Testing and Securing Web Applications / Edition 1

ISBN-10:
0367333759
ISBN-13:
9780367333751
Pub. Date:
08/04/2020
Publisher:
CRC Press
Price: $69.95

Overview

Web applications occupy a large space within the IT infrastructure of a business or corporation. They no longer touch only a front end or a back end; today's web apps reach into just about every corner of it. They have also become complex, which makes them a prime target for sophisticated cyberattacks. As a result, web apps must be tested for security from the inside out before they are deployed and opened to the public for business transactions.

The primary objective of this book is to address the specific areas that require testing before a web app can be considered secure. The book examines five key areas:

  • Network security: the network components involved in delivering the web app from the server on which it is hosted to the end user's device, whether that is a physical computer or a wireless device such as a smartphone.
  • Cryptography: securing the communication channel between the server hosting the web app and the clients that access it, and also ensuring that any stored personally identifiable information (PII) is kept in ciphertext form and that its integrity is preserved while in transit.
  • Penetration testing: systematically attacking a web app from the external environment and working inward in order to discover its weaknesses and vulnerabilities, and verifying that they are patched before the web app is launched into production.
  • Threat hunting: skilled analysts and tooling applied to the web app and its supporting infrastructure to continuously monitor the environment and uncover security gaps.
  • The Dark Web: the part of the Internet that is not openly visible to the public. As its name implies, it is the "sinister" side of the Internet, and in practice it is where much of the PII stolen in web app attacks is sold to other attackers, who use it to launch further, more covert and damaging attacks against potential victims.

Testing and Securing Web Applications breaks down the complexity of web application security testing so that this critical part of IT and corporate infrastructure remains secure and operational.


Product Details

ISBN-13: 9780367333751
Publisher: CRC Press
Publication date: 08/04/2020
Pages: 224
Product dimensions: 6.12 (w) x 9.19 (h)

About the Author

Ravi Das is a Business Development Specialist for The AST Cybersecurity Group, Inc., a leading cybersecurity content firm located in the Greater Chicago area. Ravi holds a Master of Science degree in Agribusiness Economics (thesis in International Trade) and a Master of Business Administration in Management Information Systems. He has authored five books, with two forthcoming: one on artificial intelligence in cybersecurity, and one on cybersecurity risk and its impact on cybersecurity insurance policies.

Greg Johnson is the CEO of the penetration testing company Webcheck Security. Greg started Webcheck Security after serving on several executive teams and a long sales and management career with technology companies such as WordPerfect/Novell, SecurityMetrics, A-LIGN, and Secuvant Security. A Brigham Young University graduate, Greg began his career in the days of 64K of memory, 5.25" floppy drives, and the Mac 128K. As the industry evolved, Greg moved into the cyber arena and provided his clients with solutions in compliance, digital forensics, and data breach response, and in 2016 he earned the PCI Professional (PCIP) designation. In several business development roles, Greg has consulted, guided, and educated clients on compliance guidelines and certifications for standards including PCI, HIPAA, ISO 27001, NIST, SOC 1 and SOC 2, GDPR/CCPA, and FedRAMP.
When he is not providing cyber solutions for his clients, he can be found spending time with his wife Kelly, playing with his grandchildren, or rehearsing or performing with the world-renowned Tabernacle Choir on Temple Square.

Table of Contents

Acknowledgments xiii

About the Authors xv

1 Network Security 1

Introduction 1

A Chronological History of the Internet 5

The Evolution of Web Applications 7

The Fundamentals of Network Security - The OSI Model 13

The OSI Model 13

What Is the Significance of the OSI Model to Network Security? 15

The Classification of Threats to the OSI Model 15

The Most Probable Attacks 17

Assessing a Threat to a Web Application 18

Network Security Terminology 19

The Types of Network Security Topologies Best Suited for Web Applications 20

The Types of Attack That Can Take Place against Web Applications 21

How to Protect Web Applications from DDoS Attacks 27

Defending against Buffer Overflow Attacks 28

Defending against IP Spoofing Attacks 28

Defending against Session Hijacking 30

Defending Virus and Trojan Horse Attacks 31

Viruses 31

How a Virus Spreads Itself 31

The Different Types of Viruses 31

Defending Web Applications at a Deeper Level 33

The Firewall 33

Types of Firewalls 34

Blacklisting and Whitelisting 36

How to Properly Implement a Firewall to Safeguard the Web Application 37

The Use of Intrusion Detection Systems 39

Understanding What a Network Intrusion Detection System Is 39

Preemptive Blocking 40

Anomaly Detection 42

Important NiDS Processes and Subcomponents 43

The Use of VPNs to Protect a Web Application Server 44

The Basics of VPN Technology 45

The Virtual Private Network Protocols that are Used to Secure a Web Application Server 46

How PPTP Sessions are Authenticated 46

How Layer 2 Tunneling Protocol (L2TP) Sessions are Authenticated 47

How Password Authentication Protocol (PAP) Sessions are Authenticated 48

How Shiva Password Authentication Protocol (SPAP) Sessions are Authenticated 48

How Kerberos Protocol Sessions are Authenticated 49

How IPSec Protocol Sessions are Authenticated 51

How SSL Protocol Sessions are Authenticated 52

How to Assess the Current State of Security of a Web Application Server 53

Important Risk Assessment Methodologies and How They Relate to Web Application Security 54

