Testing and securing web applications:
Bibliographic Details
Main Authors: Das, Ravindra (author), Johnson, Greg (author)
Format: Electronic eBook
Language: English
Published: Boca Raton ; London ; New York : CRC Press, 2020
Edition: First edition
Links: https://ebookcentral.proquest.com/lib/munchentech/detail.action?docID=6264923
Description: Cover -- Half Title -- Title Page -- Copyright Page -- Dedication -- Contents -- Acknowledgments -- About the Authors -- 1. Network Security -- Introduction -- A Chronological History of the Internet -- The Evolution of Web Applications -- The Fundamentals of Network Security - The OSI Model -- The OSI Model -- What Is the Significance of the OSI Model to Network Security? -- The Classification of Threats to the OSI Model -- The Most Probable Attacks -- Assessing a Threat to a Web Application -- Network Security Terminology -- The Types of Network Security Topologies Best Suited for Web Applications -- The Types of Attack That Can Take Place against Web Applications -- How to Protect Web Applications from DDoS Attacks -- Defending against Buffer Overflow Attacks -- Defending against IP Spoofing Attacks -- Defending against Session Hijacking -- Defending Virus and Trojan Horse Attacks -- Viruses -- How a Virus Spreads Itself -- The Different Types of Viruses -- Defending Web Applications at a Deeper Level -- The Firewall -- Types of Firewalls -- Blacklisting and Whitelisting -- How to Properly Implement a Firewall to Safeguard the Web Application -- The Use of Intrusion Detection Systems -- Understanding What a Network Intrusion Detection System Is -- Preemptive Blocking -- Anomaly Detection -- Important NIDS Processes and Subcomponents -- The Use of VPNs to Protect a Web Application Server -- The Basics of VPN Technology -- The Virtual Private Network Protocols that are Used to Secure a Web Application Server -- How PPTP Sessions are Authenticated -- How Layer 2 Tunneling Protocol (L2TP) Sessions are Authenticated -- How Password Authentication Protocol (PAP) Sessions are Authenticated -- How Shiva Password Authentication Protocol (SPAP) Sessions are Authenticated -- How Kerberos Protocol Sessions are Authenticated
How IPSec Protocol Sessions are Authenticated -- How SSL Protocol Sessions are Authenticated -- How to Assess the Current State of Security of a Web Application Server -- Important Risk Assessment Methodologies and How They Relate to Web Application Security -- Single Loss Expectancy (SLE) -- The Annualized Loss Expectancy (ALE) -- The Residual Risk -- How to Evaluate the Security Risk that is Posed to the Web Application and its Server -- How to Conduct the Initial Security Assessment on the Web Application -- Techniques Used by Cyberattackers against the Web Application and Web Application Server -- The Techniques Used by the Cyberhacker -- Techniques Used by the Cyberattacker -- Network Security and Its Relevance for Web Apps -- Data Confidentiality -- Common Technical Layouts for Modern Web App Infrastructure -- Encrypting Data in Flight -- TLS -- Certificate -- Setting Up the Session -- Finishing the Handshake -- Site Validity -- Proving Your Web App Is What It Says It Is -- Testing Your Web App's Confidentiality and Trust -- What Kind of Trust? -- Spoofing and Related Concerns -- Conclusion -- Resources -- References -- 2. Cryptography -- An Introduction to Cryptography -- Message Scrambling and Descrambling -- Encryption and Decryption -- Ciphertexts -- Symmetric Key Systems and Asymmetric Key Systems -- The Caesar Methodology -- Types of Cryptographic Attacks -- Polyalphabetic Encryption -- Block Ciphers -- Initialization Vectors -- Cipher Block Chaining -- Disadvantages of Symmetric Key Cryptography -- The Key Distribution Center -- Mathematical Algorithms with Symmetric Cryptography -- The Hashing Function -- Asymmetric Key Cryptography -- Public Keys and Public Private Keys -- The Differences Between Asymmetric and Symmetric Cryptography -- The Disadvantages of Asymmetric Cryptography
The Mathematical Algorithms of Asymmetric Cryptography -- The Public Key Infrastructure -- The Digital Certificates -- How the Public Key Infrastructure Works -- Public Key Infrastructure Policies and Rules -- The LDAP Protocol -- The Public Cryptography Standards -- Parameters of Public Keys and Private Keys -- How Many Servers? -- Security Policies -- Securing the Public Keys and the Private Keys -- Message Digests and Hashes -- Security Vulnerabilities of Hashes -- A Technical Review of Cryptography -- The Digital Encryption Standard -- The Internal Structure of the DES -- The Initial and Final Permutations -- The f-Function -- The Key Schedule -- The Decryption Process of the DES Algorithm -- The Reversed Key Schedule -- The Decryption in the Feistel Network -- The Security of the DES -- The Advanced Encryption Standard -- The Mathematics behind the DES Algorithm -- The Internal Structure of the AES Algorithm -- Decryption of the AES Algorithm -- Asymmetric and Public Key Cryptography -- The Mathematics behind Asymmetric Cryptography -- The RSA Algorithm -- The Use of Fast Exponentiation in the RSA Algorithm -- The Use of Fast Encryption with Shorter Public Key Exponentiation -- The Chinese Remainder Theorem (CRT) -- How to Find Large Prime Integers for the RSA Algorithm -- The Use of Padding in the RSA Algorithm -- Specific Cyberattacks on the RSA Algorithm -- The Digital Signature Algorithm -- Digital Signature Computation and Verification Process for the DSA -- The Prime Number Generation Process in the DSA -- Security Issues with the DSA -- The Elliptic Curve Digital Signature Algorithm -- The Generation of the Public Key and the Private Key Using the ECDSA Algorithm -- The Signature and the Verification Process of the ECDSA Algorithm -- The Use of Hash Functions -- The Security Requirements of Hash Functions
A Technical Overview of Hash Function Algorithms -- Block Cipher-Based Hash Functions -- Technical Details of the Secure Hash Algorithm SHA-1 -- Key Distribution Centers -- The Public Key Infrastructure and Certificate Authority -- Resources -- 3. Penetration Testing -- Introduction -- Peeling the Onion -- True Stories -- External Testing: Auxiliary System Vulnerabilities -- Internal Testing -- Report Narrative -- Report Narrative -- Web Application Testing -- SSID Testing -- Types of Penetration Tests -- Definitions of Low, Medium, High, and Critical Findings in Penetration Testing -- Compliances and Frameworks: Pen Testing Required -- OWASP and OWASP Top Ten -- OWASP Top Ten with Commentary -- Tools of the Trade -- Pen Test Methodology -- Penetration Test Checklist for External IPs and Web Applications -- Chapter Takeaways -- Resources -- 4. Threat Hunting -- Not-So-Tall Tales -- Nation-State Bad Actors: China and Iran -- Threat Hunting Methods -- MITRE ATT&CK -- Technology Tools -- The SIEM -- EDR -- EDR + SIEM -- IDS -- When 1 + 1 + 1 = 1: The Visibility Window -- Threat Hunting Process or Model -- On Becoming a Threat Hunter -- Threat Hunting Conclusions -- Resources -- 5. Conclusions -- Index
Physical Description: 1 online resource (224 pages)
ISBN: 9781000166071
9781003081210