Web Security

Internet and Web Application Security

Mike Harwood, Ron Price , 2022

Inhaltsverzeichnis des Buches

Cover
Title Page
Copyright Page
Contents
Preface
New to This Edition
Acknowledgments
About the Authors
CHAPTER 1 The Internet and the World Wide Web
Data and Information
Data
Information
The Evolution of Computers and Computing
Before There Was an Internet
ARPANET
The Legacy of ARPANET
The Maturing Network
Hypertext
The Early Internet
Gopher, Archie, and Veronica
Groupware
Hardware
The World Wide Web (WWW)
Tim Berners-Lee
The Web
Mosaic
World Wide Web Phases
Web 1.0
Web 2.0
Web 3.0
Web 4.0
Client/Server Computing
Virtualization and Cloud Computing
Virtualization
Cloud Computing
Chapter Summary
Key Concepts And Terms
Chapter 1 Assessment
CHAPTER 2 Security Considerations for SOHO and Personal Systems
What Is Security?
Vulnerabilities, Threats, and Risk
Vulnerabilities
Human Vulnerabilities and Error
Weak Passwords
Insecure Location
System and Application Updates Not Applied
No Backup Plan
Natural Vulnerabilities
Threats
Ownership
Threat Actors
Social Engineering
Antisocial Defense
Identify Theft
Malware and Ransomware
Viruses
Malware
Malware Types
Malware Movement
Ransomware
Risk
Types of Risk
Risk Assessment
Risk Matrix
Protecting Assets
Keeping Private Data Private
Hardening
Exposures
Closures
The Benefits of Hardening
Cookies
Wireless Network Vulnerabilities
Minimize Wireless Risks
Encrypt Data in Transit
Guard the SSID
Threat and Risk Identification
Threat Maps
Current Threat Identification
Broken Access Control
Cryptographic Failures
Injections
Weak Security Design
Misconfiguration
Identification and Authentication Failures
Application Software and Data Integrity Issues
Insufficient Security Logging and Monitoring
Chapter Summary
Key Concepts And Terms
Chapter 2 Assessment
CHAPTER 3 Security Considerations for Business
Business on the Web
Business Modes
Early E-Commerce
Customer-Focused Services
The Evolution of the Web
Website Security
Vulnerabilities
Threats
Ransomware
Online Business Risk
Asset Identification
Data Assets
Managing Risk
Risk Assessments
Qualitative and Quantitative
Qualitative Assessment
Quantitative Assessment
Mitigation Strategies
Securing IP Communications
Secure Access for Remote Employees
Chapter Summary
Key Concepts And Terms
Chapter 3 Assessment
CHAPTER 4 Mitigating Risk When Connecting to the Internet
The Threats and Risks on the Internet
Risks and Threats
Hackers and Predators
Malware
Vulnerabilities and Exploits
Personal Attacks
Online Risks and Threats
Website Hosting
External Web Hosting
Internal Web Hosting
Domain Name Server
DNS Names
Common DNS Attacks
Best Practices for Connecting to the Internet
Chapter Summary
Key Concepts And Terms
Chapter 4 Assessment
CHAPTER 5 Mitigating Website Risks, Threats, and Vulnerabilities
Who Is Coming to Your Website?
Whom Do You Want to Come to Your Website?