Single Loss Expectancy (SLE) 54

The Annualized Loss Expectancy (ALE) 54

The Residual Risk 54

How to Evaluate the Security Risk that is Posed to the Web Application and its Server 55

How to Conduct the Initial Security Assessment on the Web Application 56

Techniques Used by Cyberattackers against the Web Application and Web Application Server 59

The Techniques Used by the Cyberhacker 60

Techniques Used by the Cyberattacker 63

Network Security and Its Relevance for Web Apps 65

Data Confidentiality 65

Common Technical Layouts for Modern Web App Infrastructure 66

Encrypting Data in Flight 69

TLS 69

Certificate 72

Setting Up the Session 73

Finishing the Handshake 74

Site Validity 75

Proving Your Web App Is What It Says It Is 75

Testing Your Web App's Confidentiality and Trust 77

What Kind of Trust? 77

Spoofing and Related Concerns 79

Conclusion 82

Resources 82

References 82

2 Cryptography 83

An Introduction to Cryptography 84

Message Scrambling and Descrambling 85

Encryption and Decryption 86

Ciphertexts 86

Symmetric Key Systems and Asymmetric Key Systems 87

The Caesar Methodology 87

Types of Cryptographic Attacks 88

Polyalphabetic Encryption 88

Block Ciphers 89

Initialization Vectors 90

Cipher Block Chaining 90

Disadvantages of Symmetric Key Cryptography 91

The Key Distribution Center 92

Mathematical Algorithms with Symmetric Cryptography 93

The Hashing Function 94

Asymmetric Key Cryptography 95

Public Keys and Public Private Keys 95

The Differences Between Asymmetric and Symmetric Cryptography 96

The Disadvantages of Asymmetric Cryptography 97

The Mathematical Algorithms of Asymmetric Cryptography 98

The Public Key Infrastructure 99

The Digital Certificates 100

How the Public Key Infrastructure Works 101

Public Key Infrastructure Policies and Rules 101

The LDAP Protocol 102

The Public Cryptography Standards 103

Parameters of Public Keys and Private Keys 104

How Many Servers? 105

Security Policies 105

Securing the Public Keys and the Private Keys 106

Message Digests and Hashes 106

Security Vulnerabilities of Hashes 106

A Technical Review of Cryptography 107

The Digital Encryption Standard 107

The Internal Structure of the DES 109

The Initial and Final Permutations 109

The f-Function 109

The Key Schedule 110

The Decryption Process of the DES Algorithm 111

The Reversed Key Schedule 111

The Decryption in the Feistel Network 111

The Security of the DES 113

The Advanced Encryption Standard 113

The Mathematics behind the DES Algorithm 114

The Internal Structure of the AES Algorithm 117

Decryption of the AES Algorithm 120

Asymmetric and Public Key Cryptography 121

The Mathematics behind Asymmetric Cryptography 124

The RSA Algorithm 125

The Use of Fast Exponentiation in the RSA Algorithm 127

The Use of Fast Encryption with Shorter Public Key Exponentiation 128

The Chinese Remainder Theorem (CRT) 128

How to Find Large Prime Integers for the RSA Algorithm 129

The Use of Padding in the RSA Algorithm 131

Specific Cyberattacks on the RSA Algorithm 132

The Digital Signature Algorithm 133

Digital Signature Computation and Verification Process for the DSA 134

The Prime Number Generation Process in the DSA 135

Security Issues with the DSA 135

The Elliptic Curve Digital Signature Algorithm 136

The Generation of the Public Key and the Private Key Using the ECDSA Algorithm 136

The Signature and the Verification Process of the ECDSA Algorithm 137

The Use of Hash Functions 138

The Security Requirements of Hash Functions 139

A Technical Overview of Hash Function Algorithms 142

Block Cipher-Based Hash Functions 143

Technical Details of the Secure Hash Algorithm SHA-1 144

Key Distribution Centers 146

The Public Key Infrastructure and Certificate Authority 148

Resources 149

3 Penetration Testing 151

Introduction 151

Peeling the Onion 152

True Stories 152

External Testing: Auxiliary System Vulnerabilities 152

Internal Testing 153

Report Narrative 154

Web Application Testing 155

SSID Testing 158

Types of Penetration Tests 159

Definitions of Low, Medium, High, and Critical Findings in Penetration Testing 160

Compliances and Frameworks: Pen Testing Required 161

OWASP and OWASP Top Ten 162

OWASP Top Ten with Commentary 162

Tools of the Trade 164

Pen Test Methodology 167

Penetration Test Checklist for External IPs and Web Applications 167

Chapter Takeaways 172

Resources 174

4 Threat Hunting 175

Not-So-Tall Tales 176

Nation-State Bad Actors: China and Iran 181

Threat Hunting Methods 182

MITRE ATT&CK 183

Technology Tools 183

The SIEM 183

EDR 184

EDR + SIEM 185

IDS 185

When 1 + 1 + 1 = 1: The Visibility Window 185

Threat Hunting Process or Model 186

On Becoming a Threat Hunter 188

Threat Hunting Conclusions 189

Resources 189

5 Conclusions 191

Index 199
