0% found this document useful (0 votes)

111 views

Web Application Security

The document discusses security goals and threats related to web applications. The goal of security is to maintain confidentiality, integrity, and availability of information. Common security threats include spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Various mitigation approaches are outlined such as authentication, encryption, access controls, and input validation to address these threats. The Open Web Application Security Project (OWASP) provides tools and resources to help developers secure web applications.

Uploaded by

Daffy Duck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

111 views

Web Application Security

Uploaded by

Daffy Duck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 12

Web Application Security

The Goal of Security

The goal of software security is to maintain the conﬁdentiality, integrity,
and availability of information resources in order to enable successful
business operations

This goal is accomplished through the implementation of security controls

The Goal of Security
Information is probably the most valuable item we now have

Malicious users are looking for ways to steal users’ data and identities by
sneaking into insecure applications
Security Attack Categories
Spooﬁng impersonating something or someone else

Tampering modifying something you’re not supposed to modify. It can

include packets on the wire (or wireless), bits on disk, or the bits in memory

Repudiation claiming you didn’t do something

Denial of Service attacks designed to prevent a system from providing

service, including by crashing it, making it unusably slow, or ﬁlling all its
storage
Security Attack Categories
Information Disclosure exposing information to people who are not
authorized to see it

Elevation of Privilege when a program or user is technically able to do things

that they’re not supposed to do
Threat Mitigation Approach
What can you do to prevent these attacks?

Threat Type Property Violated Mitigation Approach

Spooﬁng Authentication

Tampering Integrity

Repudiation Non-repudiation

Information Disclosure Conﬁdentiality

Denial of Service Availability

Elevation of Privilege Authorization

Threat Mitigation Approach
Threat Type Property Violated Mitigation Approach

Passwords, Multi-Factor
Spooﬁng Authentication
Authentication, Digital Signature

Tampering Integrity Permissions/ACLs, Digital Signature

Secure Logging and Auditing, Digital

Repudiation Non-repudiation
Signature

Information Disclosure Conﬁdentiality Encryption, Permissions/ACLs

Denial of Service Availability Quotas, Permissions/ACLs

Elevation of Privilege Authorization Permissions/ACLs, Input Validation

Open Web Application Security Project (OWASP)
The Open Web Application Security Project® (OWASP)

is a nonproﬁt foundation that works to improve the security of software

OWASP Foundation is the source for developers and technologists to

secure the web

OWASP provides

tools and resources

community and networking

education & training

Top 10 Web Application Security Risks
Comparing top 10 during 2017 and 2021

There are new risks in 2021

https://owasp.org/www-project-top-ten/
OWASP Secure Coding Checklist
Input Validation Data Protection

Output Encoding Communication Security

Authentication & Password Management System Conﬁguration

Session Management Database Security

Access Control File Management

Cryptographic Practices Memory Management

Error Handling & Logging

Security in NestJS
https://docs.nestjs.com/security
Further References
https://www.owasp.org/index.php/OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_P
roject
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practice
s_-_Quick_Reference_Guide
https://www.owasp.org/images/b/ba/Web_Application_Developmen
t_Dos_and_Donts.ppt

