Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.001 ■ Spring 2023 ■ David Lanter

My question to discuss with my classmates

March 22, 2023 by David Lanter 41 Comments

Filed Under: 10 - Application Security

Comments

  1. Jill Brummer says

    March 23, 2023 at 8:47 pm

    What do you think is one of the most important controls of the Top 10 OWASP 2021 controls? Why?

    • Chinenye Marylyn Akinola says

      March 24, 2023 at 8:46 am

      Define security requirements is the most important control and this is because for an application, security requirements lay the groundwork for tested security functionality. Standard security requirements enable developers to reuse the definition of security controls and best practices rather than having to develop a unique security strategy for every application. The same thoroughly examined security criteria offer remedies for previous security problems. To avoid the recurrence of previous security errors, requirements are necessary.

    • Frank Kofi Kpotivi says

      March 25, 2023 at 11:32 am

      One of the most important controls is “Injection” prevention.

      Injection attacks are one of the most common and devastating types of attacks that can occur in web applications. They occur when untrusted user input is interpreted as code by a web application, allowing an attacker to execute malicious commands on the server-side or to manipulate the database. Injection attacks can result in data loss, data corruption, unauthorized access, or even complete system compromise.

      Preventing injection attacks is critical to the security of web applications, and implementing secure coding practices such as input validation, parameterized queries, and escaping untrusted data can go a long way in mitigating this threat. Without proper controls in place, injection attacks can easily bypass other security measures and compromise the entire application.

      Therefore, protecting against injection attacks is critical to ensuring the security and integrity of web applications, making it one of the most important controls among the OWASP Top 10 2021.

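Added example (not part of the comment above): the injection mechanism and the parameterized-query and input-validation mitigations it names, shown side by side with Python's built-in sqlite3 module. The table, rows, function names and hostile input are constructed for illustration.

```python
import re
import sqlite3

# Constructed hostile input: closes the quoted string and appends an always-true clause.
HOSTILE = "' OR '1'='1"

def make_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "student"), ("carol", "student")])
    return db

def lookup_concatenated(db, name):
    """Vulnerable: the input becomes part of the SQL text the engine parses."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    """Hardened: the ? placeholder binds the input as data, never as syntax."""
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (name,)).fetchall()

def is_valid_name(name):
    """Allow-list validation as a second layer in front of the query."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        print(label, "benign :", fn(db, "bob"))
        print(label, "hostile:", fn(db, HOSTILE))
    print("validation accepts hostile input:", is_valid_name(HOSTILE))
```

The concatenated lookup returns every row for the hostile input, while the parameterized lookup treats the same string as a literal name and returns nothing.
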
  2. Chinenye Marylyn Akinola says

    March 24, 2023 at 8:50 am

    Looking at this week’s reading on OWASP Top 10, which would you say is the most common web application security risk?

    • Aayush Mittal says

      March 24, 2023 at 2:56 pm

      The current OWASP Top 10 suggests “Broken Access Control” to be the most common web application security risk. However, as per my experience with vulnerability reports for internet-facing applications, I would suggest “Injection” to be the most common security risk. If you analyze the OWASP TOP 10 2017 with 2021, “XSS” climbed from A07 to A03 and “SQL Injection” security risk remained high which only dropped from A01 to A03.

    • Jill Brummer says

      March 25, 2023 at 12:32 pm

      The most common web application security risk from OWASP Top 10 would be injection flaws, which occur when untrusted/invalid data is sent to a code interpreter by the attackers.

    • Asha Kunchakarra says

      March 28, 2023 at 10:43 am

      I think the most common is Broken Authentication. Based off the numerous case studies we have read in class, this seems to be one of the most common ways for an attack to occur.

  3. Aayush Mittal says

    March 24, 2023 at 2:50 pm

    Do you think application-level authentication is superior to operating system authentication? Why?

    • Frank Kofi Kpotivi says

      March 25, 2023 at 12:25 pm

      The choice between application-level authentication and operating system authentication depends on the specific use case and security requirements of the system in question.

      Operating system authentication is a form of authentication that is provided by the underlying operating system. It typically involves the use of usernames and passwords or other authentication methods to verify the identity of users before granting access to the system. Operating system authentication is typically more robust and secure than application-level authentication, as it is often based on industry-standard authentication protocols and is implemented at the system level.

      On the other hand, application-level authentication is authentication that is implemented at the application level. This means that the authentication mechanisms are built into the application itself, rather than being provided by the underlying operating system. Application-level authentication is often used in web applications, where users are required to enter a username and password to access the application.

      The choice between these two forms of authentication depends on the specific needs of the system in question. If the system needs to enforce strong authentication requirements, such as multifactor authentication, or if it needs to integrate with external authentication systems, then operating system authentication may be the better option. However, if the system needs to provide user-friendly and seamless authentication, or if it needs to implement custom authentication logic, then application-level authentication may be the better option.

      In summary, the choice between application-level authentication and operating system authentication depends on the specific security requirements of the system in question, and both have their own strengths and weaknesses.

    • Jill Brummer says

      March 25, 2023 at 12:26 pm

      Yes, I think application-level authentication is superior to operating system authentication because hackers have to find an exploit and also gain access to the server.

    • David Vanaman says

      March 26, 2023 at 12:40 pm

      My experience with systems administration and application design suggests that operating system authentication is generally better than trying to do authentication inside application development. Windows and Linux have very robust authentication mechanisms and store the user data securely. That is very often not the case for one-off developer created solutions.
      Superior to both would be dedicated IAM applications that are designed and tested specifically to handle secure user access. These applications can leverage both operating system level and application level tools along with incorporating multi-factor authentication.

  4. Sunam Rijal says

    March 24, 2023 at 10:57 pm

    What role do developers play in web application security, and how can they be empowered to develop more secure code?

    • Frank Kofi Kpotivi says

      March 25, 2023 at 12:27 pm

      Developers play a critical role in web application security. They are responsible for implementing the functionality of the application, including security measures that prevent unauthorized access, data breaches, and other security threats. Developers also need to ensure that the application is designed to handle inputs from users and external systems securely, and that sensitive data is encrypted and protected at all times.

    • Jill Brummer says

      March 25, 2023 at 12:30 pm

      The web developers are the key players in web application security. They are the ones who prevent security problems and close down web vulnerabilities once identified. The developers’ empowerment to develop more source code would depend on the organization they work for and the structure of that business.

    • Chinenye Marylyn Akinola says

      March 26, 2023 at 10:51 pm

      Application security developers focus on creating software that is designed to protect applications from security threats. They are responsible for identifying vulnerabilities in software and implementing security measures to protect against those vulnerabilities. Developers can be empowered to be the first line of defense in their organization by making security highly visible and providing them with the skills and tools to write secure code at the most efficient stage of the SDLC.

    • Aayush Mittal says

      March 27, 2023 at 5:03 pm

      Developers can be provided with web vulnerability scanners, such as Netsparker and Acunetix, as well as source code analyzers, such as Veracode and CodeSonar, to empower them to develop more secure code. Moreover, developers can be asked to take mandatory application security training.

  5. Pranavi Yadalam Sekhar says

    March 25, 2023 at 7:28 pm

    What is extrusion prevention?

    • David Vanaman says

      March 26, 2023 at 12:42 pm

      Extrusion detection and prevention revolves around preventing an infected system from spreading or gaining access to other systems. This will help to limit the damage that can occur in the event of malware or security breach.

    • Sunam Rijal says

      March 28, 2023 at 1:47 pm

      Extrusion prevention refers to techniques and technologies used to prevent the unauthorized disclosure or exfiltration of sensitive or confidential data outside of an organization’s authorized boundaries. It typically involves the use of specialized software or hardware tools that monitor network traffic and data transmissions to detect and block attempts to transfer sensitive data outside of an organization’s network. Examples of extrusion prevention techniques include firewalls, intrusion detection and prevention systems (IDPS), and data loss prevention (DLP) systems.

  6. David Vanaman says

    March 26, 2023 at 12:43 pm

    Compare the OWASP Top 10 with the OWASP ASVS Program. Why are they different and when would you use each in a web application development lifecycle?

  7. Shepherd Shenjere says

    March 26, 2023 at 1:34 pm

    Why must you know a server’s role to know how to protect it?

    • Mengqi Xiong says

      March 26, 2023 at 9:57 pm

      Hi Shepherd,

      I think the reason why we need to figure out the role of the server in order to protect it is that different servers perform different functions, which present different vulnerabilities that can be exploited by attackers. For example, a web server hosting a public website may be more vulnerable to attacks such as cross-site scripting (XSS) or SQL injection, while an email server may be more vulnerable to attacks such as phishing or spear phishing.

  8. Shadrack Owusu says

    March 26, 2023 at 6:31 pm

    What does RTP add to compensate for the limitations of UDP?

    • Sunam Rijal says

      March 28, 2023 at 1:50 pm

      RTP adds several features to UDP including:
      1. sequencing number: allows the receiver to detect and discard duplicate packets and reorder out-of-order packets
      2. timestamp: allows the receiver to sync the audio/video stream with the presentation time
      3. error detection and recovery: RTP can use forward error correction and retransmission mechanisms to recover lost or damaged packets.

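Added example (not part of the reply above): how a receiver uses the sequence number and timestamp fields of the 12-byte fixed RTP header (RFC 3550) to drop duplicates, restore order, spot loss and schedule playout. The 8 kHz clock, SSRC value, payloads and arrival order are constructed assumptions; header extensions and sequence wraparound are not handled.

```python
import struct

CLOCK_HZ = 8000  # assumed: 8 kHz audio clock, 160 timestamp ticks per 20 ms frame

def build_rtp(seq, timestamp, payload=b"", ssrc=0x1234ABCD, payload_type=0):
    """Pack the 12-byte fixed RTP header (RFC 3550) in front of a payload."""
    first = 2 << 6                      # version 2, no padding/extension/CSRCs
    return struct.pack("!BBHII", first, payload_type & 0x7F,
                       seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(packet):
    """Return the header fields a receiver needs; reject malformed input."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = 12 + 4 * (first & 0x0F)    # skip any CSRC identifiers
    if len(packet) < header_len:
        raise ValueError("truncated CSRC list")
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc,
            "payload": packet[header_len:]}

def reassemble(packets):
    """Drop duplicates and restore sending order by sequence number."""
    by_seq = {}
    for raw in packets:
        pkt = parse_rtp(raw)
        by_seq.setdefault(pkt["seq"], pkt)  # first copy wins, later copies dropped
    return [by_seq[s] for s in sorted(by_seq)]

def missing_sequences(ordered):
    """Sequence numbers absent between the first and last packet received."""
    have = {p["seq"] for p in ordered}
    return [s for s in range(ordered[0]["seq"], ordered[-1]["seq"])
            if s not in have]

def playout_ms(ordered):
    """Playout offset of each packet relative to the first, from the timestamp."""
    base = ordered[0]["timestamp"]
    return [(p["timestamp"] - base) * 1000 // CLOCK_HZ for p in ordered]

# Constructed arrival order: 102 overtakes 101, 102 is duplicated, 103 is lost.
ARRIVALS = [build_rtp(s, (s - 100) * 160, b"frame%d" % s)
            for s in (100, 102, 101, 102, 104)]

if __name__ == "__main__":
    ordered = reassemble(ARRIVALS)
    print([p["seq"] for p in ordered], missing_sequences(ordered), playout_ms(ordered))
```
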
  9. Nicholas Foster says

    March 26, 2023 at 8:02 pm

    What are some common points of ingress/egress that you would need to take into consideration when evaluating a threat surface of an application?

    • Nishant Shah says

      March 26, 2023 at 9:53 pm

      Hi Nick! Some points I would consider for evaluating the threat surface of an application are connectivity (internal/external facing), insecure default sockets, error message display, improper access configurations and vulnerable libraries.

  10. Nishant Shah says

    March 26, 2023 at 9:44 pm

    From security perspective, would you recommend using custom applications or off-the-shelf applications? What are your reasons?

    • Aayush Mittal says

      March 27, 2023 at 5:09 pm

      I think, due to its higher market visibility, an off-the-shelf application has higher security risks than a custom application. Potential hackers have relatively higher access to the software and will try to attack it. The risk is relatively lower in the case of custom development as lower visibility translates to a reduced probability of cyberattacks.

      • Wei Zhang says

        March 28, 2023 at 12:30 am

        Hey Aayush,
        I agree with you. Inevitably, however, a custom application may have unexpected vulnerabilities due to programmer negligence or other reasons, which increases unknown risks and the organization does not realize where to remedy them. So I think there are pros and cons to both custom and off-the-shelf applications, depending on how much risk the organization is willing to take.

    • Nicholas Foster says

      March 28, 2023 at 7:40 pm

      Hi Nishant,

      This is a great question. There are a couple prerequisite questions such as how much time you have, how much money you’re willing to spend, what do you need from the app, etc. If you’re solely judging based on a security perspective, I would agree that in-house apps, especially if the app is not web connected would be best. When you expose this app to the web, things become a bit muddier in that it heavily depends on how well your organization can manage the application.

  11. Mengqi Xiong says

    March 26, 2023 at 9:50 pm

    What are some IT security control strategies that web applications could implement to protect against attacks (such as Spam, Phishing, SQL injection, cross-site scripting (XSS), etc.)?

    • Shadrack Owusu says

      March 26, 2023 at 11:24 pm

      Some IT security control strategies for a SQL injection for instance involve
      a) Restricting database code.
      b) Monitoring application and database inputs and communications.
      c) Restricting database access and
      d) Maintaining applications and databases through patching.

  12. Parmita Patel says

    March 26, 2023 at 10:59 pm

    What would be a better way to track browser attacks or make them more secure?

    • Shadrack Owusu says

      March 26, 2023 at 11:17 pm

      A better way to track browser attacks or make them more secure will be to install an anti-spyware package. I believe in keeping your operating system, apps, and browser up-to-date as well as using virtualization will provide more security.

  13. Wei Zhang says

    March 26, 2023 at 11:11 pm

    Do you think application security is more complex than the host hardening mentioned in the previous chapter?

    • Nicholas Foster says

      March 28, 2023 at 7:44 pm

      Hi Wei,

      This is an interesting question as you mention host. What kind of host are you referring to? If, for example, we’re comparing an entire OS or VM to a singular app, then I would say the OS/VM is more difficult as there are far more moving pieces. However, the more apps you add to the mix, the shorter the gap between difficulty becomes. Eventually, if you have enough apps, they will trump in difficulty a VM and even an OS.

  14. Abayomi Aiyedebinu says

    March 26, 2023 at 11:26 pm

    How frequently should application server and web server be patched?

    • Sunam Rijal says

      March 28, 2023 at 1:52 pm

      It basically depends on several factors, including the severity of vulnerabilities, the risk of exploitation, and the organization’s risk tolerance. However, application servers and web servers should be patched as soon as security updates become available.

  15. Asha Kunchakarra says

    March 28, 2023 at 10:31 am

    Out of the OWASP top 10 application risks, which one do you believe has the most effect on CIA?

  16. Samuel Omotosho says

    March 28, 2023 at 5:18 pm

    Which of the following web application security risks is the most common, according to our reading this week on the OWASP Top 10?

    • Nicholas Foster says

      March 28, 2023 at 7:46 pm

      Hi Samuel,

      According to the reading, the most common web application security risk as of 2021 was Broken Access Control. Noting “the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category.”

Fox School of Business
