Application Security

Application security is the use of software, hardware, and procedural methods to protect
applications from external threats. Security is becoming an increasingly important concern during
development as applications become more frequently accessible over networks and are, as a result,
vulnerable to a wide variety of threats.
Application security includes:

- Knowing your threats.
- Securing the network, host and application.
- Incorporating security into your software development process.

Typically, any application that is available to multiple users as a shared resource has to address at
least a few of the following security issues:

1. Verification of users: Applications need to verify that only legitimate users are trying to use
them. Users may prove their identity in multiple ways, such as something that users know,
something that users have or something that users are. This is called authentication.
2. Granting access to users: Once a user is authenticated, the application needs to determine if the
identified user is allowed to access the functionality he is requesting. This is called
authorization.
3. Keeping data confidential with encryption: For business transactions, data from application
systems gets exchanged over networks. Data stored by applications also needs to be
safeguarded from potential attacks.
4. Guaranteeing data integrity and non-repudiation: When the receiver gets a message, neither
the sender nor the receiver should be able to repudiate it, that is, deny the authenticity of the
message. A digital signature is a common mechanism to guarantee data integrity.
5. Safeguarding applications from common attack strategies.
6. Guarding the privacy of applications.
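The first four items above are easier to see in code than in prose. The following is an added example, not code from the original notes: a constructed in-memory user store (the names alice and mallory, the roles and the permission table are all made up for the illustration) demonstrating verification of users with a salted PBKDF2 password hash, authorization as a separate role check performed only after authentication, and an HMAC integrity tag. The HMAC part also shows the caveat behind item 4: a shared-key tag proves integrity but not non-repudiation, because either party could have produced it; non-repudiation needs an asymmetric digital signature, which is left to a library such as `cryptography` and not implemented here.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password, salt=b""):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest).
    A fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def create_user(store, username, password, role):
    """Store only the salt and digest, never the plaintext password."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "digest": digest, "role": role}


def authenticate(store, username, password):
    """Item 1: verify 'something the user knows' against the stored digest.
    hmac.compare_digest keeps the comparison constant-time."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


# Constructed role -> permitted actions table (hypothetical application).
PERMISSIONS = {
    "viewer": {"read_report"},
    "analyst": {"read_report", "export_report"},
    "admin": {"read_report", "export_report", "delete_report"},
}


def authorize(store, username, action):
    """Item 2: decide whether an already-authenticated user may perform action.
    Default is deny: unknown users or unknown roles get nothing."""
    record = store.get(username)
    if record is None:
        return False
    return action in PERMISSIONS.get(record["role"], set())


def tag_message(key, message):
    """Item 4 (integrity only): HMAC-SHA256 over the message.
    Both sender and receiver hold `key`, so this cannot provide non-repudiation."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key, message, tag):
    """Recompute the tag and compare in constant time; any change to the message fails."""
    return hmac.compare_digest(tag_message(key, message), tag)


def demo():
    """Run the pieces together on constructed data and return the outcomes."""
    store = {}
    create_user(store, "alice", "correct horse battery staple", "analyst")
    results = {
        "good_login": authenticate(store, "alice", "correct horse battery staple"),
        "bad_login": authenticate(store, "alice", "wrong password"),
        "unknown_user": authenticate(store, "mallory", "anything"),
        "can_export": authorize(store, "alice", "export_report"),
        "can_delete": authorize(store, "alice", "delete_report"),
    }
    key = secrets.token_bytes(32)
    message = b"transfer 100 to account 42"  # constructed message
    tag = tag_message(key, message)
    results["tag_ok"] = verify_message(key, message, tag)
    results["tampered"] = verify_message(key, b"transfer 900 to account 42", tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `authorize` is only meaningful after `authenticate` has succeeded; the two checks are kept in separate functions so that a code review can confirm every privileged path performs both.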

Application Threats

Category: Threats / Attacks

Input validation: Buffer overflow; cross-site scripting; SQL injection; canonicalization
Authentication: Network eavesdropping; brute force attack; dictionary attacks; cookie replay; credential theft
Authorization: Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management: Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive information: Access sensitive data in storage; network eavesdropping; data tampering
Session management: Session hijacking; session replay; man in the middle
Cryptography: Poor key generation or key management; weak or custom encryption
Parameter manipulation: Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management: Information disclosure; denial of service
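The input-validation and parameter-manipulation rows of the table are worth seeing side by side in code. The following is an added example, not part of the original notes: a constructed SQLite database of account rows (the owners alice, bob and carol and their balances are made up), one lookup that splices the caller's value into the SQL text and one that binds it as a parameter. The same quote-bearing input changes the structure of the first query and returns every row, while the second treats it as plain data and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database: three accounts owned by different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 3000)],
    )
    conn.commit()
    return conn


def accounts_for_vulnerable(conn, owner):
    """Weak form: the caller-supplied value becomes part of the SQL text, so a
    value containing quote characters rewrites the WHERE clause instead of
    being compared against the owner column."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def accounts_for_safe(conn, owner):
    """Hardened form: the value is bound as a parameter, so the database engine
    always treats it as data and the query structure is fixed at code time."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def demo():
    """Run both lookups with an ordinary value and with a constructed
    quote-bearing value, and return what each query exposes."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed: closes the literal and adds a tautology
    return {
        "vulnerable_normal": accounts_for_vulnerable(conn, normal),
        "vulnerable_hostile": accounts_for_vulnerable(conn, hostile),
        "safe_normal": accounts_for_safe(conn, normal),
        "safe_hostile": accounts_for_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameter binding closes the input-validation hole, but it does not by itself address the parameter-manipulation row: if `owner` is taken from a query string or form field, a user can still ask for another user's rows. The `owner` value passed to `accounts_for_safe` should come from the authenticated session, not from anything the client supplies.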

Database Security
A database is a collection of information that is organized so that it can easily be accessed,
managed, and updated. It is a monolithic collection of related or interdependent data elements. It
is a structured way to organize information. To access information from a database, you need
a database management system (DBMS). This is a collection of programs that enables you to
enter, organize, and select data in a database.

Relational database: Computer database in which all data is stored in Relations which (to
the user) are tables with rows and columns. Each database is a collection of related tables. Each
table is a physical representation of an entity or object that is in a tabular format consisting
of columns and rows. Columns are the fields of a record or the attributes of an entity. The rows
contain the values or data instances; these are also called records or tuples. Every table shares at
least one field with another table in 'one to one,' 'one to many,' or 'many to many' relationships.
These relationships allow the database user to access the data in almost an unlimited number of
ways, and to combine the tables as building blocks to create complex and very large databases.
Database Security: Databases are cardinal components of any web-based application; they enable
websites to provide varying dynamic content. A database is usually intended to be shared across
users and applications. Thus database security is primarily concerned with the secrecy of data.
‘Secrecy’ means protecting a database from unauthorized access by users and software
applications. It ranges from protection against intentional unauthorized database use to protection
against unintentional database access by unauthorized entities (e.g., a person or a computer program).

The general categories of secrecy-related problems in database systems are:

1. The improper release of information from reading data that were intentionally
accessed by unauthorized users.
2. The improper modification of data.
3. Denial of service (DoS) threats.

Why is database security important for organizations?

Database systems comprise computer processors and storage media, an operating system to handle
requests for access to stored data, a set of files comprising the data of the database and a database
management system (DBMS). The corporate database system is now a major asset of many
organizations. Database security is the business of the entire organization, as all people use the
data held in the organization’s database, and any loss or corruption of data would affect the day-to-
day operation of the organization and the performance of its people. Therefore, it encompasses the
hardware, software, infrastructure, people and data of the organization.

There is now greater emphasis on database security than in the past, as the amount of data stored in
corporate databases is increasing and people depend more on corporate data for
decision-making, customer service management, supply chain management and so on. Any loss or
unavailability of corporate data will cripple today's organization and seriously affect its
performance. The unavailability of the database for even a few minutes could result in serious
losses to the organization.

Data Security Risks

- Data tampering
- Data theft
- Falsifying user identities
- Password-related threats
- Unauthorized access to tables and columns
- Unauthorized access to data rows
- Lack of accountability
- Complex user management requirements
