Webapps
Web applications, or Webapps, are now among the biggest security problems for IT.
Every week, we hear numerous stories about Web site break-ins and personal information about employees or
customers being harvested by attackers.
The cost of these attacks is high; IT must deal with clean-up, recovery, and redesign.
Management and legal staff must deal with the victims of the attack who face identity theft possibilities
- and maybe the Press, regulators, and shareholders.
The most common reasons Webapps are vulnerable are the choice of vulnerable technologies and the inexperience
or lack of knowledge of the Webapp developers.
Typical Webapps involve a lot of technologies that must come together.
To build robust Webapps, you'll need to know at least HTTP, HTML, cookies, CSS, JavaScript,
SQL, and a server-side programming language.
If you plan on implementing AJAX, you need to know more.
Each of these technologies can be a weak link in the chain, resulting in your Web site
being attacked.
This course brings you up to speed on the security issues and suggests ways of hardening your Web site.
Who Should Attend?
This course is for people in three job categories:
- Management - Managers who need to understand Web site vulnerabilities and security solutions
in order to better specify tools and methods used to create the Webapps, or to implement solutions for existing
vulnerable Webapps. You'll come back from the course with materials that will allow your technical people
to understand the vulnerabilities and to implement changes.
- System Administrators - Anyone who installs or configures the computers that Webapps run on or rely
on. This course is especially useful for administrators who have little or no influence over vulnerable Webapps
but are expected to solve security issues.
- Application Developers - Anyone who develops Webapps - regardless of language or programming tools.
Regardless of job category, you should be able to translate what you learn in the class into an implementation using
your specific software and systems. This course does not focus on specific environments, though it does use
many examples, most of them oriented toward Open Source software.
Course contents
The course is in three parts.
The first part covers Web technologies and how they are exploited by attackers.
The second part covers the things a system administrator can do to better protect the
Webapps and the platform they're running on.
The third part covers the things Webapp developers can do to reduce the vulnerabilities.
- Part 1 - Typical Web Site Attacks
- HTTP and vulnerable methods
- JavaScript
- PHP
- How an attacker uses system tools to help conduct the attack
- How an attacker relies on a trojan horse to make contact with the outside world
- Command injection/SQL Injection attacks
- Cross Site Scripting
- Part 2 - System Administrator remedies
- Isolating the Web/database server from system tools
- Creating a Web server sandbox
- Chrooting Apache instances
- Putting a wrapper around the Microsoft environment
- Running multiple instances of the Web server
- Using HTTP proxies and Web server backends
- General techniques when you have no influence over Webapp creation
- Using security scanners to test your work
- Securing system directories that attackers exploit
- Providing/requiring secure access to the Web server for developers
- Part 3 - Application Developer remedies
- Avoiding SQL Injection attacks - using SQL PREPARE
- PHP
- Distributing the good and bad apps across multiple Web servers
- The wisdom of keeping customer credit card information on-line, and solutions
- Automatic Web server hardening - an overview of tainting
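The Part 3 item "Avoiding SQL Injection attacks - using SQL PREPARE" is the one outline entry that names a concrete technique, so here is an added example of it. It is not course material and is written in Python with the standard-library sqlite3 module rather than the course's PHP, because the point is language-independent: a query assembled by string concatenation lets attacker-supplied quote characters rewrite the SQL, while a prepared statement with bound parameters keeps them as data. The table, the two accounts and the payload are constructed for the demonstration; the function names are the example's own. PHP's PDO and mysqli prepared statements behave the same way.

```python
import sqlite3

# Constructed sample accounts for an in-memory database (not from the course).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create a throwaway SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The 'before' form: user input is pasted into the statement text.

    Any quote in `name` or `password` ends the string literal and the rest
    of the input is parsed as SQL grammar.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """The hardened form: the statement is prepared with placeholders and
    the values are bound separately, so input is only ever compared as data.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run an honest login and the classic tautology payload against both forms."""
    conn = make_db()
    # Constructed attack input: closes the password literal and appends a
    # condition that is always true.  With AND binding tighter than OR, the
    # vulnerable query becomes  (... AND password='') OR '1'='1'  and
    # matches every row.
    payload = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "nobody", payload),
        "honest_prepared": login_prepared(conn, "alice", "s3cret"),
        "attack_prepared": login_prepared(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} -> {rows}")
```

The vulnerable form returns every account for the attack input; the prepared form returns nothing, because the payload is compared literally against the password column. Escaping the quotes by hand is not a substitute: it has to be done correctly for every input and every database dialect, whereas parameter binding removes the problem by construction.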
Copyright © 2007 by the Accelerated Learning Center. All rights reserved.