
Secure Java: For Web Application Development PDF

302 Pages·2010·3.619 MB·English

Preview Secure Java: For Web Application Development

Secure Java: For Web Application Development

Books on Software and Systems Development and Engineering from Auerbach Publications and CRC Press

CAD and GIS Integration. Hassan A. Karimi and Burcu Akinci. ISBN: 978-1-4200-6805-4
Quality Assurance of Agent-Based and Self-Managed Systems. Reiner Dumke, Steffen Mencke, and Cornelius Wille. ISBN: 978-1-4398-1266-2
Applied Software Product-Line Engineering. Kyo C. Kang, Vijayan Sugumaran, and Sooyong Park, eds. ISBN: 978-1-4200-6841-2
Modeling Software Behavior: A Craftsman's Approach. Paul C. Jorgensen. ISBN: 978-1-4200-8075-9
Enterprise-Scale Agile Software Development. James Schiel. ISBN: 978-1-4398-0321-9
Design and Implementation of Data Mining Tools. Bhavani Thuraisingham, Latifur Khan, Mamoun Awad, and Lei Wang. ISBN: 978-1-4200-4590-1
Handbook of Enterprise Integration. Mostafa Hashem Sherif, ed. ISBN: 978-1-4200-7821-3
Model-Oriented Systems Engineering Science: A Unifying Framework for Traditional and Complex Systems. Duane W. Hybertson. ISBN: 978-1-4200-7251-8
Architecture and Principles of Systems Engineering. Charles Dickerson, Dimitri N. Mavris, Paul R. Garvey, and Brian E. White. ISBN: 978-1-4200-7253-2
Requirements Engineering for Software and Systems. Phillip A. Laplante. ISBN: 978-1-4200-6467-4
Theory of Science and Technology Transfer and Applications. Sifeng Liu, Zhigeng Fang, Hongxing Shi, and Benhai Guo. ISBN: 978-1-4200-8741-3
Software Testing and Continuous Quality Improvement, Third Edition. William E. Lewis. ISBN: 978-1-4200-8073-5
The SIM Guide to Enterprise Architecture. Leon Kappelman, ed. ISBN: 978-1-4398-1113-9
Systemic Yoyos: Some Impacts of the Second Dimension. Yi Lin. ISBN: 978-1-4200-8820-5
Getting Design Right: A Systems Approach. Peter L. Jackson. ISBN: 978-1-4398-1115-3
Architecting Secure Software Systems. Asoke K. Talukder and Manish Chaitanya. ISBN: 978-1-4200-8784-0
Software Testing as a Service. Ashfaque Ahmed. ISBN: 978-1-4200-9956-0
Delivering Successful Projects with TSP(SM) and Six Sigma: A Practical Guide to Implementing Team Software Process(SM). Mukesh Jain. ISBN: 978-1-4200-6143-7
Grey Game Theory and Its Applications in Economic Decision-Making. Zhigeng Fang, Sifeng Liu, Hongxing Shi, and Yi Lin. ISBN: 978-1-4200-8739-0

Secure Java: For Web Application Development
Abhay Bhargav and B.V. Kumar

CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business.
No claim to original U.S. Government works.
Printed in the United States of America on acid-free paper.
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4398-2356-9 (Ebook-PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword (p. xvii)
Preface (p. xix)
Acknowledgments (p. xxiii)
About the Authors (p. xxv)

