0% found this document useful (0 votes)

179 views12 pages

Web Application Security

The document discusses security goals and threats related to web applications. The goal of security is to maintain confidentiality, integrity, and availability of information. Common security threats include spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Various mitigation approaches are outlined such as authentication, encryption, access controls, and input validation to address these threats. The Open Web Application Security Project (OWASP) provides tools and resources to help developers secure web applications.

Uploaded by

Daffy Duck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

179 views12 pages

Web Application Security

Uploaded by

Daffy Duck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 12

Web Application Security

The Goal of Security

The goal of software security is to maintain the conﬁdentiality, integrity,
and availability of information resources in order to enable successful
business operations

This goal is accomplished through the implementation of security controls

The Goal of Security
Information is probably the most valuable item we now have

Malicious users are looking for ways to steal users’ data and identities by
sneaking into insecure applications
Security Attack Categories
Spooﬁng impersonating something or someone else

Tampering modifying something you’re not supposed to modify. It can

include packets on the wire (or wireless), bits on disk, or the bits in memory

Repudiation claiming you didn’t do something

Denial of Service attacks designed to prevent a system from providing

service, including by crashing it, making it unusably slow, or ﬁlling all its
storage
Security Attack Categories
Information Disclosure exposing information to people who are not
authorized to see it

Elevation of Privilege when a program or user is technically able to do things

that they’re not supposed to do
Threat Mitigation Approach
What can you do to prevent these attacks?

Threat Type Property Violated Mitigation Approach

Spooﬁng Authentication

Tampering Integrity

Repudiation Non-repudiation

Information Disclosure Conﬁdentiality

Denial of Service Availability

Elevation of Privilege Authorization

Threat Mitigation Approach
Threat Type Property Violated Mitigation Approach

Passwords, Multi-Factor
Spooﬁng Authentication
Authentication, Digital Signature

Tampering Integrity Permissions/ACLs, Digital Signature

Secure Logging and Auditing, Digital

Repudiation Non-repudiation
Signature

Information Disclosure Conﬁdentiality Encryption, Permissions/ACLs

Denial of Service Availability Quotas, Permissions/ACLs

Elevation of Privilege Authorization Permissions/ACLs, Input Validation

Open Web Application Security Project (OWASP)
The Open Web Application Security Project® (OWASP)

is a nonproﬁt foundation that works to improve the security of software

OWASP Foundation is the source for developers and technologists to

secure the web

OWASP provides

tools and resources

community and networking

education & training

Top 10 Web Application Security Risks
Comparing top 10 during 2017 and 2021

There are new risks in 2021

https://owasp.org/www-project-top-ten/
OWASP Secure Coding Checklist
Input Validation Data Protection

Output Encoding Communication Security

Authentication & Password Management System Conﬁguration

Session Management Database Security

Access Control File Management

Cryptographic Practices Memory Management

Error Handling & Logging

Security in NestJS
https://docs.nestjs.com/security
Further References
https://www.owasp.org/index.php/OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_P
roject
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practice
s_-_Quick_Reference_Guide
https://www.owasp.org/images/b/ba/Web_Application_Developmen
t_Dos_and_Donts.ppt