Accepting User Input on Your Website
Forums
Website Feedback Forms
Online Surveys
The OWASP Top 10 Threats
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfigurations
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)
Additional Web Threats Not in the Top 10
Information Leakage and Improper Error Handling
Unsecure Communications
Failure to Restrict URL Access
Mitigating Web Risks, Threats, and Vulnerabilities
Chapter Summary
Key Concepts And Terms
Chapter 5 Assessment
CHAPTER 6 Web Application Security
Web Applications
Web Application Vulnerabilities
Web Application Security Areas
Web Services
Common Website Attacks
Abuse of Functionality
Brute-Force Attacks
Developing Password Policies
Buffer Overflow
Content Spoofing
Credential/Session Prediction
Cross-Site Scripting
Cross-Site Request Forgery
Denial of Service
Fingerprinting
Format String
HTTP Attacks
Integer Overflows
Injection Attacks
URL Redirector Abuses
OS Commanding
Path Traversal
Predictable Resource Location
Remote File Inclusion (RFI)
Routing Detour
Session Fixation
SOAP Array Abuse
XML Attacks
Common Website Weaknesses
Application Misconfiguration
Directory Indexing
Improper File System Permissions
Improper Input Handling
Improper Output Handling
Information Leakage
Unsecure Indexing
Insufficient Anti-Automation
Insufficient Authentication
Insufficient Authorization
Insufficient Password Recovery
Insufficient Process Validation
Insufficient Session Expiration
Insufficient Transport Layer Protection
Server Misconfiguration
Best Practices for Mitigating Web Attacks
Best Practices for Mitigating Weaknesses
Chapter Summary
Key Concepts And Terms
Chapter 6 Assessment
CHAPTER 7 How Web Applications Work and Building a Secure Foundation
How Web Applications Work
Web Application Function
Web Application Benefits
Web Application Disadvantages
Third-Party Apps Versus Third-Party Web Apps
Third-Party Web Apps
Web App Architecture
Application Programming Interface (API)
Security Regulations, Standards, and Guidelines
Internet Law
Censorship and Control
Internet and Web Laws and Regulations
Specific Information Security Standards
Payment Card Industry Data Security Standard
Types of Information Security
Application Security
Infrastructure Security
Cloud Security
Mitigating Risk in Web Applications
Guidelines and Standards for Securing Web Applications
The PCI DSS
Security Actions to Protect Websites
Protect Your System with Firewalls
Configure Passwords and Settings
Protect Stored PII Data
Encrypt Transmission of Data Across Open, Public Networks
Use and Regularly Update Antivirus Software
Regularly Update and Patch Systems
Restrict Physical Access to Workplace and Data
Implement Logging and Log Management
Conduct Vulnerability Scans and Penetration Tests
Documentation and Risk Assessments
Chapter Summary
Key Concepts And Terms
Chapter 7 Assessment
CHAPTER 8 Developing Secure Websites and Web Applications
Accepting User Input into a Website
Functional Websites
Hypertext Markup Language
Common Gateway Interface Script
JavaScript
SQL Database Back-End
Development Processes
Secure Application Development
Layered Security Strategies for Websites and Web Applications
Concept and Planning
Architecture and Design
Implementation
Testing and Debugging
Release and Maintenance
End of Life
Incorporating Security Requirements Within the SDLC
Systems Analysis Stage
Designing Stage
Implementation Stage
Testing Stage
Acceptance and Deployment Stage
Maintenance
Using Secure and Unsecure Protocols
How Secure Sockets Layer Works
SSL/TLS Encryption and Hash Protocols
Selecting an Appropriate Access Control Solution
Best Practices for Securing Web Applications
Chapter Summary
Key Concepts And Terms
Chapter 8 Assessment
CHAPTER 9 Mitigating Web Application Vulnerabilities
Causes of Web Application Vulnerabilities
Authentication
Input Validation
Session Management
Nonsecure Code in Software Applications
Developing Policies to Mitigate Vulnerabilities
Implementing Secure Coding Best Practices
Incorporating HTML Secure Coding Standards and Techniques
Incorporating JavaScript Secure Coding Standards and Techniques
Incorporating CGI Form and SQL Database Access Secure Coding Standards and Techniques
Implementing SCM and Revision-Level Tracking
Best Practices for Mitigating Web Application Vulnerabilities
Chapter Summary
Key Concepts And Terms
Chapter 9 Assessment
CHAPTER 10 Performing a Website Vulnerability and Security Assessment
Software Testing Versus Website Vulnerability and Security Assessments
Performing an Initial Discovery on the Targeted Website
Ping Sweep
