Database Security – Issues and Best PracticesOutline

Database Security – Issues and Best Practices
Outline
• Intro to Database Security
•Need for Database Security
•Database Security Fundamentals
•Database Security Issues
• OWASP Top 10 – A1:2017– Injection
• OWASP Top 10 – A3:2017– Sensitive Data Exposure
•Attacks against Database Security Mechanisms
•Database Security Best Practices
2
Intro to Database Security
3
Intro to Database Security
• How does a web application work?

4
Client
Server
Involves
databases
Intro to Database Security (contd.)
•Database
• A database is “an organized collection of structured
information, or
data, typically stored electronically in a computer system”
• It includes: the data, the DBMS, & applications that use them
•Database Management Systems (DBMS):
• DBMS serve “as an interface between the database and its end
users or programs, allowing users to retrieve, update, and
manage
how the information is organized and optimized”
5
Source: What is a Database – Oracle –
https://www.oracle.com/database/what-is-database.html

•Database Management Systems (DBMS) (continued):
• DBMS also facilitate “oversight and control of databases,
enabling a
variety of administrative operations such as performance
monitoring, tuning, and backup and recovery”
• Types:
• Relational, Object-Oriented, Distributed, Data Warehouses,
Open Source,
Cloud, Autonomous, etc.
• Examples:
• Oracle, SQL Server, MySQL, Microsoft Access, MariaDB,
PostgreSQL, etc.
6
Source: What is a Database – Oracle –
https://www.youtube.com/watch?v=_p00AzHE5U4
•Database Tutorial for Beginners – Lucidchart
7
Source: Lucidchart – Database Tutorial for Beginners –
https://www.youtube.com/watch?v=wR0jg0eQsZA
https://www.youtube.com/watch?v=wR0jg0eQsZA

•Database security refers to “the range of tools, controls, and
measures designed to establish and preserve database
confidentiality, integrity, and availability” (IBM, 2019)
•Database security involves protection of
• The data in the database
• The database management system (DBMS) itself
• Any associated applications (including web applications)
• The physical and/or virtual database server farms and their
underlying hardware
• The computing and/or network infrastructure used to
access
the database (IBM, 2019)
8
https://www.ibm.com/cloud/learn/database-security
•Database security involves securing data
• At rest
• Using techniques such as encryption
• Example: Amazon RDS uses 256-bit Advanced Encryption
Standard (AES) for
securing database instances, automated backups, and snapshots
at rest
• In flight
• Using protocols such as Transport Layer Security (TLS)
• Example: Amazon RDS uses TLS from the web application to
encrypt a

connection to a database instance running MySQL, MariaDB,
SQL Server,
Oracle, or PostgreSQL to protect data in flight
9
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds
-ug.pdf
Need for Database Security
10
Need for Database Security
•As per Oracle (2022):
• Data breaches are “happening everywhere these days, and
hackers
are getting more inventive. It’s more important than ever to
ensure
that data is secure but also easily accessible to users”
•As per IBM (2019):
• The consequences of data breaches include the following:
• Compromised intellectual property
• Damaged brand reputation
• Loss of business continuity
• Fines or penalties for non-compliance
• Expenses related to repairing breaches
11

Need for Database Security (contd.)
•As per the IBM (2021) Cost of a Data Breach Report:
• The average total cost of a data breach in 2021 was $4.24M
• The highest country average cost of a data breach was $9.05M
for
U.S.
• The highest industry average cost of a data breach was $9.23M
(healthcare)
• The cost per lost or stolen record was $161
• The time to identify and contain a data breach was 287 days
12
https://www.ibm.com/downloads/cas/OJDVQGRY
•As per IBM (2021), the four cost components are:
13
https://www.ibm.com/downloads/cas/RDEQK07R
• Data breaches typically involve unauthorized access of
company
databases (Privacy Rights Clearinghouse, 2020)

14
https://privacyrights.org/data-breaches
Database Security Fundamentals
15
Database Security Fundamentals
•Oracle Database Security – Oracle France
Source: Oracle France – Database Security –
https://www.youtube.com/watch?v=GXF3T4g2tJg
16
https://www.youtube.com/watch?v=GXF3T4g2tJg
Database Security Fundamentals (contd.)
•As per Oracle (2021), effective database security involves
using the following powerful preventive and detective
security controls:
• Transparent Data Encryption (TDE)
• Encryption key management
• Privileged user and multifactor access control
• Data classification and discovery
• Database activity monitoring and blocking
• Consolidated auditing and reporting
• Data masking
17

https://download.oracle.com/database/oracle-database-security-
primer.pdf
•Transparent Data Encryption (TDE)
• Helps prevent attacks that attempt to bypass the database and
read
sensitive information from data files at the operating system
level,
from database backups, or from database exports by encrypting
data in the database layer
18
https://www.oracle.com/a/tech/docs/dbsec/aso/advanced-
security-wp-19c.pdf
•Transparent Data Encryption (TDE) (continued)
• It is transparent because the encryption and decryption
processes
do not require any application changes, and the application
users do
not have to directly deal with encrypted data
• It supports tablespace encryption and column encryption
19

•Encryption Key Management
• TDE uses a two-tier key management architecture
• Consists of data encryption keys and a master encryption key
• Enables rotation of master keys without having to re-encrypt
all of the
sensitive data
• Oracle Database 18c introduced support for Bring Your Own
Key (BYOK)
• Data encryption keys
• Are managed automatically by the database
• The master encryption key
• Is used to encrypt the data encryption keys
• Is stored and managed outside of the database within an
Oracle Wallet or in
an Oracle Key Vault
20
https://www.oracle.com/a/tech/docs/dbsec/aso/advanced-
security-wp-19c.pdf
•Privileged User and Multifactor Access Control – Oracle
Database Vault
Source: Oracle – Database Vault –
https://www.youtube.com/watch?v=AomjVCdUp6k

21
https://www.oracle.com/database/technologies/security/db-
vault.html
https://www.youtube.com/watch?v=AomjVCdUp6k
•Data Classification and Discovery
• Oracle Label Security enforces data access requirements and
records data classification levels at the database row level
• Automated discovery of sensitive columns and parent-child
relationships
• The discovery process uses built-in extensible patterns such as
credit card numbers and national identifiers to check metadata
and
column data to identify sensitive columns
• The discovery results are stored as an application data model,
which
is reusable across multiple databases
22
https://www.oracle.com/a/tech/docs/dbsec/dms/oracle-dms-data-
sheet-2019.pdf
https://www.oracle.com/database/technologies/security/label -
security.html

•Database Activity Monitoring and Blocking
• Oracle Database Firewall provides a first line of defense for
databases
23
https://www.oracle.com/technetwork/products/audit-
vault/downloads/ds-security-avdf-4412080.pdf
•Consolidated Auditing and Reporting
• Oracle Audit Vault consolidates audit data from databases,
operating systems, and directories
24
https://www.oracle.com/technetwork/products/audit-
vault/downloads/ds-security-avdf-4412080.pdf
•Data Masking
• Oracle Data Masking provides a flexible option to discover,
mask
and subset sensitive data, enabling the data to be safely shared
across non-production environments
• Non-production environments such as test and development
systems are the potential targets for a cyber attack as they

generally
contain copies of production data
• Compliance costs are lowered as masked non-production
databases
are out of the scope for the audit teams
• Sensitive data such as credit card numbers, national
identifiers, and
other personally identifiable information (PII) can be masked
using
predefined masking formats
25
https://www.oracle.com/security/database-security/data-
masking/
sheet-2019.pdf
Database Security Issues
26
Database Security Issues
•Specific database security issues include:
• Cloud database configuration errors
• SQL injection
• Weak authentication
• Privilege abuse / excessive privileges
• Inadequate logging / weak auditing /
• Unpatched services
• Insecure system architecture

• Inadequate backups
Source: BCS.org – The Chartered Institute for IT –
https://www.bcs.org/articles-opinion-and-research/top-ten-
database-
attacks
27
https://www.bcs.org/articles-opinion-and-research/top-ten-
database-attacks
Database Security Issues (contd.)
•OWASP Top 10 – A1:2017–Injection
Source: OWASP Top 10 2017 A1-Injection –
https://owasp.org/www-project-top-ten/2017/A1_2017-
Injection.html
28
Injection.html
Database Security Issues (contd.)•Common database security
vulnerabilities:
Source: OWASP Top 10 2017 A1-Injection –
Injection.html
29

Injection.html
•OWASP Top 10: SQL Injection – Security Innovation
Source: Security Innovation – OWASP Top 10: SQL Injection –
https://www.youtube.com/watch?v=X34cKt8RfJs
30
https://www.youtube.com/watch?v=X34cKt8RfJs
•OWASP Top 10 – A3:2017–Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
Sensitive_Data_Exposure
31
•Common database security vulnerabilities:

32
Database Security Attacks
33
Database Security Attacks
•Most common database security attacks include:
Source: OWASP – Attacks –
https://owasp.org/www-community/attacks/
Attack Type Description
SQL Injection An untrusted source uses an application’s user
input features to enter data that is
used to dynamically construct a SQL query to read sensitive
database data
Denial of Service Storing too much information in a user
session object, such as large quantities of
data retrieved from the database, can cause DoS issues
Brute Force The attacker makes requests to a server using pre-
configured values and then
analyzes the response

