Security Issues With Web Based Systems

Transcript of Security Issues With Web Based Systems

Page 1: Security Issues With Web Based Systems

Page 2: Security Issues Web Based Systems

Security can not be considered an add-on or afterthought

Security must be integrated into the design

Security should use an algorithm based on a “denied unless specifically allowed” concept

Page 3: Security Issues Web Based Systems

Depending on security being applied outside of the application is insufficient

Any browser based system with a URL is public

Data in a URL is not secured

Hidden data may still be exposed with a limited search

Page 4: Security Issues Web Based Systems

Security should be applied to anything with value

Security should be viewed from a “thief’s” perspective

Security is limited to the “weakest link”

No security system is impregnable

Copyrights and other legal restrictions are weak restrictions

Page 5: Security Issues Web Based Systems

Security must be considered in all areas of a data stream

SSL and Web Security

Physical security of hardware must be considered

Page 6: Security Issues Web Based Systems

SQL Injection

• What is it?

• Malicious method to replace values sent to a SQL statement with values that cause another action.

• Why does it happen?

• A value sent to a SQL statement is not tested for proper type or format

• No test is applied to verify the proper result from an action

Page 7: Security Issues Web Based Systems

SQL Injection

• Example

• A user name is sent to a page as userName=joe

• The page has a statement like statement = "SELECT * FROM users WHERE userName = '" + userName + "';"

• An injection might send a value like userName = a' OR 't'='t

• This gives a statement of statement = "SELECT * FROM users WHERE userName = 'a' OR 't'='t';"

• Instead of a specific record, it gives all records

• A test for the number of records returned would cause the injection to fail

Page 8: Security Issues Web Based Systems

SQL Injection

• Example

• An injection might send a value like userName = a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

• This gives a statement of statement = "SELECT * FROM users WHERE userName = 'a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';"

• Instead of a specific record, it drops the users table entirely and shows all values from the 'data' table

• A test for the proper format of 'userName' would have prevented the injection.

Page 9: Security Issues Web Based Systems

SQL Injection

• Prevention

• Use arguments to pass values: UPDATE dbo.Insurance SET Zipcode = :new.Zipcode, Phone = :new.Phone WHERE IdInsurance = :old.IdInsurance

• :new.Zipcode, :new.Phone and :old.IdInsurance are Alpha arguments

• The method to set arguments will test for proper value type and format

• The actual SQL statement is fixed to use only the specified arguments

• Test the value type and format of any value sent to a statement

• If the value should just be a text string, reject any text containing any specific unexpected characters

• Test for the proper return values and actions
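Pages 7 to 9 as a runnable example, added here and not part of the original slides or of Alpha Five: the concatenated statement from page 7 beside the argument-based form from page 9, with the format test and the record-count test the slides recommend. The table contents and the user-name pattern are constructed, and Python's sqlite3 stands in for the database.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: three users in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("joe", "user"), ("ann", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, userName):
    # Page 7 as written: the value becomes part of the SQL text, so
    # userName = "a' OR 't'='t" turns the WHERE clause into a tautology.
    statement = "SELECT * FROM users WHERE userName = '" + userName + "';"
    return conn.execute(statement).fetchall()


# Assumed format rule for a user name: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(userName):
    # Page 9: reject any text containing unexpected characters (quotes, ';', spaces).
    return USERNAME_RE.match(userName) is not None


def lookup_safe(conn, userName):
    # 1. Test the value's type and format before it goes anywhere near SQL.
    if not is_valid_username(userName):
        raise ValueError("userName has an unexpected format")
    # 2. Pass the value as an argument; the SQL text itself is fixed.
    rows = conn.execute("SELECT * FROM users WHERE userName = ?;",
                        (userName,)).fetchall()
    # 3. Test the result: a lookup by user name must return at most one record.
    if len(rows) > 1:
        raise RuntimeError("lookup returned more than one record")
    return rows
```

sqlite3's execute() also refuses the stacked statement from page 8 on its own, since it runs one statement per call; that is a property of this driver, not a substitute for the three tests above.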

Page 10: Alpha Five Web Security System

Page 11: Alpha Five Web Security System

Alpha Five Web Security is an access control system

Deny unless authorized at the file (page) level

Checks every file request

It is not a data filtering system, although it can be used to create filters based on user roles

Security can be applied to a single file in the web project, any folder, or by file extension

How Does it Work?
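A default-deny, file-level check of the kind page 11 describes, added here as an illustration in Python; it is not Alpha Five's code. The rule table, the paths and the .a5w extension are constructed, and the precedence (exact file, then folder, then extension) and the path normalization are assumptions of this example.

```python
# Constructed policy: each rule names a single file, a folder, or a file
# extension, plus the roles allowed to request it. A request that no rule
# matches is denied (deny unless specifically allowed).
RULES = [
    ("file", "admin/users.a5w", {"admin"}),
    ("folder", "admin/", {"admin"}),
    ("folder", "reports/", {"admin", "staff"}),
    ("ext", ".a5w", {"admin", "staff", "member"}),
    ("file", "index.html", {"anonymous", "admin", "staff", "member"}),
]


def normalize(request_path):
    # Collapse "." and ".." segments so a request cannot step around a
    # folder rule by spelling the same file a different way.
    parts = []
    for seg in request_path.strip("/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)


def _matches(kind, pattern, path):
    if kind == "file":
        return path == pattern
    if kind == "folder":
        return path.startswith(pattern)
    if kind == "ext":
        return path.endswith(pattern)
    return False


def is_allowed(request_path, roles):
    """Every file request is checked; the most specific matching rule decides."""
    path = normalize(request_path)
    for kind in ("file", "folder", "ext"):  # assumed precedence order
        for rule_kind, pattern, allowed in RULES:
            if rule_kind == kind and _matches(kind, pattern, path):
                return bool(allowed & set(roles))
    return False  # no rule matched: denied
```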

Page 12: Alpha Five Web Security System

Security can be applied to component elements and actions

Security is integrated into the server technology

The Alpha Five Web Security is highly configurable

How Does it Work?

Page 13: Alpha Five Web Security System

Security data is saved in isolated data tables

Tables are published to the same folder as the web pages

The tables are not placed in the same location as other data tables

The server prevents direct access to the tables

The data in the tables on the server is not the same as the data shown in the desktop Users and Groups dialog

How Does it Work?

Page 14: Alpha Five Web Security System

Security data can be linked to other user tables

The “ulink” field

The security session variable

All login processes and authorization processes are integrated into the system code and never exposed to the user

How Does it Work?

Page 15: Alpha Five Web Security System

Configuring the Web Security

Entering initial values for users and groups

Setting permissions

Publishing the web security

Maintaining web security data

From the desktop

From the web

Web security xbasic functions

Building a Web Security System

Page 16: Alpha Five Web Security System