SlideShare a Scribd company logo

Security guidelines

K
karthz

The document outlines essential security guidelines for safeguarding customer environments, emphasizing the security gaps that arise from a lack of collaboration between security professionals and application developers. It discusses various application vulnerabilities and outlines best practices for incorporating security into the software development lifecycle, including threat modeling and the use of security assessments. Additionally, it highlights the importance of educating developers, managing user access, and maintaining updated security protocols to protect against known vulnerabilities.

Technology
Related topics:
Information Security Risk-Management
1 of 25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
SECURITY GUIDELINES ARE WE RIGHTLY SAFEGUARDING OUR CUSTOMER ENVIRONMENTS ? Karthik Sagar P Technology Evangelist Karthiksagar.p@outlook.com
“Every program has at least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
SAMPLE Let see an example
EVAL () • eval() like functions takes string argument and • evaluate those as source code • var x = req.body.x; • var y = req.body.y; • var sum = eval(a + "+" + b);what if attacker fills 'x' with: some.super.class.wipe.the.database('now’); LOL :)
WHY APPLICATION VULNERABILITIES OCCUR
SECURITY GAP Security Professionals Don’t Know The Applications Application Developers and QA Professionals Don’t Know Security The Web Application Security Gap “As a Network Security Professional, I don’t know how my companies web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.” “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
VULNERABILITIES Platform Administration Application Known Vulnerabilities Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow scripting Application vulnerabilities occur in multiple areas.
HOW TO SECURE APPLICATIONS
WHAT I SAY ! The best way to secure anything is to learn how someone can break it
HOW? • Incorporating security into lifecycle • Integrate security into application requirements • Including information security professionals in software architecture/design review • Security APIs & libraries (e.g. ESAPI, Validator, etc.) when possible • Threat modeling • Web application vulnerability assessment tools (VAPT)
SECURE YOUR DB
DB SECURITY • User Access Management –Authentication • User Rights Management – Authorization • Auditing • Environmental and Process Control • Encryption • Network Encryption • Network Filter • Binding IP Addresses • Running in VPNs • Dedicated OS User Account. • File System Permissions • Query Injection • Physical Access Controls Environment & Processes SSL Encryption for DB communication
ENVIRONMENT & PROCESSES •Network Filter Binding IP Addresses Running in VPNs Dedicated OS User Account. File System Permissions Query Injection Physical Access Controls
MY ARCHITECTURE SSL Web Application Mobile Application Firewall Port No’s: 83 & 2011 Public IP App Server Port :83 Port :88 Public IP – Static IP Web Server Port :2011 Public IP – Static IP Port :2016 Static IP 1 Static IP 3 DB Server DB Node Web Server Port:271 8 SSL Bind IP :Static IP 1 Traffic Log Customer Environment
EDUCATE Developers • Software security best practices Security Professionals • Software development • Software coding best practices Testers • Methods for identifying vulnerabilitie s Executives, System Owners, etc Understanding the risk and why they should be concerned Who is your Security Owner ?
CREATING THE RISK ASSESSMENT
RESIDUAL RISK TABLES
PRACTISE • Update your DB and application versions • Always ensure to move your traffic through firewall • Identify security owner for your applications • Test for what it has not been developed for • Create rules in the firewall • Educate your network administrator • Prepare Risk Assessment blog
QUESTION AND ANSWERS ?
THANK YOU
REFERENCES • https://www.slideshare.net/LiranTal1/nodejs-security-done-right-tips-and-tricks-they-wont-teach- you-in- school?utm_source=slideshow&utm_medium=ssemail&utm_campaign=download_notification • https://docs.mongodb.com/manual/security/
BACKUP SLIDES
Platform Known Vulnerabilities PLATFORM • Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies” • Most easily defendable of all web vulnerabilities • MUST have streamlined patching procedures
Administration Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • Less easily corrected than known issues • Require increased awareness • More than just configuration, must be aware of security flaws in actual content • Remnant files can reveal applications and versions in use • Backup files can reveal source code and database connection strings ADMINISTRATION
• Common coding techniques do not necessarily include security • Input is assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting APPLICATION

More Related Content

PPTX
CSS 17: NYC - Stories from the SOC
Alert Logic
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
PPTX
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
PDF
Automated Security Testing
seleniumconf
 
PPTX
Security testautomation
Linkesh Kanna Velu
 
PPTX
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
PDF
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
PPTX
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
CSS 17: NYC - Stories from the SOC
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Automated Security Testing
seleniumconf
 
Security testautomation
Linkesh Kanna Velu
 
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
Alfredo Reino - Monitoring aws and azure
DevSecCon
 

What's hot (20)

PPTX
Hacker Proof web app using Functional tests
Ankita Gupta
 
PDF
The Joy of Proactive Security
Andy Hoernecke
 
PPTX
OpenSourceSecurityTools - UPDATED
Sparsh Raj
 
PDF
Proactive Security AppSec Case Study
Andy Hoernecke
 
PDF
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
PPTX
Essential security measures in ASP.NET MVC
Rafał Hryniewski
 
PDF
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
PDF
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
PDF
CSS17: Houston - Protecting Web Apps
Alert Logic
 
PDF
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
PDF
How to Harden the Security of Your .NET Website
DNN
 
PPTX
Web Application Security 101
Jannis Kirschner
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PDF
Protecting Against Web App Attacks
Alert Logic
 
PDF
5 step plan to securing your APIs
💻 Javier Garza
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
PDF
DevSecOps: Minimizing Risk, Improving Security
Franklin Mosley
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
PDF
Managed Threat Detection and Response
Alert Logic
 