Ransomware The attacker encrypts and locks the victim’s data
and then demands a ransom to
unlock and decrypt the data
34
https://owasp.org/www-community/attacks/SQL_Injection
https://owasp.org/www-community/attacks/Denial_of_Service
https://owasp.org/www-community/attacks/Brute_force_attack
http://owasp-stl.org/guides/owasp_ransomware.pdf
Database Security Attacks (contd.)
•As per IBM (2022), some of the most common database
security attacks include:
Insider Threats Abuse of privileged access by a malicious
insider, a negligent insider, or an
infiltrator
Human Error Accidents, weak passwords, password sharing, and
other
unwise or uninformed user behaviors
SQL Injection Insertion of arbitrary SQL attack strings into
database queries served by web
applications
Buffer Overflow A process attempts to write more data to a
fixed-length block of memory than it is
allowed to hold

35
https://www.w3schools.com/sql/sql_injection.asp
Database Security Attacks (contd.)
•Common database security attacks (continued):
Source: IBM – Database Security: An Essential Guide –
DoS/DDoS The attacker floods the database server with so
many requests that the server can
no longer fulfil legitimate requests from actual users
Malware Software written specifically to exploit vulnerabilities
or
otherwise cause damage to the database
Attacks on Backups Organizations fail to protect backup data
with the same stringent controls used to
protect the database itself
36
Database Security
Best Practices
37

Database Security Best Practices
•OWASP recommends the following best practices:
• Connect to the database securely
• Prevent unencrypted traffic at the transport layer
• Configure databases to always require authentication
• Never store database credentials in the application source code
especially if they are unencrypted
• Apply the principle of least privilege to the permissions
assigned to
database user accounts
• Harden the underlying operating system for the database
server
Source: OWASP – Database Security Cheat Sheet –
https://cheatsheetseries.owasp.org/cheatsheets/Database_Securit
y_Che
at_Sheet.html
38
https://cheatsheetseries.owasp.org/cheatsheets/Database_Securit
y_Cheat_Sheet.html
Database Security Best Practices (contd.)
•Best practices to secure databases (as per IBM):
• Consider physical security if the database is not in the cloud
• Restrict number of users, their permissions, and network
access to the

minimum levels necessary
• Focus on end user account/device security
• Use best-in-class encryption to protect the data while at rest
and in transit
• Keep the DBMS version up to date and apply patches as soon
as they are
issued
• Use best practices for application/web server security
• Secure backups / log all operations / perform audi ts regularly
Source: IBM – Database Security: An Essential Guide –
39
Database Security Best Practices (contd.)
•Use the following database security best practices:
• Best practices to protect against SQL Injection:
• Primary defenses:
• Use prepared statements with parameterized queries
• Use stored procedures
• Allow-list input validation
• Escape all user supplied input
• Additional defenses:
• Enforce least privilege
• Perform allow-list input validation as a secondary defense
Source: OWASP – SQL Injection Prevention Cheat Sheet –
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_P
reve

ntion_Cheat_Sheet.html
40
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_P
revention_Cheat_Sheet.html
Recap
• Database security issues continue to be among the OWASP
Top 10 list
of web application security risks
• This is due to weaknesses in database mechanisms such as
dynamic
queries, input validation, key management, access control,
configuration, logging, auditing, backups, etc.
• Hackers are able to exploit the weaknesses using attacks such
as SQL
injection, DoS, brute force, ransomware, etc.
• Best practices to protect databases include understanding what
types
of data needs to be protected, understanding regulatory
compliance,
discovering/classifying databases based on data sensitivity,
using data
masking, monitoring, auditing, encryption, access control,
parameterized queries, stored procedures, allow-list input
validation,
hardening, etc.
41

sheet-2019.pdf
Thank you!!!
42
Browser Security – Issues and Best Practices
Outline
• Intro to Browser Security
•Need for Browser Security
•Browser Security Fundamentals
•Browser Security Issues
• OWASP Top 10 – A7:2017– Cross-Site Scripting XSS
• OWASP Top 10 – A3:2017– Sensitive Data Exposure
•Attacks against Browser Security Mechanisms
•Browser Security Best Practices
2
Intro to Browser Security

3
Intro to Browser Security
4
Client
Server
Involves
browsers
Intro to Browser Security (contd.)
•Browser
• A browser is “an application that finds and displays web
pages”.
• It coordinates communication between your computer and the
web
server where a particular website “lives” by:
• Accepting a website address as a URL
• Submitting a request to the server to retrieve the content for
the page
• Processing the code (HTML, CSS, JavaScript, etc.) from the
server
• Loading active content (Flash, ActiveX, etc.) needed by the
page
• Displaying the complete, formatted web page

• Repeating the process for every single user interaction with
the page
5
Source: Understanding Your Computer: Web Browsers – U.S.
CERT –
https://www.cisa.gov/uscert/ncas/tips/st04-022
https://www.cisa.gov/uscert/ncas/tips/st04-022
•Examples:
• Google Chrome, Mozilla Firefox, Microsoft Edge, Apple
Safari,
Opera, etc.
•Browser Market Share as of February 2022:
6
Source: Global Web Stats – W3Counter–
https://www.w3counter.com/globalstats.php
https://www.w3counter.com/globalstats.php
• Browser security refers to “how differences in design and
implementation of various security technologies in modern web
browsers might affect their security” (X41 Browser Security
White Paper, 2017, pg. 8)
• Browser security involves the following:

• Protection against common client-side attacks
• Protection against phishing
• Management of browser extensions
• Use of adequate cryptography protocols
7
Source: X41 Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-
White-Paper.pdf
White-Paper.pdf
White-Paper.pdf
• Browser security also involves the following:
• Protection against active content
• Active content refers to scripts that execute programs within
the browser
• e.g.: scripts used to create splash pages or options like drop -
down menus
• JavaScript is widely used to create active content
• ActiveX controls reside on your computer and can be used as
spyware
• Protecting cookies
• Cookies store information such as IP address, domain names,
browser info, browsing
habits, etc.
• Both session cookies and persistent cookies must be protected
from security attacks by

adjusting the browser’s security settings to block or limit access
to cookie information
8
Source: U.S. CERT – Browsing Safely: Understanding Active
Content and Cookies –
https://www.cisa.gov/uscert/ncas/tips/ST04-012
•Browser-specific security features:
• Google Chrome security features
• Apple Safari security features
• Internet Explorer security features
• Microsoft Edge security features
• Mozilla Firefox security features
• Opera security features
9
https://safety.google/chrome/
https://support.apple.com/en-us/HT201265
https://support.microsoft.com/en-us/help/17479/windows-
internet-explorer-11-change-security-privacy-settings
https://www.microsoft.com/en-us/edge/features
https://support.mozilla.org/en-US/products/firefox/privacy-and-
security
https://help.opera.com/en/latest/security-and-privacy/

• Your Browser’s Security Features – GCFLearnFree.org
Source: GCFLearnFree.org – Internet Safety: Your Browser’s
Security Features –
https://www.youtube.com/watch?v=2ZZQlgV2Gus
10
https://www.youtube.com/watch?v=2ZZQlgV2Gus
Need for Browser Security
11
Need for Browser Security
•As per U.S. CERT (2015):
• Browsers such as Firefox, Chrome, Edge, and Safari are
installed on
almost all computers
• Default browsers that come with the Operating Systems are
not
setup using secure default configurations
• Unsecure browsers can lead to spyware being installed on your
computers allowing intruders to take control
• There is an increasing threat from attacks that take advantage
of

vulnerable web browsers
• Hackers are using compromised or malicious websites to
exploit
vulnerabilities in browsers
12
https://www.cisa.gov/uscert/publications/securing-your-web-
browser
Need for Browser Security (contd.)
•As per U.S. CERT (2015), the problem is made worse by a
number of factors including the following:
13
https://www.cisa.gov/uscert/publications/securing-your-web-
browser
•As per the EdgeScan (2019) Vulnerability Statistics Report:
• 19% of all vulnerabilities
were associated with
Layer 7 web applications
• However, the risk
density is much higher
for web application
vulnerabilities compared
to network
vulnerabilities

14
https://www.edgescan.com/wp-
content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-
2019.pdf
•As per the EdgeScan (2019)
Vulnerability Statistics Report,
the most common browser-
related vulnerabilities are:
• Cross-Site Scripting – 14.69%
• Other Injection – 8.18%
• DOM-based Vulnerability –
1.82%
• Cross-Site Request Forgery –
1.75%
15
2019.pdf
•Hackers are increasingly using browsers to cause data
breaches (Privacy Rights Clearinghouse, 2020)
16

•Hackers are increasingly using browsers to cause data
breaches (Privacy Rights Clearinghouse, 2020)
17
Browser Security Fundamentals
18
Browser Security Fundamentals
•How Web Browsers Function – Open Canvas
Source: OpenCanvas – How Web Browsers Function –
https://www.youtube.com/watch?v=z0HN-fG6oT4
19
Browser Security Fundamentals (contd.)
•As per Open Canvas (2016), web browsers use the following
architectural components:
• User interface

• Rendering engine
• Browser engine
• Networking
• JavaScript interpreter
• Data storage – cookies, local storage, etc.
20
•Google Chrome Architecture
Source: Google Chrome Developers – Anatomy of the Browser
101
(Chrome University) –
https://www.youtube.com/watch?v=PzzNuCk-e0Y
21
•Google Chrome Architecture:
• Browser Process
• Includes the User Interface (UI), networking, and storage
• GPU Process
• Handles rich web page content built using features like
WebGL
• Is a separate process to ensure stability and security

