Security Issues With Web Based Systems
Security Issues Web Based Systems
Security cannot be considered an add-on or an afterthought
Security must be integrated into the design
Security should use an algorithm based on a “denied unless specifically allowed” concept
Depending on security being applied outside of the application is insufficient
Any browser based system with a URL is public
Data in a URL is not secured
Hidden data may still be exposed with a limited search
Security should be applied to anything with value
Security should be viewed from a “thief’s” perspective
Security is limited to the “weakest link”
No security system is impregnable
Copyrights and other legal restrictions are weak restrictions
Security must be considered in all areas of a data stream
SSL and Web Security
Physical security of hardware must be considered
SQL Injection
• What is it?
• A malicious method to replace values sent to a SQL statement with values that cause another action
• Why does it happen?
• A value sent to a SQL statement is not tested for proper type or format
• No test is applied to verify the proper result from an action
SQL Injection
• Example
• A user name is sent to a page as userName=joe
• The page has a statement like
statement = "SELECT * FROM users WHERE userName = '" + userName + "';"
• An injection might send a value like userName = a' OR 't'='t
• This gives a statement of
statement = "SELECT * FROM users WHERE userName = 'a' OR 't'='t';"
• Instead of a specific record, it gives all records
• A test for the number of records returned would cause the injection to fail
SQL Injection
• Example
• An injection might send a value like
userName = a'; DROP TABLE users; SELECT * FROM data WHERE 't' = 't
• This gives a statement of
statement = "SELECT * FROM users WHERE userName = 'a'; DROP TABLE users; SELECT * FROM data WHERE 't' = 't';"
• Instead of a specific record, it drops the users table entirely and shows all values from the 'data' table
• A test for the proper format of 'userName' would have prevented the injection
SQL Injection
• Prevention
• Use arguments to pass values
UPDATE dbo.Insurance SET Zipcode = :new.Zipcode, Phone = :new.Phone WHERE IdInsurance = :old.IdInsurance
• :new.Zipcode, :new.Phone and :old.IdInsurance are Alpha arguments
• The method to set arguments will test for proper value type and format
• The actual SQL statement is fixed to use only the specified arguments
• Test the value type and format of any value sent to a statement
• If the value should just be a text string, reject any text containing any specific unexpected characters
• Test for the proper return values and actions
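The user-name lookup from the slides, worked through as an added example (not part of the original deck and not Alpha Five code): the concatenated statement is compared with the three preventions listed above, using Python's sqlite3 bound parameters as a stand-in for Alpha arguments and a constructed in-memory users table.

```python
import re
import sqlite3

# Constructed sample data standing in for the slides' "users" table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, fullName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("joe", "Joe Smith"), ("ann", "Ann Lee"), ("bob", "Bob Ray")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    # The pattern from the slides: the value is pasted into the statement text,
    # so a value such as  a' OR 't'='t  changes the WHERE clause itself.
    statement = "SELECT * FROM users WHERE userName = '" + user_name + "';"
    return conn.execute(statement).fetchall()

def lookup_with_argument(conn: sqlite3.Connection, user_name: str) -> list:
    # Prevention 1: the statement text is fixed and the value travels as an
    # argument, so the database only ever compares it as a string.
    return conn.execute("SELECT * FROM users WHERE userName = ?;", (user_name,)).fetchall()

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed policy for this example

def valid_user_name(user_name: str) -> bool:
    # Prevention 2: a user name is only letters, digits and underscore, so quotes,
    # spaces and semicolons are rejected before the value reaches SQL.
    return USERNAME_RE.fullmatch(user_name) is not None

def lookup_safe(conn: sqlite3.Connection, user_name: str) -> list:
    # All three preventions together: format test, fixed statement with an
    # argument, and a test on the number of records returned.
    if not valid_user_name(user_name):
        raise ValueError("user name contains unexpected characters")
    rows = lookup_with_argument(conn, user_name)
    if len(rows) > 1:
        raise RuntimeError("a user name lookup must return at most one record")
    return rows

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "joe"))            # one record
    print(lookup_vulnerable(db, "a' OR 't'='t"))   # every record: the injection worked
    print(lookup_with_argument(db, "a' OR 't'='t"))  # no record: compared as a plain string
    print(lookup_safe(db, "joe"))
```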
Alpha Five Web Security System
Alpha Five Web Security System
How Does it Work?
Alpha Five Web Security is an access control system
Deny unless authorized at the file (page) level
Checks every file request
It is not a data filtering system, although it can be used to create filters based on user roles
Security can be applied to a single file in the web project, any folder, or by file extension
Security can be applied to component elements and actions
Security is integrated into the server technology
The Alpha Five Web Security is highly configurable
Security data is saved in isolated data tables
Tables are published to the same folder as the web pages
The tables are not placed in the same location as other data tables
The server prevents direct access to the tables
The data in the tables on the server is not the same as the data shown in the desktop Users and Groups dialog
Security data can be linked to other user tables
The “ulink” field
The security session variable
All login processes and authorization processes are integrated into the system code and never exposed to the user
Configuring the Web Security
Entering initial values for users and groups
Setting permissions
Publishing the web security
Maintaining web security data
From the desktop
From the web
Web security Xbasic functions
Building a Web Security System