by Ron Lepofsky
The Manager’s Guide to Web Application Security: A Concise Guide to the Weaker Side of the Web
Cover
Title
Copyright
Dedication
Contents at a Glance
Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Understanding IT Security Risks
Web Application Security Terminology
Risk Calculation Models
DREAD
How to Calculate Web Application Security Risk
Standard Calculations
A Customized Approach
Calculating a Security Risk
Calculating Risk from Multiple Vulnerabilities for Any Asset
Calculating the Monetary Value at Risk for Any Asset
Sources of Web Application Security Vulnerability Information
Summary
Chapter 2: Types of Web Application Security Testing
Understanding the Testing Process
Web Application Audits
Vulnerability Assessment
Postremediation Testing
Important Report Deliverables for All Testing Reports
Summary
Chapter 3: Web Application Vulnerabilities and the Damage They Can Cause
Lack of Sufficient Authentication
Weak Password Controls
Passwords Submitted Without Encryption
Username Harvesting
Weak Session Management
Weak SSL Ciphers Support
Information Submitted Using the GET Method
Self-Signed Certificates, Insecure Keys, and Passwords
Username Harvesting Applied to Forgotten Password Process
Autocomplete Enabled on Password Fields
Session IDs Nonrandom and Too Short
Weak Access Control
Frameable Response (Clickjacking)
Cached HTTPS Response
Sensitive Information Disclosed in HTML Comments
HTTP Server Type and Version Number Disclosed
Insufficient Session Expiration
HTML Does Not Specify Charset
Session Fixation
Insecure Cookies
Weak Input Validation at the Application Level
Lack of Validated Input Allowing Automatic Script Execution
Unauthorized Access by Parameter Manipulation
Buffer Overflows
Forms Submitted Using the GET Method
Redirects and Forwards to Insecure Sites
Application Susceptible to Brute-Force Attacks
Client-Side Enforcement of Server-Side Security
Injection Flaws
SQL Injection
Blind SQL Injection
Link Injection
HTTP Header Injection Vulnerability
HTTP Response-Splitting Attack
Unauthorized View of Data
Web Application Source Code Disclosure
Web Directories Enumerated
Active Directory Object Default Page on Server
Temporary Files Left in the Environment
Internal IP Address Revealed by Web Server
Server Path Disclosed
Hidden Directory Detected
Unencrypted VIEWSTATE
Obsolete Web Server
Query Parameter in SSL Request
Error Handling
Cross-Site Scripting Attacks
Reflected Cross-Site Scripting Attack
Stored Cross-Site Scripting Attack
Cross-Site Request Forgery Attack
Security Misconfigurations and Use of Known Vulnerable Components
Denial-of-Service Attack
Related Security Issues
Storage of Data at Rest
Storage of Account Lists
Password Storage
Insufficient Patch Management
Summary
Chapter 4: Web Application Vulnerabilities and Countermeasures
Lack of Sufficient Authentication
Weak Password Controls
Passwords Submitted Without Encryption
Username Harvesting
Weak Session Management
Weak SSL Ciphers Support
Information Submitted Using the GET Method
Self-Signed Certificates, Insecure Keys, and Passwords
Username Harvesting Applied to Forgotten Password Process
Autocomplete Enabled on Password Fields
Session IDs Nonrandom and Too Short
Weak Access Control
Frameable Response (Clickjacking)
Cached HTTP Response
Sensitive Information Disclosed in HTML Comments
HTTP Server Type and Version Number Disclosed
Insufficient Session Expiration
HTML Does Not Specify Charset
Session Fixation
Insecure Cookies
Weak Input Validation at the Application Level
Lack of Validated Input Allowing Automatic Script Execution
Unauthorized Access by Parameter Manipulation
Buffer Overflows
Form Submitted Using the GET Method
Redirects and Forwards to Insecure Sites
Application Susceptible to Brute-Force Attacks
Client-Side Enforcement of Server-Side Security
Injection Flaws
SQL Injection
Blind SQL Injection
Link Injection
HTTP Header Injection Vulnerability
HTTP Response-Splitting Attack