Section I: Overview

1 The Internet Phenomenon (p. 3)
  1.1 Evolution of the Internet and the World Wide Web (p. 3)
    1.1.1 Mainframe Era (p. 3)
      1.1.1.1 Initial Mainframe Systems (p. 3)
      1.1.1.2 Mainframe Systems Today (p. 5)
    1.1.2 Client/Server Era (p. 5)
      1.1.2.1 Server (p. 5)
      1.1.2.2 Client (p. 5)
      1.1.2.3 Client/Server Architecture (p. 6)
    1.1.3 Distributed Computing Architecture (p. 6)
      1.1.3.1 Remote Procedure Call (p. 7)
      1.1.3.2 Messaging (p. 8)
    1.1.4 Internet and World Wide Web Era (p. 8)
      1.1.4.1 B2B E-Commerce (p. 10)
      1.1.4.2 B2C E-Commerce (p. 10)
    1.1.5 Problems with Web Architecture (p. 10)
  1.2 Web Applications and Internet (p. 11)
  1.3 Role and Significance of Java Technology in Web Applications (p. 11)
    1.3.1 Applets (p. 12)
    1.3.2 Java Servlet (p. 12)
    1.3.3 JavaServer Pages Technology (p. 13)
    1.3.4 JavaServer Pages Standard Tag Library (p. 13)
    1.3.5 JavaServer Faces Technology (p. 13)
    1.3.6 Java Message Service (p. 14)
    1.3.7 JavaMail API and the JavaBeans Activation Framework (p. 14)
    1.3.8 Java Naming and Directory Interface (p. 14)
    1.3.9 Miscellaneous (p. 14)
  1.4 Security in Java Web Applications (p. 15)
  1.5 Summary (p. 16)

2 Introducing Information Security (p. 19)
  2.1 Information Security: The Need of the Hour (p. 19)
    2.1.1 The Need for Information Security (p. 19)
      2.1.1.1 Internet (p. 20)
      2.1.1.2 Hackers and Their Backers (p. 20)
      2.1.1.3 Digitization (p. 21)
      2.1.1.4 Legal and Compliance Requirements (p. 21)
    2.1.2 The Motivation for Security (p. 22)
      2.1.2.1 Reputation (p. 22)
      2.1.2.2 Business Value (p. 22)
      2.1.2.3 Financial Impact (p. 23)
      2.1.2.4 Legal and Compliance (p. 23)
  2.2 Some Basic Security Concepts (p. 24)
    2.2.1 The Pillars of Security—The CIA Triad (p. 24)
      2.2.1.1 Confidentiality (p. 24)
      2.2.1.2 Integrity (p. 25)
      2.2.1.3 Availability (p. 25)
    2.2.2 Risk 101 (p. 25)
      2.2.2.1 Vulnerability (p. 26)
      2.2.2.2 Threat (p. 26)
      2.2.2.3 Risk (p. 26)
    2.2.3 Defense-in-Depth (p. 27)
      2.2.3.1 Network Security (p. 27)
      2.2.3.2 Host Security (p. 28)
      2.2.3.3 Application Security (p. 29)
      2.2.3.4 Physical Security (p. 29)
  2.3 Internet Security Incidents and Their Evolution (p. 30)
    2.3.1 The 1970s (p. 31)
    2.3.2 The 1980s (p. 31)
    2.3.3 The 1990s (p. 32)
    2.3.4 The 2000s–Present Day (p. 32)
  2.4 Security—Myths and Realities (p. 33)
    2.4.1 There Is No Insider Threat (p. 34)
    2.4.2 Hacking Is Really Difficult (p. 34)
    2.4.3 Geographic Location Is Hacker-Proof (p. 35)
    2.4.4 One Device Protects against All (p. 35)
  2.5 Summary (p. 36)

3 Introducing Web Application Security (p. 37)
  3.1 Web Applications in the Enterprise (p. 37)
    3.1.1 What Is a Web Application? (p. 37)
    3.1.2 Ubiquity of Web Applications (p. 38)
    3.1.3 Web Application Technologies (p. 39)
    3.1.4 Java as Mainstream Web Application Technology (p. 39)
  3.2 Why Web Application Security? (p. 39)
    3.2.1 A Glimpse into Organizational Information Security (p. 40)
      3.2.1.1 Physical Security (p. 40)
      3.2.1.2 Network Security (p. 40)
      3.2.1.3 Host Security (p. 41)
      3.2.1.4 Application Security (p. 42)
    3.2.2 The Need for Web Application Security (p. 43)
      3.2.2.1 Ubiquity of Web Applications in the Enterprise Scenario (p. 43)
      3.2.2.2 Web Application Development Diversity (p. 44)
      3.2.2.3 Cost Savings (p. 44)
      3.2.2.4 Reputation and Customer Protection (p. 45)
  3.3 Web Application Incidents (p. 46)
  3.4 Web Application Security—The Challenges (p. 48)
    3.4.1 Client-Side Control and Trust (p. 49)
    3.4.2 Pangs of the Creator (p. 50)
    3.4.3 Flawed Application Development Life Cycle (p. 50)
    3.4.4 Awareness (p. 52)
    3.4.5 Legacy Code (p. 52)
    3.4.6 Business Case Issues (p. 53)
  3.5 Summary (p. 53)