VAPT AGREEMENT
No ratings yet
VAPT AGREEMENT
5 pages
Sectrio NIST CSF 20 Audit
No ratings yet
Sectrio NIST CSF 20 Audit
89 pages
Jim Jordan Threatens Jack Smith
100% (2)
Jim Jordan Threatens Jack Smith
3 pages
Konecranes Brochure CLX Chain Hoist Crane en 2014 2
No ratings yet
Konecranes Brochure CLX Chain Hoist Crane en 2014 2
12 pages
DLP Plan Final Signed
No ratings yet
DLP Plan Final Signed
9 pages
Developing A Database Security Plan
100% (1)
Developing A Database Security Plan
13 pages
Dornier UroPulse Brochure
0% (1)
Dornier UroPulse Brochure
4 pages
CISO Proposal 23dec2015
No ratings yet
CISO Proposal 23dec2015
7 pages
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
7 pages
Dvwa Report
No ratings yet
Dvwa Report
10 pages
Checkpoint Firewall Audit Program
No ratings yet
Checkpoint Firewall Audit Program
12 pages
STANDARD Database Security Template en
100% (1)
STANDARD Database Security Template en
9 pages
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
No ratings yet
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
71 pages
6-Web Application Security
No ratings yet
6-Web Application Security
36 pages
CCNA Sec 02
No ratings yet
CCNA Sec 02
36 pages
Cybersecurity Sample 1
No ratings yet
Cybersecurity Sample 1
14 pages
CISSP-Identity and Access Management
No ratings yet
CISSP-Identity and Access Management
4 pages
Ponemon Report The Economics of Security Operations Centers
No ratings yet
Ponemon Report The Economics of Security Operations Centers
32 pages
2025_Ransomware_Survival_Guide
No ratings yet
2025_Ransomware_Survival_Guide
17 pages
BSIMM V Activities
No ratings yet
BSIMM V Activities
32 pages
Web Application Security Scanning Flow
No ratings yet
Web Application Security Scanning Flow
20 pages
CISO Mindmap 2022 No Headings
No ratings yet
CISO Mindmap 2022 No Headings
1 page
AWS Case Study JG Hosiery
No ratings yet
AWS Case Study JG Hosiery
3 pages
Secure by Design
No ratings yet
Secure by Design
36 pages
SOW Security
100% (2)
SOW Security
3 pages
Top SIEM Use Cases Derbycon 09232016
No ratings yet
Top SIEM Use Cases Derbycon 09232016
29 pages
FOR One API Security Testing Training For Bug Hunters and InfoSec
No ratings yet
FOR One API Security Testing Training For Bug Hunters and InfoSec
7 pages
Active Directory Penetration Testing Procedure
No ratings yet
Active Directory Penetration Testing Procedure
2 pages
RFP For Office 365 Email Security Solutions Including Email Gateway, Email DLP and Email ATP
No ratings yet
RFP For Office 365 Email Security Solutions Including Email Gateway, Email DLP and Email ATP
68 pages
Deep Security 20 Administration Guide
No ratings yet
Deep Security 20 Administration Guide
1,837 pages
Introduction to Network Security Theory and Practice Second Edition Kissel - The latest updated ebook version is ready for download
100% (1)
Introduction to Network Security Theory and Practice Second Edition Kissel - The latest updated ebook version is ready for download
57 pages
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 On AWS
No ratings yet
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 On AWS
29 pages
Pentestreport Romio
No ratings yet
Pentestreport Romio
72 pages
Penetration Testing and Mitigation of Vulnerabilities Windows Server
No ratings yet
Penetration Testing and Mitigation of Vulnerabilities Windows Server
13 pages
FedRAMP Security Controls Preface
No ratings yet
FedRAMP Security Controls Preface
2 pages
Report Experts Guide To PAM Success - (P8-P21-Ex-P20)
No ratings yet
Report Experts Guide To PAM Success - (P8-P21-Ex-P20)
34 pages
RSL SecureCodeReview Example Report
No ratings yet
RSL SecureCodeReview Example Report
28 pages
SEC450 W7 ILab SEC450 W7 Network Vulnerability Case Study Instructions
0% (1)
SEC450 W7 ILab SEC450 W7 Network Vulnerability Case Study Instructions
2 pages
Cyber Exposure Management Obooko
No ratings yet
Cyber Exposure Management Obooko
22 pages
Cyber Boot Camp - Day 05 - Cyber Security Framework
No ratings yet
Cyber Boot Camp - Day 05 - Cyber Security Framework
3 pages
Information Security Management and Metrics
No ratings yet
Information Security Management and Metrics
30 pages
Vision One - Endpoint Security - Datasheet
No ratings yet
Vision One - Endpoint Security - Datasheet
3 pages
Cyber+Capability+Toolkit+ +Cyber+Incident+Response+ +Phishing+Playbook+v2.3
No ratings yet
Cyber+Capability+Toolkit+ +Cyber+Incident+Response+ +Phishing+Playbook+v2.3
23 pages
Cyber Security Reference Guide
