John Rouda July 25, 2006
Table of Contents
Abstract - Page 1
Acknowledgement - Page 1
Background - Page 1
Introduction - Page 2
Design Vulnerabilities - Page 2
Development Vulnerabilities - Page 4
Deployment Vulnerabilities - Page 5
Conclusion - Page 5
Appendix A (OSI Model) - Page 6
Appendix B (SQL Injection) - Page 7
Appendix C (Top 10 Security Flaws) - Page 8
References - Page 9
Application Layer Security 1
Abstract

The purpose of this paper is to identify common application layer security holes, describe common fixes for these problems, and discuss the importance of application layer security in the development of software. This paper will also discuss common practices for securing applications. The three main aspects of information security are confidentiality, integrity and availability. These aspects of data security are put at risk by three main categories of vulnerabilities that will be discussed in this paper: design vulnerabilities, development vulnerabilities, and deployment vulnerabilities. In beginning my research on this topic I anticipated learning about encryption and authentication in software applications, but as the paper indicates those are only a small part of security.

Acknowledgments

I would like to thank and acknowledge Ms. Edie Dille from York Technical College for the use of her presentation on the OSI Model, Dr. Garrison from Winthrop University for the opportunity to research software security, and Ms. Valerie Chantry from MassMutual for access to Symantec security documents and presentations.

Background

The OSI (Open Systems Interconnect) model is a reference model for how data should be transmitted between any two devices in a network. It was developed to guide implementers in standardizing their products so that communication can occur between different brands of equipment, different protocols, different media types, and different operating systems. The OSI model simplifies the networking process for
References:

Alexander, Michael. (2004). Software deployment should include security plan. ADTmag.com. Published 9/22/2004. Retrieved March 1, 2006 from http://www.adtmag.com/print.asp?id=10017
Chapela, Victor. (2005). Advanced SQL Injection. The OWASP Foundation. Retrieved February 27, 2006 from http://www.owasp.org/docroot/owasp/misc/Advanced_SQL_Injection.ppt
Desa, Andres. (5/2005). Document Security in Web Applications. OWASP Papers Program. Retrieved February 27, 2006 from http://www.owasp.org/docroot/owasp/misc/Document_Security_in_Web_Applications.doc
Dille, Edie. Chapter 4 – OSI Model. York Technical College. Presented January 1, 2005.
Hansen, Royal. (7/2005). Symantec Secure Development Lifecycle. White Paper: Enterprise Security. Symantec Corporation.
Keary, Eoin. (2005). Integration into the SDLC. The OWASP Foundation. Retrieved February 27, 2006 from http://www.owasp.org/docroot/owasp/misc/Integration_into_the_SDLC.ppt
Levine, Matthew. (8/2005). The Importance of Application Security. White Paper: Symantec Enterprise Solutions. Symantec Corporation.
Mandal, Arindam. Thick Client Application Security. OWASP Papers Program. Retrieved February 27, 2006 from http://www.owasp.org/docroot/owasp/misc/Thick_Client_Application_Security.doc
OWASP. The Open Web Application Security Project. Retrieved March 1, 2006 from http://www.owasp.org/documentation/topten.html
Symantec. (2005). Application Security Principles Course Book 2005. Symantec Corporation.
Wikipedia. Application Security. Wikipedia.org. Retrieved February 25, 2006 from http://en.wikipedia.org/wiki/Application_security
Wikipedia. Encryption. Wikipedia.org. Retrieved February 25, 2006 from http://en.wikipedia.org/wiki/Encryption
Wikipedia. Information Security. Wikipedia.org. Retrieved February 25, 2006 from http://en.wikipedia.org/wiki/It_security