PDF
Stories from the Security Operations Center
Alert Logic
 
Hacker Proof web app using Functional tests
Ankita Gupta
 
The Joy of Proactive Security
Andy Hoernecke
 
OpenSourceSecurityTools - UPDATED
Sparsh Raj
 
Proactive Security AppSec Case Study
Andy Hoernecke
 
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
Essential security measures in ASP.NET MVC
Rafał Hryniewski
 
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
CSS17: Houston - Protecting Web Apps
Alert Logic
 
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
How to Harden the Security of Your .NET Website
DNN
 
Web Application Security 101
Jannis Kirschner
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Protecting Against Web App Attacks
Alert Logic
 
5 step plan to securing your APIs
💻 Javier Garza
 
AllDayDevOps 2019 AppSensor
jtmelton
 
DevSecOps: Minimizing Risk, Improving Security
Franklin Mosley
 
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Managed Threat Detection and Response
Alert Logic
 
Stories from the Security Operations Center
Alert Logic
 
Ad

Similar to Security guidelines (20)

PPTX
00. introduction to app sec v3
Eoin Keary
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PDF
C01461422
IOSR Journals
 
PPTX
Application security
Hagar Alaa el-din
 
PDF
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
PDF
Designing Secure APIs
Steven Chen
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
Owasp Top 10-2013
n|u - The Open Security Community
 
PDF
Web App Security: Top Threats and How to Protect Your App.pdf
Nathan Smith
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
PPT
Bank One App Sec Training
Mike Spaulding
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
PDF
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
PPTX
Application Security: What do we need to know?
Jose L. Quiñones-Borrero
 
PDF
GitHub: Secure Software Development for Financial Services
Debbie A. Everson
 
PPT
Web Application Security
Colin English
 
PDF
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
PDF
Web application security (eng)
Anatoliy Okhotnikov
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
00. introduction to app sec v3
Eoin Keary
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
C01461422
IOSR Journals
 
Application security
Hagar Alaa el-din
 
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
Designing Secure APIs
Steven Chen
 
Application Security - Your Success Depends on it
WSO2
 
Owasp Top 10-2013
n|u - The Open Security Community
 
Web App Security: Top Threats and How to Protect Your App.pdf
Nathan Smith
 
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
Bank One App Sec Training
Mike Spaulding
 
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
Application Security: What do we need to know?
Jose L. Quiñones-Borrero
 
GitHub: Secure Software Development for Financial Services
Debbie A. Everson
 
Web Application Security
Colin English
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Web application security (eng)
Anatoliy Okhotnikov
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
Ad

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Teaching material agriculture food technology
LiaRayya
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
KodekX | Application Modernization Development
KodekX
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 

Security guidelines

  • 1. SECURITY GUIDELINES ARE WE RIGHTLY SAFEGUARDING OUR CUSTOMER ENVIRONMENTS ? Karthik Sagar P Technology Evangelist Karthiksagar.p@outlook.com
  • 2. “Every program has at least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
  • 4. EVAL () • eval() like functions takes string argument and • evaluate those as source code • var x = req.body.x; • var y = req.body.y; • var sum = eval(a + "+" + b);what if attacker fills 'x' with: some.super.class.wipe.the.database('now’); LOL :)
  • 6. SECURITY GAP Security Professionals Don’t Know The Applications Application Developers and QA Professionals Don’t Know Security The Web Application Security Gap “As a Network Security Professional, I don’t know how my companies web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.” “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
  • 7. VULNERABILITIES Platform Administration Application Known Vulnerabilities Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow scripting Application vulnerabilities occur in multiple areas.
  • 8. HOW TO SECURE APPLICATIONS
  • 9. WHAT I SAY ! The best way to secure anything is to learn how someone can break it
  • 10. HOW? • Incorporating security into lifecycle • Integrate security into application requirements • Including information security professionals in software architecture/design review • Security APIs & libraries (e.g. ESAPI, Validator, etc.) when possible • Threat modeling • Web application vulnerability assessment tools (VAPT)
  • 12. DB SECURITY • User Access Management –Authentication • User Rights Management – Authorization • Auditing • Environmental and Process Control • Encryption • Network Encryption • Network Filter • Binding IP Addresses • Running in VPNs • Dedicated OS User Account. • File System Permissions • Query Injection • Physical Access Controls Environment & Processes SSL Encryption for DB communication
  • 13. ENVIRONMENT & PROCESSES •Network Filter Binding IP Addresses Running in VPNs Dedicated OS User Account. File System Permissions Query Injection Physical Access Controls
  • 14. MY ARCHITECTURE SSL Web Application Mobile Application Firewall Port No’s: 83 & 2011 Public IP App Server Port :83 Port :88 Public IP – Static IP Web Server Port :2011 Public IP – Static IP Port :2016 Static IP 1 Static IP 3 DB Server DB Node Web Server Port:271 8 SSL Bind IP :Static IP 1 Traffic Log Customer Environment
  • 15. EDUCATE Developers • Software security best practices Security Professionals • Software development • Software coding best practices Testers • Methods for identifying vulnerabilitie s Executives, System Owners, etc Understanding the risk and why they should be concerned Who is your Security Owner ?
  • 16. CREATING THE RISK ASSESSMENT
  • 18. PRACTISE • Update your DB and application versions • Always ensure to move your traffic through firewall • Identify security owner for your applications • Test for what it has not been developed for • Create rules in the firewall • Educate your network administrator • Prepare Risk Assessment blog
  • 23. Platform Known Vulnerabilities PLATFORM • Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies” • Most easily defendable of all web vulnerabilities • MUST have streamlined patching procedures
  • 24. Administration Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • Less easily corrected than known issues • Require increased awareness • More than just configuration, must be aware of security flaws in actual content • Remnant files can reveal applications and versions in use • Backup files can reveal source code and database connection strings ADMINISTRATION
  • 25. • Common coding techniques do not necessarily include security • Input is assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting APPLICATION