• Utility Process
• Runs untrusted code on behalf of browser in a sandbox
• e.g.: installing an extension, processing JSON
• Is a short-lived process
101
22
•Google Chrome Architecture (continued):
• Extension Process
• Ensures extensions have limited access to browser, page, &
system
• Stops poorly written extension code from adversely affecting
pages
• Pepper Plugins
• Handles plugin code not controlled by Google (Flash, PDF,
etc.)
• Uses new plugin API that is sandboxed
• Renderer – Blink rendering engine
• JavaScript Interpreter – v8 JavaScript engine
101

23
https://developer.chrome.com/extensions/overview
https://www.chromium.org/developers/design-
documents/pepper-plugin-implementation
https://www.chromium.org/blink
https://v8.dev/
•Google Chrome Security:
• Sandboxing
• Limits the impact of many browser vulnerabilities by isolating
different
components of an application from the rest of the system
• Components are run with their access privileges to system
resources and/or
other components limited to the bare essentials needed to
perform its
function
• Thus, the privileges an attacker can gain by exploiti ng a
security issue in these
components is fairly limited
• Process and Origin Isolation
• Chrome uses Site Isolation to isolate websites with different
origins
Source: X41 – Browser Security White Paper –

White-Paper.pdf
24
White-Paper.pdf
•Google Chrome Security:
• Hardening and Exploit Mitigation
• Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP,
etc.
• Web Security
• Same Origin Policy Enforcement
• Restricts interaction between websites of different origins
• Port Banning Enforcement
• Denies connections to non-standard TCP ports
• Content Security Policy Enforcement
• Limits what sources of scripts are acceptable
• HTML5 Features Support
• Supports Service Workers, WebRTC, History API, WebGL,
Web Notifications, etc.
Source: X41 – Browser Security White Paper –
White-Paper.pdf
25

White-Paper.pdf
Browser Security Issues
26
Browser Security Issues
• Specific browser security issues include the following:
• Client-side JavaScript code for checking user input is not
enough
• Information sent from the browser can be modified before it
reaches the server
• Plenty of HTTP/HTTPS proxy tools are available to hackers
for this very purpose
• Protocols such as SSL that browsers rely on have their own
issues
• Likewise, attackers can use browser mechanisms such as
cache, cookies, session
IDs, etc. to steal sensitive information
• Java applets are susceptible to Man-in-the-Middle (MITM)
attacks
• Java servlets may be vulnerable to SQL injection
Source: OWASP – Application Security FAQ –
https://owasp.org/www-
community/OWASP_Application_Security_FAQ
27
community/OWASP_Application_Security_FAQ

Browser Security Issues (contd.)
• Specific browser security issues include the following:
• Browsers pose a unique risk to the enterprise infrastructure
because of their
frequent exposure to untrusted dynamic content
• Configuring browser security settings is challenging due to
uncertainty of both
attack mitigation effectiveness and impact on end users
• Administrator-driven manual patching often incurs significant
lag time before
patches are deployed
• Administrators are often hesitant to enable automatic updating
out of fear that
patches will break existing functionality
• 88% of publicly disclosed vulnerabilities exploited within a
day of release
• Browser plugins accounted for 34.5% of browser-related
vulnerabilities
Source: NSA.gov – Steps to Secure Web Browsing –
https://www.nsa.gov/Portals/70/documents/what-we-
do/cybersecurity/professional-
resources/csi-steps-to-secure-web-browsing.pdf
28
do/cybersecurity/professional-resources/csi-steps-to-secure-
web-browsing.pdf

•OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-
Site_Scripting_(XSS)
29
•Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
30
•Cross-Site Scripting – XSS – Professor Messer
Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-
501 – 1.2 –
https://www.youtube.com/watch?v=AjsYOMatAcg

31
https://www.youtube.com/watch?v=AjsYOMatAcg
•OWASP Top 10 – A3:2017–Sensitive Data Exposure
32
•Common browser security vulnerabilities:
33
Browser Security Attacks

34
Browser Security Attacks
•Most common browser security attacks:
Cache Poisoning A maliciously constructed response is cached
by the browser
Clickjacking The attacker hijacks clicks meant for their own
page and routes them to another
page
Cross-Site Request Forgery
(CSRF)
An attack that forces an end user to execute unwanted
actions on a web application in which they’re currently
authenticated
Cross-Site Scripting (XSS) A type of injection in which
malicious scripts are injected into
otherwise benign and trusted websites
35
https://owasp.org/www-community/attacks/Cache_Poisoning
https://owasp.org/www-community/attacks/Clickjacking

https://owasp.org/www-community/attacks/csrf
https://owasp.org/www-community/attacks/xss/
Browser Security Attacks (contd.)
•Most common browser security attacks (continued):
Man-in-the-Browser A previously installed Trojan horse is used
to act between the
browser and the browser’s security mechanism, sniffing or
modifying transactions as they are formed on the browser,
but still displaying back the user’s intended transaction
Session Hijacking An attack that compromises the session token
by stealing or
predicting a valid session token to gain unauthorized access
to the Web Server
Spyware A program that captures statistical information from a
user’s
computer and sends it over internet without user acceptance.
This information is usually obtained from cookies and the
web browser’s history.
36
https://owasp.org/www-community/attacks/Man-in-the-
browser_attack
community/attacks/Session_hijacking_attack
https://owasp.org/www-community/attacks/Spyware

Browser Security
Best Practices
37
Browser Security Best Practices
•Best practices for web browser security include :
• Setting up browsers to Auto Update
• Disabling malicious browser plugins such as Adware
• Connecting to websites only using HTTPS
• Clearing the browser history including cookies
• Disabling the browser’s auto-complete of forms (including
stored
passwords) functionality
• Blocking browser pop-ups using extensions such as AdBlock
• Using VPN or proxy servers
Source: InfoSec Institute – Best Practices for Web Browser
Security –
https://resources.infosecinstitute.com/best-practices-web-
browser-security/
38
https://resources.infosecinstitute.com/best-practices-web-
browser-security/
Browser Security Best Practices (contd.)
•Best practices for web browser security include :

• Enabling automatic updates
• Mitigates 91% of publicly known vulnerabilities
• Enabling reputation services such as Google Safe Browsing or
Microsoft SmartScreen
• Prevents 87.7% of socially engineered malware and phishing
attempts
• Disable unsafe plugins and extensions
• Use advanced mitigation techniques/tools
• Browser isolation, Cloud Browsers, O/S level mitigations, etc.
Source: NSA.gov – Steps to Secure Web Browsing –
do/cybersecurity/professional-
resources/csi-steps-to-secure-web-browsing.pdf
39
https://safebrowsing.google.com/
https://support.microsoft.com/en-us/help/17443/microsoft-edge-
smartscreen-faq
web-browsing.pdf
Browser Security Best Practices (contd.)
•Use the following best practices to protect against XSS:
Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS –
Site_Scripting_(XSS).html

40
Site_Scripting_(XSS).html
Recap
• Browser security issues continue to be among the OWASP Top
10
list of web application security risks
• This is due to weaknesses in browser mechanisms such as
browser processes, renderers, plugins, extensions, etc.
as
cache poisoning, clickjacking, CSRF, XSS, MITM, session
hijacking,
spyware, etc.
• Best practices to protect browsers include using auto update,
HTTPS, pop-up blockers, VPNs or proxy servers, reputation
services, sandboxing, isolation, hardening, same origin policy,
port banning, content security policy, cloud browsers, etc.
41
Thank you!!!
42

Server Security – Issues and Best Practices
Outline
• Intro to Server Security
• Need for Server Security
• Server Security Fundamentals
• Server Security Issues
• OWASP Top 10 – A6:2017– Security Misconfiguration
• OWASP Top 10 – A10:2017– Insufficient Logging and
Monitoring
• Attacks against Server Security Mechanisms
• Server Security Best Practices
2
Intro to Server Security
3
Intro to Server Security
4
Client
Server

Involves
servers
Intro to Server Security (contd.)
• Server
• A server serves as the host for web applications
• It refers to the “server” portion of the client-server
architecture
• It receives the HyperText Transfer Protocol (HTTP) request
message from the client machine’s browser
• It authenticates the client based on the user-supplied
credentials
• It authorizes the client’s access to the requested web
application
after authentication
5
• Server (continued)
• It sends an HTTP response header back to the client machine
with the response
code 200 for successful requests or the response code 404 for
page not found
(maybe due to a broken link)
• It uses ports to make services available to clients

