Muutke küpsiste eelistusi

Testing and Securing Web Applications [Kõva köide]

,
  • Formaat: Hardback, 208 pages, kõrgus x laius: 234x156 mm, kaal: 458 g, 10 Tables, black and white; 25 Illustrations, black and white
  • Ilmumisaeg: 04-Aug-2020
  • Kirjastus: CRC Press
  • ISBN-10: 0367532719
  • ISBN-13: 9780367532710
Teised raamatud teemal:
Testing and Securing Web ApplicationsSuurem pilt
  • Formaat: Hardback, 208 pages, kõrgus x laius: 234x156 mm, kaal: 458 g, 10 Tables, black and white; 25 Illustrations, black and white
  • Ilmumisaeg: 04-Aug-2020
  • Kirjastus: CRC Press
  • ISBN-10: 0367532719
  • ISBN-13: 9780367532710
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9780367532710.html
Märksõnad:

Web applications occupy a large space within the IT infrastructure of a business or a corporation. They simply just don’t touch a front end or a back end; today’s web apps impact just about every corner of it. Today’s web apps have become complex, which has made them a prime target for sophisticated cyberattacks. As a result, web apps must be literally tested from the inside and out in terms of security before they can be deployed and launched to the public for business transactions to occur.

The primary objective of this book is to address those specific areas that require testing before a web app can be considered to be completely secure. The book specifically examines five key areas:

  • Network security:

  • This encompasses the various network components that are involved in order for the end user to access the particular web app from the server where it is stored at to where it is being transmitted to, whether it is a physical computer itself or a wireless device (such as a smartphone).
  • Cryptography
  • : This area includes not only securing the lines of network communications between the server upon which the web app is stored at and from where it is accessed from but also ensuring that all personally identifiable information (PII) that is stored remains in a ciphertext format and that its integrity remains intact while in transmission.
  • Penetration testing: This involves literally breaking apart a Web app from the external environment and going inside of it, in order to discover all weaknesses and vulnerabilities and making sure that they are patched before the actual Web app is launched into a production state of operation.
  • Threat hunting: This uses both skilled analysts and tools on the Web app and supporting infrastructure to continuously monitor the environment to find all security holes and gaps.
  • The Dark Web: This is that part of the Internet that is not openly visible to the public. As its name implies, this is the "sinister" part of the Internet, and in fact, where much of the PII that is hijacked from a web app cyberattack is sold to other cyberattackers in order to launch more covert and damaging threats to a potential victim.

Testing and Securing Web Applications

breaks down the complexity of web application security testing so this critical part of IT and corporate infrastructure remains safe and in operation.

