SlideShare a Scribd company logo

11 application security fundamentals - part 2 - security mechanisms - summary

A
appsec

This document discusses various security mechanisms for achieving goals of confidentiality, integrity, availability, authentication, authorization, session management, data validation, error handling, and logging. It provides guidelines for implementing authentication, authorization, encryption, data validation, session management, and logging to help secure systems and applications.

Technology
1 of 3
1
2
3
SECURITY MECHANISMS SUMMARY
Security Mechanisms to Achieve Goals onfidentiality ntegrity vailability Authentication Authorization Session Management Data Validation Error Handling Logging Encryption
Good practices cheat-sheet Authentication  Enforce basic password security  Implement an account lockout for failed logins  “Forgot my password” functionality can be a problem  For web applications, use and enforce POST method Authorization  Every function (page) must verify authorization to access  Every function (page) must verify the access context  Any client/server app must verify security on the server Error Handling  Don’t disclose information that should remain private  Remember to cleanup completely in an error condition Encryption  If storing passwords – hash with a salt value  If you’re using authentication – encrypt in transmission  Properly seed random number generators Data Validation  Validate data before use in SQL Commands  Validate data before sending back to the client  Validate data before use in ‘eval’ or system commands  Validate all data lengths before writing to buffers Session Management  Enforce a reasonable session lifespan  Leverage existing session management solutions  Force a change of session ID after a successful login Logging  Avoid logging sensitive data (e.g., passwords)  Beware of logging tainted data to the logs  Beware of logging excessive data  Beware of potential log spoofing

More Related Content

PPTX
Database security
Software Engineering
 
PPTX
Decrypting the security mystery with SIEM (Part 2) ​
Zoho Corporation
 
PPTX
Overview of RateSetter web security
RateSetter
 
PDF
Payment Card Industry Data Security Standard (PCI DSS) 3.0
- Mark - Fullbright
 
PPT
Database Systems Security
amiable_indian
 
PPT
Database Security
alraee
 
PDF
Web application security (eng)
Anatoliy Okhotnikov
 
PPT
Updated Mvc Web security updated presentation
John Staveley
 
Database security
Software Engineering
 
Decrypting the security mystery with SIEM (Part 2) ​
Zoho Corporation
 
Overview of RateSetter web security
RateSetter
 
Payment Card Industry Data Security Standard (PCI DSS) 3.0
- Mark - Fullbright
 
Database Systems Security
amiable_indian
 
Database Security
alraee
 
Web application security (eng)
Anatoliy Okhotnikov
 
Updated Mvc Web security updated presentation
John Staveley
 

Similar to 11 application security fundamentals - part 2 - security mechanisms - summary (20)

PPTX
Uwvwwbwbwbwbwbwbwbnit-4 - web security.pptx
VikasTuwar1
 
PPT
Web security presentation
John Staveley
 
PPTX
Lecture-8. I know this slide is littlepptx
MUHAMMADAHMAD173574
 
PPTX
Lecture- program are executed in syst9.pptx
MUHAMMADAHMAD173574
 
PPTX
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
PDF
Session4-Authentication
zakieh alizadeh
 
PDF
[Austria] Security by Design
OWASP EEE
 
PPTX
Mobile Application Security - Broken Authentication & Management
Barrel Software
 
PPT
Secure code practices
Hina Rawal
 
PPT
Web security leeds sharp dot netnotts
John Staveley
 
PPSX
Broken Authentication & authorization
Sarwar Jahan M
 
PPT
Web application development_dos_and_donts
huynhvanphuc
 
PPTX
Secure Software Engineering
Rohitha Liyanagama
 
PPTX
Authentication and session v4
skimil
 
PPTX
2 security concepts
LimenihMuluneh1
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
PDF
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
PPT
Survey Presentation About Application Security
Nicholas Davis
 
