Andrew Young says
Chapter 8 of Boyle and Panko’s book covers the topic of application security. The chapter discusses various systems, including web-based, phone-based, and local applications, and the risks associated with them as well as controls to secure them. Systems such as web apps, e-commerce systems, VoIP services, and local apps are all vulnerable to attacks from bad actors and all may have variable vulnerabilities. What I found intriguing about this chapter was how much it overlaps and flows with our previous material. Learning that application systems are vulnerable to buffer overflow attacks, similar to those discussed in the DoS chapter, or that proper application and OS patching must be used gave me a wider view of how all of our learning objectives are coming together to help us form a clear idea of how security architecture works. Being able to see how our different units interact overall is extremely useful and will hopefully allow us to become better IT specialists.
Ikenna Alajemba says
Hey Andrew.
I agree with you here, chapter 8 explained application security, covering web-based, phone-based, and local applications, along with associated risks and security controls. It highlights vulnerabilities in systems like web apps, e-commerce platforms, VoIP services, and local apps, stressing the importance of measures like patching for OS and applications. This integration of concepts from various chapters offers a holistic understanding of security architecture, aiding in the development of comprehensive defense strategies.
Jeffrey Sullivan
MIS 5214
Week 10
Temple University
Application hardening is essential to having an operational network and to be able to make sure not just the physical environment is protected but the application itself. There were several topics that this week’s chapter covered and did overlap with other chapters as well. What stood out to me the most is the SQL injection. As I read through this section of the chapter, it makes me wonder if I really should start learning programming languages as I think that wouldn’t hurt at all.
Using the SELECT clause, as that is one of the most common SQL statements, you can see on pg. 384 how it is identified and how SQL statements that have values such as usernames and passwords are passed. These values are then sent to a web server and web application, called middleware, and eventually passed to the database. The reason that this all stuck out to me the most is how our network diagram in the group project is laid out, with certain machines, etc., on a network, and it got me thinking about how I can set ours up as well. As you can see on this page, the middleware servers are the first machine in line to the client. They accept values passed from users and format the SQL statements. Now SQL injection comes in, where a malformed input is sent that can alter the statement created by the web application. It then goes down to the database and the subsequent results are sent directly back to the user. So what I gleaned from that is that all you would have to do is inject the latter statement that is created by the web application, which would then in return get sent back to you with information such as login information, which could then get you access to the network, as these SQL statements require users to enter a username and password. Once they are inputted on the statement, it gets passed to the web application and checked against values in the database. There are also several other attack methods using SQL injection. Some of these methods include out-of-band and blind SQL injection. As I read through the various ways that attackers use SQL injections, it also shows how developers can minimize the threat of a SQL injection attack by using parameterized queries with bound parameters and sanitizing input. Sanitizing input involves removing all characters that may be used in the SQL injection but may lead to problems, as these characters are often used as input.
Overall, I feel that this chapter gives a good amount of knowledge to be able to start to understand the diagram in our presentations.
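The flow Jeff describes, middleware pasting user values into a SELECT and sending the result back, set beside the bound-parameter version the post recommends, as an added example (not code from the textbook or from anyone in this thread). It uses Python's sqlite3 module with a constructed in-memory users table; the usernames, passwords and the crafted password value are all made up for the demonstration, and the naive sanitize() helper is an assumption about what "removing all characters that may be used in SQL injection" looks like in practice.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the users table behind a login form
    (sample rows, not from the textbook). Real systems store password hashes,
    not plaintext; plaintext is used here only to keep the query readable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pa55")])
    return conn


def login_vulnerable(conn, username, password):
    """Middleware that builds the statement by pasting user values into SQL text.
    Whatever the user types becomes part of the statement, so a crafted value can
    change its logic, and an ordinary apostrophe in a name simply breaks it."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The same query with bound parameters: the statement text is fixed and the
    driver hands the values to the database only as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def sanitize(value):
    """Naive input sanitizing (assumed form): strip characters commonly used in
    SQL injection. It also damages legitimate input that contains them."""
    return "".join(ch for ch in value if ch not in "'\";-")


def demo():
    """Run every case once and return the results keyed by scenario."""
    conn = build_db()
    crafted = "' OR 1=1 --"   # constructed injection-style value for the password field
    try:
        apostrophe_vuln = login_vulnerable(conn, "o'brien", "pa55")
    except sqlite3.Error as exc:   # the unbalanced quote makes the statement invalid
        apostrophe_vuln = "error: " + str(exc)
    return {
        "normal_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "normal_param": login_parameterized(conn, "alice", "s3cret"),
        "crafted_vuln": login_vulnerable(conn, "alice", crafted),
        "crafted_param": login_parameterized(conn, "alice", crafted),
        "apostrophe_vuln": apostrophe_vuln,
        "apostrophe_param": login_parameterized(conn, "o'brien", "pa55"),
        "apostrophe_sanitized": login_parameterized(conn, sanitize("o'brien"), "pa55"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints each case: the concatenated query returns every row for the crafted value and fails outright on a legitimate name containing an apostrophe, the bound-parameter query returns nothing for the crafted value and handles the apostrophe correctly, and stripping the apostrophe locks the legitimate user out, which is the downside of sanitizing that the post mentions.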
Chidi Okafor says
Jeff, you did a good job in stating that the significance of application hardening is not just for securing the physical environment but also for the applications themselves. It underscores that application hardening is essential for maintaining an operational network. This point highlights the critical role that secure applications play in overall network security and resilience. SQL injection has always been a security concern in the context of web applications. It underscores the potential vulnerabilities that exist within applications, particularly those handling user inputs.
To your question about learning a programming language, go for it.
Ikenna Alajemba says
This chapter delved into the intricacies of application hardening, beginning with general principles such as understanding the server’s threat environment, physical security, backup, OS hardening, application minimization, secure configurations, patch installations, permission minimization, application layer security, cryptographic systems implementation, and custom application security. It then turned our attention to web and e-commerce security, focusing on buffer overflows, SQL injection, and traversal attacks, alongside the necessity for vulnerability assessment tools, log readings, and separate production and testing environments.
Boyle and Panko chapter 8 also examined browser-specific attacks, highlighting potential threats from mobile code, ActiveX, JavaScript, cookies, and malicious links. The chapter further explored email and VoIP vulnerabilities, underscoring the importance of protective measures such as spam filtering, email encryption, and extrusion prevention tools, given the potential risks of active content transfer, DoS attacks, impersonation, malware, toll fraud, spam, and eavesdropping. The chapter concluded with an overview of two types of instant messaging servers – presence and relay – and the potential misuse of TCP/IP supervisory protocols.
Alex Ruiz says
Ikenna, your summary highlights the comprehensive approach necessary for application security, covering everything from server environment understanding to specific vulnerabilities like buffer overflows and SQL injection. It’s important to maintain vigilance not only at the application layer but also regarding browser-specific threats, email, and VoIP vulnerabilities. As we study further into application security, have you encountered any particularly challenging scenarios or threats that you believe require further attention and investigation?
Alex Ruiz says
The most important point of this chapter is as simple as it was written: NEVER TRUST USER INPUT. Whether it be possibly malicious or just unaware users, their input can never be trusted, as they can and will test the bounds of programming; whether it be intentionally stupid inputs or high-level attempts at breaking your code, any and all things will be inputted. SQL injection is one of the biggest threats with one of the most relatively simple solutions of sanitizing inputs. Other similar attacks such as XSS and AJAX attacks are harder to manage but still involve anticipating wrong or malicious user input. I find these attacks the most interesting out of this chapter as they can usually be quick to break systems and get access to sensitive information.
Hi Alex,
Yes! The chapter’s crucial message is clear: **always be wary of user input**. It may be harmful or simply erroneous, but either way, it can challenge the limits of your program. SQL injection stands out as a significant threat, yet it has a straightforward fix—cleanse the inputs. Other attacks like XSS and AJAX, as you mentioned, are more complex to handle but also revolve around the anticipation of incorrect or harmful input. These types of attacks are particularly notable for their ability to swiftly compromise systems and access confidential data.
Love that you pointed out to never trust user input. Sanitization was something new to me and is starting to make sense, as it all starts at the root with the developers and continues up as teams make inputs into the system along the way. SQL injection was one topic that stood out to me as well and reinforces the need to sanitize data and keep education on the forefront, even for the developers. Your points on XSS and AJAX made me go back and look in more detail at those types of attacks.
Good point, Alex. I’ve found both in my career and also the curriculum of this program that unfortunately, the most unpredictable factor in IT security tends to be user activity. Being able to harden and secure apps from a security standpoint is all well and good, but user interaction is still one of, if not the, most unpredictable factors when creating a secure system. This is why security awareness training and information for users is so important.
I am in total agreement with never trusting the user, and this makes sense. With all of the security incidents we have studied, the crux of most of these issues starts with the end user. They are supposed to be the first line of defense, but unfortunately uninformed and untrained users are the biggest threat to your security posture.
Hi Alex, I like how you point out that the emphasis on never trusting user input is a fundamental security principle that cannot be overstated. It underscores the unpredictability of user behavior and the critical need for defensive programming. The mention of SQL injection as a prime example highlights its prevalence and the straightforward nature of its mitigation through input sanitization. Moreover, the exploration of XSS and AJAX attacks adds depth to the discussion, illustrating the broader spectrum of threats posed by unvalidated input. These examples not only serve as a reminder of the potential for rapid system compromise but also stress the importance of comprehensive input validation strategies to protect sensitive information.
Boyle and Panko Chapter 8 Application Security provides a comprehensive overview of the various aspects and challenges associated with securing applications. The author emphasizes the importance of implementing robust security measures throughout the development lifecycle to mitigate vulnerabilities and protect against potential threats. Developers should incorporate security in the development process and never trust the user’s input. User input should always be sanitized and should only be used as data and not part of the SQL statement, to prevent attacks such as SQL injection. The chapter highlights the significance of controlling deployment, which talks about three types of servers firms should have: a development server for application development, and a testing server for vulnerability assessment before the applications are released to the production environment, with access to the servers restricted according to respective roles.
In addition to web application security, the chapter delved into email security and VoIP security. Attackers use email to spread malicious code and spam emails. Spam attacks are evolving and make it challenging for firms to defend against them. Firms must use defense in depth to protect against these attacks. When I thought of application security I overlooked VoIP. It was very informative to read about different VoIP vulnerabilities and understand how they can be exploited by attackers.
Similar to host hardening, the chapter emphasizes the importance of application hardening, which encompasses practices such as installing patches and updates, minimizing permissions and services, implementing application-layer authentication, authorization, auditing, and implementing cryptographic systems to strengthen application security.
I never really knew but am now starting to understand that it all starts at the root in CS. I’m currently in a software lifecycle security class as I’m on the audit end, and just like how the author here points out the security measures needed at the beginning and along the way of a project, it is so important on the developers’ end to uphold security education as well. The sanitization of data input and SQL injections were also topics that stood out to me and are starting to make sense. VoIP security was very interesting to me as I sell VoIP systems at Comcast but do not get to see the backend systems and security measures Comcast puts in place. Hopefully one day I do.
Good job, Mariam. You underscored the implementation of robust security measures throughout the development lifecycle of applications. Security should be part of the code base, not bolted onto it. By prioritizing security from the outset, developers can build applications that are more resilient to cyber threats.
Chapter 8 of Boyle and Panko’s work on Application Security emphasizes the importance of protecting software applications from threats and vulnerabilities throughout their lifecycle. Key takeaways for me include:
Email Security: Many companies filter emails for dangerous or inappropriate content, as email attachments can harbor viruses, worms, and other malicious code. Spam, which constitutes a significant portion of all internet mail traffic, can slow down computers and annoy users. To combat this, filters should be applied at various points, including user PCs.
Buffer Overflows: Attackers can exploit applications by sending more data than the application expects, known as buffer overflows. This can lead to overwritten data in RAM and the execution of malicious commands. Stack overflow, a common form of buffer overflow attack, involves sending malicious commands to overwrite the return address in the RAM stack of an insecure program.
SQL Injections: A top security concern for web applications is SQL injection, where attackers input database commands into text fields to manipulate or damage data.
These points highlight the need for robust security measures in application development and maintenance to protect against various cyber threats.
Nice summary on the topics. SQL injection was also one of the topics that stood out to me. I went as far in my summary to think about starting to learn some type of programming language just to familiarize myself with it. I have done HTML sites in the past, but I know in the past twenty years a lot has changed in the programming world. You also point out email security, which is a big one at my company, as there are weekly test spam emails that go out and there is always someone that clicks on it. Now when that happens it takes you right to a training video on cybersecurity, which is great as they are creating awareness and training all by sending out test emails.
Chapter 8 explores application hardening, focusing on server roles, threat environment, physical security, backup procedures, and operating system hardening. It advocates for minimal applications, configuring them securely, and maintaining up-to-date patches. Security concerns within web and e-commerce realms are explored, shedding light on vulnerabilities such as buffer overflows, SQL injection, and traversal attacks. The chapter underscores the importance of employing vulnerability assessment utilities, monitoring log files, and maintaining separate production and testing environments. Additionally, it delves into browser-specific threats, including mobile code, ActiveX, JavaScript, cookies, and deceptive links. Application vulnerabilities pertaining to email and Voice over Internet Protocol (VoIP) are discussed, stressing the implementation of safeguards like spam filters, email encryption, and measures to prevent data leakage. Furthermore, potential misuse of TCP/IP supervisory protocols for malicious ends is examined. The chapter concludes by examining the implications of instant messaging servers on corporate settings.
This chapter emphasizes the significance of application security and hardening as a critical component of overall cybersecurity, paralleling it with the previously discussed concept of host hardening which focuses on the operating system. Application hardening is highlighted as more labor-intensive than operating system hardening due to the multiplicity and complexity of applications running on both clients and servers, each presenting challenges akin to those of securing an entire operating system. It discusses the heightened risk associated with applications, particularly noting that attackers, upon compromising an application, can execute commands with the same privileges as the application itself. This is especially concerning for applications running with root or superuser privileges, as it potentially grants attackers complete control over a host. The ease with which attackers can exploit applications with a single message is contrasted with the more challenging task of conducting attacks on operating systems, underscoring the shift towards application exploits as the preferred method of attack in contemporary cybersecurity threats.
Chapter 8 starts off with a review of the previous chapter, briefly talking about host hardening, which is securing your operating system. The chapter then brings up the importance of hardening the application systems that are run on a host. Clients and servers run a multitude of applications, which is why application security requires more work than operating system security. When a hacker now has control of an application, they can run commands that could give absolute control to whomever the hacker deems appropriate. These types of attacks are much easier to execute than operating system attacks, as they only need a single message to gain root privileges. As the text mentions, taking over applications is the dominant vector, which can in turn give you access to the operating system.
The item that I want to focus on is email security. This is one of the most common means of attack that hackers use to conduct their nefarious activities. The use of content filtering scans incoming and outgoing messages for unsafe and unsuitable content. This not only protects your systems but can also save a company from potential lawsuits. Also, filtering can be done to prevent the sending of PII, as well as what is called “extrusion prevention,” which can prevent employees from sending intellectual property. Although client-based filtering is most common, it has proven not to be as thorough. This calls for the end-user to maintain the updates and sometimes subscriptions for the service, which does not always happen. This is why filtering at the corporate e-mail server is needed to increase defense-in-depth practices.
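A server-side extrusion filter of the kind Erskine describes, written as an added example in Python (not from the textbook or from anyone in this thread). It scans outbound messages for PII (SSN and card-number patterns) and for intellectual-property markers before the corporate mail server releases them, so it does not depend on the end user keeping client software updated. The patterns, the marker phrases and the two sample messages are constructed for the example; a real deployment would use the organization's own rules. The Luhn check on card candidates is there so that ordinary long numbers such as order IDs are not blocked, the over-filtering problem raised elsewhere in the thread about spam filters.

```python
import re
from email import message_from_string

# Detectors for an outbound (extrusion-prevention) content filter.
# Patterns and marker phrases are constructed for this example, not a product's rules.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
IP_MARKERS = ("internal use only", "company confidential")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits in `number`. Real card numbers pass it;
    most arbitrary digit runs (order IDs, ticket numbers) do not, which keeps
    the filter from blocking harmless mail."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_outbound(raw_message: str) -> list:
    """Return (kind, value) findings for one outbound message, or [] if clean."""
    msg = message_from_string(raw_message)
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    text = " ".join(p.get_payload() for p in parts
                    if p.get_content_type() == "text/plain")
    findings = []
    for ssn in SSN_RE.findall(text):
        findings.append(("pii_ssn", ssn))
    for cand in CARD_CANDIDATE_RE.findall(text):
        if luhn_ok(cand):       # only Luhn-valid runs count as card numbers
            findings.append(("pii_card", cand.strip()))
    lowered = text.lower()
    for marker in IP_MARKERS:
        if marker in lowered:
            findings.append(("ip_marker", marker))
    return findings


def decide(raw_message: str) -> str:
    """Mail-server verdict: block on any finding, otherwise allow."""
    return "block" if scan_outbound(raw_message) else "allow"


# Constructed sample messages (addresses and contents are made up).
CLEAN_MSG = """From: sender@example.com
To: vendor@example.net
Subject: Order status

Your order 1234 5678 9012 3456 shipped today.
"""

LEAK_MSG = """From: sender@example.com
To: friend@example.org
Subject: customer list

Customer SSN 123-45-6789, card 4111 1111 1111 1111.
This file is Company Confidential.
"""

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MSG), ("leak", LEAK_MSG)):
        print(label, decide(raw), scan_outbound(raw))
```

The clean message contains a sixteen-digit order number that matches the card pattern but fails the Luhn check, so it is allowed; the second message is blocked on an SSN, a Luhn-valid card number and a confidentiality marker.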
Excellent analysis, Erskine. Email security is a crucial layer, especially with attackers targeting applications. While client-side filtering helps, server-side filtering strengthens your defenses and protects against human error in keeping client software updated.
Chapter 8 of Boyle and Panko warns about the risks of insecure web applications. Hackers can exploit vulnerabilities to steal data, disrupt services, or deface websites. Common attacks include SQL injection, which involves tricking applications into running malicious code, and cross-site scripting, where hackers inject scripts into websites to steal user data. The chapter stresses the importance of secure coding practices, such as validating user input and following the principle of least privilege, which involves giving applications only the necessary access. It also highlights the need for strong user authentication and encryption to safeguard sensitive information. By adopting these security measures, businesses can build more robust defenses and protect their applications from threats.
Your discussion about Chapter 8 of Boyle and Panko effectively highlights the significant risks associated with insecure web applications and the importance of implementing robust security measures. I completely agree with the emphasis on secure coding practices, user authentication, and encryption to mitigate potential threats.
I’m particularly interested in exploring further how businesses can effectively prioritize and implement these security measures. In your opinion, what are some common challenges businesses face when trying to adopt and enforce these practices, and what strategies can they employ to overcome these challenges effectively?
Hi Kelly,
I agree with you that it is important to secure source code to avoid SQL Injection. User privileges should be limited to what they need. Also, the user’s input should be validated and sanitized to ensure that suspicious inputs are rejected.
Reading this chapter taught me that programs frequently store information temporarily in RAM spaces known as buffers. A buffer overflow occurs when an attacker transmits more bytes of a message than the program has allotted for the buffer, causing the attacker’s information to overflow to other parts of RAM.
On the other hand, I discovered that the mechanics of vulnerabilities, exploits, patches, and workarounds are the same across operating systems and apps. Companies may use applications from dozens of application software companies. The majority of all vulnerabilities and remedies are application-related. Every organization must have a unique system for downloading and implementing patches. Companies should reduce the number of programs operating on the mainframe, because fewer apps equal fewer opportunities to take over the system.
I agree with you, Samuel; managing security across numerous applications can indeed be challenging for organizations. I think one of the best practices is leveraging automation, as this will streamline some of the security processes such as vulnerability scanning, patch management, and log analysis and ensure real-time response to threats.
Hello Samuel, I agree with what you’re saying, but it’s interesting to me because someone might say that more programs mean more layers of security, since there is added complexity. But this isn’t the case, because having a smaller number of applications means less of an opportunity for vulnerabilities. While I agree with this, I would ask whether there is a possibility that having more applications would benefit the system? These don’t necessarily have to be cyber security oriented either. Perhaps these added programs can confuse or cause an attacker to shift direction? Let’s say that there was a software that had all of the features of different programs in one. Wouldn’t those same vulnerabilities be on the all-in-one software instead of having a variety? Or if the all-in-one option doesn’t have these same vulnerabilities, couldn’t the software just patch them?
8.4 is what stuck out to me the most because email is a big part of our daily life. It’s what we get our order confirmations from, it’s how we apply for accounts online, and it’s still used as one of the main methods of communication for a work environment. The fact that shocked me the most is the section about spam. According to the reading, spam is behind 60 to 90 percent of internal mail traffic daily. This made me wonder how effective spam must actually be, because if it’s this common, then why is it that so many people don’t end up getting information compromised? The following paragraph brought forth an important message, and I think it’s the reason why there will never truly be a fix for spam. It explains that there are programs that filter spam, but what was found is that there was over-filtering, meaning that emails that may have appeared to be spam got filtered out, which would be very unideal for someone who is looking forward to an important email, only to have it get removed.
Like you mentioned, many email services offer some layer of spam filtering to remove most of the unnecessary email traffic from our personal inboxes; however, as you mentioned, this also means that legitimate emails may also be filtered out. It’s difficult to strike the right balance between filtering out the bad and keeping the good. Ultimately, many organizations take advantage of the basic system in place that flags messages that come from external email addresses outside of the corporate network.
This article discusses the importance of securing applications against cyber threats. An important point that was discussed in the chapter is the increase in the rate at which email servers are being attacked. The ability to attach files makes email servers an attack surface. It is important to have email servers always secured.
You bring up an interesting point about how email servers are being continuously attacked. Emails are one of the largest points of entry for many threat actors as emails are usually publicly available to send to, allowing threat actors to craft malicious emails with potentially malicious attachments and escalate their access once an employee runs a malicious executable. Additionally, cyber criminals may want access to an email server to further prolong their attacks by utilizing a corporate email server to push more malicious emails.
Chapter 8 of the book covers application security. Specifically, it lists the steps to secure applications, how to secure WWW services and e-commerce, describes vulnerabilities in browsers, explains securing emails, securing VoIP, and securing other user applications. One particular point of interest I wanted to explore was the process of securing VoIP.
VoIP, or voice over IP, is utilizing IP to call someone instead of a traditional public switched telephone network. In securing VoIP, you need to understand the difference between transport (talking back and forth) versus signaling (communication to manage the network). In VoIP, there are two signaling standards: H.323 (older) and IETF (newer). In IP telephony, there are SIP proxy servers that manage the process of initiating the session for VoIP. There are also gateways to reach public switched telephone networks.
Some threats do exist in VoIP since it is not a closed system, and it can be attacked through the internet and LAN access points. These threats include eavesdropping, DoS, impersonation, cyberattacks, toll fraud to place free calls through a corporate network, spam through IP telephony, and potentially newer threats. To counter these threats, good basic security helps. Authentication can be done to ensure proper connections, encryption can keep confidentiality, and firewalls, NAT specifications for VoIP NAT traversal, and separation designated for VoIP through VLANs also help.
Hi Kenneth, I agree that the focus on securing VoIP in the chapter is rightly highlighted, emphasizing the importance of differentiating transport and signaling vulnerabilities. Beyond the measures mentioned, incorporating end-to-end encryption protocols, such as SRTP, can significantly bolster voice communication security. This approach, coupled with robust authentication and network separation, provides a well-rounded defense against the multifaceted threats facing VoIP systems today.
Andrew Young says
Chapter 8 of Boyle and Panko’s book covers the topic of application security. The chapter discusses various systems, including web based, phone based, and local applications, and the risks associated with them as well as controls to secure them. Systems such as web apps, e-commerce systems, voip services, and local apps are all vulnerable to attacks from bad actors and all may have variable vulnerabilities. What I found intriguing about this chapter was how much it overlaps and flows with our previous material. Learning that application systems are vulnerable to buffer overflow attacks, similar to those discussed in the DoS chapter, or that proper application and OS patching must be used gave me a wider view of how all of our learning objectives are coming together to help us form a clear idea of how security architecture works. Being able to see how our different units interact overall is extremely useful and will hopefully allow us to become better IT specialists
Ikenna Alajemba says
Hey Andrew.
I agree with you here, chapter 8 explained application security, covering web-based, phone-based, and local applications, along with associated risks and security controls. It highlights vulnerabilities in systems like web apps, e-commerce platforms, voip services, and local apps, stressing the importance of measures like patching for OS and applications. This integration of concepts from various chapters offers a holistic understanding of security architecture, aiding in the development of comprehensive defense strategies.
Jeffrey Sullivan says
Jeffrey Sullivan
MIS 5214
Week 10
Temple University
Application hardening is essential to having an operational network and to be able to make sure not just the physical environment is protected but the application itself. There were several topics that this week’s chapter covered and did overlap with other chapters as well. What stood out to me the most is the SQL injection. As I read through this section of the chapter, it makes me wonder if I really should start learning programming languages as I think that wouldn’t hurt at all.
Using the SELECT clause as that is on the most common SQL statements you can see on pg.384 how it is identified and how passing the SQL statements that have values on such and usernames and password. These values are then sent to a web server and web application, called middleware, and eventually passed to the database. The reason that this all stuck out to me the most is how our network diagram in the group project is and how certain machines etc., are on a network and got me thinking about how I can set ours up as well. As you can see on this page the middleware servers are the first machine in line to the client. It accepts values passed from users and formatting the SQL statements. Now SQL injection comes in where it sends a malformed input that can alter the statement created by the web application. It then goes down to the database and the subsequent results are sent directly back to the user. So what I gleaned from that is that all you would have to do is inject the later statement that is created by the web application which will then in return get sent back to you that will have the information such as login information which then could get you access to the network as these SQL statements requires users to enter a username and password. Once they are inputted on the statement it gets passed to the web application and checked against values in the database. There are also several other attack methods using SQL injection that you can use. Some of these methods include, out-of-band, blind SQL injection. As I read through the various ways that attackers use SQL injections it also shows how developers can minimize the threat of a SQL injection attack by using parameterized queries with bound parameters and sanitizing input. Sanitizing input involves removing all characters that may be used in the SQL injection but may lead to problems as these characters are often used as input. 
Overall, I feel that this chapter gives a good amount of knowledge to be able to start to understand the diagram in our presentations.
Chidi Okafor says
Jeff, you did a good job in stating that the significance of application hardening is not just for securing the physical environment but also for the applications themselves. It underscores that application hardening is essential for maintaining an operational network. This point highlights the critical role that secure applications play in overall network security and resilience. SQL injection has always been a security concern in the context of web applications. It underscores the potential vulnerabilities that exist within applications, particularly those handling user inputs.
To your question about learning a programming language, go for it.
Ikenna Alajemba says
This chapter delved into the intricacies of application hardening, beginning with general principles such as understanding the server’s threat environment, physical security, backup, OS hardening, application minimization, secure configurations, patch installations, permission minimization, application layer security, cryptographic systems implementation, and custom application security. It then turned our attention to web and e-commerce security, focusing on buffer overflows, SQL injection, and transversal attacks, alongside the necessity for vulnerability assessment tools, log readings, and separate production and testing environments.
Boyle and Panko chapter 8 also examined browser-specific attacks, highlighting potential threats from mobile code, ActiveX, JavaScript, cookies, and malicious links. The chapter further explored email and VoIP vulnerabilities, underscoring the importance of protective measures such as spam filtering, email encryption, and extrusion prevention tools, given the potential risks of active content transfer, DoS attacks, impersonation, malware, toll fraud, spam, and eavesdropping. The chapter concluded with an overview of two types of instant messaging servers – presence and relay – and the potential misuse of TCP/IP supervisory protocols.
Alex Ruiz says
Ikenna, your summary highlights the comprehensive approach necessary for application security, covering everything from server environment understanding to specific vulnerabilities like buffer overflows and SQL injection. It’s important to maintain vigilance not only at the application layer but also regarding browser-specific threats, email, and VoIP vulnerabilities. As we study further into application security, have you encountered any particularly challenging scenarios or threats that you believe require further attention and investigation?
Alex Ruiz says
The most important point of this chapter is as simple as it was written: NEVER TRUST USER INPUT. Whether it be possibly malicious or just unaware users, their input can never be trusted, as they can and will test the bounds of programming; whether it be intentionally stupid inputs or high-level attempts at breaking your code, any and all things will be inputted. SQL injection is one of the biggest threats with one of the most relatively simple solutions of sanitizing inputs. Other similar attacks such as XSS and AJAX attacks are harder to manage but still involve anticipating wrong or malicious user input. I find these attacks the most interesting out of this chapter as they can usually be quick to break systems and get access to sensitive information.
Michael Obiukwu says
Hi Alex,
Yes! The chapter’s crucial message is clear: **always be wary of user input**. It may be harmful or simply erroneous, but either way, it can challenge the limits of your program. SQL injection stands out as a significant threat, yet it has a straightforward fix—cleanse the inputs. Other attacks like XSS and AJAX, as you mentioned, are more complex to handle but also revolve around the anticipation of incorrect or harmful input. These types of attacks are particularly notable for their ability to swiftly compromise systems and access confidential data.
Jeffrey Sullivan says
Love that you pointed out to never trust user input. The sanitization was something new to me and is starting to make sense, as it all starts at the root with the developers and continues up as teams make inputs in the system along the way. SQL injection was one topic that stood out to me as well and reinforces the need to sanitize data and keep education on the forefront, even for the developers. Your points on the XSS and AJAX made me go back and see more in detail on those types of attacks.
Andrew Young says
Good point, Alex. I’ve found both in my career and also in the curriculum of this program that, unfortunately, the most unpredictable factor in IT security tends to be user activity. Being able to harden and secure apps from a security standpoint is all well and good, but user interaction is still one of, if not the most, unpredictable factors when creating a secure system. This is why security awareness training and information for users is so important.
Erskine Payton says
Hello Alex,
I am in total agreement with “never trust the user,” and this makes sense. With all of the security incidents we have studied, the crux of most of these issues starts with the end user. They are supposed to be the first line of defense, but unfortunately uninformed and untrained users are the biggest threat to your security posture.
Nicholas Nirenberg says
Hi Alex, I like how you point out that the emphasis on never trusting user input is a fundamental security principle that cannot be overstated. It underscores the unpredictability of user behavior and the critical need for defensive programming. The mention of SQL injection as a prime example highlights its prevalence and the straightforward nature of its mitigation through input sanitization. Moreover, the exploration of XSS and AJAX attacks adds depth to the discussion, illustrating the broader spectrum of threats posed by unvalidated input. These examples not only serve as a reminder of the potential for rapid system compromise but also stress the importance of comprehensive input validation strategies to protect sensitive information.
Mariam Hazali says
Boyle and Panko Chapter 8 Application Security provides a comprehensive overview of the various aspects and challenges associated with securing applications. The author emphasizes the importance of implementing robust security measures throughout the development lifecycle to mitigate vulnerabilities and protect against potential threats. Developers should incorporate security in the development process and never trust the user’s input. User input should always be sanitized and should only be used as data and not as part of the SQL statement, to prevent attacks such as SQL injection. The chapter highlights the significance of controlling deployment, which talks about three types of servers firms should have: a development server for application development, and a testing server for vulnerability assessment before the applications are released to the production environment, with access to the servers restricted according to respective roles.
In addition to web application security, the chapter delved into email security and VOIP security. Attackers use email to spread malicious code and spam emails. Spam attacks are evolving and make it challenging for firms to defend against them. Firms must use defense in depth to protect against these attacks. When I thought of application security, I overlooked VOIP. It was very informative to read about different VOIP vulnerabilities and understand how they can be exploited by attackers.
Similar to host hardening, the chapter emphasizes the importance of application hardening, which encompasses practices such as installing patches and updates, minimizing permissions and services, implementing application-layer authentication, authorization, auditing, and implementing cryptographic systems to strengthen application security.
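A worked comparison of the two login checks described in Jeffrey’s and Mariam’s posts above (values spliced into the SQL text versus values bound as parameters, plus the sanitization trade-off Jeffrey mentions), added here as an example and not code from the textbook or from either post. It uses Python’s built-in sqlite3 with a constructed in-memory users table; the account names, passwords and the malformed input are assumed sample values.

```python
import sqlite3

# Constructed sample accounts; the second one legitimately contains a quote character.
# (A real system would store password hashes, not the passwords themselves.)
SAMPLE_USERS = [("alice", "correct horse"), ("o'brien", "battery staple")]


def make_db():
    """Build the in-memory database the middleware would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """The pattern the chapter warns about: user values are pasted into the SQL text,
    so a value containing a quote changes the statement the web app meant to send."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Bound parameters: the statement shape is fixed and the values travel separately,
    so a quote in the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def naive_sanitize(value):
    """Strip characters commonly involved in injection. This does block the malformed
    input, but it also mangles legitimate values that contain them (the problem
    Jeffrey's post notes), which is why bound parameters are the preferred control."""
    return "".join(ch for ch in value if ch not in "'\";-")


def demo():
    """Run both checks against the same malformed input and a legitimate quoted name."""
    conn = make_db()
    # Constructed malformed input: closes the open quote and appends an always-true clause.
    malformed = "' OR '1'='1"
    results = {
        # Concatenation: the altered WHERE clause matches every row, so both accounts return.
        "concatenated_with_malformed": login_concatenated(conn, malformed, malformed),
        # Parameters: no account is literally named "' OR '1'='1", so nothing returns.
        "parameterized_with_malformed": login_parameterized(conn, malformed, malformed),
        # Sanitizing a legitimate name corrupts it, so that user could never log in.
        "sanitized_legit_user": naive_sanitize("o'brien"),
        # The same legitimate name works unchanged with bound parameters.
        "parameterized_legit_user": login_parameterized(conn, "o'brien", "battery staple"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```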
Jeffrey Sullivan says
I never really knew, but I am now starting to understand that it all starts at the root in CS. I’m currently in a software lifecycle security class, as I’m on the audit end, and just like how the author here points out the security measures needed at the beginning and along the way of a project, it is so important on the developers’ end to uphold security education as well. The sanitization of data input and SQL injections were also topics that stood out to me and are starting to make sense. VOIP security was very interesting to me, as I sell VOIP systems at Comcast but do not get to see the backend systems and security measures Comcast puts in place. Hopefully one day I will.
Chidi Okafor says
Good job, Mariam. You underscored the implementation of robust security measures throughout the development lifecycle of applications. Security should be part of the code base, not bolted onto it. By prioritizing security from the outset, developers can build applications that are more resilient to cyber threats.
Michael Obiukwu says
Chapter 8 of Boyle and Panko’s work on Application Security emphasizes the importance of protecting software applications from threats and vulnerabilities throughout their lifecycle. Key takeaways for me include:
Email Security: Many companies filter emails for dangerous or inappropriate content, as email attachments can harbor viruses, worms, and other malicious code. Spam, which constitutes a significant portion of all internet mail traffic, can slow down computers and annoy users. To combat this, filters should be applied at various points, including user PCs.
Buffer Overflows: Attackers can exploit applications by sending more data than the application expects, known as buffer overflows. This can lead to overwritten data in RAM and the execution of malicious commands. Stack overflow, a common form of buffer overflow attack, involves sending malicious commands to overwrite the return address in the RAM stack of an insecure program.
SQL Injections: A top security concern for web applications is SQL injection, where attackers input database commands into text fields to manipulate or damage data.
These points highlight the need for robust security measures in application development and maintenance to protect against various cyber threats.
Jeffrey Sullivan says
Nice summary on the topics. SQL injection was one of the topics that stood out to me as well. I went as far in my summary as to think about starting to learn some type of programming language just to familiarize myself with it. I have done HTML sites in the past, but I know in the past twenty years a lot has changed in the programming world. You also point out email security, which is a big one at my company, as there are weekly test spam emails that go out and there is always someone that clicks on one. Now when that happens it takes you right to a training video on cybersecurity, which is great, as they are creating awareness and training all by sending out test emails.
Chidi Okafor says
Chapter 8 explores application hardening, focusing on server roles, threat environment, physical security, backup procedures, and operating system hardening. It advocates for minimal applications, configuring them securely, and maintaining up-to-date patches. Security concerns within web and e-commerce realms are explored, shedding light on vulnerabilities such as buffer overflows, SQL injection, and traversal attacks. The chapter underscores the importance of employing vulnerability assessment utilities, monitoring log files, and maintaining separate production and testing environments. Additionally, it delves into browser-specific threats, including mobile code, ActiveX, JavaScript, cookies, and deceptive links. Application vulnerabilities pertaining to email and Voice over Internet Protocol (VoIP) are discussed, stressing the implementation of safeguards like spam filters, email encryption, and measures to prevent data leakage. Furthermore, potential misuse of TCP/IP supervisory protocols for malicious ends is examined. The chapter concludes by examining the implications of instant messaging servers on corporate settings.
Nicholas Nirenberg says
This chapter emphasizes the significance of application security and hardening as a critical component of overall cybersecurity, paralleling it with the previously discussed concept of host hardening which focuses on the operating system. Application hardening is highlighted as more labor-intensive than operating system hardening due to the multiplicity and complexity of applications running on both clients and servers, each presenting challenges akin to those of securing an entire operating system. It discusses the heightened risk associated with applications, particularly noting that attackers, upon compromising an application, can execute commands with the same privileges as the application itself. This is especially concerning for applications running with root or superuser privileges, as it potentially grants attackers complete control over a host. The ease with which attackers can exploit applications with a single message is contrasted with the more challenging task of conducting attacks on operating systems, underscoring the shift towards application exploits as the preferred method of attack in contemporary cybersecurity threats.
Erskine Payton says
Chapter 8 starts off with a review of the previous chapter, briefly talking about host hardening, which is securing your operating system. The chapter then brings up the importance of hardening the application systems that run on a host. Clients and servers run a multitude of applications, which is why application security requires more work than operating system security. When a hacker has control of an application, they can run commands that could give absolute control to whomever the hacker deems appropriate. These types of attacks are much easier to execute than operating system attacks, as they only need a single message to gain root privileges. As the text mentions, taking over applications is the dominant vector, which can in turn give you access to the operating system.
The item that I want to focus on is email security. This is one of the most common means of attack that hackers use to conduct their nefarious activities. The use of content filtering scans incoming and outgoing messages for unsafe and unsuitable content. This not only protects your systems but can also save a company from potential lawsuits. Also, filtering can be done to prevent the sending of PII, as well as what is called “extrusion prevention,” which can prevent employees from sending intellectual property. Although client-based filtering is most common, it has proven not to be as thorough. It calls for the end user to maintain the updates and sometimes subscriptions for the service, which does not always happen. This is why filtering at the corporate e-mail server is needed to increase defense-in-depth practices.
Kelly Conger says
Excellent analysis, Erskine. Email security is a crucial layer, especially with attackers targeting applications. While client-side filtering helps, server-side filtering strengthens your defenses and protects against human error in keeping client software updated.
Kelly Conger says
Chapter 8 of Boyle and Panko warns about the risks of insecure web applications. Hackers can exploit vulnerabilities to steal data, disrupt services, or deface websites. Common attacks include SQL injection, which involves tricking applications into running malicious code, and cross-site scripting, where hackers inject scripts into websites to steal user data. The chapter stresses the importance of secure coding practices, such as validating user input and following the principle of least privilege, which involves giving applications only the necessary access. It also highlights the need for strong user authentication and encryption to safeguard sensitive information. By adopting these security measures, businesses can build more robust defenses and protect their applications from threats.
Samuel Omotosho says
Hi Kelly,
Your discussion about Chapter 8 of Boyle and Panko effectively highlights the significant risks associated with insecure web applications and the importance of implementing robust security measures. I completely agree with the emphasis on secure coding practices, user authentication, and encryption to mitigate potential threats.
I’m particularly interested in exploring further how businesses can effectively prioritize and implement these security measures. In your opinion, what are some common challenges businesses face when trying to adopt and enforce these practices, and what strategies can they employ to overcome these challenges effectively?
Akintunde Akinmusire says
Hi Kelly,
I agree with you that it is important to secure source code to avoid SQL Injection. User privileges should be limited to what they need. Also, the user’s input should be validated and sanitized to ensure that suspicious inputs are rejected.
Samuel Omotosho says
Reading this chapter taught me that programs frequently store information temporarily in RAM spaces known as buffers. A buffer overflow occurs when an attacker transmits more bytes of a message than the program has allotted for the buffer, causing the attacker’s information to overflow to other parts of RAM.
On the other side, I discovered that the mechanics of vulnerabilities, exploits, patches, and workarounds are the same across operating systems and apps. Companies may use applications from dozens of application software companies. The majority of all vulnerabilities and remedies are application-related. Every organization must have a unique system for downloading and implementing patches. Companies should reduce the number of programs operating on the mainframe, because fewer apps equal fewer opportunities to take over the system.
Mariam Hazali says
I agree with you Samuel, managing security across numerous applications can indeed be challenging to organizations. I think one of the best practices is leveraging automation as this will streamline some of the security processes such as vulnerability scanning, patch management, and log analysis and ensure real-time response to threats.
Hashem Alsharif says
Hello Samuel, I agree with what you’re saying, but it’s interesting to me because someone might say that more programs mean more layers of security, since there is added complexity. But this isn’t the case, because having a smaller number of applications means less of an opportunity for vulnerabilities. While I agree with this, I would ask: is there a possibility that having more applications would benefit the system? These don’t necessarily have to be cyber security oriented either. Perhaps these added programs can confuse or cause an attacker to shift direction? Let’s say that there was a software package that had all of the features of different programs in one. Wouldn’t those same vulnerabilities be on the all-in-one software instead of spread across a variety? Or if the all-in-one option doesn’t have these same vulnerabilities, couldn’t the individual software packages just patch them?
Hashem Alsharif says
8.4 is what stuck out to me the most, because email is a big part of our daily life. It’s what we get our order confirmations from, it’s how we apply for accounts online, and it’s still used as one of the main methods of communication for a work environment. The fact that shocked me the most is the section about spam. According to the reading, spam is behind 60 to 90 percent of internal mail traffic daily. This made me wonder how effective spam must actually be, because if it’s this common, then why is it that so many people don’t end up getting information compromised? The following paragraph brought forth an important message, and I think it’s the reason why there will never truly be a fix for spam. It explains that there are programs that filter spam, but what was found is that there was over-filtering, meaning that emails that may have appeared to be spam got filtered out, which would be far from ideal for someone who is looking forward to an important email, only to have it get removed.
Kenneth Saltisky says
Hi Hashem,
Like you mentioned, many email services offer some layer of spam filtering to remove most of the unnecessary email traffic from our personal inboxes; however, as you mentioned, this also means that legitimate emails may also be filtered out. It’s difficult to strike the right balance between filtering out the bad and keeping the good. Ultimately, many organizations take advantage of the basic system in place that flags messages that come from external email addresses outside of the corporate network.
Akintunde Akinmusire says
This article discusses the importance of securing applications against cyber threats. An important point that was discussed in the chapter is the increase in the rate at which email servers are being attacked. The ability to attach files makes email servers an attack surface. It is important to have email servers always secured.
Kenneth Saltisky says
Hi Akintunde,
You bring up an interesting point about how email servers are being continuously attacked. Emails are one of the largest points of entry for many threat actors as emails are usually publicly available to send to, allowing threat actors to craft malicious emails with potentially malicious attachments and escalate their access once an employee runs a malicious executable. Additionally, cyber criminals may want access to an email server to further prolong their attacks by utilizing a corporate email server to push more malicious emails.
Kenneth Saltisky says
Chapter 8 of the book covers application security. Specifically, it lists the steps to secure applications, how to secure WWW services and e-commerce, describes vulnerabilities in browsers, explains securing email, securing VoIP, and securing other user applications. One particular point of interest I wanted to explore was the process of securing VoIP.
VoIP, or voice over IP, is utilizing IP to call someone instead of a traditional public switched telephone network. In securing VoIP, you need to understand the difference between transport (talking back and forth) and signaling (communication to manage the network). In VoIP, there are two signaling standards: H.323 (older) and IETF (newer). In IP telephony, there are SIP proxy servers that manage the process of initiating the session for VoIP. There are also gateways to reach public switched telephone networks.
Some threats do exist in VoIP, since it is not a closed system and can be attacked through the internet and LAN access points. These threats include eavesdropping, DoS, impersonation, cyberattacks, toll fraud to place free calls through a corporate network, spam through IP telephony, and potentially newer threats. To counter these threats, good basic security helps: authentication can ensure proper connections, encryption can keep confidentiality, and firewalls, NAT specifications for VoIP NAT traversal, and separation designated for VoIP through VLANs can also be used.
Nicholas Nirenberg says
Hi Kenneth, I agree that the focus on securing VoIP in the chapter is rightly highlighted, emphasizing the importance of differentiating transport and signaling vulnerabilities. Beyond the measures mentioned, incorporating end-to-end encryption protocols, such as SRTP, can significantly bolster voice communication security. This approach, coupled with robust authentication and network separation, provides a well-rounded defense against the multifaceted threats facing VoIP systems today.