. Cross-Site Scripting Attacks
      1. Reflected Cross-Site Scripting Attack
      2. Stored Cross-Site Scripting Attack
      3. Cross-Site Request Forgery Attack
    10. Security Misconfigurations and Using Known Vulnerable Components
    11. Denial-of-Service Attack
    12. Related Security Issues
      1. Storage of Data at Rest
      2. Storage of Account Lists
      3. Password Storage
      4. Insufficient Patch Management
    13. Summary
  15. Chapter 5: How to Build Preventative Countermeasures for Web Application Vulnerabilities
    1. Security-in-Software-Development Life Cycle
    2. Framework for Secure Web Application Code
    3. Web Application Security Testing
      1. Manual vs. Automated Code Testing
      2. Multilayered Defense
    4. Security Technology for Protecting Web Applications and Their Environments
    5. Summary
  16. Chapter 6: How to Manage Security on Applications Written by Third Parties
    1. Transparency of Problem Resolution
    2. Liability Insurance as Backup for Transparency of Problem Resolution
    3. Change Management
    4. Summary
  17. Chapter 7: Integrating Compliance with Web Application Security
    1. Regulations, Standards, and Expert Organization Recommendations
      1. Government Regulations
      2. Industry Standards
      3. Recommendations from Expert Organizations
      4. Financial Auditors’ Favorites
    2. Leading Standards and Regulations
      1. COBIT
      2. COBIT 5 for IT Security
      3. EI3PA and PCI DSS
      4. ISO 27000
      5. NIST
      6. NERC CIP
      7. Sarbanes-Oxley
    3. Integrating Compliance and Security Reporting
    4. Summary
  18. Chapter 8: How to Create a Business Case for Web Application Security
    1. Assessing the Risk
      1. Identifying Risk and Its Business Impact
      2. Estimating the Chance of Occurrence of Each Event
      3. Qualitative and Quantitative Risk Analysis
    2. Calculating Annual Loss Expectancy
    3. Calculating the Cost of Prevention and Remediation
    4. Calculating the Return on Security Investment
    5. Creating the Business Case for Executives
    6. Measuring and Cost-Justifying Residual Risk
      1. Calculating Security Status and Residual Risk with a Monthly Security Health Score
      2. How to Cost-Justify and Triage Vulnerabilities for Remediation
      3. Noting the Difference Between Remediating and Fixing
      4. Calculating the Cost of Mitigation
      5. Measuring the Effectiveness of Mitigation
    7. Determining Whether Return on Security Investment Objectives Are Met
    8. Summary
  19. Chapter 9: Parting Thoughts
  20. Appendix A: COBIT® 5 for Information Security
    1. F.3 Secure Development
      1. Description of the Service Capability
      2. Attributes
      3. Goals
    2. F.4 Security Assessments
      1. Description of the Service Capability
      2. Attributes
      3. Goals
    3. F.5 Adequately Secured and Configured Systems, Aligned With Security Requirements and Security Architecture
      1. Description of the Service Capability
      2. Attributes
      3. Goals
    4. F.6 User Access and Access Rights in Line With Business Requirements
      1. Description of the Service Capability
      2. Attributes
      3. Goals
    5. F.7 Adequate Protection Against Malware, External Attacks and Intrusion Attempts
      1. Description of the Service Capability
      2. Attributes
      3. Goals
  21. Appendix B: Experian EI3PA Security Assessment
  22. Appendix C: ISO/IEC 17799:2005 and the ISO/IEC 27000:2014 Series
    1. ISO/IEC 17799:2005
    2. The ISO/IEC 27000:2014 Series
  23. Appendix D: North American Energy Council Security Standard for Critical Infrastructure Protection (NERC CIP)
    1. NERC CIP Standards Currently in Force
    2. Future NERC CIP Standards
    3. Future Standard CIP-007-5: Cyber Security — System Security Management
      1. Requirement R1:
      2. Requirement R2:
      3. Requirement R3:
      4. Requirement R4:
      5. Requirement R5:
      6. Rationale for R5:
  24. Appendix E: NIST 800 Guidelines
  25. Appendix F: Payment Card Industry (PCI) Data Security Standard Template for Report on Compliance for use with PCI DSS v3.0
    1. Maintain a Vulnerability Management Program
  26. Appendix G: Sarbanes-Oxley Security Compliance Requirements
  27. Appendix H: Sources of Information
  28. Index