Securing a Web Application with Security Manager

Run with least privilege or Principle of Least Authority
Provide access only to the resources and permissions the application requires to work properly.
We need to know clearly which resources are required and what type of action our application will perform on them.
Define the minimum access permission for each resource that the application requires to run.
Security Manager

Overview of Threat Modeling

Threat modeling is the process of visualizing the strengths and weaknesses of the complete architecture. It should cover the data flow for all entry and exit points of the system. The components and external systems should be linked to each entry and exit point. Generally a data flow diagram (DFD) is used to draw the data flow.
An attacker will learn the system's behaviour from the entry and exit points of the system, so we need to apply proper security controls at those entry and exit points.

Secure Coding Guidelines for Content Security Policy

Content Security Policy (CSP) is the key mechanism for protecting against cross-site scripting (XSS) on the browser side, since XSS is the foremost injection attack. Here "content" means the web page resources such as JavaScript, images, etc. For browser-side security we need to understand the same-origin policy and the cross-origin policy (COP). In Firefox the Script Security Manager (nsScriptSecurityManager.cpp) performs the security checks for each statement execution; if there is no violation the statement is executed, otherwise it is reported in the console.

Why we need Content Security Policy:

How browser communicating with server using the Transport Layer Security (TLS) Handshake

1. Client Hello
The client sends the list of cipher suites supported by the browser.
The list of ciphers can be modified by the user.
The Firefox preference names and their equivalent cipher suites in RFC 5246 are as below:
1. security.ssl3.rsa_aes_128_sha = TLS_RSA_WITH_AES_128_CBC_SHA
2. security.ssl3.rsa_aes_256_sha = TLS_RSA_WITH_AES_256_CBC_SHA

Web Applications Security Essentials

Security principles
1. Don't trust input or infrastructure
2. Defense in depth
3. Run with least privilege
4. Keep security simple (verifiable, economy of mechanism)
5. Separation of privilege, compartmentalization
6. Secure the weakest link
7. Fail securely
8. Open design (avoid security by obscurity)
9. Psychological acceptability

Poodle Fix for Tomcat

POODLE stands for Padding Oracle On Downgraded Legacy Encryption.

The issue exists in the SSL protocol, hence using the latest protocol, TLS, will be secure.
The fix for POODLE is to disable the SSL protocol and enable only the TLS protocols.

The protocols supported by the Java SunJSSE provider are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.

Fix for POODLE vulnerability

Add this attribute to the Connector tag in server.xml:

Remove this attribute:
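As an added illustration (constructed here, not the original post's configuration), a JSSE HTTPS Connector in server.xml with the POODLE-exposed setting beside the corrected one. It assumes Tomcat's sslEnabledProtocols attribute is the one used to restrict the negotiable protocols; the keystore password is a placeholder and the keystore file name is taken from the keytool section of this page.

```xml
<!-- BEFORE (constructed example): SSLv3 is still negotiable, so a client can be
     downgraded to SSLv3 with a CBC cipher suite, which is what POODLE exploits -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/www_gnudeveloper_com.jks" keystorePass="CHANGE_ME"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />

<!-- AFTER: SSLv3 removed from the enabled list; only TLS versions are offered.
     sslProtocol="TLS" selects the JSSE SSLContext, sslEnabledProtocols limits
     what the server will actually negotiate -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/www_gnudeveloper_com.jks" keystorePass="CHANGE_ME"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
```

After restarting Tomcat, confirm that an SSLv3 handshake is refused, for example with `openssl s_client -connect host:8443 -ssl3` on an OpenSSL build that still supports SSLv3; the connection should fail once the fix is in place.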

Cryptography: How RSA key exchange works in real time using keytool and OpenSSL

Generate Key Pair

RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman

keytool -genkey -alias gdalias -keystore www_gnudeveloper_com.jks -keyalg RSA -keysize 512 -storepass gnudevpwd

Converting Keystore format

We need to convert the Java keystore (JKS) file to a PEM (Privacy Enhanced Mail) file so that we can easily view the private key, public key, etc.