Web Applications Vulnerabilities

[Writer Name]

[Supervisor Name]

[Subject]

[Date]

To achieve some measure of protection against threats that exploit legitimate uses of Internet traffic to breach internal networks, organizations install firewalls as a perimeter defense. Firewall deployment is part of the canon of network security; however, firewalls lull many organizations into a false sense of security, leading them to give short shrift to glaring deficiencies that may exist inside the network (Russ 2008). Consequently, internal network users are often subject to a lower authentication threshold when they access the organization's applications and data. Since no firewall is completely secure, once the perimeter is breached an attacker can typically move through the network with relative ease if no significant authentication obstacles are in place.

To shore up these deficiencies, organizations can deploy applications that incorporate secure identity authentication standards. Encrypting network traffic to protect sensitive data and messages is another viable option. In response to the increasing sophistication of cyber attacks emanating from the Internet, many organizations are adopting a more integrated approach to network security. Rather than deploying several independent applications that each address a specific threat, they install a single software- or hardware-based Unified Threat Management (UTM) appliance designed to tackle threats in a coordinated fashion. Among their many features, UTM appliances can provide intrusion detection, stop unauthorized material, viruses and spam from entering the network, thwart surreptitious spyware and malware installations, block suspicious network traffic, and offer some protection from phishing. In addition to protection from stand-alone threats, the UTM's integrated approach provides a more effective way to detect and respond to coordinated attacks in which an adversary uses many different intrusion techniques against a network simultaneously (O'Reilly 2008). A UTM appliance is still a perimeter control, however; it does nothing to raise the internal authentication threshold described above.

The rapid proliferation of the Internet, and by extension of its core networking protocol (IP), has led to a parallel explosion in the use of IP-enabled wireless devices. Securely integrating such devices into corporate networks has proven challenging, as wireless networks pose “additional risks that do not exist in wired networks”. These risks primarily involve easier access to the network for intruders: “Wireless technology is…a common source of access for hackers”. Securing wireless access typically involves intrusion detection applications to identify rogue devices attempting to join the network, Wi-Fi signal encryption, and device and user authentication services; however, such techniques can only go so far in securing the internal network. As more organizations allow their employees to use relatively cheap and insecure devices to access the internal network remotely, the risk of an attack increases, especially as cellular phones and PDAs become more tightly integrated with the Internet. “Firms clearly need some way to save users from their own stupidity”. So, in addition to the technological safeguards, organizations must enact policies for employees on the proper use of wireless devices, ensure that the policies are strictly followed, and mete out appropriate punishment for violations (Itznhak 2007).

VoIP telephony, which carries voice communications over the Internet, is growing rapidly, replacing the traditional PBX and POTS-based telephone systems that companies have used for decades. Shunting voice communications through the Internet opens up yet another avenue for attackers to breach an organization's internal networks. As yet, reported incidents of VoIP attacks have been limited; however, they are expected to grow in step with the brisk pace of VoIP deployments (Green 2005).

The attacks identified so far are essentially variations of those commonly inflicted on data networks, including telephony spam, denial-of-service attacks, and phishing scams. One survey reveals that many organizations are ill-prepared to address VoIP security and to thwart VoIP attacks effectively. This is partly because some security measures, such as layered encryption and authentication, are difficult to apply to VoIP networks. That said, many common techniques can still mitigate the most pressing risks: deploying anti-virus, anti-spam and firewall utilities on the VoIP server, segregating voice traffic on a separate virtual LAN, and removing the default web server applications that are often installed on IP handsets (Russ 2008).

“Web site hacks are on the rise and pose a greater threat than…broad-based network attacks” (O’Reilly 2008). Two common examples are SQL injection and cross-site scripting. Both stem from the same failure to keep untrusted input separate from code: in SQL injection, input concatenated into a database query is interpreted as query syntax, giving the attacker access to sensitive data sets; in cross-site scripting, input echoed into a page is interpreted by other users' browsers as script. Though such deficiencies can be detected and rectified in most cases, the fact remains that the web application design and development approach used by many organizations is not inherently security-oriented, which leaves them doomed to repeat earlier failures, perpetuating a vicious cycle.
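As an added illustration (not code from the original essay or from any of its sources), the following Python script shows the mechanics of SQL injection against a login check, with the vulnerable query beside its parameterised replacement. The users table, the credentials and the payload are constructed for the example, and sqlite3 stands in for whatever database the application uses.

```python
import sqlite3

# Constructed in-memory users table for the demonstration (not the essay's data).
# Passwords are stored in clear only to keep the injection mechanics visible;
# a real application stores salted hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is pasted into the SQL text, so a quote character in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(conn, username, password):
    # Parameterised query: the SQL text is fixed and the values are bound
    # separately, so they are compared as data and never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# Classic tautology payload: with the vulnerable query the WHERE clause becomes
#   username = 'nobody' AND password = '' OR '1'='1'
# which is true for every row (AND binds tighter than OR).
PAYLOAD = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        # an account that does not even exist is "logged in" via the vulnerable path
        "vulnerable_bypass": login_vulnerable(conn, "nobody", PAYLOAD),
        # the same payload is just a wrong password for the hardened path
        "hardened_bypass": login_hardened(conn, "nobody", PAYLOAD),
        # and legitimate credentials still work
        "hardened_valid": login_hardened(conn, "alice", "s3cret"),
    }

if __name__ == "__main__":
    print(demo())
```

The hardened version changes only how the values reach the database driver; the SQL text itself is identical, which is why parameterisation is the fix rather than input filtering.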

Case in point: AJAX, one of the core techniques underlying the latest generation of interactive Web 2.0 applications, has serious security shortcomings. By moving more application logic into JavaScript running in the browser and exposing more server endpoints to it, AJAX opens web sites to new threats such as JavaScript and mashup hacking. The way to protect web applications from unintended vulnerabilities is to adopt security-oriented programming and design practices. For organizations that rely heavily on inherently insecure applications that are already deployed, installing application-level firewalls and using authentication tokens to verify user identities may be viable stop-gaps (Itznhak 2007).
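As a second added example (my own, not code from the essay or from Itznhak's article), the following Python shows the server side of the cross-site scripting problem that AJAX-heavy pages magnify: an unescaped comment becomes live markup, output encoding neutralises it, and a JSON response for an AJAX call is kept safe to embed. The comment string, the render functions and the JSON helper are all constructed for this illustration; html, json and HTMLParser come from the standard library.

```python
import html
import json
from html.parser import HTMLParser

# Constructed attacker-supplied comment (not from the page): a broken image whose
# error handler runs script in every visitor's browser.
COMMENT = '<img src=x onerror="alert(document.cookie)">'

def render_vulnerable(comment):
    # Untrusted text spliced straight into markup: the browser parses the
    # attacker's tag and executes its onerror handler.
    return '<li class="comment">%s</li>' % comment

def render_hardened(comment):
    # Output encoding for the HTML text context. quote=True also converts
    # " and ', so the same call is safe inside a quoted attribute value.
    return '<li class="comment">%s</li>' % html.escape(comment, quote=True)

def json_for_ajax(comments):
    # An AJAX endpoint should return data, not markup, and the client should
    # insert it with textContent rather than innerHTML. Escaping "</" means a
    # "</script>" inside a string cannot close an inline <script> block if the
    # JSON is ever embedded in a page.
    return json.dumps({"comments": comments}).replace("</", "<\\/")

def decode_ajax(body):
    # "<\/" is a legal JSON escape, so the client gets the original text back.
    return json.loads(body)["comments"]

class TagCollector(HTMLParser):
    """Records the start tags a browser-like parser would see in a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(fragment):
    parser = TagCollector()
    parser.feed(fragment)
    return parser.tags

if __name__ == "__main__":
    print(tags_in(render_vulnerable(COMMENT)))   # the attacker's img tag survives
    print(tags_in(render_hardened(COMMENT)))     # only the li wrapper remains
    print(json_for_ajax(["</script><script>alert(1)</script>"]))
```

The tag collector is only a stand-in for the browser's parser; it shows that the hardened renderer leaves exactly one element for the browser to create, whereas the vulnerable one hands it the attacker's element as well.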

The Internet is a bane to organizational information technology security. However, the organizations themselves must shoulder some of the blame, as their rush to exploit the Internet productively has led to the deliberate implementation of insecure technologies. The latest advancements in wireless networking, VoIP telephony and web-based applications are rife with security holes that have yet to be fully addressed, leaving many organizations vulnerable to attack.

By clicking on the link we are directed to a machine-readable feed page intended for news aggregators rather than human readers.

How Web 2.0 is changing businesses

Web 2.0 is changing the way businesses communicate and work together, internally and externally. Think of the blogs you read for product reviews, or blogs about corporations: they are a clear sign that Web 2.0 is changing the way we do business and the way business itself communicates. Companies even run their own blogs, among employees and with customers. With Web 2.0 applications, companies have tools that give employees a voice and let customers take part in the decision-making process (Green 2005).

Everything can be done in the cloud: writing code, debugging it, testing it, deploying it and running it. The semantic web can understand what you are looking for and help you find that information. With Google search, for example, you sometimes have to type many different queries to find what you want; on the semantic web the computer understands what you are looking for and returns exactly that information, along with some related topics. Ultimately, Web 3.0 is going to be like a personal assistant: it learns about you and answers your questions by finding the information on the Internet for you (Russ 2008).

The next generation of the web, Web 3.0, is going to be even more user-friendly, allowing the computer to understand data instead of matching keywords in a search engine. Instead of guessing what to type to get the information you want, the computer can actually understand what you want and help you find the specific information you were looking for. Most of us would then have more time to concentrate on more important things instead of spending it on tasks a computer can do for us.

To understand this point, suppose we want to model all the dates on which a customer accessed an account. The single-valued attribute access-date can store only one access date. We cannot represent multiple access dates by multiple relationship instances between the same customer and account, since the relationship instances would not be uniquely identifiable using only the participating entities (O’Reilly 2008).

Examples of job entities include manager, teller and auditor. Job entities may have the attributes title and level. The relationship set works-on among employee, branch and job is an example of a ternary relationship. A works-on instance among Jones, Perryridge and manager indicates that Jones acts as a manager at the Perryridge branch. Jones could also act as auditor at the Downtown branch, which would be represented by another relationship instance (Itznhak 2007).

Example operations include modifying or updating data, searching for and retrieving specific data, and deleting data. At this stage of conceptual design, the designer can review the schema to ensure it meets the functional requirements. Moving from an abstract data model to the implementation of the database proceeds in two final design phases. In the logical-design phase, the designer maps the high-level conceptual schema onto the implementation data model of the database system that will be used. The resulting system-specific database schema is then used in the physical-design phase, in which the physical features of the database are specified, such as the form of file organization and the internal storage structures.

Database Design for a Banking Enterprise

We now look at the database-design requirements of a banking enterprise in more detail, and develop a more realistic, but also more complicated, design than in the earlier examples (Green 2005).
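To make the logical-design mapping concrete, here is an added example (mine, not from the essay or the cited sources) in Python with sqlite3 that carries the two modelling problems above through to relational tables: the multi-valued access-date attribute becomes its own table keyed by the owning relationship plus the value, and the ternary works-on relationship becomes a table whose key is the union of the three participating entity keys. The table and column names, the customer C1, the account A-101 and the dates are constructed for the illustration; Jones, Perryridge, Downtown, manager and auditor are the page's own.

```python
import sqlite3

# Constructed relational schema derived from the E-R sketch in the text.
SCHEMA = """
CREATE TABLE customer (customer_id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE account  (account_number TEXT PRIMARY KEY, balance REAL NOT NULL);
-- depositor is the customer/account relationship set
CREATE TABLE depositor (
    customer_id    TEXT REFERENCES customer,
    account_number TEXT REFERENCES account,
    PRIMARY KEY (customer_id, account_number));
-- The multi-valued attribute access-date moves into its own table; the value is
-- part of the key, so one customer/account pair can have many dates.
CREATE TABLE account_access (
    customer_id    TEXT,
    account_number TEXT,
    access_date    TEXT,
    PRIMARY KEY (customer_id, account_number, access_date),
    FOREIGN KEY (customer_id, account_number) REFERENCES depositor);

CREATE TABLE employee (employee_id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE branch   (branch_name TEXT PRIMARY KEY);
CREATE TABLE job      (title TEXT PRIMARY KEY, level INTEGER NOT NULL);
-- Ternary relationship works-on: key is the union of the three entity keys.
CREATE TABLE works_on (
    employee_id TEXT REFERENCES employee,
    branch_name TEXT REFERENCES branch,
    title       TEXT REFERENCES job,
    PRIMARY KEY (employee_id, branch_name, title));
"""

def build():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES ('C1', 'Smith')")
    conn.execute("INSERT INTO account VALUES ('A-101', 500.0)")
    conn.execute("INSERT INTO depositor VALUES ('C1', 'A-101')")
    conn.executemany("INSERT INTO account_access VALUES ('C1', 'A-101', ?)",
                     [("2008-10-26",), ("2008-10-27",), ("2008-10-29",)])
    conn.execute("INSERT INTO employee VALUES ('E1', 'Jones')")
    conn.executemany("INSERT INTO branch VALUES (?)", [("Perryridge",), ("Downtown",)])
    conn.executemany("INSERT INTO job VALUES (?, ?)", [("manager", 3), ("auditor", 2)])
    conn.executemany("INSERT INTO works_on VALUES (?, ?, ?)",
                     [("E1", "Perryridge", "manager"), ("E1", "Downtown", "auditor")])
    conn.commit()
    return conn

def access_dates(conn, customer_id, account_number):
    # All dates for one customer/account pair, which a single-valued attribute
    # could not hold.
    return [r[0] for r in conn.execute(
        "SELECT access_date FROM account_access "
        "WHERE customer_id = ? AND account_number = ? ORDER BY access_date",
        (customer_id, account_number))]

def roles_of(conn, employee_id):
    # Each (branch, job) pair is a separate works-on instance for the employee.
    return conn.execute(
        "SELECT branch_name, title FROM works_on WHERE employee_id = ? "
        "ORDER BY branch_name", (employee_id,)).fetchall()

def rejects_dangling(conn):
    # An access record for a customer/account pair that is not a depositor must
    # be refused, otherwise the derived table drifts from the relationship set.
    try:
        conn.execute("INSERT INTO account_access VALUES ('C9', 'A-101', '2008-11-01')")
    except sqlite3.IntegrityError:
        return True
    return False

if __name__ == "__main__":
    db = build()
    print(access_dates(db, "C1", "A-101"))
    print(roles_of(db, "E1"))
    print(rejects_dangling(db))
```

The foreign-key pragma is the part most often forgotten with SQLite; without it the dangling insert would silently succeed and the logical schema would no longer match the conceptual one.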

SQL Server 2005 separates some of these components into a module called the SQLOS, described shortly. In fact, the SQL Server storage engine team at Microsoft encompasses three areas: access methods, transaction management, and the SQLOS.

The SQLOS

Whether the components of the SQLOS layer are actually part of the storage engine depends on whom you ask. Moreover, pinning down exactly which components belong to the SQLOS layer can be rather like herding cats. I have seen several technical presentations on the topic at conferences and have exchanged e-mail and even spoken face to face with members of the product team, but the answers vary. The manager who said he was responsible for the SQLOS layer defined the SQLOS as everything he was responsible for, which is a rather circular definition (Russ 2008).

It provides memory management, scheduling, I/O management, a framework for locking and transaction management, deadlock detection, and general utilities for dumping, exception handling, and so on. Another member of the product team described the SQLOS to me as a set of data structures and APIs that could potentially be needed by operations running at any layer of the engine. For example, consider the various operations that require memory. SQL Server does not just need memory when it reads data pages through the storage engine; it also needs memory to hold the query plans developed in the query processor layer. Architecture diagrams of the engine often show the SQLOS layer in several parts, but this is just a way of showing that many SQL Server components use SQLOS functionality. The SQLOS, then, is a collection of structures and processes that handles many of the tasks you might think of as operating system tasks (O’Reilly 2008).

The addition of asynchronous queuing to SQL Server 2005 brings this capability to end-user database applications as well. Asynchronous queuing is an important factor for scalability because it lets a program accept more requests than the platform can physically handle at once. Consider a web server: if ten thousand users simultaneously requested resources, without asynchronous queuing the server would be overwhelmed as it tried to launch a thread for every incoming request. With asynchronous queuing, the requests are captured in a queue and the web server processes entries from the queue at its most efficient rate instead of being overwhelmed, so it can handle far more user connections than would otherwise be possible. The SQL Server Service Broker lets you build the same kind of scalability into your database applications (Itznhak 2007).
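Since Service Broker itself needs a SQL Server instance, the following added example (my own, not from the essay or its sources) shows the same pattern in plain Python: a bounded queue drained by a fixed pool of workers, so that a flood of requests never turns into a flood of threads, and overload is reported to the caller rather than absorbed as an ever-growing backlog. The request ids, the hashing used as stand-in work, and the pool and queue sizes are all constructed for the demonstration.

```python
import hashlib
import queue
import threading

def handle(request_id):
    # Stand-in for real request processing (constructed work: hashing the id).
    return hashlib.sha256(str(request_id).encode()).hexdigest()

class RequestQueue:
    """Bounded queue drained by a fixed pool of worker threads.

    However many requests arrive, at most `workers` are in flight at once;
    the rest wait in the queue or, when the queue is full, are refused.
    """
    def __init__(self, workers=4, capacity=1000):
        self._q = queue.Queue(maxsize=capacity)
        self._lock = threading.Lock()
        self._active = 0
        self.peak_active = 0      # highest number of requests handled concurrently
        self.processed = 0
        self.rejected = 0
        self._threads = [threading.Thread(target=self._worker, daemon=True)
                         for _ in range(workers)]
        for t in self._threads:
            t.start()

    def submit(self, request_id):
        # Non-blocking enqueue: when the queue is full the caller learns it
        # immediately (the web-server equivalent of a 503) instead of the
        # process growing another thread or an unbounded backlog.
        try:
            self._q.put_nowait(request_id)
            return True
        except queue.Full:
            with self._lock:
                self.rejected += 1
            return False

    def _worker(self):
        while True:
            item = self._q.get()
            if item is None:            # shutdown sentinel
                self._q.task_done()
                return
            with self._lock:
                self._active += 1
                self.peak_active = max(self.peak_active, self._active)
            try:
                handle(item)
            finally:
                with self._lock:
                    self._active -= 1
                    self.processed += 1
                self._q.task_done()

    def drain(self):
        # Wait until every accepted request has been handled, then stop workers.
        self._q.join()
        for _ in self._threads:
            self._q.put(None)
        for t in self._threads:
            t.join()

def flood(n_requests=10_000, workers=8, capacity=2_000):
    # Ten thousand "simultaneous" requests against eight workers: every accepted
    # request is eventually processed, and concurrency never exceeds the pool.
    rq = RequestQueue(workers=workers, capacity=capacity)
    accepted = sum(rq.submit(i) for i in range(n_requests))
    rq.drain()
    return {"accepted": accepted, "processed": rq.processed,
            "rejected": rq.rejected, "peak_active": rq.peak_active}

def overflow(capacity=3, attempts=5):
    # With no workers nothing drains, which makes the bounded queue's refusal
    # of excess work deterministic and visible.
    rq = RequestQueue(workers=0, capacity=capacity)
    return [rq.submit(i) for i in range(attempts)]

if __name__ == "__main__":
    print(flood())
    print(overflow())
```

How many of the ten thousand are rejected in `flood` depends on how fast the workers keep up with the producer; what is fixed is that accepted equals processed, accepted plus rejected equals the total, and the peak concurrency never exceeds the pool size. Bounding the queue is the security-relevant choice: an unbounded queue under a slow handler is simply a slower way to exhaust memory.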

Works Cited

Green, S. B. (2005, May 2). Blogs will change your business. Retrieved October 26, 2008, from BusinessWeek: http://www.businessweek.com/magazine/content/05_18/b3931001_mz001.htm

Itznhak, B. (2007, September 10). Tackling the security issues of Web 2.0. Retrieved October 29, 2008, from SC Magazine US: http://www.scmagazineus.com/Tackling-the-security-issues-of-Web-20/article/35609/

O’Reilly. (2008). What is Web 2.0. Retrieved October 26, 2008, from O’Reilly Media: http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?page=3

Russ. (2008, August 30). How do corporations use social networking. Retrieved October 29, 2008, from RF Web Studio: http://rfwebstudio.com/social-media/how-do-corporations-use-social-networking/
