
1. Process of giving someone permission to do or have something
2. Spam filters
3. b) CGI Operation - information may be passed to and from the browser and server
4. Advantages
4.1. Easy to use
5. b) Repudiation : Non-repudiation, logging, audit trails, digital signatures
6. iii. Trojan Horse
7. i. Viruses
8. 5) IMAP - Internet Message Access Protocol, used for accessing email on a server from a local email client
9. Application threats and countermeasures
9.1. a) Spoofing Identity : Authentication, protect keys & passwords
9.2. d) Elevation of Privilege : Authorization
9.3. c) Denial of Service : Availability, access control
10. Features to secure a web application
10.1. a) Authentication :
10.1.1. Process of determining whether someone or something is, in fact, who or what it is declared to be
10.2. b) Authorization :
10.2.1. Antivirus software
11. Threat Modeling for Web Applications
11.1. 1) Identify security objectives - helps to focus the threat modeling activity and determine how much effort to spend on the subsequent steps.
11.2. 2) Application Overview - itemizing application characteristics and actors helps to identify relevant threats.
11.3. 3) Decompose Application - gain a detailed understanding of the mechanics of the application to uncover more relevant and detailed threats.
11.4. 4) Identify Threats - identify threats relevant to the application scenario and context.
11.5. 5) Identify Vulnerabilities - review the layers of the application to identify weaknesses related to the threats, and use vulnerability categories to focus on the areas where mistakes are most often made.
12. Common Security Threats on Web
12.1. a) Threats on the Client Side
12.1.1. Many computers are vulnerable to attacks (worms, viruses, Trojan horses and so on) that are created by hackers, crackers, or malicious code
12.2. b) Threats on the Server Side
12.2.1. Hackers usually attack networks that are not properly secured and can steal the resources on the computer
12.2.2. Data available on a web server is exposed to unauthorized access
12.3. c) Network Threats
13. Client Authorization
13.1. a) Client Side Data
13.1.1. Performed by the client
13.1.2. Can be seen and edited by the user
13.1.3. Cannot read files off the server directly; must communicate via HTTP requests
13.2. b) Server Side Data
13.2.1. Performed by the server
13.2.2. Cannot be seen by the user
14. Common Gateway Interface (CGI)
14.1. a) CGI Script - any program that runs on a web server.
15. Tools for web-based solutions
15.1. a) Stinger
15.1.1. Used to detect and remove certain viruses on a browser-hijacked system
15.2. b) CWShredder
15.2.1. Scans the entire system and looks for browser hijacking
15.3. c) Microsoft Anti Spyware
15.3.1. Used to protect a Windows operating system from spyware and other potentially unwanted software
16. Implement Email Security
16.1. Strong passwords
16.2. Encrypt messages
17. How Email Works
17.1. 1) The sender uses an MUA to compose an email.
17.2. 2) The mail is sent to an MTA, which sends the email to the recipient's MTA.
17.3. 3) The recipient's MTA receives the email and passes it to an MDA (using the POP or IMAP protocol).
17.4. 4) The recipient uses an MUA to check and retrieve messages from the MDA.
18. Advantages and Limitations of Email.
18.1. Limitations
18.1.1. Set reminders to yourself
18.1.2. Info at your fingertips
18.1.2.1. Emotional responses
18.1.3. Attachment size limits
18.1.4. Recipient limits
19. Important Elements of Email
19.1. a) MUA : Mail User Agent
19.1.1. Allows the user to read and compose email messages
19.2. b) MTA : Mail Transfer Agent
19.2.1. Transports email using SMTP
19.3. c) MDA : Mail Delivery Agent
19.3.1. Delivers email to a local recipient's mailbox
19.4. d) MRA : Mail Retrieval Agent
19.4.1. Fetches email from the mail server
20. Differences between Web-based and POP3 email
20.1. a) Web-based email
20.1.1. Uses Gmail, Yahoo
20.1.2. Accessed through a web browser
20.1.3. Downloaded mail is stored on the server
20.2. b) POP3 email
20.2.1. Uses Outlook, Windows
20.2.2. Accessed from the computer
20.2.3. Downloaded mail is stored on the computer
21. Email encryption and authentication
21.1. a) Encryption
21.1.1. Protects against sniffing, unsecured attachments and also spoofing
21.1.2. Uses public key encryption to protect messages
21.2. b) Authentication
21.2.1. Verifies that an email actually comes from the claimed sender
22. Common Email Protocols
22.1. 1) MIME - Multipurpose Internet Mail Extensions; uses a digital certificate from a trusted authority.
22.2. 2) PGP - Pretty Good Privacy, an encryption program that provides cryptographic privacy and authentication for data communication.
22.3. 3) SMTP - Simple Mail Transfer Protocol, for sending emails across the internet.
22.4. 4) POP3 - Post Office Protocol 3, used to receive emails from a server to a local email client
23. Risks Related to Email Security
23.1. a) Email Spoofing
23.2. b) Spreading Malware
23.2.1. ii. Worms