• Common port numbers: 80 for HTTP traffic, 443 for HTTPS
traffic, 25 for
SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.
• Examples:
• Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM
WebSphere, Oracle
WebLogic, Red Hat JBoss EAP, etc.
6
• Server Market Share:
7
Source: Web and Application Servers Market Share Report –
Datanyze –
https://www.datanyze.com/market-share/web-and-application-
servers--425
https://www.datanyze.com/market-share/web-and-application-
servers--425
• What is a Server? – PowerCert Animated Videos
8
Source: PowerCert Animated Videos – What is a Server? –
https://www.youtube.com/watch?v=UjCDWCeHCzY

https://www.youtube.com/watch?v=UjCDWCeHCzY
• Server security refers to “the fundamental activities performed
as part
of securing and maintaining the security of servers that provide
services over network communications as a main function”
(NIST SP
800-123, pg.10)
• Server security involves the following (NIST SP 800-44,
pg.18):
• Installing, configuring, and securing the server Operating
System (OS)
• Installing, configuring, and securing the server software
• Employing appropriate network protection mechanisms
• Firewalls, packet filtering routers, proxies, etc.
• Ensuring that the hosted web applications are securely coded
• Employing secure administration and maintenance processes
• Patching and upgrading, testing, monitoring of logs, backing
up data and OS
• Protecting information and data in a careful/systemic manner
• Conducting initial/periodic vulnerability scans of
server/network
infrastructure
9
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-123.pdf

on800-44ver2.pdf
• Server security (by technology):
• Apache HTTP Server security settings
• NGINX security settings
• Internet Information Services (IIS) security settings
• LiteSpeed Web Server security settings
• OpenResty security settings
• Server security (by Operating System)
• Ubuntu Linux Server guide
• Windows Server security guide
• macOS Server Guide
10
http://httpd.apache.org/docs/2.4/misc/security_tips.h tml
https://docs.nginx.com/nginx/admin-guide/security-controls/
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-
iis-10-version-1709/new-features-introduced-in-iis-10-1709
https://www.litespeedtech.com/products/litespeed-web-
server/features/feature-explanations
https://openresty.org/en/ann-1015008002.html
https://assets.ubuntu.com/v1/f954307f-ubuntu-server-guide.pdf
https://docs.microsoft.com/en-us/windows-server/get-
started/whats-new-in-windows-server-2022
https://support.apple.com/guide/server/welcome/mac
Need for Server Security
11

Need for Server Security
• As per NIST SP 800-123:
• Servers are frequently targeted by attackers because of the
value
of their data and services
• Servers might contain personally identifiable information that
could be used to perform identity theft
• Most organizations install servers with standard directory
names,
directory locations, and filenames making it easy for attackers
to
target those servers
• The failure of organizations to fully recognize the amount of
expense and skills required to field a secure server often results
in
overworked employees and insecure systems
12
on800-123.pdf
Need for Server Security (contd.)
• As per NIST SP 800-123 (continued):
• Default hardware and software configurations are typically set
by
manufacturers to emphasize features, functions, and ease of use,
at the expense of security

• The default configuration of the OS often includes guest
accounts
(with and without passwords), administrator or root level
accounts, and accounts associated with local and network
services
• Because manufacturers are unaware of each organization’s
security needs, server administrators need to configure new
servers to reflect their organizations’ security requirements and
reconfigure them as needed
13
on800-123.pdf
• As per NIST SP 800-44:
• Compromised web sites can serve as an entry point for
intrusions
into many organizations’ internal networks
• Organizations can face monetary losses, damage to reputation,
or
legal action if an intruder successfully violates the
confidentiality
of their data
• Hackers could compromise web server security by:
• defacing organizations’ web site or otherwise affecting
integrity
• executing unauthorized commands on the host OS
• launching attacks on external sites from the web server

• using the server to deliver attacks against vulnerable clients
• using the server to distribute illegally copied software
14
on800-44ver2.pdf
• As per the EdgeScan (2019) Vulnerability Statistics
Report, the most common infrastructure
vulnerabilities include the following server-related
issues:
• 44.70% – SSL / TLS Version & Configuration Issues
• 29.53% – SMB Security Issues
• 8.61% – OpenSSH Vulnerabilities & Configuration Issues
• 6.25% – Windows Remote Desktop Protocol Server
MITM
• 4.15% – Unencrypted Telnet Services
• 1.69% – Unsupported & Unpatched Server Detection
15
2019.pdf
• As per the EdgeScan (2019) Vulnerability Statistics Report:
• 33.33% of all high and critical risk vulnerabilities discovered
in

2018 were in relation to unsupported Windows Server 2003
systems (no patching, support, end-of-life systems)
• 7.53% of all high and critical risk vulnerabilities discovered in
2018
related to exposure to NotPetya CVEs (CVE-2017-0144, CVE-
2017-
0145) – Windows Server Message Block (SMB) Remote Code
Execution Vulnerability
• Systems using Apache and PHP also contributed to the Top 10
due
to weak component security and traditional patch management
of
exposed systems
16
2019.pdf
https://www.cisa.gov/uscert/ncas/alerts/TA17-181A
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0145
• Hackers are increasingly using servers to cause data breaches
(Privacy
Rights Clearinghouse, 2020)
17

Server Security
Fundamentals
18
Server Security Fundamentals• What is the Apache HTTP
Server? – CBT Nuggets
19
Source: CBT Nuggets – What is the Apache HTTP Server? –
https://www.youtube.com/watch?v=fRLJ3bnbHmE
https://www.youtube.com/watch?v=fRLJ3bnbHmE
Server Security Fundamentals (contd.)
• A basic Apache web server architecture includes the
following components (Kew, 2007):
• Modules
• Multi-Processing Modules
(MPM)
• Apache Portable Runtime (APR)
Libraries
20
http://ptgmedia.pearsoncmg.com/images/9780132409674/sample
chapter/kew_ch02.pdf

• Apache web server architecture:
• Modules
• Functionality that can be used to do things such as
authentication, dynamic
content generation, encryption, virus scanning, file
compression, email
services, file transfer services, etc.
• Multi Processing Modules (MPM)
• Special module which allows Apache to be configured as a
pure process-
based server, a pure threaded server, or both
• Apache Portable Runtime (APR) Libraries
• Provides for platform-specific tuning and optimization
21
Source: Apache – Apache HTTP Server Version 2.4
Documentation –
https://httpd.apache.org/docs/2.4/
https://httpd.apache.org/docs/2.4/mod/
https://httpd.apache.org/docs/2.4/mod/
http://apr.apache.org/
• Apache web server security:
• Modular architecture
• Allows modules to be enabled or disabled to add and remove

web server
functionality
• Only MPM modules can interact directly with the Operating
System
• Authentication
• Modules can authenticate against plain text files and database
files
including Oracle, MySQL, PostgreSQL, etc.
• E.g. mod_auth_basic, mod_auth_digest, mod_auth_form,
mod_authn_dbd, etc.
22
Source: Apache – Apache HTTP Server Version 2.4
Documentation –
https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html
https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html
https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html
https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html
• Apache web server security (continued):
• Access Control
• The mod_access_compat module can restrict access to
resources based on
IP address or hostname of the client
• SSL / TLS

• The mod_ssl module provides strong encryption to protect
data
transmitted between the web server and the client
• Proxy
• Apache supports both a traditional HTTP proxy and a reverse
proxy
• Reverse proxy can be used for load balancing
• Virtual Hosting Support and XML Security
23
Source: TLDP.org – Apache Overview HOWTO –
https://www.tldp.org/HOWTO/pdf/Apache-Overview-
HOWTO.pdf
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
http://santuario.apache.org/
https://www.tldp.org/HOWTO/pdf/Apache-Overview-
HOWTO.pdf
• Apache web server security (continued):
• Configuration Settings
• Modules come with several directives related to timeouts,
resource
consumption, request processing, concurrent connections, etc.
• Common Gateway Interface (CGI) & Server Side Includes
(SSI)
• The suEXEC feature can reduce considerably the security risks

involved with
allowing users to develop and run private CGI or SSI programs
• Logs
• The mod_log_config, mod_log_forensic modules can be used
to log
everything that happens on the server
24
Source: Apache.org – Apache HTTP Server Documentation
Version 2.4 –
https://archive.apache.org/dist/httpd/docs/httpd-docs-
2.4.33.en.pdf
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html
https://httpd.apache.org/docs/2.4/mod/mod_log_forensic.html
https://archive.apache.org/dist/httpd/docs/httpd-docs-
2.4.33.en.pdf
Server Security Issues
25
Server Security Issues
• As per NIST SP 800-123 (pg. 7), server security issues
include:
26
Source: NIST SP 800-123 – Guide to General Server Security –

on800-123.pdf
on800-123.pdf
on800-123.pdf
Server Security Issues (contd.)
• As per NIST SP 800-44 (pg. 17-18), other server security
issues include
the following:
• Misconfiguration or other improper operation of the Web
server, which may
result, for example, in the disclosure or alteration of proprietary
or sensitive
information. This information can include items such as:
• Assets of the organization
• Configuration of the server or network that could be exploited
for subsequent attacks
• Credentials of the users or administrator(s) of the Web server
• Inadequate or unavailable defense mechanisms for the Web
server to prevent
certain classes of attacks, such as DoS attacks, which disrupt
the availability of
the Web server and prevent authorized users from accessing the
Web site when
required
27
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –

https://nvlpubs.nist.gov/nistpubs/Legac y/SP/nistspecialpublicati
on800-
44ver2.pdf
on800-44ver2.pdf
on800-44ver2.pdf
• Other server security issues include the following (continued):
• Vulnerabilities within the Web server that might allow, for
example, attackers to
compromise the security of the server and other hosts on the
organization’s
network by taking actions such as the following:
28
Servers –
on800-
44ver2.pdf
on800-44ver2.pdf
• OWASP Top 10–A6:2017 – Security Misconfiguration

29
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
Security_Misconfiguration.html
• Common server security vulnerabilities:
30
• OWASP Top 10–A10:2017 – Insufficient Logging &
Monitoring
31
Source: OWASP Top 10 2017 A10 – Insufficient Logging &
Monitoring –
Insufficient_Logging%2526Monitoring

• Common server security vulnerabilities:
32
Monitoring –
Insufficient_Logging%2526Moni toring
Server Security Attacks
33
Server Security Attacks
• Most common server security attacks:
34
Denial of Service
(DoS)