Acknowledgments xiii
About the Authors xv
1 Network Security
1(82)
Introduction
1(4)
A Chronological History of the Internet
5(2)
The Evolution of Web Applications
7(6)
The Fundamentals of Network Security - The OSI Model
13(5)
The OSI Model
13(2)
What Is the Significance of the OSI Model to Network Security?
15(1)
The Classification of Threats to the OSI Model
15(2)
The Most Probable Attacks
17(1)
Assessing a Threat to a Web Application
18(1)
Network Security Terminology
19(1)
The Types of Network Security Topologies Best Suited for Web Applications
20(1)
The Types of Attack That Can Take Place against Web Applications
21(6)
How to Protect Web Applications from DDoS Attacks
27(6)
Defending against Buffer Overflow Attacks
28(1)
Defending against IP Spoofing Attacks
28(2)
Defending against Session Hijacking
30(1)
Defending Virus and Trojan Horse Attacks
31(1)
Viruses
31(1)
How a Virus Spreads Itself
31(1)
The Different Types of Viruses
31(2)
Defending Web Applications at a Deeper Level
33(4)
The Firewall
33(1)
Types of Firewalls
34(2)
Blacklisting and Whitelisting
36(1)
How to Properly Implement a Firewall to Safeguard the Web Application
37(2)
The Use of Intrusion Detection Systems
39(14)
Understanding What a Network Intrusion Detection System Is
39(1)
Preemptive Blocking
40(2)
Anomaly Detection
42(1)
Important NIDS Processes and Subcomponents
43(1)
The Use of VPNs to Protect a Web Application Server
44(1)
The Basics of VPN Technology
45(1)
The Virtual Private Network Protocols that are Used to Secure a Web Application Server
46(1)
How PPTP Sessions are Authenticated
46(1)
How Layer 2 Tunneling Protocol (L2TP) Sessions are Authenticated
47(1)
How Password Authentication Protocol (PAP) Sessions are Authenticated
48(1)
How Shiva Password Authentication Protocol (SPAP) Sessions are Authenticated
48(1)
How Kerberos Protocol Sessions are Authenticated
49(2)
How IPSec Protocol Sessions are Authenticated
51(1)
How SSL Protocol Sessions are Authenticated
52(1)
How to Assess the Current State of Security of a Web Application Server
53(3)
Important Risk Assessment Methodologies and How They Relate to Web Application Security
54(1)
Single Loss Expectancy (SLE)
54(1)
The Annualized Loss Expectancy (ALE)
54(1)
The Residual Risk
54(1)
How to Evaluate the Security Risk that is Posed to the Web Application and its Server
55(1)
How to Conduct the Initial Security Assessment on the Web Application
56(3)
Techniques Used by Cyberattackers against the Web Application and Web Application Server
59(6)
The Techniques Used by the Cyberhacker
60(3)
Techniques Used by the Cyberattacker
63(2)
Network Security and Its Relevance for Web Apps
65(1)
Data Confidentiality
65(1)
Common Technical Layouts for Modern Web App Infrastructure
66(16)
Encrypting Data in Flight
69(1)
TLS
69(3)
Certificate
72(1)
Setting Up the Session
73(1)
Finishing the Handshake
74(1)
Site Validity
75(1)
Proving Your Web App Is What It Says It Is
75(2)
Testing Your Web App's Confidentiality and Trust
77(1)
What Kind of Trust?
77(2)
Spoofing and Related Concerns
79(3)
Conclusion
82(1)
Resources
82(1)
References
82(1)
2 Cryptography
83(68)
An Introduction to Cryptography
84(1)
Message Scrambling and Descrambling
85(1)
Encryption and Decryption
86(1)
Ciphertexts
86(1)
Symmetric Key Systems and Asymmetric Key Systems
87(1)
The Caesar Methodology
87(1)
Types of Cryptographic Attacks
88(1)
Polyalphabetic Encryption
88(1)
Block Ciphers
89(1)
Initialization Vectors
90(1)
Cipher Block Chaining
90(1)
Disadvantages of Symmetric Key Cryptography
91(1)
The Key Distribution Center
92(1)
Mathematical Algorithms with Symmetric Cryptography
93(1)
The Hashing Function
94(1)
Asymmetric Key Cryptography
95(1)
Public Keys and Public Private Keys
95(1)
The Differences Between Asymmetric and Symmetric Cryptography
96(1)
The Disadvantages of Asymmetric Cryptography
97(1)
The Mathematical Algorithms of Asymmetric Cryptography
98(1)
The Public Key Infrastructure
99(1)
The Digital Certificates
100(1)
How the Public Key Infrastructure Works
101(1)
Public Key Infrastructure Policies and Rules
101(1)
The LDAP Protocol
102(1)
The Public Cryptography Standards
103(1)
Parameters of Public Keys and Private Keys
104(1)
How Many Servers?
105(1)
Security Policies
105(1)
Securing the Public Keys and the Private Keys
106(1)
Message Digests and Hashes
106(1)
Security Vulnerabilities of Hashes
106(1)
A Technical Review of Cryptography
107(6)
