Module 3
Securing Web Application, Services and Servers

Outline
• Introduction
• Basic security for HTTP Applications and Services
• Basic Security for SOA Services
• Identity Management and Web Services
• Authorization Patterns
• Security Considerations
• Challenges
Introduction
• Web application security is the practice of protecting websites, applications, and APIs from attacks.
• It is a broad discipline, but its ultimate aims are keeping web applications functioning smoothly and protecting businesses from cyber vandalism, data theft, unethical competition, and other negative consequences.
• The global nature of the Internet exposes web applications and APIs to attacks from many locations and various levels of scale and complexity.
• As such, web application security encompasses a variety of strategies and covers many parts of the software supply chain.

Common Attacks
• Zero day vulnerability
• XSS
• SQL injection
• DoS & DDoS
• Buffer Overflow
• Credential stuffing
• Page scraping
• API abuse
• Third party code abuse
Common Security Principles for web applications
• These are some of the general security principles followed by website owners.
• Never put Debug mode ON in production – Many web frameworks like WordPress, Django and Laravel provide a development server which should never be used in production. Debug mode ON produces detailed error output, including information such as variable names and line numbers from the source code, which is intended for developers only.
• Restrict Access to server and close unused ports – Running our web app in the cloud is a very good option. Some of the good options are DigitalOcean, Google Cloud, Azure and AWS. When you rent a virtual server, limit the people who can access it. It is better to use SSH to access the server. Always close unnecessary ports while running the server.

Common Security Principles for web applications
• Always update frameworks and application – Updates are the best way to reduce bugs in our application. In the same manner, updating the framework we used to build the application might be helpful. Sometimes we have to rewrite the code for our application, but if the update is long term it would be best to do it even if we have to rewrite the code.
• Keep the Database secure – Many times we forget that the database is also part of our application, and it is also necessary for us to keep our database secure. Always use strong passwords, and limit the users who are allowed to run native commands on the database.
• DNS hosting – DNS is the backbone of the internet; it is the phonebook for the internet. In simple words, DNS is the protocol which converts human-readable hostnames like geeksforgeeks.org to numbers that computers understand, like 34.218.62.116. It is necessary for our web app to have a better and widespread DNS like Cloudflare, a cloud based DNS which reduces the lookup time to find our server IP and to connect to it.
Common Security Principles for web applications
• Limiting API usage – Many web apps use external services, which are included via specially configured APIs for specific functions. Most API providers limit usage according to the customer's plan, and it is also better for web app developers to implement rate limiting of APIs according to need so that we don't pay any extra.
• Bot and Spam – Many web applications also contain forms, for example for subscribing by email or some other query form. Many bots these days have the ability to submit plain forms. To protect against this, it is better to use reCAPTCHA with every form, which will keep most of the bots out.
• HTTP headers – Most web application frameworks allow sending HTTP headers like HSTS, CSP, Referrer-Policy and Permissions-Policy, which help the browser determine the sources and protocols it should allow for loading styles, scripts and media, in turn hardening the security of web apps through upgrading to HTTPS, XSS protection and more.

Basic security for HTTP Applications and Services
• Securing HTTP applications and services is crucial to protect against various threats and vulnerabilities.
• Use HTTPS: Ensure that your application uses HTTPS (HTTP Secure) to encrypt data in transit between the client and the server. This prevents attackers from intercepting sensitive information during transmission.
• Update Software: Regularly update your web server, application server, and any third-party libraries or frameworks to patch security vulnerabilities. Outdated software may have known vulnerabilities that attackers can exploit.
• Input Validation: Validate and sanitize all user inputs to prevent common web vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Use parameterized queries for database access.
Basic security for HTTP Applications and Services
• Authentication and Authorization: Implement strong authentication mechanisms to ensure that only authorized users can access your application. Enforce the principle of least privilege, giving users only the permissions they need.
• Session Management: Use secure session management practices. Generate unique session identifiers, store them securely, and expire sessions after a set period of inactivity. Implement mechanisms to protect against session hijacking and fixation.
• Secure File Uploads: If your application allows file uploads, validate file types, limit file sizes, and store them in a secure location. Consider using a separate server or storage service for uploaded files.
• Security Headers: Use security headers to enhance the security of your application. Headers like Content Security Policy (CSP), Strict-Transport-Security (HSTS), and X-Content-Type-Options can help mitigate various attacks.

Basic security for HTTP Applications and Services
• Cross-Origin Resource Sharing (CORS): If your application interacts with resources on different domains, configure CORS settings to control which domains are allowed to make requests. This helps prevent cross-origin attacks.
• Web Application Firewall (WAF): Implement a web application firewall to filter and monitor HTTP traffic between a web application and the Internet. WAFs can help protect against common web application attacks.
• Logging and Monitoring: Enable comprehensive logging of security-relevant events. Regularly review logs for suspicious activities and set up alerts for unusual patterns. Monitoring tools can help detect and respond to security incidents.
• Error Handling: Customize error messages to reveal minimal information to users. Display generic error messages to users and log detailed error information for internal use.
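The security headers named on these slides (HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are easiest to get right when one middleware sets them on every response. The following is an added example, not from the slides: a small WSGI middleware with illustrative header values, plus a constructed demo app and a driver so it runs without a web server.

```python
from typing import Callable, Dict, List, Tuple

# Illustrative values; a real deployment tunes the CSP to the assets it actually loads.
SECURITY_HEADERS: Dict[str, str] = {
    # Browsers must use HTTPS for this host for one year (only meaningful on HTTPS).
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # Load scripts/styles/media from our own origin only; forbid framing; upgrade http:// subresources.
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests",
    # Never sniff a response into a different MIME type than declared.
    "X-Content-Type-Options": "nosniff",
    # Send only the origin as referrer, and nothing when downgrading to HTTP.
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # Deny powerful browser features this app does not use.
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def add_security_headers(headers: List[Tuple[str, str]], https: bool) -> List[Tuple[str, str]]:
    """Return the header list with the defaults added. A header the view already set
    wins, so a page can ship a stricter CSP. HSTS is emitted only on HTTPS responses:
    browsers ignore it over plain HTTP, so sending it there is pointless."""
    present = {name.lower() for name, _ in headers}
    out = list(headers)
    for name, value in SECURITY_HEADERS.items():
        if name == "Strict-Transport-Security" and not https:
            continue
        if name.lower() not in present:
            out.append((name, value))
    return out


class SecurityHeadersMiddleware:
    """WSGI middleware applying add_security_headers to every response of the wrapped app."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers, https), exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed minimal app standing in for a real framework application."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def run_once(app: Callable, scheme: str = "https") -> dict:
    """Drive a WSGI app with a constructed request and capture status, headers and body."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    captured["body"] = b"".join(app(environ, start_response))
    return captured


if __name__ == "__main__":
    for name, value in run_once(SecurityHeadersMiddleware(demo_app))["headers"].items():
        print(f"{name}: {value}")
```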
Basic security for HTTP Applications and Services
• Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and address vulnerabilities. This helps ensure that your security measures are effective and up to date.
• User Education: Educate users about security best practices, such as using strong passwords, enabling multi-factor authentication, and being cautious about phishing attempts.

Basic Security for SOA Services
• Service-Oriented Architecture (SOA) is a design paradigm and architectural style that structures software applications as a collection of loosely coupled, interoperable services.
• In SOA, services represent modular units of functionality that can be independently developed, deployed, and consumed.
• These services communicate with each other over well-defined, standard protocols.
Basic Security for SOA Services
• Securing Service-Oriented Architecture (SOA) services is critical to ensure the integrity, confidentiality, and availability of the distributed components.
• Authentication and Authorization: Implement strong authentication mechanisms for both services and service consumers. Use protocols like OAuth or API keys to ensure that only authorized entities can access your services. Enforce proper authorization mechanisms to control the actions each authenticated entity can perform.
• Secure Communication: Employ secure communication channels between services. Use protocols like HTTPS for data encryption in transit. Avoid sending sensitive information in clear text, and if possible, use mutual TLS for both client and server authentication.
• Service Endpoint Security: Secure the service endpoints by validating and sanitizing inputs. Implement proper validation to prevent common security issues like SQL injection, XML/JSON injection, and other injection attacks.

Basic Security for SOA Services
• Message Integrity and Confidentiality: Use message-level security measures to ensure the integrity and confidentiality of data exchanged between services. This may involve encrypting sensitive data within the messages and signing messages to verify their authenticity.
• Service Identity Management: Establish a robust identity management system for services. Ensure that services can verify the identity of other services and consumers. This may involve using service accounts, certificates, or other identity mechanisms.
• Monitoring and Logging: Implement comprehensive monitoring and logging for SOA services. Track and log security-relevant events, and regularly review these logs to detect any suspicious activities. Monitoring tools can help identify and respond to security incidents promptly.
Basic Security for SOA Services
• Denial-of-Service (DoS) Protection: Implement measures to protect against Denial-of-Service attacks. This may involve rate limiting, traffic analysis, and the use of firewalls or intrusion prevention systems.
• Governance and Policy Management: Establish governance policies for SOA services to ensure that security standards are adhered to across the organization. Implement policies for access control, data protection, and other security aspects. Use tools and frameworks that support policy-based security.
• Threat Modeling: Perform threat modeling to identify potential security threats and vulnerabilities in your SOA architecture. This proactive approach can help you design security controls into your services from the outset.

Basic Security for SOA Services
• Secure Deployment: Implement secure deployment practices for your services. This includes ensuring that the underlying infrastructure, containers, or virtual machines are securely configured. Regularly update and patch the software stack.
• API Security: If your SOA involves APIs, secure them by following best practices such as proper authentication, rate limiting, and input validation. Consider using API gateways for additional security controls.
• Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing on your SOA services to identify and address vulnerabilities. This proactive approach helps discover and mitigate potential security issues before they can be exploited.
Identity Management and Web Services
• Identity management in the context of web services refers to the process of managing and securing user identities and access within a system that utilizes web services.
• Web services often involve multiple entities and interactions, and identity management plays a crucial role in ensuring that these interactions are secure, authenticated, and authorized appropriately.

Key aspects of identity management in the context of web services
❖ Authentication:
• User Authentication: Ensuring that users accessing web services are who they claim to be. This can involve various authentication mechanisms, such as username/password, multi-factor authentication (MFA), or token-based authentication.
• Service Authentication: Verifying the identity of the web services themselves to ensure that they are legitimate and authorized to access specific resources.
❖ Authorization:
• Access Control: Defining and enforcing access policies to determine which users or services are allowed to access particular resources or perform specific actions. This is often based on roles, permissions, or attributes associated with the identities.
• Fine-Grained Authorization: Implementing detailed access controls to specify precisely what actions users or services can perform within a web service.
Key aspects of identity management in the context of web services
❖ Single Sign-On (SSO):
• User Convenience: Implementing SSO allows users to log in once and access multiple web services without having to re-enter their credentials. This enhances user experience and simplifies identity management.
• Federated Identity: Extending SSO across multiple domains or services, allowing users to use their identity from one service to access resources in another service.
❖ Identity Federation:
• Interoperability: Allowing identities to be shared across different web services or systems, enabling seamless integration and collaboration between entities.
• Standards: Using standards like Security Assertion Markup Language (SAML) or OAuth for identity federation to ensure consistency and interoperability.

Key aspects of identity management in the context of web services
❖ Token-Based Security:
• JSON Web Tokens (JWT) and OAuth: Utilizing token-based mechanisms to secure web services. Tokens are used to convey identity and access information between different components in a secure and standardized manner.
• Token Validation: Verifying the authenticity and integrity of tokens to prevent unauthorized access.
❖ Identity Lifecycle Management:
• User Provisioning and Deprovisioning: Managing the entire lifecycle of user identities, including creating, updating, and disabling accounts based on changes in roles or employment status.
• Account Recovery: Providing mechanisms for users to recover their accounts securely, such as through password reset processes or multi-factor authentication.
Key aspects of identity management in the context of web services
❖ Security Standards:
• Security Protocols: Adhering to industry standards and protocols, such as HTTPS for secure communication and encryption, to protect sensitive information during data transmission.
• Security Best Practices: Implementing security best practices, including secure coding practices, regular security audits, and keeping software and libraries up-to-date.

Authorization Patterns
• In web applications, authorization is the process of determining whether a user has the necessary permissions to access a particular resource or perform a specific action.
• There are various authorization patterns and approaches that can be used, depending on the requirements of your application.
Authorization Patterns
Role-Based Access Control (RBAC):
• Assign roles to users, and each role has certain permissions.
• Users inherit permissions based on their assigned roles.
• Simplifies management and maintenance by grouping permissions into roles.
Attribute-Based Access Control (ABAC):
• Access is granted based on attributes associated with the user, resource, and environment.
• Policies are defined based on combinations of attributes.
• More flexible than RBAC, allowing for fine-grained control.
Permission-Based Access Control:
• Users are directly assigned specific permissions.
• Permissions are associated with specific actions or resources.
• Provides a more granular level of control compared to RBAC.

Authorization Patterns
Claims-Based Authorization:
• Uses claims or assertions about a user to make access control decisions.
• Claims are typically embedded in security tokens (like JWTs).
• Allows for flexible and extensible authorization policies.
Policy-Based Authorization:
• Define policies that dictate access control rules.
• Policies are evaluated to determine whether a user has access.
• Offers a high level of flexibility and can handle complex scenarios.
Context-Based Authorization:
• Access decisions are made based on the context of the request.
• Takes into account various factors such as user attributes, environmental conditions, and more.
• Useful for dynamic access control.
Authorization Patterns
Rule-Based Access Control:
• Define rules that determine access control decisions.
• Rules can be based on a combination of conditions and actions.
• Offers a way to express complex access control logic.
Time-Based Access Control:
• Access permissions are granted or revoked based on specific time intervals.
• Useful for scenarios where access needs to be restricted during certain periods.
Ownership-Based Access Control:
• Users have access to resources based on ownership relationships.
• Common in content management systems where users have control over their own content.

Authentication Pattern
Securing web applications involves implementing strong authentication patterns to ensure that only authorized users have access to sensitive resources.
Password-Based Authentication:
• Users provide a unique username and a strong, securely hashed password.
• Enforce password complexity requirements and encourage users to use unique passwords.
• Implement strong password hashing algorithms and use techniques like salting.
Multi-Factor Authentication (MFA):
• Requires users to provide multiple forms of identification.
• Common factors include something you know (password), something you have (token or device), and something you are (biometrics).
• Adds an extra layer of security, especially effective against credential stuffing and phishing attacks.
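The authorization patterns on the preceding slides are rarely used in isolation; a policy-based decision usually combines several of them. The following added example (not from the slides) composes RBAC, ownership, an attribute (ABAC) constraint and a time-window constraint into one deny-by-default `authorize` function; the roles, attributes and sample users are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, time as dtime
from typing import Dict, Set, Tuple


@dataclass
class Subject:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    attributes: Dict[str, object] = field(default_factory=dict)  # e.g. department, clearance


@dataclass
class Resource:
    kind: str
    owner_id: str
    attributes: Dict[str, object] = field(default_factory=dict)


# RBAC: each role groups a set of (action, resource kind) permissions.
ROLE_PERMISSIONS = {
    "admin": {("read", "document"), ("write", "document"), ("delete", "document")},
    "editor": {("read", "document"), ("write", "document")},
    "viewer": {("read", "document")},
}


def rbac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    return any((action, resource.kind) in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def owner_allows(subject: Subject, action: str, resource: Resource) -> bool:
    # Ownership-based: users may read and write what they created, but not delete it.
    return resource.owner_id == subject.user_id and action in {"read", "write"}


def abac_allows(subject: Subject, resource: Resource) -> bool:
    # Attribute-based constraint: confidential documents are accessible only from the
    # owning department and by subjects whose clearance meets the document's level.
    if resource.attributes.get("classification") != "confidential":
        return True
    return (subject.attributes.get("department") == resource.attributes.get("department")
            and subject.attributes.get("clearance", 0) >= resource.attributes.get("clearance", 0))


def time_allows(action: str, now: datetime) -> bool:
    # Time-based constraint: destructive actions only on weekdays between 09:00 and 17:00.
    if action != "delete":
        return True
    return now.weekday() < 5 and dtime(9, 0) <= now.time() < dtime(17, 0)


def authorize(subject: Subject, action: str, resource: Resource, now: datetime) -> Tuple[bool, str]:
    """Policy-based decision, deny by default: some grant rule (role or ownership) must
    apply, and no constraint rule (attributes, time) may veto it."""
    if not (rbac_allows(subject, action, resource) or owner_allows(subject, action, resource)):
        return False, "no role or ownership grants this action"
    if not abac_allows(subject, resource):
        return False, "attribute constraint (department/clearance) not satisfied"
    if not time_allows(action, now):
        return False, "action outside the permitted time window"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample subjects and resources.
    alice = Subject("alice", {"admin"}, {"department": "finance", "clearance": 3})
    bob = Subject("bob", {"viewer"}, {"department": "finance", "clearance": 1})
    carol = Subject("carol", set(), {"department": "sales", "clearance": 1})
    report = Resource("document", "bob", {"classification": "confidential", "department": "finance", "clearance": 2})
    memo = Resource("document", "carol")
    weekday_morning = datetime(2024, 1, 10, 10, 0)
    for who, act, res in [(alice, "delete", report), (bob, "read", report), (carol, "write", memo), (carol, "delete", memo)]:
        print(who.user_id, act, res.owner_id, authorize(who, act, res, weekday_morning))
```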
Authentication Pattern
Token-Based Authentication (e.g., JSON Web Tokens - JWT):
• Users obtain a token after successful authentication, which is then included in subsequent requests.
• Tokens can have expiration times, reducing the risk of long-term compromise.
• Useful for stateless authentication and for supporting Single Sign-On (SSO) in a distributed environment.
OAuth (Open Authorization):
• Allows third-party applications to access user resources without exposing credentials.
• Commonly used for authorization and authentication in scenarios like social login.
• Implement secure OAuth flows (e.g., OAuth 2.0) with proper validation and protection against token leakage.
OpenID Connect:
• Provides an identity layer on top of OAuth 2.0, enabling clients to verify the identity of end-users based on authentication performed by an authorization server.
• Used for Single Sign-On (SSO) scenarios and to obtain user information.

Authentication Pattern
Biometric Authentication:
• Uses unique biological characteristics for identity verification (e.g., fingerprints, facial recognition, voice recognition).
• Provides a high level of security and user convenience but may require additional security measures to protect biometric data.
Certificate-Based Authentication:
• Uses digital certificates to verify the identity of users or systems.
• Commonly used in environments where a higher level of security is required.
Time-Based One-Time Passwords (TOTP):
• Users generate one-time passwords based on a shared secret and the current time.
• Adds an additional layer of security, commonly used for two-factor authentication.
Authentication Pattern
Device-Based Authentication:
• Authenticates users based on the device they are using, considering factors like device fingerprinting.
• Can be used to detect and prevent unauthorized access from unfamiliar devices.
Session Management:
• Securely manage user sessions, using techniques like session tokens, secure cookies, and session timeout.
• Implement mechanisms to protect against session hijacking and session fixation attacks.

Security Considerations and challenges
1. Web Application:
Input Validation and Sanitization:
• Challenge: Inadequate validation may lead to injection attacks, such as SQL injection or Cross-Site Scripting (XSS).
• Consideration: Implement strict input validation and sanitize user inputs to prevent injection vulnerabilities.
Authentication and Authorization:
• Challenge: Weak authentication methods or improper authorization checks can result in unauthorized access.
• Consideration: Enforce strong authentication practices, implement multi-factor authentication, and employ proper authorization mechanisms.
Security Considerations and challenges
Session Management:
• Challenge: Insecure session handling may lead to session hijacking or fixation.
• Consideration: Use secure session management techniques, employ secure cookies, and regularly rotate session tokens.
Security Headers and Content Security Policy (CSP):
• Challenge: Lack of proper security headers and CSP can expose the application to various attacks.
• Consideration: Implement security headers (e.g., Content Security Policy) to mitigate XSS and other client-side vulnerabilities.
File Upload Security:
• Challenge: Allowing unsecured file uploads can introduce security risks.
• Consideration: Validate file types, check file content, and store uploaded files in a secure location.

Security Considerations and challenges
2. Servers:
Patch Management:
• Challenge: Delayed or incomplete patching can leave servers vulnerable to known exploits.
• Consideration: Regularly apply security patches and updates to server software, applications, and operating systems.
Access Controls:
• Challenge: Inadequate access controls may lead to unauthorized access or privilege escalation.
• Consideration: Implement proper access controls, follow the principle of least privilege, and conduct regular access reviews.
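The session-management guidance that recurs through this deck (unique identifiers, inactivity expiry, secure cookies, rotating tokens to defeat fixation and limit hijacking) fits in one small store. This is an added example, not from the slides; the timeouts and cookie name are illustrative choices, and the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # expire after 15 minutes without a request (illustrative)
ABSOLUTE_TIMEOUT = 8 * 3600  # and unconditionally 8 hours after creation (illustrative)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session store: unpredictable IDs, idle and absolute expiry, rotation."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG: the ID is neither guessable nor sequential.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def get(self, sid: str) -> Optional[str]:
        """Return the session's user_id if it is still valid, else None.
        Expired sessions are dropped on the way out, so a stale ID can never be revived."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user_id

    def rotate(self, old_sid: str, user_id: str) -> str:
        """Issue a fresh ID at login (and on any privilege change), invalidating the old one.
        An ID that existed before authentication therefore never becomes an authenticated
        session, which is what defeats session fixation."""
        self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, name: str = "__Host-session") -> str:
    """Set-Cookie value: HttpOnly (no script access), Secure (HTTPS only), SameSite=Lax
    (not sent on cross-site POSTs), Path=/ with no Domain as the __Host- prefix requires."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={ABSOLUTE_TIMEOUT}"


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")
    sid = store.rotate(pre_login, "alice")   # login: old ID dies, new one is issued
    print(store.get(pre_login), store.get(sid))  # None alice
    print(session_cookie(sid))
```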
Security Considerations and challenges
Network Security:
• Challenge: Insufficient network security measures may expose servers to attacks.
• Consideration: Implement firewalls, intrusion detection/prevention systems, and secure network configurations.
Data Encryption:
• Challenge: Failure to encrypt sensitive data may result in data breaches.
• Consideration: Use encryption for data in transit (SSL/TLS) and data at rest, and employ secure key management practices.

Security Considerations and challenges
3. Services:
API Security:
• Challenge: Insecure APIs can expose sensitive data or allow unauthorized access.
• Consideration: Use secure authentication mechanisms, implement proper authorization, and validate input data to secure APIs.
Third-Party Integrations:
• Challenge: Security vulnerabilities in third-party services or libraries can pose risks.
• Consideration: Regularly update and patch third-party components, perform security assessments, and monitor third-party security disclosures.
Security Considerations and challenges
Monitoring and Incident Response:
• Challenge: Inadequate monitoring can result in delayed detection of security incidents.
• Consideration: Implement robust logging, continuous monitoring, and an effective incident response plan.
Regulatory Compliance:
• Challenge: Non-compliance with industry or regional regulations may lead to legal consequences.
• Consideration: Stay informed about relevant regulations, ensure compliance, and conduct regular audits.

Security Considerations and challenges
Container Security:
• Challenge: Security risks in containerized environments may expose vulnerabilities.
• Consideration: Secure container configurations, regularly update images, and implement container-specific security measures.
Serverless Security:
• Challenge: Security concerns in serverless computing environments.
• Consideration: Implement secure coding practices, enforce proper permissions, and use built-in security features provided by serverless platforms.
Challenges
• Evolving Insider Threat
• User Awareness
• Complexity of system
• Legacy System (Lack of Modern Security)
• Balancing Security & Usability
• Insider Threat
• Compliance Requirement
• Resource Limitation
• Zero day Vulnerability
• Interconnected Services
• Cloud Security
• Mobile Device security
• Privacy concerns
• Incident detection & Responses
• Global Nature of Threats