Attacks may be directed to the server or its supporting
network infrastructure, denying or hindering valid users from
making use of its services.
Attacks may take advantage of the server’s account lockout
policy.
Attacks may involve uploading many large files
Attacks take advantage of simultaneous network connections.
Malware Malicious entities may gain unauthorized access to
resources
elsewhere in the organization’s network via a successful
attack on the server
on800-123.pdf
on800-123.pdf
Server Security Attacks (contd.)
• Most common server security attacks (continued):
35
Man-in-the Middle
(MITM)
Password information can be intercepted using network
sniffers and used by an attacker to masquerade as an
authorized user
SYN Flood If the maximum number of open connections (or

connections
that are half-open—that is, the first part of the TCP
handshake was successful) is set to a low number, an attacker
can easily consume the available connections with
illegitimate requests (often called a SYN flood)
on800-123.pdf
https://www.sciencedirect.com/topics/computer-science/three-
way-handshake
on800-123.pdf
• Most common server security attacks (continued):
36
Brute Force Attackers try every possible password to attempt to
gain
access to a user’s account
Command Injection Compromise of sensitive information on
backend databases
that are used to support a web application
Directory Traversal Unauthorized access including gaining
access to files or
folders and being able to execute commands and/or install
software on the web server

Replay Attack An impostor verifier replays the OTP
authenticator output to
the verifier and successfully authenticates to the web server
(NIST SP 800-63b)
Servers –
on800-
44ver2.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-63b.pdf
on800-44ver2.pdf
• Replay Attacks – Professor Messer
37
Source: Replay Attacks – CompTIA Security+ Sy0-401: 3.2 –
https://www.youtube.com/watch?v=Ar97HbWLijU
https://www.youtube.com/watch?v=Ar97HbWLijU
Server Security
Best Practices
38

Server Security Best Practices
• Best practices for web server security include :
• Planning and managing web servers (pg. 33)
• Plan the configuration and deployment of the web server
• Choose an appropriate Operating System (OS) for the web
server
• Choose an appropriate platform for the web server
• General purpose OS, Trusted OS, web server appliance,
virtualized platform, etc.
• Securing the web server OS (pg. 41)
• Patch and upgrade the OS
• Remove or disable unnecessary services and applications
• Configure OS user authentication
• Configure resource controls appropriately
• Install and configure additional security controls
• Test the security of the OS
39
Servers –
on800-
44ver2.pdf
on800-44ver2.pdf
Server Security Best Practices (contd.)

• Securing the web server (pg. 51)
• Securely install the web server
• Configure IS and web server access controls
• Configure a secure web content directory
• Securing web content (pg. 70)
• Ensure that sensitive information is not available on the web
server
• Establish an organizational-wide documented formal policy
and process for
approving public web content
• Maintain Web user privacy
• Mitigate indirect attacks on content
• Consider client-side active content security
• Maintain server-side active content security
40
Servers –
on800-
44ver2.pdf
on800-44ver2.pdf
• Using authentication and encryption technologies (pg. 86)
• Configure web authentication and encryption technologies
• Configure SSL / TLS

• Protect against brute force attacks
• Implementing a secure network infrastructure (pg. 99)
• Identify a network location
• Assess firewall configuration
• Evaluate intrusion detection and prevention systems
• Assess network switches
• Evaluate load balancers
• Evaluate reverse proxies
41
Servers –
on800-
44ver2.pdf
on800-44ver2.pdf
• Administering the web server (pg. 113)
• Perform logging
• Perform web server backups
• Recover from a compromise
• Test security
• Conduct remote administration and content updates
42

Servers –
on800-
44ver2.pdf
on800-44ver2.pdf
• Use the following server security best practices to protect
against security misconfiguration:
43
Security_Misconfiguration
• Use the following server security best practices to protect
against insufficient logging and monitoring:
44
Monitoring –

Insufficient_Logging%2526Moni toring
Recap
• Server security issues continue to be among the OWASP Top
10 list of
web application security risks
• This is due to weaknesses in server technologies such as
authentication, access controls, configuration, connections,
encryption, active content, logs, etc.
as DoS,
malware, MITM, SYN flood, brute force, command injection,
directory
traversal, replay attacks, etc.
• Best practices to protect servers include planning and
managing web
servers, securing the web server OS, securing the web server,
securing
web content, using authentication and encryption technologies,
implementing a secure network infrastructure, administering the
web
server, etc.
45

Thank you!!!
46
Code Security – Issues and Best Practices
Outline
Intro to Code Security
Need for Code Security
Code Security Fundamentals
Code Security Issues
◦ OWASP Top 10 – A4:2017– XML External Entities (XXE)
◦ OWASP Top 10 – A8:2017– Insecure Deserialization
◦ OWASP Top 10 – A9:2017– Using Components with Known
Vulnerabilities
Attacks against Code Security Mechanisms
Code Security Best Practices
2
Intro to Code
Security

3
Intro to Code Security
What is Code?
◦ Code refers to instructions issued to a computer that tells it
which
actions to perform and in what order
◦ Code is made of strings of typed letters, numbers, and figures,
which
constitute a language complete with spelling rules and syntax
◦ Code is used to do all sorts of activities including:
◦ Building websites
◦ Flying airplanes
◦ Running NASA satellites
◦ Making cars/cellphones/TVs/gaming consoles, etc. work
4
Source: Indeed.com – How to Write Code in 6 Steps? –
https://www.indeed.com/career-advice/career-development/how-
to-write-code
https://www.indeed.com/career-advice/career-development/how-
to-write-code
Intro to Code Security (contd.)
Code Types
◦ Markup Languages – Use start tags (<>) and end tags (</>)

to represent different
components
◦ Examples:
◦ HTML – Is the code that describes the structure and content of
a web application
◦ XML – Is code that is designed to store and transport data in
both human– and machine–readable format
◦ SAML – Is a framework for describing and exchanging
security information between online business partners
5
https://www.w3schools.com/html/default.asp
https://www.w3schools.com/xml/default.asp
https://wiki.oasis-open.org/security/FrontPage
Code Types (continued)
◦ Scripting Languages – Used to write small programs that are
usually
interpreted at runtime by a runtime environment
◦ Examples (client-side):
◦ JavaScript – Is a cross-platform scripting language that can be
embedded within
web pages to create interactive documents
◦ AJAX – Is a collection of technologies that allows web
developers to improve the
response times between web pages
6

Servers –
on800-
44ver2.pdf
https://www.w3schools.com/js/default.asp
https://www.w3schools.com/xml/ajax_intro.asp
on800-44ver2.pdf
◦ Scripting Languages – Can also be used from server-side
◦ Examples (server-side):
◦ CGI – Is used to make web sites interact with databases and
other applications
◦ SSI – Is a limited scripting language supported by most web
servers
◦ ASP – Is used to create dynamic and interactive web
applications for servers that
serve “.asp” web pages using the .NET framework
◦ PHP – Is used to create dynamic web pages that extract data
from a database and
present it on a web page
7
Servers –

on800-
44ver2.pdf
https://tools.ietf.org/html/rfc3875
https://httpd.apache.org/docs/current/ howto/ssi.html
https://www.w3schools.com/asp/default.ASP
https://www.w3schools.com/php/
on800-44ver2.pdf
◦ Programming Languages – Used to code the business logic
behind the
web applications
◦ Examples:
◦ Java – Is a cross-platform programming language that is
secure, fast, powerful,
open-source, and free
◦ C# – Is an object-oriented programming language created by
Microsoft that runs
on the .NET framework
◦ Python – Is an interpreted programming language used to
create web applications
that can be used to handle big data and perform complex math
◦ Ruby – Is an open-source programming language with a focus
on simplicity and
productivity

8
https://www.w3schools.com/java/default.asp
https://www.w3schools.com/cs/default.asp
https://www.w3schools.com/python/default.asp
https://www.ruby-lang.org/en/
Code Market Share:
9
Source: Programming Languages Market Share Report –
Datanyze –
https://www.datanyze.com/market-share/programming-
languages--67/
https://www.datanyze.com/market-share/programming-
languages--67/
Secure Coding Concepts – Professor Messer
10
Source: Professor Messer – Secure Coding Concepts –
CompTIA Security+
SY0-401: 4.1 –
https://www.youtube.com/watch?v=N-tQtS5uQoo
https://www.youtube.com/watch?v=N-tQtS5uQoo

Code security refers to “a set of technologies and best practices
for
making software as secure and stable as possible. It
encompasses
everything from encryption, certificates, and federated identity
to
recommendations for moving sensitive data, accessing a file
system, and
managing memory” (Red Hat, 2020)
As per Apple (2016), code security involves writing software
that:
◦ Is resistant to attack by malicious or mischievous people or
programs
◦ Stops an attacker from accessing and taking control of a server
or a user’s computer
resulting in denial of service, compromise of secrets, or damage
to the systems of
thousands of users
◦ Protects a user’s data from theft or corruption
◦ Is secure regardless of whether it is a small script
or a
commercial application
11
https://developers.redhat.com/topics/secure-coding/
https://developer.apple.com/library/archive/documentation/Secu
rity/Conceptual/SecureCodingGuide/Introduction.html
Need for Code

Security
12
Need for Code Security
As per OWASP (2010):
◦ It is much less expensive to build secure software than to
correct
security issues after the software package has been completed,
not to
mention the costs that may be associated with a security breach
◦ Securing critical software resources is more important than
ever as the
focus of attackers has steadily moved toward the application
layer
◦ Failure to do secure coding can compromise:
◦ The software and its associated information
◦ The operating systems of the associated servers
◦ The backend database
◦ Other applications in a shared environment
13
https://owasp.org/www-pdf-
archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Need for Code Security (contd.)
As per Veracode (2020):
◦ Code security analysis is a must for competitive enterprises
◦ Most current threats are directed at the application layer

