Testing and Securing Web Applications / Edition 1 available in Hardcover, Paperback, eBook
- ISBN-10: 0367333759
- ISBN-13: 9780367333751
- Pub. Date: 08/04/2020
- Publisher: CRC Press
Buy New $69.95
Overview
The primary objective of this book is to address those specific areas that require testing before a web app can be considered to be completely secure. The book specifically examines five key areas:
- Network security: This encompasses the various network components involved when the end user accesses a particular web app, from the server where it is stored to the device it is transmitted to, whether that is a physical computer or a wireless device (such as a smartphone).
- Cryptography: This area includes not only securing the lines of network communication between the server on which the web app is stored and the locations from which it is accessed, but also ensuring that all personally identifiable information (PII) that is stored remains in a ciphertext format and that its integrity remains intact while in transmission.
- Penetration testing: This involves literally breaking apart a web app from the external environment and going inside of it in order to discover all weaknesses and vulnerabilities and to make sure that they are patched before the actual web app is launched into a production state of operation.
- Threat hunting: This uses both skilled analysts and tools on the web app and supporting infrastructure to continuously monitor the environment to find all security holes and gaps.
- The Dark Web: This is the part of the Internet that is not openly visible to the public. As its name implies, this is the "sinister" part of the Internet, and in fact it is where much of the PII that is hijacked in a web app cyberattack is sold to other cyberattackers in order to launch more covert and damaging threats against a potential victim.
Testing and Securing Web Applications breaks down the complexity of web application security testing so this critical part of IT and corporate infrastructure remains safe and in operation.
Product Details
| ISBN-13: | 9780367333751 |
|---|---|
| Publisher: | CRC Press |
| Publication date: | 08/04/2020 |
| Pages: | 224 |
| Product dimensions: | 6.12(w) x 9.19(h) x (d) |
About the Author
Greg Johnson is the CEO of the penetration test company, Webcheck Security. Greg started Webcheck Security after serving on several executive teams and a long sales and management career with technology companies such as WordPerfect/Novell, SecurityMetrics, A-LIGN, and Secuvant Security. A Brigham Young University graduate, Greg began his career in the days of 64k, 5.25" floppy drives and Mac 128k’s. As the industry evolved, Greg moved into the cyber arena and provided his clients with solutions surrounding compliance, digital forensics, data breach and response, and in 2016 earned the PCI Professional (PCIP) designation. In several business development roles, Greg consulted, guided and educated clients in compliance guidelines and certifications for standards including PCI, HIPAA, ISO 27001, NIST, SOC 1 and SOC 2, GDPR/CCPA, and FedRAMP.
When he is not providing cyber solutions for his clients, he can be found spending time with his wife Kelly, playing with his grandchildren, or rehearsing or performing with the world-renowned Tabernacle Choir on Temple Square.
Table of Contents
Acknowledgments
About the Authors
1 Network Security
Introduction
A Chronological History of the Internet
The Evolution of Web Applications
The Fundamentals of Network Security - The OSI Model
The OSI Model
What Is the Significance of the OSI Model to Network Security?
The Classification of Threats to the OSI Model
The Most Probable Attacks
Assessing a Threat to a Web Application
Network Security Terminology
The Types of Network Security Topologies Best Suited for Web Applications
The Types of Attack That Can Take Place against Web Applications
How to Protect Web Applications from DDoS Attacks
Defending against Buffer Overflow Attacks
Defending against IP Spoofing Attacks
Defending against Session Hijacking
Defending Virus and Trojan Horse Attacks
Viruses
How a Virus Spreads Itself
The Different Types of Viruses
Defending Web Applications at a Deeper Level
The Firewall
Types of Firewalls
Blacklisting and Whitelisting
How to Properly Implement a Firewall to Safeguard the Web Application
The Use of Intrusion Detection Systems
Understanding What a Network Intrusion Detection System Is
Preemptive Blocking
Anomaly Detection
Important NiDS Processes and Subcomponents
The Use of VPNs to Protect a Web Application Server
The Basics of VPN Technology
The Virtual Private Network Protocols that are Used to Secure a Web Application Server
How PPTP Sessions are Authenticated
How Layer 2 Tunneling Protocol (L2TP) Sessions are Authenticated
How Password Authentication Protocol (PAP) Sessions are Authenticated
How Shiva Password Authentication Protocol (SPAP) Sessions are Authenticated
How Kerberos Protocol Sessions are Authenticated
How IPSec Protocol Sessions are Authenticated
How SSL Protocol Sessions are Authenticated
How to Assess the Current State of Security of a Web Application Server
Important Risk Assessment Methodologies and How They Relate to Web Application Security
Single Loss Expectancy (SLE)
The Annualized Loss Expectancy (ALE)
The Residual Risk
How to Evaluate the Security Risk that is Posed to the Web Application and its Server
How to Conduct the Initial Security Assessment on the Web Application
Techniques Used by Cyberattackers against the Web Application and Web Application Server
The Techniques Used by the Cyberhacker
Techniques Used by the Cyberattacker
Network Security and Its Relevance for Web Apps
Data Confidentiality
Common Technical Layouts for Modern Web App Infrastructure
Encrypting Data in Flight
TLS
Certificate
Setting Up the Session
Finishing the Handshake
Site Validity
Proving Your Web App Is What It Says It Is
Testing Your Web App's Confidentiality and Trust
What Kind of Trust?