No ratings yet
Cyber Security Reference Guide
14 pages
Security Zero Trust
No ratings yet
Security Zero Trust
1,170 pages
Bru Cyber Security Checklist
No ratings yet
Bru Cyber Security Checklist
12 pages
Cybersecurity Incident Response Plans
No ratings yet
Cybersecurity Incident Response Plans
70 pages
Cloud Security Posture Management - Why You - Cloud Security Alliance PDF
No ratings yet
Cloud Security Posture Management - Why You - Cloud Security Alliance PDF
7 pages
Cyber Security 24
No ratings yet
Cyber Security 24
10 pages
2015 UW-Madison Cybersecurity Strategic Plan Final Jul-01-2015
No ratings yet
2015 UW-Madison Cybersecurity Strategic Plan Final Jul-01-2015
47 pages
type of Log Monitoring in SOC
No ratings yet
type of Log Monitoring in SOC
36 pages
Enterprise DLP As A Program - Phase 1: Project Charter: Whitepaper
0% (1)
Enterprise DLP As A Program - Phase 1: Project Charter: Whitepaper
6 pages
2022 - Unit42 - Incident Response Report
No ratings yet
2022 - Unit42 - Incident Response Report
52 pages
AnsibleAutomates AnsibleForSecurityAutomation
No ratings yet
AnsibleAutomates AnsibleForSecurityAutomation
38 pages
Qadeer Arbab (MS-IS-074) Waqas Syed Mubbashir Mahmood (MS-IS-070)
100% (2)
Qadeer Arbab (MS-IS-074) Waqas Syed Mubbashir Mahmood (MS-IS-070)
24 pages
Endpoint Security - Best Practice
No ratings yet
Endpoint Security - Best Practice
13 pages
USER ACCESS MANAGEMENT
No ratings yet
USER ACCESS MANAGEMENT
4 pages
Defense in Depth PDF
No ratings yet
Defense in Depth PDF
9 pages
Information Security BDCR Plan DRAFT Nov 2019
No ratings yet
Information Security BDCR Plan DRAFT Nov 2019
11 pages
Planning For Information Security Testing - Joa - Eng - 0916
No ratings yet
Planning For Information Security Testing - Joa - Eng - 0916
10 pages
Owasp Api Security Checklist - Updated
100% (1)
Owasp Api Security Checklist - Updated
13 pages
Network Security Complete Self-Assessment Guide
From Everand
Network Security Complete Self-Assessment Guide
Gerardus Blokdyk
No ratings yet
Social Science
No ratings yet
Social Science
2 pages
Practice Test For Banking Exam - Part 5
No ratings yet
Practice Test For Banking Exam - Part 5
18 pages
Data Reveals Pharma Industry Not Connecting With Social Media
No ratings yet
Data Reveals Pharma Industry Not Connecting With Social Media
8 pages
All About CNG
100% (2)
All About CNG
20 pages
9 Arduino Tutorials For Grove Starter KIT 11 Steps - Instructables
No ratings yet
9 Arduino Tutorials For Grove Starter KIT 11 Steps - Instructables
32 pages
CDPPT Functionalities
No ratings yet
CDPPT Functionalities
5 pages
F013
No ratings yet
F013
2 pages
Reflection Essay
No ratings yet
Reflection Essay
3 pages
4-Planning Tools & Techniques
No ratings yet
4-Planning Tools & Techniques
17 pages
Eucoseal
No ratings yet
Eucoseal
1 page
Hotel Rahul Jabalpur
No ratings yet
Hotel Rahul Jabalpur
1 page
CCST Conversions Document
0% (1)
CCST Conversions Document
5 pages
Water: A Novel, Coupled CFD-DEM Model For The Flow Characteristics of Particles Inside A Pipe
No ratings yet
Water: A Novel, Coupled CFD-DEM Model For The Flow Characteristics of Particles Inside A Pipe
23 pages
(Ebook) Microsoft .NET Remoting by Kim Williams ISBN 9780735617780, 0735617783 2024 Scribd Download
100% (4)
(Ebook) Microsoft .NET Remoting by Kim Williams ISBN 9780735617780, 0735617783 2024 Scribd Download
81 pages
Datasheet - 7905
No ratings yet
Datasheet - 7905
2 pages
Swat Analysis
No ratings yet
Swat Analysis
12 pages
Burns and The Physiotherapist: Royal Melbourne Hospital
No ratings yet
Burns and The Physiotherapist: Royal Melbourne Hospital
5 pages
Neb Extraordinary Circumstances List Version 1
No ratings yet
Neb Extraordinary Circumstances List Version 1
7 pages
112-2 搭配詞整理.xlsx - L7
No ratings yet
112-2 搭配詞整理.xlsx - L7
1 page
Animation
No ratings yet
Animation
8 pages
Last Quarter On 1 August 2002 Thursday
No ratings yet
Last Quarter On 1 August 2002 Thursday
1 page
Reading For Pleasure
No ratings yet
Reading For Pleasure
28 pages
Q3e LS5 U01A Student
No ratings yet
Q3e LS5 U01A Student
9 pages
Otago 649834
No ratings yet
Otago 649834
27 pages
4.display Case
No ratings yet
4.display Case
2 pages
Free Download: Modelling Flexible Pavement Response and Performance by Per Ullidtz
No ratings yet
Free Download: Modelling Flexible Pavement Response and Performance by Per Ullidtz
6 pages
Design of Cold Storage Structure For Thousand PDF
No ratings yet
Design of Cold Storage Structure For Thousand PDF
8 pages