◦ It is critical to search code for vulnerabilities such as
backdoors and
malicious code before hackers discover and exploit those
vulnerabilities using a variety of attacks
◦ Such code-targeted attacks on the enterprise can have severe
consequences:
◦ Reduce productivity
◦ Tie up valuable organizational resources
◦ Damage brand reputation
◦ Cut into profits
14
https://www.veracode.com/security/code-security-analysis
As per the Veracode (2019) State of Software Security Report,
web applications coded in most common languages have at
least 1 vulnerability:
15
https://www.veracode.com/sites/default/files/pdf/resources/soss
reports/state-of-software-security-volume-10-veracode-
report.pdf
the flaw intensity vs flaw prevalence are:
16

report.pdf
the flaw intensity vs flaw prevalence are :
17
report.pdf
the flaw debt types by language are :
18
report.pdf
Poor code security continues to be a major cause data breaches
(Privacy
19

Code Security
Fundamentals
20
Code Security Fundamentals
Secure Coding Standards – SEI | CMU | CERT
21
Source: SEI | CMU | CERT – Secure Coding Standards –
https://www.youtube.com/watch?v=WYKSivnp3gA
https://www.youtube.com/watch?v=WYKSivnp3gA
Code Security Fundamentals (contd.)
Code security (by code type):
◦ Markup language security
◦ HTML security
◦ XML security
◦ SAML security
◦ Scripting language (client-side) security
◦ JavaScript security (in Firefox)
◦ AJAX security
22
https://html.spec.whatwg.org/multipage/introduction.html
https://www.w3.org/standards/xml/security.html
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_

Cheat_Sheet.html
https://firefox-source-
docs.mozilla.org/dom/scriptSecurity/index.html
https://cheatsheetseries.owasp.org/cheats heets/AJAX_Security_
Cheat_Sheet.html
Code Security Fundamentals (contd.)
Code security (by code type):
◦ Scripting language (server-side) security
◦ CGI security
◦ SSI security
◦ ASP security
◦ PHP security
◦ Programming language security
◦ Java security
◦ C++ security
◦ Python security
◦ Ruby security
23
https://datatracker.ietf.org/doc/html/rfc3875
on800-44ver2.pdf
https://www.w3schools.com/asp/webpages_security.asp
https://www.php.net/manual/en/security.php
https://wiki.sei.cmu.edu/confluence/display/java/Java%20Codin
g%20Guidelines
https://docs.microsoft.com/en-us/cpp/security/security-best-
practices-for-cpp?view=msvc-170
https://docs.python.org/3/library/security_warnings.html?highli
ght=security
https://www.ruby-lang.org/en/security/

Code Security
Issues
24
Code Security Issues
Specific code security issues include the following:
◦ Vulnerabilities in C amounted to 50% of all reported
vulnerabilities
◦ The most common CWEs across most programming languages
are Cross-Site-
Scripting (XSS), Input Validation, Permissions, Privileges, and
Access Control,
and Information Leak / Disclosure
◦ A significant rise was seen in reported vulnerabilities as a
result of the use of
automated tools and the trend of bug bounty programs
◦ While there was a spike in the number of reported security
vulnerabilities in
the past couple of years, the number of high severity
vulnerabilities has
decreased in most languages.
25
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-
programming-languages/

Code Security Issues (contd.)
Specific code security issues include the following:
◦ Total reported vulnerabilities per language
26
Top 3 vulnerabilities per language
27
Top 3 vulnerabilities per language
28

OWASP Top 10–A4:2017 – XML External Entities (XXE)
29
Source: OWASP Top 10 2017 A4 – XML External Entities
(XXE) –
XML_External_Entities_(XXE).html
Common code security vulnerabilities:
30
(XXE) –

OWASP Top 10–A8:2017 – Insecure Deserialization
31
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
Insecure_Deserialization
32
OWASP Top 10–A9:2017 – Using Components with Known
Vulnerabilities
33

Source: OWASP Top 10 2017 A9 – Using Components with
Known Vulnerabilities –
Using_Components_with_Known_Vulnerabilities
34
Code Security
Attacks
35
Code Security Attacks
Most common code security attacks:
36

Billion Laughs
Attack / XML Bomb
A block of XML that is both well-formed and valid according
to the rules of an XML schema but which crashes or hangs a
program when that program attempts to parse it (Microsoft,
2015)
Buffer Overflow An attack which consists of overwriting
memory fragments of
a process resulting in errors that end execution of the
application in an unexpected way
Code Injection An attack which consists of injecting code that
is then
interpreted/executed by the application
https://owasp.org/www-pdf-archive/XML_Based_Attacks_-
_OWASP.pdf
https://docs.microsoft.com/en-us/archive/msdn-
magazine/2009/november/xml-denial-of-service-attacks-and-
defenses
community/attacks/Buffer_overflow_attack
https://owasp.org/www-community/attacks/Code_Injection
Code Security Attacks (contd.)
Most common code security attacks (continued):
37

JSON Injection A simple server-side attack that could be
performed in PHP to
grant admin privileges to a regular user
SSI Injection An attack allows the exploitation of a web
application by
injecting scripts in HTML pages or executing arbitrary codes
remotely
XXE Attack The attacker breaks out of the usual processing
schema and
bypasses the security verification and reads locally stored files
https://www.acunetix.com/blog/web-security-zone/what-are-
json-injections/
https://owasp.org/www-community/attacks/Server-
Side_Includes_(SSI)_Injection
http://sso-attacks.org/XML_External_Entity_Attack
Code Security Attacks (contd.)
What is an XXE Attack – Hacksplaining
38
Source: Hacksplaining – What is an XXE Attack? –
https://www.youtube.com/watch?v=hIHrGuG3r5w
https://www.youtube.com/watch?v=hIHrGuG3r5w
Code Security
Best Practices
39

Code Security Best Practices
Best practices for code security include :
◦ Establishing coding standards and conventions
◦ Select languages based on security issues they inherit
◦ Use built-in security features
◦ Use loosely coupled frameworks / libraries / components
◦ Enforce standards
◦ Using safe functions / APIs only
◦ Provide guidance to developers on what functions / APIs to
avoid
◦ Use appropriate tools to assist in identifying and reviewing the
usage of dangerous functions
◦ Use the latest versions of compliers / interpreters / runtime
environments
40
Source: SAFEcode.org – Fundamental Practices for Secure
Software Development –
https://safecode.org/wp-
content/uploads/2018/03/SAFECode_Fundamental_Practices_for
_Secure_Software_Develo
pment_March_2018.pdf
_Secure_Software_Development_March_2018.pdf
Code Security Best Practices (contd.)

Best practices for code security include (continued):
◦ Using code analysis tools to find security issues early
◦ Use tools to analyze code to identify deviation from
requirements
◦ Use tools that plug in directly into the IDE
◦ Use secure code review to identify logical errors in the source
code
◦ Handling data safely / handling errors gracefully
◦ Use input validation techniques to begin with
◦ Enforce data segregation to prevent data from becoming
application logic
◦ Use encoding so that data is interpreted in the context in
which it is used
◦ Use data binding which prevents data from being interpreted
as control logic
◦ Use sanitization techniques to remove, replace, or encode
unwanted characters
41
Source: SAFEcode.org – Fundamental Practices for Secure
Software Development –
_Secure_Software_Develo
pment_March_2018.pdf
_Secure_Software_Development_March_2018.pdf

Best practices for code security include the following:
◦ Take Security Requirements and Risk Information into
Account During
Software Design
◦ Review the Software Design to Verify Compliance with
Security
Requirements and Risk Information
◦ Verify Third-Party Software Complies with Security
Requirements
◦ Reuse Existing, Well-Secured Software When Feasible Instead
of Duplicating
Functionality
◦ Create Source Code Adhering to Secure Coding Practices
42
Source: NIST – Cybersecurity White Paper –
https://csrc.nist.gov/CSRC/media/Publications/white-
paper/2019/06/07/mitigating-risk-of-
software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-
mitigating-risk-of-software-
vulns-draft.pdf
paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-
with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-
vulns-draft.pdf
Best practices for code security include the following:
◦ Configure the Compilation and Build Processes to Improve

Executable
Security
◦ Review and/or Analyze Human-Readable Code to Identify
Vulnerabilities and
Verify Compliance with Security Requirements
◦ Test Executable Code to Identify Vulnerabilities and Verify
Compliance with
Security Requirements
◦ Configure the Software to Have Secure Settings by Default
43
Source: NIST – Cybersecurity White Paper –
paper/2019/06/07/mitigating-risk-of-
software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-
mitigating-risk-of-software-
vulns-draft.pdf
paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-
with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-
vulns-draft.pdf
Use the following code security best practices to protect against
XML
External Entities (XXE):
44

(XXE) –
insecure
deserialization:
45
Insecure_Deserialization.html
Insecure_Deserialization.html
using
components with known vulnerabilities:
46

Using_Components_with_Known_Vulnerabilities.html
Using_Components_with_Known_Vulnerabilities.html
Recap
Code security issues are among the OWASP Top 10 list of web
application
security risks
This is due to weaknesses in coding technologies such as
markup
languages, scripting languages (client- and server-side),
programming
languages, etc.
Hackers are able to exploit the weaknesses using attacks such as
billion
laughs, buffer overflow, code/SSI/JSON injection, XXE attacks,
etc.
Best practices to protect code include establishing coding
standards,
protecting data, performing input validation/error
handling/logging,
ensuring proper memory management, using code analysis tools
to do
secure code review, etc.
47
Thank you!!!

