
CHAPTER FOUR

APPLICATION AND OS SECURITY

Application Security
 The process of protecting software applications from a wide range of threats, such as malware, buffer overflow attacks, SQL injection attacks, and cross-site scripting (XSS) attacks.
 It involves a combination of measures such as secure coding practices, input validation, encryption, and access control to prevent unauthorized access to or modification of data.
Application Security
 Applying application security throughout the software development lifecycle (SDLC) is an essential process to ensure that applications are secure and protected against potential threats.
 Introduce security standards and tools during the design and development phases, e.g. vulnerability scanning during early development.
 Implement security procedures and systems to protect applications in production environments, e.g. continuous security testing.
 Implement strong authentication for applications that contain sensitive data or are mission critical.
 Use security systems such as firewalls, web application firewalls (WAF), and intrusion prevention systems (IPS).

Application Security Architecture
 Application security architecture review is used to identify and assess security weaknesses that arise from architectural flaws in an application, as opposed to individual coding errors.
 It takes a holistic approach to security, with multiple layers of protection and a focus on identifying and mitigating potential risks and vulnerabilities.
Application Security Attack
 An application security attack is a type of cyber attack that targets software applications in order to exploit vulnerabilities and gain unauthorized access to data or systems.
 Security issues with web applications range from large-scale network disruption to focused database tampering.
Application Security attack …
 The following are some common application security attacks and weaknesses:

1. Broken Access Control:- a type of security vulnerability that occurs when an application fails to properly enforce access control rules, allowing users to access sensitive data or perform actions they are not authorized for.

The most common issues:

a. Vertical privilege escalation: occurs when an attacker gains access to higher-level privileges than they are authorized for, for example a normal user reaching an administrative function because the application checks the role only in the user interface, or by exploiting a flaw in the application's authentication mechanism.

b. Cryptographic Failures:- sensitive data exposure caused by missing or weak protection of data at rest or in transit (the OWASP Top 10 lists this as a separate category from access control, but the two are often found together).
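The following is an added example (not code from the lecture slides) showing the vertical privilege escalation above in miniature: a request handler that reads the caller's role from a client-supplied parameter, and the fixed handler that looks the role up server-side from the authenticated identity. The request shape, the in-memory user table and the handler names are assumptions made for illustration.

```python
"""Vertical privilege escalation through a client-controlled role.

Added example, not from the lecture slides. The request shape, the
in-memory user table and the handler names are assumptions made for
illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: the server-side record of who holds which role.
USERS = {"alice": "admin", "bob": "user"}


@dataclass
class Request:
    session_user: str                            # identity set by authentication
    params: dict = field(default_factory=dict)   # untrusted client parameters


def delete_account_vulnerable(req: Request, target: str) -> str:
    """Broken access control: the role is read from a parameter the client
    controls, so any user can simply send role=admin."""
    if req.params.get("role") != "admin":
        return "403 forbidden"
    return f"deleted {target}"


def delete_account_fixed(req: Request, target: str) -> str:
    """Fixed: the role is looked up server-side from the authenticated
    identity; nothing the client sends can change it."""
    if USERS.get(req.session_user) != "admin":
        return "403 forbidden"
    return f"deleted {target}"


def demo() -> dict:
    """Run both handlers with an ordinary user who claims to be an admin."""
    bob = Request("bob", {"role": "admin"})   # bob forges the role parameter
    alice = Request("alice")                  # alice really is an admin
    return {
        "bob_vulnerable": delete_account_vulnerable(bob, "carol"),
        "bob_fixed": delete_account_fixed(bob, "carol"),
        "alice_fixed": delete_account_fixed(alice, "carol"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The same rule applies to any authorization decision: the subject (who is asking) must come from the server's session state, never from a field the client can edit.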


Application Security attack…
2. Security Misconfiguration: a type of security vulnerability that occurs when an application or system is configured in a way that leaves it open to attack.

 Common security misconfigurations:
 Using default passwords or default admin accounts
 Outdated software
 Unnecessary open ports and services
 Failing to apply updates or patches, or misconfiguring security settings (e.g. verbose error messages that reveal stack traces)
 XML External Entities (XXE) vulnerabilities: occur when an application processes XML input from an untrusted source with a parser that resolves external entity references, which can let an attacker read local files or make the server issue requests on their behalf.
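As an added example (not from the lecture slides), the guard below shows the usual XXE mitigation for untrusted XML: refuse any document that declares a DTD before it reaches the parser, since external and recursive entities can only be declared inside one. Python's own xml.etree parser does not resolve external entities, but other parsers (for example lxml unless resolve_entities=False is set) do, and a fail-closed check in front of the parser works regardless of which one is behind it. The document shapes are constructed and the file path in the malicious sample is a placeholder.

```python
"""Refusing DTDs in untrusted XML to block XXE.

Added example, not from the lecture slides. The document shapes below are
constructed; the local file path in the malicious sample is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

# Any <!DOCTYPE ...> can carry <!ENTITY ...> declarations, including external
# ones, so the simplest fail-closed rule is to refuse DTDs entirely.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing anything with a DTD."""
    if _DOCTYPE.search(data):
        raise ValueError("DTD/entity declarations are not accepted")
    return ET.fromstring(data)


def order_id(data: bytes) -> str:
    """Extract the <id> text from an <order> document, or raise."""
    root = parse_untrusted_xml(data)
    return root.findtext("id", default="")


def is_rejected(data: bytes) -> bool:
    """True if the guard refuses the document."""
    try:
        parse_untrusted_xml(data)
    except ValueError:
        return True
    return False


# Constructed samples.
BENIGN = b"<order><id>42</id></order>"

# Classic XXE shape: an external entity the parser would resolve to a local
# file (placeholder path) and echo back inside <id>.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///path/on/server">]>'
       b"<order><id>&xxe;</id></order>")

# Entity-expansion ("billion laughs") shape: no external file, but the same
# DTD guard refuses it.
LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
          b"<order><id>&lol2;</id></order>")


if __name__ == "__main__":
    print("benign id:", order_id(BENIGN))
    for name, doc in (("xxe", XXE), ("laughs", LAUGHS)):
        print(name, "rejected:", is_rejected(doc))
```

The regex is deliberately coarse: a DOCTYPE inside a comment is also refused, which is the right failure direction for input you do not trust.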
Application Security attack
3. Buffer Overflow (buffer overrun): a type of software vulnerability that can be exploited by attackers to execute arbitrary code or cause a denial of service (DoS).
It occurs when the volume of data written to a buffer exceeds the storage capacity of that memory buffer.
The excess data spills over into adjacent memory locations, potentially overwriting other critical data (return addresses, function pointers, heap metadata) and causing the program to behave unpredictably or crash.
Mainly affects languages without automatic bounds checking, e.g. C and C++.
Application Security attack
 Solutions for buffer overflow
a. Address space layout randomization (ASLR): randomly moves the address space locations of code and data regions (stack, heap, libraries) so an attacker cannot predict where injected code or useful gadgets live.
b. Data execution prevention (DEP / NX): flags areas of memory as non-executable, which stops an attack from running code placed in a data region such as the stack.
c. Input validation and bounds checking: check the length of input before copying it, prefer bounded library calls (e.g. snprintf instead of sprintf), or use a memory-safe language.

4. Fuzzing attack: fuzzing is a type of automated software testing that involves sending random or malformed inputs to a target system to identify vulnerabilities or defects; attackers use the same technique to find exploitable bugs.
 An attacker uses a fuzzing tool to generate a large number of random or mutated inputs and sends them to the target, watching for crashes, hangs or other abnormal behaviour.
Application Security attack
4. Fuzzing attack ….
 Mutation-based fuzzing takes valid sample inputs and randomly modifies them; generation-based fuzzing builds inputs from a model or grammar of the input format and can be aimed at specific types of vulnerability, such as buffer overflow or SQL injection.

 Protection mechanisms
 Implement secure coding practices, such as input validation and error handling, so that unexpected inputs are rejected cleanly rather than crashing the program.
 Use specialized tools, such as fuzzing frameworks and security scanners, to test the security and robustness of applications and systems before they are deployed.
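The following is an added example (not from the lecture slides) of a mutation-based fuzzer of the kind described above, run against a toy length-prefixed record parser with a missing bounds check. The record format, the parser, its bug and the seed input are all constructed for illustration. The fuzzer treats ValueError as the parser's clean rejection of bad input and anything else as a crash worth reporting, which is exactly the distinction the protection bullets above are about.

```python
"""A small mutation fuzzer run against a length-prefixed record parser.

Added example, not from the lecture slides. The record format, the parser
and its bug are constructed for illustration; the seed input is made up.
"""
import random


def parse_records_vulnerable(data: bytes) -> list:
    """Parse [len:1 byte][payload:len bytes]... with no bounds check.

    The final payload byte is treated as a checksum. When the length byte
    promises more bytes than remain, the slice is short and payload[n - 1]
    raises IndexError: the crash the fuzzer should find.
    """
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        if n == 0:
            raise ValueError("empty record")       # expected rejection
        payload = data[i + 1:i + 1 + n]
        _checksum = payload[n - 1]                  # bug: trusts n
        records.append(payload)
        i += 1 + n
    return records


def parse_records_fixed(data: bytes) -> list:
    """Same parser with the bounds check that turns the crash into a clean
    rejection (ValueError) of malformed input."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        if n == 0:
            raise ValueError("empty record")
        if i + 1 + n > len(data):
            raise ValueError("truncated record")   # the fix
        payload = data[i + 1:i + 1 + n]
        _checksum = payload[n - 1]
        records.append(payload)
        i += 1 + n
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, drop a byte, insert a
    random byte, or truncate the tail."""
    data = bytearray(seed)
    op = rng.choice(("overwrite", "delete", "insert", "truncate"))
    if op == "overwrite" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Feed mutated inputs to target; return the inputs that crashed it.

    ValueError is the parser's documented way of rejecting bad input, so it
    is not a finding; any other exception is a bug.
    """
    rng = random.Random(rng_seed)                  # fixed seed: reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except ValueError:
            continue
        except Exception:
            crashes.append(sample)
    return crashes


# Constructed seed: two well-formed records, "abc" and "de".
SEED = b"\x03abc\x02de"

if __name__ == "__main__":
    found = fuzz(parse_records_vulnerable, SEED)
    print(f"vulnerable parser: {len(found)} crashing inputs, e.g. {found[0]!r}")
    print(f"fixed parser: {len(fuzz(parse_records_fixed, SEED))} crashes")
```

Real fuzzers (AFL++, libFuzzer) add coverage feedback and keep a corpus of interesting inputs, but the loop is the same: mutate, run, classify the outcome.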
Application Security attack
5. Cross-site scripting attacks (XSS): occur when an attacker is able to inject malicious code, in the form of a script, into a web page that is then executed by the user's browser with the privileges of that site (access to the session, cookies and page content).

 There are two main types of XSS attacks (a third, DOM-based XSS, arises purely in client-side JavaScript):

1. Stored XSS attack: the attacker is able to inject malicious code directly into the web application's database (e.g. through a comment or profile field), and it is served to every user who views that content.

2. Reflected XSS attack: the attacker is able to inject malicious code into a request, and the web page that is immediately returned to the user's browser as part of the response from the server contains that code.
Application Security attack
 Cross-site scripting attacks (XSS):

 Protection
 Software developers must validate user input and, above all, encode output for the context in which it is placed (HTML body, attribute, JavaScript, URL).
 A Content Security Policy (CSP) and HttpOnly session cookies limit the damage when an injection slips through.
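As an added example (not from the lecture slides), the functions below render a stored comment and a reflected search term first without encoding and then with context-aware encoding. The page templates and the sample inputs are constructed; the attack strings are the textbook script tag and attribute-breakout shapes used when testing for XSS.

```python
"""Stored/reflected XSS: unencoded output versus context-aware encoding.

Added example, not from the lecture slides. The page templates and the
attack strings are constructed for illustration.
"""
from html import escape
from urllib.parse import quote


def render_comment_vulnerable(comment: str) -> str:
    """Stored XSS: the comment text is placed into the page untouched."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """HTML body context: escape < > & " ' so text can only ever be text."""
    return f'<p class="comment">{escape(comment, quote=True)}</p>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the query lands inside an attribute value unencoded,
    so a double quote in it closes the value and starts a new attribute."""
    return f'<input name="q" value="{query}">'


def render_search_safe(query: str) -> str:
    """Reflected value placed in two contexts: an attribute and a URL.

    Each context needs its own encoding: html.escape for the attribute
    value, percent-encoding for the query-string component.
    """
    return (f'<input name="q" value="{escape(query, quote=True)}">'
            f'<a href="/search?q={quote(query, safe="")}">again</a>')


def contains_active_html(page: str) -> bool:
    """Rough check used by the demo: did raw markup survive in the page?"""
    lowered = page.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


# Constructed attack inputs.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_vulnerable(SCRIPT_PAYLOAD))
    print(render_comment_safe(SCRIPT_PAYLOAD))
    print(render_search_vulnerable(ATTR_PAYLOAD))
    print(render_search_safe(ATTR_PAYLOAD))
```

Input validation alone would not have saved the attribute case: a double quote is legitimate in a search term, so the fix has to be output encoding at the point where the value is written into the page.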
Application Security attack
6. SQL injection attacks: a type of cyber attack that targets web applications that use SQL databases.
 The attack inserts malicious SQL code into an application's input fields, which is then executed by the underlying database as part of the application's own query.
 The goal of a SQL injection attack is to manipulate the database to perform unauthorized actions, such as retrieving sensitive data or modifying database records.
 It can occur when an application does not properly validate user input, or builds SQL queries by concatenating user input into the query text instead of passing it as a bound parameter.
Application Security attack
 SQL injection attacks
 Example: an application looks up a product by the item number the user submits. With a normal value the query is

SELECT ItemName, ItemDescription
FROM Item
WHERE ItemNumber = 999

 If the item number is concatenated into the query text, submitting the value 999 OR 1=1 turns the WHERE clause into a tautology

SELECT ItemName, ItemDescription
FROM Item
WHERE ItemNumber = 999 OR 1=1

 which matches every row and returns any number of items, including sensitive company data; with further techniques such as UNION queries, user lists or private customer details from other tables can be retrieved the same way.
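The following is an added example (not from the lecture slides) that runs the Item lookup above against an in-memory SQLite database both ways: with the item number concatenated into the SQL, and with it passed as a bound parameter. The table contents are constructed; the column names follow the query on the slide.

```python
"""SQL injection against the Item lookup, and the parameterized fix.

Added example, not from the lecture slides. The Item table contents are
constructed; the column names follow the query on the slide.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    """In-memory database with a public catalogue and one unreleased item."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Item (ItemNumber INTEGER, ItemName TEXT, "
                 "ItemDescription TEXT)")
    conn.executemany("INSERT INTO Item VALUES (?, ?, ?)", [
        (1, "Widget", "Public widget"),
        (2, "Gadget", "Public gadget"),
        (999, "Prototype", "Unreleased internal item"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_number: str) -> list:
    """The user's text is concatenated into the SQL, so it can change the
    structure of the query, not just the value being compared."""
    sql = ("SELECT ItemName, ItemDescription FROM Item "
           "WHERE ItemNumber = " + item_number)
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, item_number: str) -> list:
    """The value travels as a bound parameter: whatever it contains, the
    query stays 'ItemNumber = <one value>'. '1 OR 1=1' is compared as a
    single (non-numeric) value and matches nothing."""
    sql = ("SELECT ItemName, ItemDescription FROM Item "
           "WHERE ItemNumber = ?")
    return conn.execute(sql, (item_number,)).fetchall()


if __name__ == "__main__":
    db = setup()
    print("normal:    ", lookup_vulnerable(db, "1"))
    print("injected:  ", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, same:", lookup_safe(db, "1 OR 1=1"))
```

Validating that the item number is an integer before the query is still worthwhile (it gives a clean error instead of an empty result), but parameterization is what makes the query immune regardless of what validation misses.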
Application Security attack
7. Hijacking: a type of network attack in which the attacker takes over an established connection or session between the victim system and the network or a web application (session hijacking uses a stolen or guessed session token; connection hijacking intercepts the traffic itself).
 Enables any kind of information theft, including passwords, email contents, bank account information, etc.

 Prevention
 Encrypt all data transmitted between the browser and the site, i.e. serve the whole site over HTTPS (TLS), not only the login page.
 Use unpredictable session identifiers, set the Secure and HttpOnly cookie flags, and regenerate the session ID after login.
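The following is an added example (not from the lecture slides) of the session-cookie side of the prevention list above: an unguessable session identifier, a Set-Cookie value carrying the HttpOnly, Secure and SameSite attributes, and a small checker that reports which of those attributes a given Set-Cookie value lacks. The cookie name and the sample headers are constructed.

```python
"""Session cookie hardening against hijacking, plus a Set-Cookie checker.

Added example, not from the lecture slides. The cookie name and the sample
headers are constructed.
"""
import secrets
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: a token an attacker cannot guess."""
    return secrets.token_urlsafe(32)


def session_set_cookie(session_id: str) -> str:
    """Build the Set-Cookie value with the flags that blunt hijacking:
    HttpOnly (scripts cannot read it), Secure (never sent over plain HTTP),
    SameSite=Strict (not attached to cross-site requests)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def missing_flags(set_cookie_value: str) -> list:
    """Return the protective attributes absent from a Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    header = session_set_cookie(new_session_id())
    print("Set-Cookie:", header)
    print("missing:", missing_flags(header))
    print("missing:", missing_flags("session=abc123; Path=/"))
```

The checker is the kind of thing to run over the Set-Cookie headers in a DAST report or a proxy capture: a session cookie with Secure missing will be sent in clear text the first time a user types the site name without https://.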
Types of Application Security
 Authentication, authorization, encryption, logging, and application security testing are all examples of application security features.
 Authentication and Access Control: involves implementing strong authentication mechanisms such as passwords, biometric authentication, and multi-factor authentication to ensure that only authorized users can access the application.
 Developers build protocols and services into an application to ensure that only authenticated users have access to it, e.g. SSH for remote access and LDAP for directory-based authentication.
Types of Application Security
 Authorization:- a user may be authorized to access and use the application after being authenticated.
 By comparing the user's identity with a list of authorized users (or with the roles and permissions assigned to that identity), the system verifies that the user has permission to access the application and the specific resource requested.
 Encryption:- a security measure that safeguards sensitive data from being seen or used by a cybercriminal after a user has been verified and is using the application.
 Traffic containing sensitive data that flows between the end user and the cloud in cloud-based applications is encrypted in transit (TLS) to keep the data safe; data the application stores is encrypted at rest.
 Logging:- assists in determining who gained access to the data and how they did it.
 Application log files keep track of which parts of the application have been accessed and by whom; logs must never contain passwords, session tokens or other secrets.
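As an added example (not from the lecture slides), the small service below combines three of the features listed: authentication with salted, slow password hashing and a constant-time comparison, permission-based authorization, and an audit trail that records every decision without ever recording a password. The user records, permission names and audit-entry format are constructed for illustration.

```python
"""Authentication, authorization and audit logging in one small service.

Added example, not from the lecture slides. The user records, permissions
and the audit-log format are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash; the stored string carries its own parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash checked for unknown usernames so a login attempt costs the same time
# whether or not the account exists (no username enumeration via timing).
DUMMY_HASH = hash_password("dummy")


class Service:
    """Users, their permissions, and an audit trail of every decision."""

    def __init__(self):
        # Constructed sample accounts; only hashes are stored, never passwords.
        self.users = {
            "alice": {"hash": hash_password("correct horse"),
                      "perms": {"reports:read", "reports:export"}},
            "bob": {"hash": hash_password("hunter2"),
                    "perms": {"reports:read"}},
        }
        self.audit = []     # (event, user, detail); secrets are never logged

    def login(self, user: str, password: str) -> bool:
        record = self.users.get(user)
        stored = record["hash"] if record else DUMMY_HASH
        ok = verify_password(password, stored) and record is not None
        self.audit.append(("login", user, "success" if ok else "failure"))
        return ok

    def authorize(self, user: str, permission: str) -> bool:
        perms = self.users.get(user, {}).get("perms", set())
        ok = permission in perms
        self.audit.append(("authz", user, f"{permission}:{'allow' if ok else 'deny'}"))
        return ok


if __name__ == "__main__":
    svc = Service()
    print("alice login:", svc.login("alice", "correct horse"))
    print("bob export :", svc.authorize("bob", "reports:export"))
    for entry in svc.audit:
        print(entry)
```

The audit entries carry the username, the decision and the permission name, which is what an investigator needs to answer "who accessed what, and how"; the password itself never appears in a log line.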
Tools for Application Security
 A complete application security approach is used for the detection, remediation and resolution of a variety of application vulnerabilities and security challenges.
 Finding the right application security technologies for the organization is crucial to the effectiveness of any security measures the security team implements.
 Application Security Testing:- the process of evaluating an application's security posture to identify vulnerabilities and weaknesses that could be exploited by attackers.
 Application security testing can be divided into several categories:

1. Static Application Security Testing (SAST)
Application security Testing
1. Static Application Security Testing (SAST)
 White-box testing with access to the source code at rest: it identifies weaknesses that may lead to a vulnerability and generates a report.
 Analyzes the source code (or bytecode/binaries) of an application for security vulnerabilities without running it.
 Can detect issues such as buffer overflows, SQL injection and missing input validation, and is performed during the development phase of an application, ideally on every commit.
 E.g. unsafe string handling, SQL built by concatenation, hard-coded credentials, input validation issues. SAST tends to produce false positives, so findings need triage.
Application security Testing
2. Dynamic Application Security Testing (DAST)
 A black-box approach that sends attack traffic to a running web application (usually a test or staging instance, since the probes can be disruptive) to deliver information about exploitable flaws.
 Useful for detecting runtime or environment-related errors because it evaluates the application as deployed, including its server configuration.
 Helps identify issues in query string handling, use of scripts, requests and responses, memory leakage, authentication, cookie and session handling, execution
Application security Testing
3. Interactive Application Security Testing (IAST)
 Combines parts of SAST and DAST.
 An agent inside the running application observes the code as it executes while tests or users simulate the ways a user would commonly interact with it.
 Makes remediation easier by providing information about the root cause of vulnerabilities, and analyzes data flow, source code, configuration, and third-party libraries.
 It has access to all the application's code and
Application security Testing
 Run-Time Application Security Protection (RASP)
 Could be considered a combination of testing and shielding: it runs inside the application in production rather than before deployment.
 Provides continuous security checks and automatic responses to possible breaches, e.g. sending alerts, terminating the session or terminating the app itself if it is compromised.
 Continuously monitors the behaviour of the app, which is useful particularly in mobile environments where apps can be repackaged, run on a rooted phone or have their privileges abused to make them do malicious things.
Application Security Approaches
1. Design Review:- the architecture and design of the application can be examined for security flaws before code is written.
 The construction of a threat model is a popular strategy at this phase.

2. White-box Security Review or Code Review
 A security engineer inspects the source code looking for security issues.
 Vulnerabilities unique to the application can be discovered through understanding the application.
Application Security Approaches
3. Black-box Security Audit:- accomplished only through the use of the application to test for security flaws; no source code is necessary.

4. Automated Tooling:- security tools can be automated by including them in the development or testing process.
 Automated DAST/SAST tools are incorporated into code editors or continuous integration (CI) / continuous deployment (CD) systems, so every change is scanned.

5. Coordinated Vulnerability Disclosure Platform:- many websites and software providers offer hacker-powered application security programs (bug bounties) through which individuals are recognized and compensated for reporting defects.
OS Security
 The process of protecting the underlying software and hardware that runs a computer or other digital device.
 The OS is responsible for managing system resources, controlling access to sensitive data, and providing a platform for running applications, so its compromise undermines every application running on it.

 Common OS Security Threats:
 Malware is malicious software designed to compromise the security of a system, e.g. viruses, worms, Trojans, and ransomware.
 It can be used to steal sensitive data, hijack system resources, or damage the OS or other software installed on the system.
 A Denial of Service (DoS) attack is intended to flood a system with fake requests so it becomes overloaded and eventually stops serving legitimate requests.
OS Security
 Trojan Horse: appears to be an attractive and harmless program but carries a hidden harmful payload, and is often used as the carrier for other malware.
 Worms: a type of malware that replicates itself and infects other computers over the network while remaining active on affected systems, with no user action required.
 Port scanning: a means by which an attacker discovers which services a system exposes, as reconnaissance for an attack on the system.
 Network intrusion:- occurs when an individual gains access to a system for improper use.
 Buffer Overflow: temporary data stores are overflowed with more data than they can hold (see the application security section).
Operating System Security
 Authentication: it is the responsibility of the operating system to provide a protection system which ensures that a user who is running a particular program is who they claim to be, e.g. user name and password, biometric signatures, hardware tokens.
 One-time passwords:- a unique password is required every time the user tries to log into the system, so a password captured once cannot be replayed.

Operating system policies and procedures:
 Installing and updating anti-virus software
 Ensuring the systems are patched or updated regularly
 Implementing user management policies to protect user accounts and privileges
 Installing a firewall and ensuring that it is properly set to monitor all
Operating System Security
 Access control:- specifies who can have access to a system resource and what type of access each entity has.
 User management:- controls which users exist, how they authenticate, and which digital assets (applications, devices, networks) they may access and control.
 Information security policy:- a set of rules and procedures designed to ensure all end users and networks within an organization meet minimum IT security and data protection requirements.
 E.g. password policy, data backup policy, security system management policy.
 Computer forensics: reading assignment


Application and Operating System Security
 Comprehensive security
 Mobile security: the protection of mobile devices, such as smartphones and tablets, from unauthorized access, theft, malware, and other security threats.
 Mobile devices can be attacked by potentially malicious apps, network-level attacks, and exploitation of vulnerabilities within the devices and the mobile OS.
Protection
 Keep your software updated
 Install a firewall
 Download apps from official app stores
 Always read the end-user agreement and the permissions an app requests
 Web security: the practice of protecting websites and web applications from various types of cybersecurity threats, such as hacking, data breaches, and malware.
 Websites and web applications often handle sensitive information, such as user passwords and financial data, and a security breach can have serious consequences for both users and businesses.
 Protection: browser security policies (same-origin policy, Content Security Policy), session management, user authentication
 HTTPS for all traffic
 Network security: the practice of protecting computer networks from various types of cybersecurity threats, such as unauthorized access, data breaches, and malware.
 Network security is important because computer networks often handle sensitive information, such as personal data, financial information, and intellectual property, and a security breach can have serious consequences for both individuals and organizations.
 Protection:

Risk management
 It is the process of identifying, assessing, and controlling risks that may impact an organization's operations, projects, or assets.
 It involves developing strategies and techniques to mitigate risks and minimize their potential impact on the organization.
 It is an essential component of business planning and decision-making, and it helps organizations to protect their assets, reduce losses, and improve their overall resilience.
The risk management process involves the following steps:
1. Risk identification: identifying the risks that could affect the organization's operations, projects, or assets.
Risk management…
2. Risk assessment: assessing the likelihood and potential impact of each identified risk, and prioritizing them based on their level of risk.
3. Risk mitigation: developing strategies and techniques to mitigate the potential impact of identified risks, such as implementing control measures, transferring risk to an insurance provider, or avoiding the risk altogether.
4. Risk monitoring and review: monitoring the effectiveness of the risk management strategies and reviewing the risk management plan on a regular basis.
Risk management…
 Four main risk management strategies, or risk treatment options:
1. Risk Avoidance: avoiding the activity or situation that poses the risk, either by not engaging in the activity or by changing the approach to eliminate the risk altogether.
2. Risk Reduction: taking steps to reduce the likelihood or impact of the risk.
 By implementing controls or safeguards, such as security measures, to minimize the chances of the risk occurring or lessen its impact.
3. Risk Transfer: transferring the risk to another party, such as an insurance provider.
4. Risk Acceptance: consciously retaining the risk, typically when the cost of treating it would exceed its expected impact, while continuing to monitor it.
Risk management frameworks
 A set of processes, policies, and procedures that are used to identify, assess, and manage risks in an organization.
 The goal of a risk management framework is to minimize the impact of potential risks on an organization's operations, assets, and reputation.
 It includes risk identification, risk measurement and assessment, risk mitigation, risk reporting and monitoring, and risk governance.
Security System assessment and evaluation
 Security system assessment is the process of evaluating the security of a system or application to identify vulnerabilities and weaknesses that could be exploited by attackers.
 The assessment typically involves a combination of manual and automated testing techniques, and may be performed by internal or external security experts.
 Security system evaluation: the process of determining whether a system or application meets a set of predefined security requirements or standards.
Security System assessment and evaluation
 The choice of assessment type depends on the goals and needs of the organization, as well as the specific risks and threats faced by the system or application.
 Types of security system assessment
 Vulnerability assessment:- the process of identifying potential vulnerabilities in a system or application, and assessing the potential risks associated with those vulnerabilities.
 The goal of a vulnerability assessment is to identify potential weaknesses that could be exploited by attackers and to provide recommendations for mitigating those weaknesses; unlike a penetration test, it stops short of exploiting them.
Security System assessment
 Penetration Testing:- this type of assessment involves attempting to exploit vulnerabilities in the system to gain unauthorized access or to perform other malicious activities, under agreed rules of engagement.
 The goal is to simulate a real-world attack and to identify areas where the security controls are insufficient.
 Security Audit or Review:- a comprehensive assessment of an organization's security posture, policies, procedures, and controls.
 The goal of a security audit is to identify potential security risks and to provide recommendations for improving the organization's security posture.
Security System assessment
 Static code analysis: this type of assessment involves reviewing the source code of the system or application to identify potential security vulnerabilities, such as buffer overflows, SQL injection, or cross-site scripting (XSS).
 The goal is to identify coding errors and to recommend remediation actions.
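As an added example (not from the lecture slides) serving both the Static Application Security Testing (SAST) description in the Application Security Testing section above and the static code analysis assessment here, the scanner below walks a Python syntax tree and reports two patterns without executing anything: SQL query text built with string operations passed to a database execute call, and eval() on arbitrary input. The sink names and messages are the scanner's own choices, and the scanned source is a constructed sample, not real project code.

```python
"""A minimal static analyzer (SAST) built on Python's ast module.

Added example, not from the lecture slides. It flags two patterns the
chapter discusses, SQL built with string operations and eval() on
arbitrary input; the scanned source is a constructed sample, not real
project code.
"""
import ast

SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True for '...' + x, '...' % x, f'...{x}' and '...'.format(x)."""
    if isinstance(node, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def scan_source(source: str) -> list:
    """Return (line, message) findings for the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name in SQL_SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno,
                             "SQL query text built from string operations; "
                             "pass values as bound parameters"))
        elif name == "eval":
            findings.append((node.lineno, "eval() executes its argument as code"))
    return sorted(findings)


# Constructed sample with two injectable queries, one safe query and eval().
SAMPLE = '''\
import sqlite3
conn = sqlite3.connect(":memory:")

def find_user_concat(name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'").fetchall()

def find_user_fstring(name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

def calculate(expression):
    return eval(expression)
'''

if __name__ == "__main__":
    for line, message in scan_source(SAMPLE):
        print(f"line {line}: {message}")
```

The parameterized query on line 11 of the sample is not reported, while the concatenated and f-string queries are: that is the whole value of a SAST rule, and also its limit, since a query assembled in a variable elsewhere would need data-flow tracking that this simple pattern match does not do.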

 Abuse case development reading assignment

End of Chapter Four

Questions

THANK YOU!!!