PDF
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
imgautam076
 
PDF
OWASPTop 10
InnoTech
 
Uwvwwbwbwbwbwbwbwbnit-4 - web security.pptx
VikasTuwar1
 
Web security presentation
John Staveley
 
Lecture-8. I know this slide is littlepptx
MUHAMMADAHMAD173574
 
Lecture- program are executed in syst9.pptx
MUHAMMADAHMAD173574
 
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
Session4-Authentication
zakieh alizadeh
 
[Austria] Security by Design
OWASP EEE
 
Mobile Application Security - Broken Authentication & Management
Barrel Software
 
Secure code practices
Hina Rawal
 
Web security leeds sharp dot netnotts
John Staveley
 
Broken Authentication & authorization
Sarwar Jahan M
 
Web application development_dos_and_donts
huynhvanphuc
 
Secure Software Engineering
Rohitha Liyanagama
 
Authentication and session v4
skimil
 
2 security concepts
LimenihMuluneh1
 
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
Survey Presentation About Application Security
Nicholas Davis
 
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
imgautam076
 
OWASPTop 10
InnoTech
 
Ad

More from appsec (12)

PPTX
23 owasp top 10 - resources
appsec
 
PPTX
15 owasp top 10 - a3-xss
appsec
 
PPTX
12 owasp top 10 - introduction
appsec
 
PPTX
10 application security fundamentals - part 2 - security mechanisms - encry...
appsec
 
PPTX
09 application security fundamentals - part 2 - security mechanisms - logging
appsec
 
PPTX
08 application security fundamentals - part 2 - security mechanisms - error...
appsec
 
PPTX
06 application security fundamentals - part 2 - security mechanisms - sessi...
appsec
 
PPTX
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec
 
PPTX
04 application security fundamentals - part 2 - security mechanisms - authe...
appsec
 
PPTX
05 application security fundamentals - part 2 - security mechanisms - autho...
appsec
 
PPTX
02 application security fundamentals - part 1 - security priciples
appsec
 
PPTX
01 Application Security Fundamentals - part 1 - introduction and goals
appsec
 
23 owasp top 10 - resources
appsec
 
15 owasp top 10 - a3-xss
appsec
 
12 owasp top 10 - introduction
appsec
 
10 application security fundamentals - part 2 - security mechanisms - encry...
appsec
 
09 application security fundamentals - part 2 - security mechanisms - logging
appsec
 
08 application security fundamentals - part 2 - security mechanisms - error...
appsec
 
06 application security fundamentals - part 2 - security mechanisms - sessi...
appsec
 
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec
 
04 application security fundamentals - part 2 - security mechanisms - authe...
appsec
 
05 application security fundamentals - part 2 - security mechanisms - autho...
appsec
 
02 application security fundamentals - part 1 - security priciples
appsec
 
01 Application Security Fundamentals - part 1 - introduction and goals
appsec
 
Ad

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Cloud computing and distributed systems.
kkkkkhan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Approach and Philosophy of On baking technology
30anthuong17
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 

11 application security fundamentals - part 2 - security mechanisms - summary

  • 2. Security Mechanisms to Achieve Goals onfidentiality ntegrity vailability Authentication Authorization Session Management Data Validation Error Handling Logging Encryption
  • 3. Good practices cheat-sheet Authentication  Enforce basic password security  Implement an account lockout for failed logins  “Forgot my password” functionality can be a problem  For web applications, use and enforce POST method Authorization  Every function (page) must verify authorization to access  Every function (page) must verify the access context  Any client/server app must verify security on the server Error Handling  Don’t disclose information that should remain private  Remember to cleanup completely in an error condition Encryption  If storing passwords – hash with a salt value  If you’re using authentication – encrypt in transmission  Properly seed random number generators Data Validation  Validate data before use in SQL Commands  Validate data before sending back to the client  Validate data before use in ‘eval’ or system commands  Validate all data lengths before writing to buffers Session Management  Enforce a reasonable session lifespan  Leverage existing session management solutions  Force a change of session ID after a successful login Logging  Avoid logging sensitive data (e.g., passwords)  Beware of logging tainted data to the logs  Beware of logging excessive data  Beware of potential log spoofing