48
Cloud Security – Issues and Best Practices
Outline
Intro to Cloud Security
Need for Cloud Security
Cloud Security Fundamentals
Cloud Security Issues
◦ OWASP Top 10 – A6:2017– Security Misconfiguration
◦ OWASP Cloud-Native Application Security Top 10
Attacks against Cloud Security Mechanisms
Cloud Security Best Practices
2
Intro to Cloud
Security
3

Intro to Cloud Security
What is the cloud?
◦ According to Microsoft (2022) the cloud refers to “a vast
network of
remote servers around the globe which are hooked together and
meant to operate as a single ecosystem”
◦ Cloud servers are designed to:
◦ Store and manage data
◦ Run applications
◦ Deliver content/service such as streaming videos, web mail,
office productivity
software, social media to any Internet-connected device
◦ According to NSA (2018), cloud browsers can be used to
completely
separate the web browser from the user’s O/S by hosting the
browser
in a remote cloud environment
4
https://azure.microsoft.com/en-us/overview/what-is-the-cloud/
https://www.nsa.gov/portals/75/documents/what-we-
web-browsing.pdf
Intro to Cloud Security (contd.)
What is the cloud? – PowerCert Animated Videos
5

Source: PowerCert Animated Videos – Cloud Computing
Explained –
https://www.youtube.com/watch?v=_a6us8kaq0g/
https://www.youtube.com/watch?v=_a6us8kaq0g/
Cloud deployment methods
◦ Public cloud – shares resources and offers services over the
public
Internet
◦ Private cloud – does not share resources and offers services
over a
private internal network typically hosted in an on-premise
datacenter
◦ Hybrid cloud – shares resources between public and private
clouds
depending on their purpose
◦ Community cloud – shares resources only between specific
organizations such as government institutions
6
Source: Microsoft.com – What is the Cloud? –
https://azure.microsoft.com/en-us/overview/what-is-a-public-
cloud/
https://azure.microsoft.com/en-us/overview/what-is-a-private-
cloud/
https://azure.microsoft.com/en-us/overview/what-is-hybrid-

cloud-computing/
Cloud service models:
◦ SaaS
◦ Examples: Amazon SaaS Factory, Office 365, Google
Kubernetes Engine
◦ PaaS
◦ Examples: Elastic Beanstalk, Azure App Service, Google
Cloud Run
◦ IaaS
◦ Examples: Amazon EC2, Azure IaaS, Google Compute Engine
7
Cloud Service
Model
Hardware Operating
System
Applications Data
SaaS
PaaS
IaaS
SP – Service Provider C – Customer

https://azure.microsoft.com/en-us/overview/what-is-saas/
https://aws.amazon.com/partners/programs/saas-factory/
https://azure.microsoft.com/en-us/overview/what-is-saas/
https://cloud.google.com/kubernetes-engine
https://azure.microsoft.com/en-us/overview/what-is-paas/
https://aws.amazon.com/elasticbeanstalk/
https://azure.microsoft.com/en-us/services/app-service/
https://cloud.google.com/run
https://azure.microsoft.com/en-us/overview/what-is-iaas/
https://aws.amazon.com/ec2/
https://azure.microsoft.com/en-us/overview/what-is-azure/iaas/
https://cloud.google.com/compute
Cloud market share:
8
Source: 64 Significant Cloud Computing Statistics for 2022 –
FinancesOnline –
https://financesonline.com/cloud-computing-statistics/
https://financesonline.com/cloud-computing-statistics/
The big 3 cloud service providers:
9
Source: AWS vs Azure vs GCP – bmc –
https://www.bmc.com/blogs/aws-vs-azure-vs-google-cloud-
platforms/
Customers:

• Netflix
• Airbnb
• Lyft
• FDA
• Coinbase
Customers:
• Starbucks
• Walgreens
• 3M
• HP
• CDC
Customers:
• Toyota
• Spotify
• Target
• Twitter
• UPS
https://www.bmc.com/blogs/aws-vs-azure-vs-google-cloud-
platforms/
Cloud security refers to “a broad set of technologies, policies,
and
applications that are applied to defend online IP, services,
applications,
and other imperative data against cyber threats and malicious
activity”
(Cisco, 2022)
As per Cisco, 2022, cloud security involves securing data and
applications
in the cloud by:

◦ Protecting apps, data, and users in the cloud against
compromised accounts,
malware, and data breaches
◦ Stopping malware before it spreads across the network
◦ Decreasing the time spent remediating data breaches
◦ Improving security without impacting end-user productivity
◦ Extending protection by securing users anywhere and anytime
10
https://www.cisco.com/c/en/us/products/security/cloud-
security/what-is-cloud-security.html
https://www.cisco.com/c/en/us/products/security/cloud-
security/what-is-cloud-security.html
Cloud security can enable better business outcomes by being:
11
Source: Secure Cloud – Accenture –
https://www.accenture.com/_acnmedia/PDF-143/Accenture-
Secure-Cloud.pdf
Secure-Cloud.pdf
Need for Cloud
Security
12

Need for Cloud Security
As per IBM (2022):
◦ Organizations need cloud security as they incorporate cloud-
based
tools and services as a part of their digital strategy
◦ Organizations must make their own considerations when
protecting
data and applications on the cloud since the responsibility of
data
asset security and accountability does not necessarily shift to
the
cloud service provider
◦ Threats targeting cloud providers continues to evolve
◦ Lack of cloud security can make organizations face significant
governance and compliance risks
◦ Cloud security is a necessity to ensure continuity of business
operations
13
https://www.ibm.com/topics/cloud-security
Need for Cloud Security (contd.)
As per the Accenture (2021) Cyber Threat Intelligence Report:
◦ Spending on public cloud services are expected to rise 21.7%
from
2021 ($396B) to 2022 ($482B)
◦ Cloud centricity prompts new attack vectors

◦ Public-facing cloud environments serve as initial entry vectors
through
which threat actors can gain access to individual endpoint
devices
◦ Some organizations do not monitor cloud platforms as closely
as they
do their own on-premise servers
14
Cyber-Threat-Intelligence-Report-Vol-2.pdf
As per the Accenture (2021) Cyber Threat Intelligence Report
(contd.):
◦ Ransomware attacks on cloud infrastructure is on the rise
◦ Cloud malware has evolved faster than traditional ones
◦ Cloud-centric toolset threats are escalating
◦ Expanding cloud infrastructure also creates highly scalable
and reliable
command-and-control infrastructure and botnets
◦ Moving to the cloud has increased both the risk and
consequences of
supply chain attacks
15

According to the McAfee (2019) Cloud Adoption and Risk
Report:
16
• Sharing of sensitive data in the cloud
has increased 53%
• An average organization has 2,269
IaaS misconfiguration incidents per
month
• 80% of organizations will experience
at least 1 compromised account
threat in the cloud each month
• 92% of organizations currently have
stolen cloud credentials for sale on
the Dark Web
https://www.mcafee.com/blogs/enterprise/cloud-security/5-key-
findings-from-2019-cloud-adoption-and-risk-report/
According to the McAfee (2019) Cloud Adoption and Risk
Report:
17
https://www.mcafee.com/blogs/enterprise/cloud-security/5-key-
findings-from-2019-cloud-adoption-and-risk-report/

Poor cloud security continues to be a major cause data breaches
(Privacy
18
Poor cloud security continues to be a major cause data breaches
(Privacy
19
Cloud Security
Fundamentals
20
Cloud Security Fundamentals
What is AWS Security? – Amazon Web Services
21
Source: Amazon Web Services – What is AWS Security? –
https://www.youtube.com/watch?v=_2HFqANE4gw
https://www.youtube.com/watch?v=_2HFqANE4gw

Cloud Security Fundamentals (contd.)
AWS cloud architecture for web application hosting:
22
Source: AWS – Web Application Hosting in the AWS Cloud –
https://docs.aws.amazon.com/whitepapers/latest/web-
application-hosting-best-
practices/web-application-hosting-best-practices.pdf
https://docs.aws.amazon.com/whitepapers/latest/web-
application-hosting-best-practices/web-application-hosting-
best-practices.pdf
AWS cloud security includes:
◦ Infrastructure security
◦ AWS WAF defends against XSS, SQL injection, & DDoS
◦ AWS Shield provides DDoS mitigation technologies available
for layer 3, 4, and 7 protection
◦ Amazon VPC offers built-in network firewalls
◦ Inventory and configuration management
◦ Deployment tools offered
◦ Inventory and configuration management tools available
◦ Template tools exist to create standard, preconfigured,
hardened VMs for EC2 instances
23
https://aws.amazon.com/waf/

https://aws.amazon.com/shield/
https://aws.amazon.com/vpc/
◦ Data encryption
◦ At rest built into EBS, S3, RDS, and most other services
◦ AWS Key Management Service available
◦ AWS CloudHSM for secure key storage
◦ Identity and access control
◦ AWS IAM allows account and permission management
◦ AWS MFA available for privileged accounts
◦ AWS SSO allows central management of SSO access
24
https://aws.amazon.com/ebs/
https://aws.amazon.com/s3/
https://aws.amazon.com/rds/
https://aws.amazon.com/kms/
https://aws.amazon.com/cloudhsm/
https://aws.amazon.com/iam/
https://aws.amazon.com/iam/features/mfa/
https://aws.amazon.com/single-sign-on/
◦ Monitoring and logging
◦ AWS CloudTrail can monitor AWS deployments including
API call history
◦ Amazon CloudWatch provides a reliable, scalable, and

flexible monitoring solution
◦ Amazon GuardDuty available for intelligent threat detection
and notification
◦ AWS Nitro System
25
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/cloudwatch/
https://aws.amazon.com/guardduty/
https://aws.amazon.com/ec2/nitro/
Cloud Security
Issues
26
Cloud Security Issues
Specific cloud security issues include the following:
◦ Lack of visibility
◦ Multitenancy
◦ Access management and shadow IT
◦ Access control may be more challenging in cloud
environments
◦ Compliance
◦ Accountability for data privacy and security still rests with the
enterprise
◦ Misconfigurations
◦ Accounted for 86% of breached records in 2019