The Digital Encryption Standard
107(2)
The Internal Structure of the DES
109(1)
The Initial and Final Permutations
109(1)
The f-Function
109(1)
The Key Schedule
110(1)
The Decryption Process of the DES Algorithm
111(1)
The Reversed Key Schedule
111(1)
The Decryption in the Feistel Network
111(2)
The Security of the DES
113(8)
The Advanced Encryption Standard
113(1)
The Mathematics behind the DES Algorithm
114(3)
The Internal Structure of the AES Algorithm
117(3)
Decryption of the AES Algorithm
120(1)
Asymmetric and Public Key Cryptography
121(4)
The Mathematics behind Asymmetric Cryptography
124(1)
The RSA Algorithm
125(4)
The Use of Fast Exponentiation in the RSA Algorithm
127(1)
The Use of Fast Encryption with Shorter Public Key Exponentiation
128(1)
The Chinese Remainder Theorem (CRT)
128(1)
How to Find Large Prime Integers for the RSA Algorithm
129(2)
The Use of Padding in the RSA Algorithm
131(1)
Specific Cyberattacks on the RSA Algorithm
132(1)
The Digital Signature Algorithm
133(3)
Digital Signature Computation and Verification Process for the DSA
134(1)
The Prime Number Generation Process in the DSA
135(1)
Security Issues with the DSA
135(1)
The Elliptic Curve Digital Signature Algorithm
136(2)
The Generation of the Public Key and the Private Key Using the ECDSA Algorithm
136(1)
The Signature and the Verification Process of the ECDSA Algorithm
137(1)
The Use of Hash Functions
138(1)
The Security Requirements of Hash Functions
139(3)
A Technical Overview of Hash Function Algorithms
142(2)
Block Cipher-Based Hash Functions
143(1)
Technical Details of the Secure Hash Algorithm SHA-1
144(2)
Key Distribution Centers
146(2)
The Public Key Infrastructure and Certificate Authority
148(1)
Resources
149(2)
3 Penetration Testing
151(24)
Introduction
151(1)
Peeling the Onion
152(1)
True Stories
152(7)
External Testing: Auxiliary System Vulnerabilities
152(1)
Internal Testing
153(1)
Report Narrative
154(1)
Report Narrative
154(1)
Web Application Testing
155(3)
SSID Testing
158(1)
Types of Penetration Tests
159(1)
Definitions of Low, Medium, High, and Critical Findings in Penetration Testing
160(1)
Compliances and Frameworks: Pen Testing Required
161(1)
OWASP and OWASP Top Ten
162(2)
OWASP Top Ten with Commentary
162(2)
Tools of the Trade
164(3)
Pen Test Methodology
167(5)
Penetration Test Checklist for External IPs and Web Applications
167(5)
Chapter Takeaways
172(2)
Resources
174(1)
4 Threat Hunting
175(16)
Not-So-Tall Tales
176(5)
Nation-State Bad Actors: China and Iran
181(1)
Threat Hunting Methods
182(1)
MITRE ATT&CK
183(1)
Technology Tools
183(2)
The SIEM
183(1)
EDR
184(1)
EDR + SIEM
185(1)
IDS
185(1)
When 1 + 1 + 1 = 1: The Visibility Window
185(1)
Threat Hunting Process or Model
186(2)
On Becoming a Threat Hunter
188(1)
Threat Hunting Conclusions
189(1)
Resources
189(2)
5 Conclusions
191(8)
Index 199
Ravi Das is a Business Development Specialist for The AST Cybersecurity Group, Inc., a leading Cybersecurity content firm located in the Greater Chicago area. Ravi holds a Master of Science of Degree in Agribusiness Economics (Thesis in International Trade), and Master of Business Administration in Management Information Systems. He has authored five books, with two forthcoming ones on artificial intelligence in cybersecurity, and cybersecurity risk and its impact on cybersecurity insurance policies.



Greg Johnson is the CEO of the penetration test company, Webcheck Security. Greg started Webcheck Security after serving on several executive teams and a long sales and management career with technology companies such as WordPerfect/Novell, SecurityMetrics, A-LIGN, and Secuvant Security. A Brigham Young University graduate, Greg began his career in the days of 64k, 5.25" floppy drives and Mac 128ks. As the industry evolved, Greg moved into the cyber arena and provided his clients with solutions surrounding compliance, digital forensics, data breach and response, and in 2016 earned the PCI Professional (PCIP) designation. In several business development roles, Greg consulted, guided and educated clients in compliance guidelines and certifications for standards including PCI, HIPAA, ISO 27001, NIST, SOC 1 and SOC 2, GDPR/CCPA, and FedRAMP. When he is not providing cyber solutions for his clients, he can be found spending time with his wife Kelly, playing with his grandchildren, or rehearsing or performing with the world-renowned Tabernacle Choir on Temple Square.