Introduction to Web Security
Overview
Why Be Concerned about Web Security?
The increased use of networks and the internet helps users finish many tasks quickly and efficiently and adds convenience to many people's lives. However, there is a downside as well. As more and more personal and business data is stored on computer networks, the risk and consequences of unauthorized computer access, theft, fraud, and other types of computer crime increase; so do the chances of data loss due to crime or employee misconduct.
Web security may easily be split into three specific areas:
- Client Access to Web Pages
- Server
- Connection
Firstly: the client. This is the machine from which the user requests a web page. When the user types a URL, a connection is made between the client and the server; the server returns the document and the user's browser displays it.
Secondly: the Web server. This is where the web pages and resources are held. The Web server may also host databases or act as middleware to back-end databases.
Thirdly: the connection between the server and the client. Only in very few circumstances is this connection conducted over a trusted or value-added network. Most connections take place over public channels; these channels are not secure and are host to numerous breaches of security.
Why Is Security So Important?
Security is a critical part of your Web applications. Web applications by definition allow users access to a central resource — the Web server — and through it, to others such as database servers. By understanding and implementing proper security measures, you guard your own resources as well as provide a secure environment in which your users are comfortable working with your application.
E-mail viruses, financial fraud, network sabotage, and other security intrusions result in:
- Stolen intellectual property
- System downtime
- Lost productivity
- Damage to business reputation
- Lost consumer confidence
- Severe financial losses due to lost revenue
Challenges Involved in Implementing Security
| Challenges | Reasons |
|---|---|
| Attackers vs. Defenders | Attacker needs to understand one vulnerability; defender needs to secure all entry points. Attackers outnumber defenders. Attackers have unlimited time. |
| Security vs. Usability | Secure systems become harder to use. Complex and strong passwords are difficult to remember. Users prefer simple passwords. |
| Security As an Afterthought | Developers and management think that security does not add any business value. Managers do not build time for security implementation into the schedule. |
Threats to Web-Accessible Assets
- A threat is a possibility that poses danger to business assets, such as sales data or account information
- Tangible assets (Money, source code, data, business plan, and ideas )
- Intangible assets (Identity, privacy, reputation, and name)
- Define the basic principles of, and motivations for, Web security.
- Perform a threat analysis of Web-accessible assets.
- Use knowledge of authentication, Security Identifiers (SIDs), Access Control Lists (ACLs), impersonation, and the concept of running with least privilege to ensure access to only those system resources that are necessary to accomplish normal request processing.
- Protect file system data by using the features in Microsoft Windows.
- Use the Microsoft SQL Server security model and Microsoft ADO.NET to protect a Web application against SQL Server injection attacks.
- Protect the portion of a Web application that requires private communications by using Secure Sockets Layer (SSL).
- Use general security coding best practices to ensure a secure Web application.
- Use the Microsoft .NET Framework to build secure Web applications.
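The SID/ACL/least-privilege objective above is easier to reason about with a concrete access check in hand. The following is an added example, not part of the course notes and not Windows code: it is a simplified Python model of how a discretionary ACL (DACL) is evaluated against the SIDs in a caller's token, written on the assumption that it mirrors the documented Windows behaviour (ACEs scanned in order, an explicit deny beating any allow, and anything not explicitly granted being denied). The SIDs, the three tokens and the web-root DACL are constructed sample values; only the Everyone SID is a real well-known value.

```python
"""Simplified model of DACL evaluation (added example; assumed to mirror the
Windows AccessCheck algorithm, not taken from Windows itself).

Demonstrates least privilege: the identity the Web application runs as gets
only the rights normal request processing needs (read/execute on the content
directory), an explicit deny protects against a later accidental allow, and a
NULL DACL shows why an unprotected object is dangerous.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Access-mask bits (constructed subset; real Windows masks are 32-bit values)
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee (user or group SID) this ACE applies to
    mask: int     # rights this ACE grants or denies


def access_check(token_sids: Set[str], dacl: Optional[List[Ace]], requested: int) -> bool:
    """Return True only if every requested right is granted by the DACL.

    token_sids: the caller's user SID plus every group SID in its token.
    dacl: ordered ACE list. None models a NULL DACL (object is unprotected);
          an empty list models an empty DACL (nobody gets access).
    """
    if dacl is None:
        return True          # NULL DACL: everyone gets everything
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue         # ACE is for another trustee; skip it
        if not ace.allow:
            if ace.mask & requested:
                return False # explicit deny of any requested right wins immediately
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True  # all requested rights granted; stop scanning
    return remaining == 0    # rights no ACE granted are denied by default


# Constructed sample SIDs (real SIDs look like S-1-5-21-<domain>-<rid>)
SID_WEB_WORKER = "S-1-5-21-1000"   # low-privilege identity the application runs as
SID_WEB_GROUP = "S-1-5-21-2000"    # group that contains the worker identity
SID_ADMIN = "S-1-5-21-500"         # administrator
SID_GUEST = "S-1-5-21-3000"        # unrelated account
SID_EVERYONE = "S-1-1-0"           # well-known Everyone group (real value)

# Sample tokens: each holds the user SID plus its group memberships
WORKER_TOKEN = {SID_WEB_WORKER, SID_WEB_GROUP, SID_EVERYONE}
ADMIN_TOKEN = {SID_ADMIN, SID_EVERYONE}
GUEST_TOKEN = {SID_GUEST, SID_EVERYONE}

# Least-privilege DACL for the web content directory (constructed):
# deny ACEs first (canonical order), then the minimal allows.
WEB_ROOT_DACL = [
    Ace(allow=False, sid=SID_WEB_GROUP, mask=WRITE),                 # worker can never write content
    Ace(allow=True, sid=SID_WEB_GROUP, mask=READ | EXECUTE),         # all it needs to serve pages
    Ace(allow=True, sid=SID_ADMIN, mask=READ | WRITE | EXECUTE),     # administrators maintain content
]

if __name__ == "__main__":
    print("worker read   :", access_check(WORKER_TOKEN, WEB_ROOT_DACL, READ))
    print("worker write  :", access_check(WORKER_TOKEN, WEB_ROOT_DACL, WRITE))
    print("admin write   :", access_check(ADMIN_TOKEN, WEB_ROOT_DACL, WRITE))
    print("guest read    :", access_check(GUEST_TOKEN, WEB_ROOT_DACL, READ))
    print("NULL DACL     :", access_check(GUEST_TOKEN, None, WRITE))
```

The ordering matters: because the deny ACE sits first, a later allow that grants WRITE to the web group (say, added by a careless administrator) would still not let the worker identity modify content, which is the defence-in-depth property an explicit deny buys you. The NULL-DACL case is the one to look for when auditing: it is indistinguishable from "no security" for the object.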
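For the SQL injection objective, the following added example (not from the course notes, and not ADO.NET code) shows the same login lookup written two ways: with string concatenation, where user input becomes part of the SQL text, and with parameter binding, where input stays data. It uses Python's built-in sqlite3 module and an in-memory database so it runs offline; the page's own setting is SQL Server with ADO.NET, where a SqlParameter plays the role of the `?` placeholders below. The user row and the test inputs are constructed.

```python
"""Vulnerable versus parameterized query (added example, not from the course notes).

SQLite stands in for SQL Server so the example runs offline; the binding
principle is identical in ADO.NET (SqlCommand with SqlParameter objects).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding one constructed user row.

    The password is stored in clear text only to keep the example on the
    injection point; a real application stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation: a quote in the input rewrites the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Binds the values as parameters: the database never parses them as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Regression input a defender uses to verify the fix: a quote that closes the
# string literal and appends an always-true condition (constructed test value).
INJECTION_PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, correct password :", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, injection probe  :", login_vulnerable(db, "alice", INJECTION_PROBE))
    print("parameterized, correct pw    :", login_parameterized(db, "alice", "correct-horse"))
    print("parameterized, injection probe:", login_parameterized(db, "alice", INJECTION_PROBE))
```

With the concatenated version the probe turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which matches every row, so the login succeeds without a valid password; the parameterized version compares the literal string `' OR '1'='1` against the stored password and fails. The same probe belongs in an application's automated tests so that a later refactor back to string building is caught immediately.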