27
Source: IBM – What is Cloud Security? –
Cloud Security Issues (contd.)
Specific cloud security issues include the following:
28
Source: Accenture – State of Cybersecurity Resilience 2021 –
State-Of-
Cybersecurity-2021.pdf
• More than 66% of workloads will shift
to the cloud
• 32% of organizations
• will move more than 75% into the cloud
• say security is not part of the cloud
discussion to begin with
• say poor governance and compliance
practices are an issue
• say cloud security is too complex
• do not have the skills needed
State-Of-Cybersecurity-2021.pdf

OWASP Top 10–A6:2017 – Security Misconfiguration
29
Common cloud security vulnerabilities:
30
OWASP Cloud-Native Application Security Top 10:
31
Source: OWASP Foundation – OWASP CNAS Top 10 –

https://www.youtube.com/watch?v=BG4Kn6dcGtI
https://www.youtube.com/watch?v=BG4Kn6dcGtI
OWASP Cloud-Native Application Security Top 10:
1. Insecure cloud, container or orchestration configuration
2. Injection flaws
3. Improper authentication & authorizatio n
4. CI/CD pipeline & software supply chain flaws
5. Insecure secrets storage
6. Over-permissive or insecure network policies
7. Using components with known vulnerabilities
8. Improper assets management
9. Inadequate compute resource quota limits
10. Ineffective logging & monitoring
32
https://owasp.org/www-project-cloud-native-application-
security-top-10/
Cloud Security
Attacks
33
Cloud Security Attacks
Most common cloud security attacks:
34

Cross-Site Scripting
(XSS)
A type of injection in which malicious scripts are injected into
otherwise benign and trusted websites
SQL Injection An untrusted source uses an application’s user
input features
to enter data that is used to dynamically construct a SQL
query to read sensitive database data
DDoS The attacker floods the server with so many requests
from
compromised computers that act as a part of a larger botnet
that the server can no longer fulfill requests from legitimate
users
Human Error Accidents, weak passwords, password sharing, and
other
unwise or uninformed user behaviors
https://owasp.org/www-community/attacks/xss/
https://owasp.org/www-community/attacks/SQL_Injection
Cloud Security Attacks (contd.)
Most common cloud security attacks (continued):
35
Ransomware The attacker encrypts and locks the victim’s data

and then
demands a ransom to unlock and decrypt the data.
Ransomware operators abused cloud infrastructure and
introduced new encryption techniques to better evade
detection (Accenture, 2021).
Malware Software written specifically to exploit vulnerabilities.
Cloud-
related malware has evolved faster than more traditional
malware (Accenture, 2021).
Server-Side Request
Forgery (SSRF)
The attacker can abuse functionality on the server to read or
update internal resources
http://owasp-stl.org/guides/owasp_ransomware.pdf
community/attacks/Server_Side_Request_Forgery
Cloud Security Attacks (contd.)
What is an SSRF Attack? – Professor Messer
36
Source: Professor Messer – Request Forgeries – SY0-601
CompTIA Security+: 1.3 –
https://www.youtube.com/watch?v=fmtqMzP7aXI
https://www.youtube.com/watch?v=fmtqMzP7aXI

Cloud Security
Best Practices
37
Cloud Security Best Practices
Best practices for cloud security include :
◦ Implementing a strong identity foundation
◦ Enabling traceability
◦ Applying security at all layers
◦ Automating security best practices
◦ Protecting data in transit and at rest
◦ Keeping people away from data
◦ Preparing for security events
38
Source: AWS – Well-Architected Framework –
https://docs.aws.amazon.com/wellarchitected/latest/security-
pillar/wellarchitected-security-
pillar.pdf
https://docs.aws.amazon.com/wellarchitected/latest/security-
pillar/wellarchitected-security-pillar.pdf
Cloud Security Best Practices (contd.)
Best practices for cloud security include :
◦ Implementing a cloud-based secure web gateway (SWG) so
corporate devices are

protected against web-based threats without routing through
VPN
◦ Protecting data with a cloud access security broker (CASB)
◦ Setting CASB policy to include device checks, data controls,
and protection for SaaS
accounts
◦ Implementing MFA to reduce the risk of stolen credentials
being used to access
accounts
◦ Letting employees use their personal devices to access SaaS
applications for
productivity with conditional access to sensitive data
39
Source: McAfee – Cloud Adoption and Risk Report –
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-
cloud-adoption-and-risk-
report-work-from-home-edition.pdf
https://www.mcafee.com/blogs/enterprise/cloud-security/what-
to-expect-from-the-next-generation-of-secure-web-gateways/
https://www.gartner.com/en/information-
technology/glossary/cloud-access-security-brokers-casbs
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-
cloud-adoption-and-risk-report-work-from-home-edition.pdf
Best practices for cloud security include (continued):
◦ Taking a risk-based view
◦ Understanding the shared responsibility model

◦ Driving a collaborative culture between application, IT/ops,
and
security teams
◦ Considering security as a forethought and not an afterthought
◦ Monitoring continuously for security and compliance
◦ Planning proactively for cybersecurity events
40
Source: IBM – Cloud Security White Paper –
https://www.ibm.com/cloud/architecture/files/ibm-cloud-
security-white-paper.pdf
https://www.ibm.com/cloud/architecture/files/ibm-cloud-
security-white-paper.pdf
Use the following cloud security best practices to protect
against security misconfiguration:
41
Recap
Cloud security issues are among the OWASP Top 10 list of web

application security risks
This is due to issues in cloud security such as misconfiguration,
lack of
visibility, multitenancy, identity and access management,
compliance,
monitoring and logging, etc.
Hackers are able to exploit the weaknesses using attacks such as
XSS, SQL
injection, DDoS, human error, ransomware, malware, SSRF, etc.
Cloud security best practices include understanding the shared
responsibility model, using strong IAM policies, implementing
MFA, using
CASBs, using SWGs, encrypting data in transit and at rest,
enabling
traceability, preparing proactively for security events, etc.
42
Thank you!!!
43
1 Database Security - Issues and Best Practices2
BrowserSecurity-IssuesandBestPractices3 ServerSecurity-
IssuesandBestPractices4 CodeSecurity-IssuesandBestPractices5
CloudSecurity-IssuesandBestPractices
Question 1: [NOTE: Answer each part of the question in
paragraph format]
a. What is Transparent Data Encryption? Why is it transparent?
What types of encryption does it support? Explain how TDE

protects against attacks by privileged OS users? (4 points)
b. Identify and explain 4 primary defenses against SQL
injection attacks. (4 points)
c. What specific encryption techniques does Amazon RDS use
for protecting databases at rest? What encryption techniques
and protocols does Amazon RDS use to protect data in flight?
(2 points)
paragraph format]
a. Explain how a reflected XSS attack is different from a
persistent XSS attack. Provide examples of attack scenarios for
each. (2 points)
b. As per the OpenCanvas Learning YouTube video, there are 6
components which come together to make a web browser work.
Pick 4 out of the 6 components and explain what each of those
components does to get the browser to function. (4 points)
c. Describe the main difference between session cookies and
persistent cookies. Describe 3 steps that we used to exploit
information contained in cookies to launch a privilege
escalation attack (based on one of the lab exercises). (4 points)

paragraph format. It is okay if your answers to this questi on
spill into the next page due to the table that I have included as a
part of the question stem for part d.]
a. Explain what server hardening means in your own words.
Which specific web application security risk in the OWASP Top
10 list from 2017 is hardening supposed to best protect against?
(2 points)
b. Explain how a replay attack works using your own words. (2
points)
c. Explain what a web application firewall is and how it is
different from a traditional network firewall. Which layer in
the 7-layer OSI architecture does each operate at? (2 points)
d. Complete the following table of cloud service models by
specifying whether the customer (C) or the service provider
(SP) is responsible for hardware, operating system,
applications, and data. From a customer perspective, which of
the 3 cloud service models is most secure (theoretically)? (4
points)
Cloud Service Model
Hardware
Operating System
Applications
Data
SaaS
PaaS

IaaS
paragraph format. It is okay if your answers to this question
spill into the next page due to the screen capture that I have
included as a part of the question stem for part c.]
a. Describe two main differences between Java and JavaScript.
(2 points)
b. Explain what an XML external entity is in your own words.
Provide an example of XML code that uses an external entity.
Explain how an XML external entities injection attack can be
used to display the contents of the /etc/passwd file. (4 points)
c. Describe what flaw debt is in your own words. Provide 3
main takeaways from the chart provided below. (4 points)

Database Security – Issues and Best PracticesOutline

More Related Content

Similar to Database Security – Issues and Best PracticesOutline(20)

More from OllieShoresna(20)

Recently uploaded(20)

Database Security – Issues and Best PracticesOutline