Alpha Five Web Security
-
7/28/2019 Alpha Five Web Security
Security Issues With Web Based Systems
-
Security Issues Web Based Systems
Security cannot be treated as an add-on or an afterthought
Security must be integrated into the design
Security should be built on a default-deny model: every request is denied unless it is specifically allowed
-
Security Issues Web Based Systems
Depending on security applied outside of the application (the network, the web server) is insufficient
Any browser based system with a URL is public
Data in a URL is not secured: it is visible in the address bar, in browser history and in server logs
Hidden data (hidden form fields, commented-out markup, unlinked pages) may still be exposed with a limited search
-
Security Issues Web Based Systems
Security should be applied to anything with value
Security should be viewed from a thief's perspective
Security is limited to the weakest link
No security system is impregnable
Copyrights and other legal restrictions are weak restrictions
-
Security Issues Web Based Systems
Security must be considered in all areas of a data stream
SSL and Web Security: SSL protects data in transit between the browser and the server; it does nothing for data at rest on either end
Physical security of hardware must be considered
-
Security Issues Web Based Systems
SQL Injection
What is it?
A malicious method of replacing a value sent to a SQL statement with a value that causes a different action.
Why does it happen?
A value sent to a SQL statement is not tested for proper type or format
No test is applied to verify that an action produced the expected result
-
Security Issues Web Based Systems
SQL Injection
Example
A user name is sent to a page as userName=joe
The page builds a statement by concatenating the value into the SQL text:
statement = "SELECT * FROM users WHERE userName = '" + userName + "';"
An injection might send a value like
userName = a' OR 't'='t
This gives a statement of
statement = SELECT * FROM users WHERE userName = 'a' OR 't'='t';
Instead of a specific record, it returns every record in the table
A check that exactly one record was returned would make this particular injection fail, but it does not stop injection in general
-
Security Issues Web Based Systems
SQL Injection
Example
An injection might send a value like
userName = a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
This gives a statement of
statement = SELECT * FROM users WHERE userName = 'a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';
Instead of a specific record, it drops the users table entirely and then shows all values from the data table (on a server that runs every statement it is handed)
A test for the proper format of userName would have prevented the injection
-
Security Issues Web Based Systems
SQL Injection Prevention
Use arguments to pass values
UPDATE dbo.Insurance SET Zipcode = :new.Zipcode, Phone = :new.Phone WHERE IdInsurance = :old.IdInsurance
:new.Zipcode, :new.Phone and :old.IdInsurance are Alpha arguments
The method that sets an argument tests the value for proper type and format
The actual SQL statement is fixed and uses only the specified arguments, so a value can never become part of the SQL text
Test the type and format of any value sent to a statement
If the value should be a plain text string, reject any text containing characters outside the expected set (quotes and semicolons in a user name, for example)
Test for the proper return values and actions
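The two injection slides and the prevention slide above, worked through in running code. This is an added example written for this page in Python on the standard sqlite3 module; it is not Alpha Five code and not the Xbasic argument mechanism the slide describes, although the parameterised query plays the same role as Alpha arguments. The users and data tables, their rows and the user-name format rule are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample rows for the demo (not data from the slides).
USERS = [
    ("joe", "joe@example.com"),
    ("ann", "ann@example.com"),
    ("bob", "bob@example.com"),
]

# Format test from the prevention slide, written as an allow-list: a user name
# is one to thirty-two letters, digits or underscores. Anything else is
# rejected outright rather than trying to blacklist quote or semicolon characters.
USER_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """In-memory SQLite database with the users and data tables the slides mention."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE data (item TEXT)")
    conn.execute("INSERT INTO data VALUES ('payroll.csv')")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def vulnerable_lookup(conn, user_name):
    """The slide's pattern: the request value is pasted into the SQL text."""
    statement = "SELECT * FROM users WHERE userName = '" + user_name + "';"
    # sqlite3's execute() refuses more than one statement, so stacked queries
    # fail here by accident; the tautology payload still goes straight through.
    return conn.execute(statement).fetchall()


def vulnerable_batch(conn, user_name):
    """Same concatenation on a server that runs every statement it is handed
    (executescript stands in for a driver that accepts batched SQL)."""
    statement = "SELECT * FROM users WHERE userName = '" + user_name + "';"
    conn.executescript(statement)


def param_lookup(conn, user_name):
    """The fix: the SQL text is fixed and the value is bound as an argument,
    so quotes and semicolons in it are only characters inside a string."""
    return conn.execute(
        "SELECT * FROM users WHERE userName = ?", (user_name,)
    ).fetchall()


def valid_user_name(value):
    return isinstance(value, str) and USER_NAME_RE.fullmatch(value) is not None


def guarded_lookup(conn, user_name):
    """All three checks from the prevention slide: format test, bound argument,
    result test."""
    if not valid_user_name(user_name):
        raise ValueError("userName has an unexpected format")
    rows = param_lookup(conn, user_name)
    if len(rows) > 1:
        # A user-name lookup must never match more than one row.
        raise RuntimeError("lookup matched %d rows, expected at most 1" % len(rows))
    return rows


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "a' OR 't'='t"))   # all three users
    print(param_lookup(db, "a' OR 't'='t"))        # []
    vulnerable_batch(db, "a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't")
    print(table_exists(db, "users"))               # False
```

The bound-argument query alone neutralises both payloads; the format and result tests are kept as defence in depth, because they also catch values that are syntactically harmless but wrong for the field.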
-
Alpha Five Web Security System
-
Alpha Five Web Security System
Alpha Five Web Security is an access control system
Deny unless authorized, at the file (page) level
Checks every file request
It is not a data filtering system, although it can be used to create filters based on user roles
Security can be applied to a single file in the web project, to any folder, or by file extension
How Does it Work?
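A deny-by-default, per-request check of the kind the slide describes, as an added example written for this page; it is not Alpha Five's implementation or configuration format. The rule table, the group names and the precedence (exact file, then longest folder prefix, then extension) are this example's assumptions, as is lower-casing paths for a case-insensitive file system.

```python
import posixpath

# Constructed rule table for this example; it is not Alpha Five's configuration
# format. kind is "file", "folder" or "ext"; groups is the set of groups granted.
RULES = [
    ("file", "/index.a5w", {"anonymous", "staff", "admin"}),
    ("folder", "/public/", {"anonymous", "staff", "admin"}),
    ("folder", "/admin/", {"admin"}),
    ("ext", ".a5w", {"staff", "admin"}),
]


def normalize(path):
    """Canonical request path: forward slashes, one leading slash, no ./ or ../,
    lower-cased (assumption: a case-insensitive Windows file system)."""
    p = "/" + path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(p).lower()


def matching_rule(path):
    """Most specific rule for a path: exact file, then longest folder prefix,
    then extension. Returns None when nothing matches. This precedence is the
    example's assumption, not documented Alpha Five behaviour."""
    p = normalize(path)
    folder_hit = None
    ext_hit = None
    for kind, target, groups in RULES:
        target = target.lower()
        if kind == "file" and p == target:
            return (kind, target, groups)
        if kind == "folder" and p.startswith(target):
            if folder_hit is None or len(target) > len(folder_hit[1]):
                folder_hit = (kind, target, groups)
        if kind == "ext" and posixpath.splitext(p)[1] == target:
            ext_hit = (kind, target, groups)
    return folder_hit or ext_hit


def is_allowed(path, user_groups):
    """Deny unless some rule covering this request grants one of the user's groups."""
    rule = matching_rule(path)
    if rule is None:
        return False
    return bool(rule[2] & set(user_groups))


if __name__ == "__main__":
    for req, groups in [("/admin/users.a5w", {"staff"}),
                        ("/public/../admin/users.a5w", {"staff"}),
                        ("/reports/q1.pdf", {"admin"})]:
        print(req, sorted(groups), is_allowed(req, groups))
```

Two points worth noticing: the path is normalised before any rule is consulted, so "/public/../admin/users.a5w" is judged as the admin page it really is; and a request that no rule covers is denied, which is what "deny unless authorized" means in practice.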
-
Alpha Five Web Security System
Security can be applied to component elements and actions
Security is integrated into the server technology
The Alpha Five Web Security is highly configurable
How Does it Work?
-
Alpha Five Web Security System
Security data is saved in isolated data tables
The tables are published to the same folder as the web pages
The tables are not placed in the same location as other data tables
The server prevents direct access to the tables
The data in the tables on the server is not the same as the data shown in the desktop Users and Groups dialog
How Does it Work?
-
Alpha Five Web Security System
Security data can be linked to other user tables
The ulink field
The security session variable
All login processes and authorization processes are integrated into the system code and never exposed to the user
How Does it Work?
-
Alpha Five Web Security System
Configuring the Web Security
Entering initial values for users and groups
Setting permissions
Publishing the web security
Maintaining web security data
From the desktop
From the web
Web security Xbasic functions
Building a Web Security System
-
Alpha Five Web Security System