4 Web Application Security—A Case Study (p. 55)
  4.1 The Business Need—An E-Commerce Application (p. 55)
    4.1.1 The Company (p. 55)
      4.1.1.1 Proprietary Solution (p. 56)
      4.1.1.2 Vendor Lock-In (p. 56)
      4.1.1.3 Security Vulnerabilities (p. 56)
      4.1.1.4 Lack of Support for Security Compliance (p. 56)
      4.1.1.5 Integration Issues (p. 56)
      4.1.1.6 Capacity Issues (p. 57)
    4.1.2 The Existing Application Environment (p. 57)
      4.1.2.1 Web Server (p. 57)
      4.1.2.2 Database Server (p. 58)
      4.1.2.3 Email and Messaging Server (p. 58)
    4.1.3 Importance of Security (p. 58)
      4.1.3.1 Security Incidents (p. 58)
      4.1.3.2 Security Compliance and Regulation (p. 59)
    4.1.4 Panthera's Plan for Information Security (p. 59)
      4.1.4.1 Physical Security (p. 59)
      4.1.4.2 Network Security (p. 60)
      4.1.4.3 Host Security (p. 60)
      4.1.4.4 Application Security (p. 61)
  4.2 Outlining the Application Requirements (p. 61)
    4.2.1 The Request for Proposal (p. 61)
      4.2.1.1 Purpose (p. 61)
      4.2.1.2 Users (p. 61)
      4.2.1.3 Communication Interfaces (p. 61)
      4.2.1.4 Security Requirements in the Request for Proposal (p. 63)
  4.3 An Overview of the Application Development Process (p. 63)
    4.3.1 The Application Development Process (p. 63)
      4.3.1.1 Detailed Application Requirements (p. 63)
      4.3.1.2 Application Design (p. 65)
      4.3.1.3 Application Development (p. 65)
      4.3.1.4 White- and Black-Box Testing (p. 65)
      4.3.1.5 User Acceptance Testing (p. 66)
      4.3.1.6 Deployment (p. 66)
  4.4 Summary (p. 67)