Spoofing and Related Concerns
Conclusion
Resources
References
2 Cryptography
An Introduction to Cryptography
Message Scrambling and Descrambling
Encryption and Decryption
Ciphertexts
Symmetric Key Systems and Asymmetric Key Systems
The Caesar Methodology
Types of Cryptographic Attacks
Polyalphabetic Encryption
Block Ciphers
Initialization Vectors
Cipher Block Chaining
Disadvantages of Symmetric Key Cryptography
The Key Distribution Center
Mathematical Algorithms with Symmetric Cryptography
The Hashing Function
Asymmetric Key Cryptography
Public Keys and Public Private Keys
The Differences Between Asymmetric and Symmetric Cryptography
The Disadvantages of Asymmetric Cryptography
The Mathematical Algorithms of Asymmetric Cryptography
The Public Key Infrastructure
The Digital Certificates
How the Public Key Infrastructure Works
Public Key Infrastructure Policies and Rules
The LDAP Protocol
The Public Cryptography Standards
Parameters of Public Keys and Private Keys
How Many Servers?
Security Policies
Securing the Public Keys and the Private Keys
Message Digests and Hashes
Security Vulnerabilities of Hashes
A Technical Review of Cryptography
The Digital Encryption Standard
The Internal Structure of the DES
The Initial and Final Permutations
The f-Function
The Key Schedule
The Decryption Process of the DES Algorithm
The Reversed Key Schedule
The Decryption in the Feistel Network
The Security of the DES
The Advanced Encryption Standard
The Mathematics behind the DES Algorithm
The Internal Structure of the AES Algorithm
Decryption of the AES Algorithm
Asymmetric and Public Key Cryptography
The Mathematics behind Asymmetric Cryptography
The RSA Algorithm
The Use of Fast Exponentiation in the RSA Algorithm
The Use of Fast Encryption with Shorter Public Key Exponentiation
The Chinese Remainder Theorem (CRT)
How to Find Large Prime Integers for the RSA Algorithm
The Use of Padding in the RSA Algorithm
Specific Cyberattacks on the RSA Algorithm
The Digital Signature Algorithm
Digital Signature Computation and Verification Process for the DSA
The Prime Number Generation Process in the DSA
Security Issues with the DSA
The Elliptic Curve Digital Signature Algorithm
The Generation of the Public Key and the Private Key Using the ECDSA Algorithm
The Signature and the Verification Process of the ECDSA Algorithm
The Use of Hash Functions
The Security Requirements of Hash Functions
A Technical Overview of Hash Function Algorithms
Block Cipher-Based Hash Functions
Technical Details of the Secure Hash Algorithm SHA-1
Key Distribution Centers
The Public Key Infrastructure and Certificate Authority
Resources
3 Penetration Testing
Introduction
Peeling the Onion
True Stories
External Testing: Auxiliary System Vulnerabilities
Internal Testing
Report Narrative
Report Narrative
Web Application Testing
SSID Testing
Types of Penetration Tests
Definitions of Low, Medium, High, and Critical Findings in Penetration Testing
Compliances and Frameworks: Pen Testing Required
OWASP and OWASP Top Ten
OWASP Top Ten with Commentary
Tools of the Trade
Pen Test Methodology
Penetration Test Checklist for External IPs and Web Applications
Chapter Takeaways
Resources
4 Threat Hunting
Not-So-Tall Tales
Nation-State Bad Actors: China and Iran
Threat Hunting Methods
MITRE ATT&CK
Technology Tools
The SIEM
EDR
EDR + SIEM
IDS
When 1 + 1 + 1 = 1: The Visibility Window
Threat Hunting Process or Model
On Becoming a Threat Hunter
Threat Hunting Conclusions
Resources
5 Conclusions
Index