Chapter 5: Application Security Flashcards
Securing Web Browsers
- Avoid newest versions and disable auto-update (new versions are unstable)
- Consider organizational requirements and OS
- General Browser Security Procedures
> Implement Policies
Hand-written policies, browser settings, GPO (Windows), OS settings, etc.
> Train Users
> Use proxy and content filter
A proxy serves as an intermediary cache between server and client
Configured in browser settings or via the domain controller
Beware of malicious proxy configurations
> Secure against malicious code
Configure Java, ActiveX, JavaScript, Flash media, etc.
- Web Browser Concerns and Security Methods
Basic methods:
> Timely updates
> Adblock, pop-up blocking
> Implement security zones
> Control ActiveX/Java/plugins
> Avoid jailbreaking (mobile)
How can you secure cookies?
> Configure and control through browser settings
> Related threat : Session Hijacking
Securing LSOs (Locally Shared Objects, Flash)
> Flash's version of cookies; may be used to track users
> Configure and control in Flash Player Settings Manager
Securing Addons / Plugins
> Inherent security risk, disable all
> Most IE plugins are built on ActiveX, which is vulnerable
Advanced Browser Security
> Browser temporary files – configure them to flush automatically
> Disable saved passwords
> Configure a minimum TLS/SSL version
> Disable all third-party plugins
> Consider using a VPN or virtual machine for extra separation
Principle of Least Functionality
Don't give users tools they don't need
User Account Control (Windows)
- Keeps everyone on regular user level of access by default
- Prompts for consent before any action that requires admin rights
Securing common Windows programs 1. Outlook
> Install the latest updates, upgrade to a newer version of Office
> Use email whitelisting to filter out junk email
> Read email in text format instead of HTML
> Enable attachment blocking
> Use encryption - SPA (Secure Password Authentication), PGP, SSL
Securing common Windows programs 2. Word
> Use passwords for opening/modifying documents
> Read-only settings
> Digital certificates
Securing common Windows programs 3. Excel
> Password-protected worksheets, no macros
> Excel encryption
Mobile Applications
- Disable GPS
- Configure strong passwords
Server Applications - e.g. FTP, email, web, SQL database
- Change default username / passwords
- Don't consolidate multiple services onto a single machine
SDLC
(Software Development Life Cycle)
SDLC- Waterfall
> Traditional method
> Requirements are decided before development
SDLC- Agile
> RAD (Rapid Application Development) approach
> Relatively new; breaks development down into incremental changes
> Requires high dedication from members
SDLC- DevOps
> Deployment approach, often used together with the Agile method
- Secure code review
> In-depth code review for security bugs
> Performed before fuzzing or penetration testing
- Threat Modeling
> Identifying and prioritizing potential threats
- Common Security Principles
1. Least Privilege
2. Defense in Depth
3. Never trust user input
4. Minimizing attack surface
5. Secure defaults
6. Provide authenticity and integrity (program signatures)
7. Fail securely (error handling)
8. Thorough testing of security fixes and patches
White box vs Black box testing
> White box, black box, gray box, stress testing, pentesting, etc.
Compile time vs runtime errors
> Reminder that both software and hardware have runtime errors
> SEH (Structured Exception Handling) deals with both SW/HW exceptions
Static vs Dynamic code analysis
> Static: no code execution; examines source code with automated tools
> Dynamic: runtime examination of code behavior for bugs
* Fuzzing is a form of dynamic code analysis
Arbitrary and Remote Code Execution
> Threat: shellcode injection
> Defenses: strong input validation, fuzz testing