Nmap
Operating System Fingerprint
Nessus Vulnerability and Port Scan
Performing a Vulnerability and Security Assessment
Web Server OS
Web Server Application
Website Front-End
Website Forms and User Inputs
Incorporate PCI DSS for E-Commerce Websites
Using Planned Attacks to Identify Vulnerabilities
Develop an Attack Plan
Identify Gaps and Holes
Escalate the Privilege Level
Vulnerabilities in Back-End Systems and Structured Query Language (SQL) Databases
Develop an Attack Plan
Identify Gaps and Holes
Escalate the Privilege Level
Perform an SQL Injection for Data Extraction
Preparing a Vulnerability and Security Assessment Report
Executive Summary
Summary of Findings
Vulnerability Assessment
Security Assessment
Recommendations
Best Practices for Website Vulnerability and Security Assessments
Choose the Right Tools
Test Inside and Out
Think Outside the Box
Research, Research, Research
Chapter Summary
Key Concepts And Terms
Chapter 10 Assessment
CHAPTER 11 Maintaining Compliance for E-Commerce Websites
Compliance Issues for Websites
General Privacy Laws
General Data Protection Regulation (GDPR)
California Privacy Rights Act (CPRA)
Website Legal Requirements
Legal Requirements Compliance
Privacy Policy
Cookie Management Policy
Terms and Conditions
Records of User Consent
Other Laws Affecting Websites and Data Privacy
Operational Compliance
Security Measures
“Lawful Basis”
Data Handling
Payment Processing Compliance
PCI DSS Standard
Revised Payment Services Directive (PSD2)
3D Secure 2.0 (3DS2)
KYB and KYC Verification
Tax Compliance
Other Compliance Elements
Chapter Summary
Key Concepts And Terms
Chapter 11 Assessment
CHAPTER 12 Testing and Quality Assurance for Websites
Development and Production Software Environments
Software Development Methodologies
Software Development Life Cycle
Agile Software Development Methodology
Scrum
Other Agile Development Methodologies
Joint Application Development (JAD)
JAD Team Roles
JAD Sessions and Workshops
DevOps
Website Testing
First Impressions
Functional Testing
Links Testing
Forms Testing
Cookies Testing
HTML/CSS Validation Testing
Security Testing
Mitigating Website Security Flaws
Mobile Devices
Documentation Testing
Releasing a Website to the World
Pre-Launch Tasks
Website Launch
Website Diagnostics
SEO Strategy
Post-Launch
Chapter Summary
Key Concepts And Terms
Chapter 12 Assessment
CHAPTER 13 Securing Mobile Communications
Endpoint Devices
Smartphones
Tablets
Cellular Networks and How They Work
1G Networks
2G Networks
3G Networks
4G Networks
Security 4G Networks
5G Networks
5G Types
5G Signaling
5G Networking
Wireless Endpoint Communication
Voice Communication
Voice Communication Security
Email
Instant Messaging (IM) Chat
SMS/Text Messaging
MMS Messaging
Endpoint Device Risks, Threats, and Vulnerabilities
OWASP Top 10 Mobile Risks
Securing Endpoint Device Communication
Technological Security of Devices
Applications and Systems
Physical Security of Devices
The Internet of Things
IoT Components
IoT Applications
Chapter Summary
Key Concepts And Terms
Chapter 13 Assessment
CHAPTER 14 Securing Personal and Business Communications
Privacy and Security in Communication
Data-in-Transit
Communication Privacy and Security
Privacy Versus Security
Online Privacy and Security
Internet Privacy Issues
Store-and-Forward Communication
Real-Time Communication
Threats to Personal and Business Communications
Mitigating Voicemail Risks
Messaging on Social Networking Sites
Presence and Availability
Instant Messaging Chat
Short Message Service Text Messaging
Multimedia Messaging Service Messaging
Voice over IP Threats
Securing Telephone and Private Branch Exchange Communications
Securing Unified Communications
Chapter Summary
Key Concepts And Terms
Chapter 14 Assessment
CHAPTER 15 Security Training, Education, and Certification
Security and Careers—Database Administration
Database Security
Database Administrator Versus Database Designer
Database Management Tasks
Database Security Training and Certification
Security and Careers—Application Development
Common Programming Tasks
Programming Training and Certification
Security and Careers—Network Management
Common Network Administration Tasks
Network Administration Training and Certification
Reviewing Security Information
Security and Careers—Web Design and Administration
Security for Web Developers
Daily Tasks for Web Developers
Chapter Summary
Key Concepts And Terms
Chapter 15 Assessment
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
APPENDIX C Internet and Web Cybersecurity Certifications
Glossary of Key Terms
References
Index