Section II: Foundations of a Secure Java Web Application

5 Insights into Web Application Security Risk (p. 71)
  5.1 The Need for Web Application Security Risk Management (p. 71)
    5.1.1 Risk Management (p. 72)
      5.1.1.1 Risk Assessment (p. 72)
      5.1.1.2 Risk Mitigation (p. 72)
      5.1.1.3 Continuous Evaluation (p. 72)
    5.1.2 The Benefits of Risk Management for Web Applications (p. 73)
      5.1.2.1 Clarity on Security Functionality (p. 73)
      5.1.2.2 Software Development Life Cycle (p. 75)
      5.1.2.3 Compliance (p. 75)
      5.1.2.4 Cost Savings (p. 76)
      5.1.2.5 Security Awareness (p. 76)
      5.1.2.6 Facilitates Security Testing (p. 77)
    5.1.3 Overview of the Risk Assessment Phase (p. 77)
  5.2 System Characterization Process—Risk Assessment (p. 78)
    5.2.1 An Overview of the System Characterization Process (p. 78)
    5.2.2 Identifying Critical Information Assets (p. 79)
      5.2.2.1 Developing a List of Critical Information Assets (p. 80)
    5.2.3 User Roles and Access to Critical Information Assets (p. 81)
    5.2.4 Understanding Basic Application Architecture (p. 82)
      5.2.4.1 Deployment Topology (p. 82)
      5.2.4.2 System Interfaces (p. 82)
  5.3 Developing Security Policies for the Web Application (p. 83)
    5.3.1 A Broad Overview of Security Policies for the Web Application (p. 83)
      5.3.1.1 Financial Risk and Impact (p. 83)
      5.3.1.2 Regulatory and Compliance (p. 84)
      5.3.1.3 Contractual Obligations (p. 84)
      5.3.1.4 Reputation and Goodwill (p. 84)
    5.3.2 Security Compliance and Web Application Security (p. 84)
      5.3.2.1 PCI-DSS (p. 85)
      5.3.2.2 PA-DSS (p. 86)
      5.3.2.3 SOX (p. 87)
      5.3.2.4 HIPAA (p. 88)
      5.3.2.5 GLBA (p. 89)
  5.4 Threat Analysis (p. 89)
    5.4.1 Understanding and Categorizing Security Vulnerabilities (p. 89)
      5.4.1.1 Design Vulnerabilities (p. 90)
      5.4.1.2 Development Vulnerabilities (p. 91)
      5.4.1.3 Configuration Vulnerabilities (p. 91)
    5.4.2 Common Web Application Vulnerabilities (p. 91)
      5.4.2.1 Cross-Site Scripting (p. 92)
      5.4.2.2 SQL Injection (p. 95)
      5.4.2.3 Malicious File Execution (p. 96)
      5.4.2.4 Cross-Site Request Forgery (p. 97)
      5.4.2.5 Cryptographic Flaws (p. 97)
      5.4.2.6 Flawed Error Handling and Information Disclosure (p. 98)
      5.4.2.7 Authentication and Session Management Flaws (p. 99)
      5.4.2.8 Unrestricted URL Access (p. 100)
    5.4.3 Basic Understanding of Threats and Associated Concepts (p. 100)
      5.4.3.1 Threat Actor (p. 101)
      5.4.3.2 Threat Motive (p. 101)
      5.4.3.3 Threat Access (p. 101)
      5.4.3.4 Threat Outcome (p. 102)
    5.4.4 Threat Profiling and Threat Modeling (p. 102)
      5.4.4.1 Threat Profiling (p. 103)
      5.4.4.2 Threat Modeling (p. 104)
  5.5 Risk Mitigation Strategy—Formulation of Detailed Security Requirements for the Web Application (p. 104)
  5.6 Risk Assessment for an Existing Web Application (p. 107)
  5.7 Summary (p. 107)

6 Risk Assessment for the Typical E-Commerce Web Application (p. 109)
  6.1 System Characterization of Panthera's E-Commerce Application (p. 109)
    6.1.1 Identification of Critical Information Assets (p. 109)
    6.1.2 Practical Techniques to Identify Critical Information Assets (p. 109)
    6.1.3 Identified Critical Information Assets for Panthera's Web Application (p. 110)
      6.1.3.1 Customer Credit Card Information (p. 111)
      6.1.3.2 Customer Information (p. 111)
      6.1.3.3 Gift Card Information (p. 112)
      6.1.3.4 Stock/Inventory Information (p. 112)
    6.1.4 User Roles and Access to Critical Information Assets (p. 112)
    6.1.5 Application Deployment Architecture and Environment (p. 113)
      6.1.5.1 Network Diagram of the Deployment Environment (p. 113)
      6.1.5.2 Application Architecture Overview (p. 113)
  6.2 Security Policies for the Web Application and Requirements (p. 115)
    6.2.1 Panthera's Security Policies (p. 116)
      6.2.1.1 Critical Information Assets (p. 116)
      6.2.1.2 Financial Impact (p. 117)
      6.2.1.3 Security Compliance and Regulations (p. 117)
  6.3 Threat Analysis (p. 117)