Asset Policy
100% (1)
Asset Policy
2 pages
HITRUST CSF Framework FAQ 9.6.0
No ratings yet
HITRUST CSF Framework FAQ 9.6.0
3 pages
IS.000 Enterprise Information Security Policy
No ratings yet
IS.000 Enterprise Information Security Policy
8 pages
Presentation LEGAL BASIS OF DRRM
No ratings yet
Presentation LEGAL BASIS OF DRRM
22 pages
Cox Quality Tech Solutions Incorporation
No ratings yet
Cox Quality Tech Solutions Incorporation
1 page
DORA - DORA Implementation Checklist
100% (1)
DORA - DORA Implementation Checklist
7 pages
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
No ratings yet
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
71 pages
Isms Certification Readiness Recheck Questionnaire
No ratings yet
Isms Certification Readiness Recheck Questionnaire
19 pages
Application Security & Code Review Guide
No ratings yet
Application Security & Code Review Guide
7 pages
Web Application Security
No ratings yet
Web Application Security
8 pages
Cloud Incident Response Guide
No ratings yet
Cloud Incident Response Guide
36 pages
Cybersecurity 101: Cyber Risks
No ratings yet
Cybersecurity 101: Cyber Risks
2 pages
CISO Proposal 23dec2015
No ratings yet
CISO Proposal 23dec2015
7 pages
Lumu Ransomware Response Playbook
100% (1)
Lumu Ransomware Response Playbook
10 pages
It Service Continuity Management Itscm
No ratings yet
It Service Continuity Management Itscm
4 pages
Incident Response. Computer Forensics Toolkit All
No ratings yet
Incident Response. Computer Forensics Toolkit All
13 pages
Risk MGMT For CComputing
No ratings yet
Risk MGMT For CComputing
24 pages
Cyhex VAPT Report
No ratings yet
Cyhex VAPT Report
6 pages
SOW Security
100% (2)
SOW Security
3 pages
Digital Forensics Analysis and Validation
No ratings yet
Digital Forensics Analysis and Validation
21 pages
Isc2 Cissp 1 13 1 Threat Modeling Concepts and Methodologies
No ratings yet
Isc2 Cissp 1 13 1 Threat Modeling Concepts and Methodologies
2 pages
Web App Security Audit Report
No ratings yet
Web App Security Audit Report
25 pages
Thesis Pentest-Methods Public
No ratings yet
Thesis Pentest-Methods Public
71 pages
Penetration Testing in The Cloud PDF
No ratings yet
Penetration Testing in The Cloud PDF
27 pages
Security Guidance For Critical Areas of Focus in Cloud Computing v5 Release Presentation
No ratings yet
Security Guidance For Critical Areas of Focus in Cloud Computing v5 Release Presentation
51 pages
Report Experts Guide To PAM Success - (P8-P21-Ex-P20)
No ratings yet
Report Experts Guide To PAM Success - (P8-P21-Ex-P20)
34 pages
Penetration Testing Report
No ratings yet
Penetration Testing Report
3 pages
Active Directory IT Audit Checklist 1711870611
No ratings yet
Active Directory IT Audit Checklist 1711870611
5 pages
Security Goals and Mechanisms
No ratings yet
Security Goals and Mechanisms
57 pages
Information Technology Policy Role-Based User Management
No ratings yet
Information Technology Policy Role-Based User Management
7 pages
Cyber Incident Response PDF
No ratings yet
Cyber Incident Response PDF
68 pages
A Physical Security Guide To Nerc Cip Compliance
No ratings yet
A Physical Security Guide To Nerc Cip Compliance
25 pages
Digital Security and Privacy: Presented By: Tanu Gupta Priyanka Gupta Nisha Yadav Shweta Nishad Riya Uttam
100% (2)
Digital Security and Privacy: Presented By: Tanu Gupta Priyanka Gupta Nisha Yadav Shweta Nishad Riya Uttam
27 pages
Azure Security Center Guide
No ratings yet
Azure Security Center Guide
256 pages
CIS Controls v8 Mapping To SOC2 1 2024
No ratings yet
CIS Controls v8 Mapping To SOC2 1 2024
144 pages
Threat Modeling and Risk Management
No ratings yet
Threat Modeling and Risk Management
13 pages
Pentesting Report
100% (2)
Pentesting Report
3 pages
Lecture 7 Incident Response
No ratings yet
Lecture 7 Incident Response
26 pages
How To Response Against Web Security Incident Signed
No ratings yet
How To Response Against Web Security Incident Signed
38 pages
CSF PF To Sp800 53r5 Mappings
No ratings yet
CSF PF To Sp800 53r5 Mappings
285 pages
Cyber+Capability+Toolkit+ +Cyber+Incident+Response+ +Phishing+Playbook+v2.3
No ratings yet
Cyber+Capability+Toolkit+ +Cyber+Incident+Response+ +Phishing+Playbook+v2.3
23 pages
Active Directory Security Assessment (ADSA)
No ratings yet
Active Directory Security Assessment (ADSA)
2 pages
2025 Ransomware Survival Guide
No ratings yet
2025 Ransomware Survival Guide
17 pages
Vulnerability Assessment Sample Report
100% (1)
Vulnerability Assessment Sample Report
120 pages
Nerc Cip
No ratings yet
Nerc Cip
30 pages
Software Security Maturity Guide
No ratings yet
Software Security Maturity Guide
32 pages
Security Audit Tools Guide
100% (1)
Security Audit Tools Guide
7 pages
Sample Network Vulnerability Assessment Report: Sales@purplesec - Us
No ratings yet
Sample Network Vulnerability Assessment Report: Sales@purplesec - Us
5 pages
Bastion Quickstart en
No ratings yet
Bastion Quickstart en
29 pages
