
Web Application Security

Computer Science and Engineering 1


Reading

• Required:
– Stuttard and Pinto: Chapter 3
• Recommended: Csilla Farkas, Michael N. Huhns:
Securing Enterprise Applications: Service-Oriented
Security (SOS). CEC/EEE 2008: 428-431.
http://www.cse.sc.edu/~farkas/publications/SOS-
cec.pdf



Key Problem Factors

• Underdeveloped security awareness
• Custom development
• Deceptive simplicity
• Resource and time constraints
• Overextended technologies
• Increased demands on functionality



New Security Perimeter

• Before web applications:
– Network perimeter protection (DMZ)
– Firewall
• With web applications:
– Firewall must allow access to the application server
– Server may connect to back-end systems
– Back-end system is behind several layers of defensive technologies
– A web application vulnerability may allow the attacker to reach the back-end system through those layers



Demilitarized Zone (DMZ)

• Perimeter service:
– Operates at the application layer
– Works in conjunction with existing firewall technologies
– Hides internal application details
• External customer: corresponds with the perimeter service’s external contracts
• Internal application: its response is relayed to the customer by the perimeter service


How to Handle Vulnerable Applications?

• Honest users may use compromised applications
• Compromised applications allow a malicious attacker to access the victim’s back-end system
• Malicious user gains the privileges of the victimized user
• Client-side attacks
• Weakness of authentication via email notifications (e.g., forgotten password)



Web Application Security

Layered security:
1. Software-level (single service) security
2. Business-level (service composition) security
3. Network-level security



Application Development

• Inherent security of applications
• Security granularity

Security Software vs. Software Security



Secure Software Development

• Develop software that is free of flaws
– Software engineering – functional requirements
– Security, reliability, QoS – non-functional requirements
• Protect against malicious code
• Reading:
– G. McGraw, Software Security, http://www.cigital.com/papers/download/bsi1-swsec.pdf
– US National Security Agency: System Security Engineering CMM (SSE-CMM), http://www.sse-cmm.org/index.html



Web Services Composition

• Create complex applications on the fly from individual services
• BPEL4WS, WSBPEL
• How to express security and reliability needs?
• How to verify that these needs are satisfied?
• How to resolve conflict between business needs and security requirements?



Web Services Transactions

• Traditional database transaction management vs. SOA application needs
• How can we evaluate correct execution? ACID properties? Serializability?
• WS transaction framework:
– Atomic (short-term) transactions
– Business activity (long-term) transactions
• What are the security implications of WS transactions?



Service-Level Dependencies

• Old threats reappearing in a new context: deadlocks, denial-of-service, network flooding, etc.
• How to detect and prevent the occurrence of these threats?
• In composition, independently developed services are dependent on each other
• No information about internal processing of the workflow components



New Approaches to Improve Security and Reliability

• Develop criteria to evaluate correctness of composite application execution
– E.g., WS transactions: compensation-based transactions
• Increase reliability using redundant services
• Offer security as a service
• Develop defense models using distributed and collaborative components
– E.g., detect malicious behavior based on collaborative nodes, verify execution correctness by comparing the outcomes of different services, deploy intelligent software decoys, etc.



Web Application
Development Technologies

• SOA
• HTTP
• Web Functionality
• Encoding Schemes



SOA Types

• Service Architecture
• Service Composition Architecture
• Service Inventory Architecture
• Service-Oriented Enterprise Architecture



SOA Characteristics

• Business driven
• Vendor neutral
• Enterprise centric
• Composition centric



Service Architecture

• Where to implement the security?
• Revealing error messages?
• Access to protected resources?



Service Composition
Architecture

• Complex composition?
• Changes and re-composition?
• Security design?
• Conflict between security and business goals?
• Proprietary vs. standardized development?



SOA Orientation Principles

• Standardized service contract
• Service loose coupling
• Service abstraction
• Service reusability
• Service autonomy
• Service statelessness
• Service discoverability
• Service composability



Service Inventory Architecture

• Common security measures?
• Range of potential consumers?
• Shared security policies vs. inference?
• Cross-domain service composition?
• Performance degradation?



Industry standards

• XML
– XML encryption
– XML Signature
– Canonical XML
– Decryption Transformation for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)



SOA Service
Communication

• Simple Object Access Protocol (SOAP)-based
• REST-based (no additional messaging layer)
• Communication over HTTP



The HTTP Protocol

• Hypertext Transfer Protocol
– Application layer
– Layered on top of TCP
– Client-server model
– Request-response communication
• Originally developed to retrieve static text-based resources



HTTP Request

• Request line
1. HTTP method
2. Requested URL
3. HTTP version
E.g., GET /search?q=Web+Technologies HTTP/1.1
• Header lines
– Host, Referer, Cookie, User-Agent, Connection, etc.
• Request body



HTTP Response

• Status line
1. HTTP version
2. Numeric status code indicating the result of the request
3. Textual reason phrase describing the status of the response
• Header lines
– Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length
• Response body



Status Codes

• 1xx – informational
• 2xx – the request was successful
• 3xx – the client is redirected to a different resource
• 4xx – the request contains an error of some kind
• 5xx – the server encountered an error fulfilling the request



HTTP Methods

• GET – retrieves a resource
– Sends parameters to the requested resource
– Be aware! URLs are stored and displayed -> do not include sensitive data in the query string
• POST – performs an action
– Request parameters sent in the URL query string or in the message body
– Be aware! Back button use -> warning
• Other methods: HEAD, TRACE, PUT, etc.
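The warning on the GET bullet (URLs are stored and displayed) is something a defender can check for after the fact: every web server writes the request URL, query string included, into its access log. The scanner below is an added example, not part of the lecture; it reads access-log lines in the common combined format, flags requests whose query string carries parameter names that should never appear in a URL, and shows how to redact such URLs before they are stored. The log lines and the list of sensitive parameter names are constructed for the demo. POST requests are checked too, because, as the slide notes, a POST may still put parameters in the query string.

```python
"""Scan web-server access-log lines for sensitive data carried in URL query
strings, and redact such URLs before they are stored.

Added example, not from the lecture; the log lines and the parameter-name
list are constructed for the demo.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never travel in a query string: URLs end up in
# browser history, proxy and server logs, and Referer headers.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token", "sessionid", "ssn", "card"}

# Combined-log request part: client, timestamp, "METHOD URL VERSION", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<version>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2010:13:55:36 -0700] "GET /login?user=alice&password=s3cret HTTP/1.1" 302 0',
    '10.0.0.7 - - [10/Oct/2010:13:56:01 -0700] "GET /search?q=Web+Technologies HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2010:13:57:12 -0700] "POST /reset?token=abc123 HTTP/1.1" 200 312',
    'not a log line at all',
]


def sensitive_params_in_url(url):
    """Return the names of sensitive parameters present in the URL's query string."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in params if name.lower() in SENSITIVE_PARAMS]


def find_sensitive_query_params(log_lines):
    """Return one finding per log line whose request URL carries sensitive parameters."""
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparsable line: skip it rather than abort the whole scan
        hits = sensitive_params_in_url(match["url"])
        if hits:
            findings.append({
                "time": match["time"],
                "client": match["client"],
                "method": match["method"],
                "path": urlsplit(match["url"]).path,
                "params": hits,  # names only; the values are what we must not copy around
            })
    return findings


def redact_query(url):
    """Replace the values of sensitive query parameters with 'REDACTED' before logging."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v) for n, v in params]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for finding in find_sensitive_query_params(SAMPLE_LOG):
        print(finding)
    print(redact_query("/login?user=alice&password=s3cret"))
```

The findings deliberately record parameter names, not values: a report that copies the leaked secrets into yet another file defeats its own purpose.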

REST

• Representational State Transfer
– Request and response messages contain a representation of the current state of the system’s resources
– HTTP conforms to the REST architecture
• REST-based web services
– Based on HTTP, not on SOAP



HTTPS

• HTTP tunneled through SSL
• HTTP proxies
– Using HTTP
– Using HTTPS
• Proxy is a man-in-the-middle
• Pure TCP-level relay



HTTP Authentication

• Basic: sends user credentials as a Base64-encoded string in a request header
• NTLM: challenge-response using the Windows NTLM protocol
• Digest: challenge-response using an MD5 checksum of a nonce combined with the user’s credentials



State and Session

• Client and server exchange and process data
• Application needs to maintain the state of each user’s interactions
– Server side structure: session
– Client side: sent by the server and protected from tampering
• Stateless HTTP -> token to identify user sessions
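The slide names two places to keep a user's state, and both are shown in the added example below, which is illustration code rather than the lecture's: a server-side session store addressed by a random, unguessable token, and client-side state that the server signs with an HMAC so that any change made on the client is detected on return. The SECRET_KEY is generated on the spot for the demo; a real deployment would load a persistent, per-deployment key.

```python
"""Two ways of keeping per-user state over stateless HTTP, as on the slide:
a server-side session store addressed by a random token, and client-side
state that the server signs so it can detect tampering.

Added example, not from the lecture. SECRET_KEY is generated here for the
demo; a real deployment would load a persistent, per-deployment key.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # constructed demo key


class SessionStore:
    """Server-side session structure: the client only ever holds the token."""

    def __init__(self, max_age_seconds=3600):
        self._sessions = {}
        self.max_age = max_age_seconds

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: not guessable or enumerable
        self._sessions[token] = {"user": user, "created": time.time()}
        return token

    def lookup(self, token, now=None):
        """Return the session for a token, or None if it is unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = time.time() if now is None else now
        if now - session["created"] > self.max_age:
            self._sessions.pop(token)  # expired sessions are removed, not revived
            return None
        return session

    def destroy(self, token):
        """Logout: forget the token so it can no longer be presented."""
        self._sessions.pop(token, None)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(state, key=SECRET_KEY):
    """Serialize client-side state and append an HMAC-SHA256 tag over it."""
    payload = _b64(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_state(cookie, key=SECRET_KEY):
    """Return the state if the tag verifies, or None if the cookie was altered."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # payload or tag changed on the client side
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(token, store.lookup(token))
    cookie = sign_state({"user": "alice", "role": "user"})
    print(cookie, verify_state(cookie))
```

Signing makes client-side state tamper-evident, not confidential: the payload is only Base64, so anything the user must not read still belongs in the server-side session.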



Functionality

• Server-side technologies:
– Scripting languages
– Web application platform
– Web server software
– Databases
– Back-end components
• Client-side technologies:
– Browser extension technologies



WS Security Standards

• OASIS Web Services Security (WSS)
– Integrity and authentication: sign SOAP msgs.
– Confidentiality: encrypt SOAP msgs.
– Attach security tokens
• Security tokens
– Security Assertion Markup Language (SAML) assertions
– Kerberos tickets
– User credentials
– X.509 certificates
– Custom-defined tokens



Next Class

• Mapping Applications