Unauthorized View of Data
Web Application Source Code Disclosed
Web Directories Enumerated
Active Directory Object Default Page on Server
Temporary Files Left in the Environment
Internal IP Address Revealed by Web Server
Server Path Disclosed
Hidden Directory Detected
Unencrypted VIEWSTATE
Obsolete Web Server
Query Parameter in SSL Request
Error Handling
Cross-Site Scripting Attacks
Reflected Cross-Site Scripting Attack
Stored Cross-Site Scripting Attack
Cross-Site Request Forgery Attack
Security Misconfigurations and Using Known Vulnerable Components
Denial-of-Service Attack
Related Security Issues
Storage of Data at Rest
Storage of Account Lists
Password Storage
Insufficient Patch Management
Summary
Chapter 5: How to Build Preventative Countermeasures for Web Application Vulnerabilities
Security-in-Software-Development Life Cycle
Framework for Secure Web Application Code
Web Application Security Testing
Manual vs. Automated Code Testing
Multilayered Defense
Security Technology for Protecting Web Applications and Their Environments
Summary
Chapter 6: How to Manage Security on Applications Written by Third Parties
Transparency of Problem Resolution
Liability Insurance as Backup for Transparency of Problem Resolution
Change Management
Summary
Chapter 7: Integrating Compliance with Web Application Security
Regulations, Standards, and Expert Organization Recommendations
Government Regulations
Industry Standards
Recommendations from Expert Organizations
Financial Auditors’ Favorites
Leading Standards and Regulations
COBIT
COBIT 5 for IT Security
EI3PA and PCI DSS
ISO 27000
NIST
NERC CIP
Sarbanes-Oxley
Integrating Compliance and Security Reporting
Summary
Chapter 8: How to Create a Business Case for Web Application Security
Assessing the Risk
Identifying Risk and Its Business Impact
Estimating the Chance of Occurrence of Each Event
Qualitative and Quantitative Risk Analysis
Calculating Annual Loss Expectancy
Calculating the Cost of Prevention and Remediation
Calculating the Return on Security Investment
Creating the Business Case for Executives
Measuring and Cost-Justifying Residual Risk
Calculating Security Status and Residual Risk with a Monthly Security Health Score
How to Cost-Justify and Triage Vulnerabilities for Remediation
Noting the Difference Between Remediating and Fixing
Calculating the Cost of Mitigation
Measuring the Effectiveness of Mitigation
Determining Whether Return on Security Investment Objectives Are Met
Summary
Chapter 9: Parting Thoughts
Appendix A: COBIT® 5 for Information Security
F.3 Secure Development
Description of the Service Capability
Attributes
Goals
F.4 Security Assessments
Description of the Service Capability
Attributes
Goals
F.5 Adequately Secured and Configured Systems, Aligned With Security Requirements and Security Architecture
Description of the Service Capability
Attributes
Goals
F.6 User Access and Access Rights in Line With Business Requirements
Description of the Service Capability
Attributes
Goals
F.7 Adequate Protection Against Malware, External Attacks and Intrusion Attempts
Description of the Service Capability
Attributes
Goals
Appendix B: Experian EI3PA Security Assessment
Appendix C: ISO/IEC 17799:2005 and the ISO/IEC 27000:2014 Series
ISO/IEC 17799:2005
The ISO/IEC 27000:2014 Series
Appendix D: North American Electric Reliability Corporation Security Standard for Critical Infrastructure Protection (NERC CIP)
NERC CIP Standards Currently in Force
Future NERC CIP Standards
Future Standard CIP-007-5: Cyber Security — System Security Management
Requirement R1:
Requirement R2:
Requirement R3:
Requirement R4:
Requirement R5:
Rationale for R5:
Appendix E: NIST 800 Guidelines
Appendix F: Payment Card Industry (PCI) Data Security Standard Template for Report on Compliance for use with PCI DSS v3.0
Maintain a Vulnerability Management Program
Appendix G: Sarbanes-Oxley Security Compliance Requirements
Appendix H: Sources of Information
Index