Cyber Threats: A 2023 CISO Guide
No ratings yet
Cyber Threats: A 2023 CISO Guide
16 pages
2015 UW-Madison Cybersecurity Strategic Plan Final Jul-01-2015
No ratings yet
2015 UW-Madison Cybersecurity Strategic Plan Final Jul-01-2015
47 pages
Web Application Security Policy
No ratings yet
Web Application Security Policy
4 pages
Security Information and Event Management (SIEM)
No ratings yet
Security Information and Event Management (SIEM)
16 pages
Ebook Data Protection Disaster Recovery Enterprise Cloud
No ratings yet
Ebook Data Protection Disaster Recovery Enterprise Cloud
40 pages
Azure Security Benchmark Guide
No ratings yet
Azure Security Benchmark Guide
290 pages
Differentiating Between Access Control Terms
No ratings yet
Differentiating Between Access Control Terms
12 pages
Module 11: Security Testing and Assessment
No ratings yet
Module 11: Security Testing and Assessment
8 pages
User Access Management
No ratings yet
User Access Management
4 pages
Cybersecurity Sample 1
No ratings yet
Cybersecurity Sample 1
14 pages
OWASP Top 10 API Security Risks - 2023
No ratings yet
OWASP Top 10 API Security Risks - 2023
39 pages
Delinea Privileged Access Management Pam Checklist
100% (1)
Delinea Privileged Access Management Pam Checklist
14 pages
2 Principles and Concepts Data Security Upload
No ratings yet
2 Principles and Concepts Data Security Upload
39 pages
Cyber Security in Uk - 20250221 - 114348 - 0000
No ratings yet
Cyber Security in Uk - 20250221 - 114348 - 0000
11 pages
2022 Cybersecurity Survival Guide
No ratings yet
2022 Cybersecurity Survival Guide
52 pages
UNSC Placards
No ratings yet
UNSC Placards
30 pages
2.5.1 Information System Security
No ratings yet
2.5.1 Information System Security
32 pages
Hammad Resume
No ratings yet
Hammad Resume
2 pages
IT Security Management
No ratings yet
IT Security Management
7 pages
TOP密码增肥全量字典
No ratings yet
TOP密码增肥全量字典
45 pages
Security Convergence - Achieving Integrated Security 2022 Edition - Final
No ratings yet
Security Convergence - Achieving Integrated Security 2022 Edition - Final
35 pages
BAIS4103 Chapter One
No ratings yet
BAIS4103 Chapter One
34 pages
CMMI CP Model Development Approach
No ratings yet
CMMI CP Model Development Approach
15 pages
Incident Response and Digital Forensic
No ratings yet
Incident Response and Digital Forensic
6 pages
Cybersecurity MCQs
No ratings yet
Cybersecurity MCQs
49 pages
Security Survey Template
No ratings yet
Security Survey Template
20 pages
Small Unit Tactics Hanbook Ver 3
67% (3)
Small Unit Tactics Hanbook Ver 3
120 pages
Industrial Cybersecurity Synergy
No ratings yet
Industrial Cybersecurity Synergy
9 pages
Fast Lane - I2-CISSP
No ratings yet
Fast Lane - I2-CISSP
2 pages
Create Risk Management Plan
No ratings yet
Create Risk Management Plan
5 pages
UN Disarmament: China's Stance
No ratings yet
UN Disarmament: China's Stance
4 pages
19CS4602B
No ratings yet
19CS4602B
2 pages
Vels University Ethical Hacking
No ratings yet
Vels University Ethical Hacking
2 pages
Timeline
No ratings yet
Timeline
8 pages
Security Third From Last
No ratings yet
Security Third From Last
9 pages
ASLSK Index For ASL Players 80
No ratings yet
ASLSK Index For ASL Players 80
29 pages
Cyber Threat Intelligence PDF
No ratings yet
Cyber Threat Intelligence PDF
5 pages
SR26 Cyber Security
No ratings yet
SR26 Cyber Security
16 pages
Unit-4 (Digital Signature)
No ratings yet
Unit-4 (Digital Signature)
13 pages
Risks of Cybersecurity Within Aviation
No ratings yet
Risks of Cybersecurity Within Aviation
12 pages

Web Application Security

Uploaded by

Web Application Security

Uploaded by

Web Application Security

The Goal of Security

This goal is accomplished through the implementation of security controls

Tampering modifying something you’re not supposed to modify. It can

Repudiation claiming you didn’t do something

Denial of Service attacks designed to prevent a system from providing

Elevation of Privilege when a program or user is technically able to do things

Threat Type Property Violated Mitigation Approach

Information Disclosure Conﬁdentiality

Denial of Service Availability

Elevation of Privilege Authorization

Tampering Integrity Permissions/ACLs, Digital Signature

Secure Logging and Auditing, Digital

Information Disclosure Conﬁdentiality Encryption, Permissions/ACLs

Denial of Service Availability Quotas, Permissions/ACLs

Elevation of Privilege Authorization Permissions/ACLs, Input Validation

is a nonproﬁt foundation that works to improve the security of software

OWASP Foundation is the source for developers and technologists to

tools and resources

community and networking

education & training

There are new risks in 2021

Output Encoding Communication Security

Authentication & Password Management System Conﬁguration

Session Management Database Security

Access Control File Management

Cryptographic Practices Memory Management

Error Handling & Logging

You might also like