PACE-IT, Security+ 4.1: Application Security Controls and Techniques

Application security controls and techniques.

Upload: pace-it-at-edmonds-community-college

Post on 14-Feb-2017


Page 1: PACE-IT, Security+ 4.1: Application Security Controls and Techniques

Application security controls and techniques.


Instructor, PACE-IT Program – Edmonds Community College

Areas of expertise: Industry Certifications, PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required—with a focus on technology.

Brian K. Ferrill, M.B.A.


Application security controls and techniques.

– Secure coding concepts.

– Other security controls, techniques, and concepts.


Secure coding concepts.


Hackers will often focus on applications (software) when they are attempting to breach network security.

Because of this, application developers need to focus on security controls right from the beginning of developing the application. This is the idea of using secure coding concepts.

An application designed with security in mind is much easier to defend than an application that doesn’t use such methods. Two of the main concepts of secure coding are error and exception handling, and input validation.


– Error handling.

» Thoroughly testing applications will catch most errors, with the possible exception of some runtime errors.

• Runtime errors are problems that occur during the operation of an application.

• Many things can cause a runtime error. They include poor programming, conflicts with other software (including malicious applications), and conflicts with hardware.

» The developer should put processes in place that trap all runtime errors before such an error crashes the application.

• Trapping a runtime error requires that the developer intercept the error and display a warning message before the error causes the application to crash.

– Exception handling.

» A more advanced method of error handling.

• An exception is a different term for a runtime error.

» Exception handling code will use a try/catch block—try this code and catch any errors that occur.

• Usually will provide a means of looping the program until the error condition subsides.
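The try/catch pattern described above, as an added Python example (try/except) that is not part of the original slides. The names TransientError, run_with_retry and make_flaky are hypothetical; the retry loop is bounded so it cannot spin forever, and the user only sees a generic warning while the details go to the log.

```python
import logging
import time

log = logging.getLogger("app")

class TransientError(Exception):
    """Constructed stand-in for an error that may clear on retry (e.g. a busy resource)."""

def run_with_retry(operation, attempts=3, delay=0.1):
    """Try `operation`, retrying transient failures a bounded number of times.

    Returns (ok, result_or_user_message). Error details are logged; the
    caller only ever receives a generic warning, never a stack trace.
    """
    for attempt in range(1, attempts + 1):
        try:
            return True, operation()
        except TransientError as exc:
            log.warning("attempt %d/%d failed: %s", attempt, attempts, exc)
            time.sleep(delay * attempt)  # simple linear back-off before looping
        except Exception:
            # Unexpected runtime error: trap it so the application keeps running.
            log.exception("runtime error trapped")
            return False, "Something went wrong. Please try again later."
    return False, "The service is busy. Please try again later."

def make_flaky(failures):
    """Constructed operation that fails `failures` times, then succeeds."""
    state = {"left": failures}
    def operation():
        if state["left"] > 0:
            state["left"] -= 1
            raise TransientError("resource busy")
        return "saved"
    return operation

def divide_by_zero():
    return 1 / 0  # constructed runtime error that retrying will not fix

if __name__ == "__main__":
    print(run_with_retry(make_flaky(2)))   # error condition subsides on the 3rd try
    print(run_with_retry(make_flaky(5)))   # still failing after 3 tries: give up
    print(run_with_retry(divide_by_zero))  # trapped, generic message returned
```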


A major cause of runtime errors and other security issues in applications is users inputting invalid data into the application.

Secure coding requires that input validation be done before that data is actually placed into the application. Input validation is when the user-supplied data is examined against a set of rules that outline what type of data the application is expecting.

One method of testing input validation rules is to use fuzzing. During the testing phase of the application, the developer will input invalid or random data into the input fields in order to test the input validation rules.
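An added example (not from the original slides) of an input validation rule and a small fuzzing harness that tests it. The "age" field, its 0 to 130 range and all function names are assumptions made for illustration; a deliberately weak validator is included so the harness has something to find.

```python
import random
import re
import string

def validate_age(raw):
    """Rule: a decimal string for a whole number from 0 to 130. Returns int or None."""
    if isinstance(raw, str) and re.fullmatch(r"[0-9]{1,3}", raw) and int(raw) <= 130:
        return int(raw)
    return None

def weak_validate_age(raw):
    """Deliberately weak rule for comparison: no type, format or range check."""
    return int(raw)

def age_ok(value):
    """Independent statement of the rule, used as the fuzzing oracle."""
    return isinstance(value, int) and 0 <= value <= 130

# Constructed seed inputs: empty, oversized, signed, non-ASCII digit, wrong types.
SEEDS = ["", " ", "a" * 10000, "-1", "1e3", "\u0663", "12\n", "<b>", None, 4.5, b"ab"]

def fuzz(validator, oracle, rounds=2000, seed=1):
    """Return findings: inputs that crash `validator` or pass it but fail `oracle`."""
    rng = random.Random(seed)  # fixed seed so any finding can be reproduced
    alphabet = string.printable + "\x00\u00e9\u0663"
    findings = []
    for i in range(rounds):
        if i < len(SEEDS):
            sample = SEEDS[i]
        else:
            sample = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 24)))
        try:
            result = validator(sample)
        except Exception as exc:
            findings.append((sample, "crash: " + type(exc).__name__))
            continue
        if result is not None and not oracle(result):
            findings.append((sample, "accepted a value that breaks the rule"))
    return findings

if __name__ == "__main__":
    print(len(fuzz(validate_age, age_ok)), "findings for validate_age")
    for sample, problem in fuzz(weak_validate_age, age_ok)[:5]:
        print(repr(sample), "->", problem)
```

Every finding is a pair of the offending input and the reason, so a failed run points directly at the rule that needs tightening.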


Other security controls, techniques, and concepts.


– Client-side and server-side validation.

» Initial input validation should occur on the client (requesting machine) before it is sent to the application on the server.

• This can help to prevent a runtime error or exploit on the server and reduces the amount of traffic that is crossing a network.

» Additional input validation should occur at the server (receiving machine) before the input is passed on to the application—further reducing the chances of a runtime error or an exploit occurring.

– Cross-site scripting (XSS) prevention.

» XSS occurs when a hacker inserts script code into a form on a website so that when other users access the form, the script is executed.

• Proper input validation of data is usually an effective means of preventing XSS from occurring.
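An added example (not from the original slides) of the server-side half of this advice for a comment form: the server re-checks the input no matter what the client reports. It goes one step beyond the slide by also HTML-encoding the text when it is shown to other users, a common second layer. The form field names and limits are assumptions.

```python
import html
import re

MAX_COMMENT_LEN = 500
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def accept_comment(form):
    """Server-side check of a submitted form (a dict of field name -> value).

    The browser may already have validated the input, but a request can be
    built by hand, so nothing the client claims is trusted here.
    Returns (ok, comment_or_error_message).
    """
    comment = form.get("comment")
    if not isinstance(comment, str):
        return False, "comment is required"
    comment = comment.strip()
    if not comment or len(comment) > MAX_COMMENT_LEN:
        return False, "comment must be 1-500 characters"
    if CONTROL_CHARS.search(comment):
        return False, "comment contains control characters"
    return True, comment

def render_comment(author, comment):
    """Build the HTML fragment other users will see, encoding on output."""
    return '<p class="comment"><b>{}</b>: {}</p>'.format(
        html.escape(author, quote=True), html.escape(comment, quote=True))

if __name__ == "__main__":
    # Constructed request: the client claims it validated the field already.
    form = {"comment": "<script>alert(1)</script>", "client_validated": "true"}
    ok, value = accept_comment(form)
    print(ok, render_comment("guest", value) if ok else value)
```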


– Cross-site request forgery (XSRF) prevention.

» XSRF is when a user is automatically directed to a linked Web page and logged in using data supplied by a cookie from the original page—when this was not the Web developer’s intent.

• Web developers can help to prevent XSRF from occurring by setting a short expiration time for cookies.

• Users can help prevent XSRF by choosing not to have a website automatically log them in when they visit the site.

– Application configuration baseline.

» The initial setting up of an application (the baseline) should be done with security in mind.

• The baseline should be as secure as possible.

– Application hardening.

» Disabling all features and functions that users should not be allowed to use (e.g., disabling an application’s ability to use FTP).

• Should initially be done during the configuration process.


– Application patch management.

» New exploits and threats against applications are created all the time, requiring that applications be updated on a regular basis.

• Patches are used to fix problems (e.g., security issues) that were unknown at the time the application was developed.

» Caution: just as with operating system patches, application patches must be tested before being deployed into a production setting.

– SQL vs. NoSQL databases.

» SQL databases are the most common relational database management system used today.

• They are optimized for the inserting and updating of records in a database.

» NoSQL databases are designed to store and retrieve large amounts of data—big data.

• They must be optimized for the retrieval of big data, and require different methods of input validation than a SQL database.


What was covered.

Topic: Secure coding concepts.

Summary: Application security controls need to begin with the application’s developer using secure coding methods. The two main concepts used in secure coding are: error and exception handling and input validation. Error and exception handling are how an application will deal with a runtime error. Input validation is a method used to prevent users from inputting invalid data into an application, which may cause a security issue or runtime error.

Topic: Other security controls, techniques, and concepts.

Summary: Client-side and server-side validation should both be used to prevent application problems. Input validation can be used to prevent XSS from occurring. XSRF prevention requires actions from both the user and the Web developer. An application’s configuration baselines should be set to the highest level of security and include application hardening techniques. All applications should be patched as required to maintain security. SQL databases and NoSQL databases are used to perform different functions and require different methods of application security controls.


THANK YOU!


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.