With IoT being the buzz and all operating systems being integrated with central network and intruder in that can create major devastations than an IT system. For example, if someone can intrude into an electric utility network and operate on "SCADA" and entire network going down can be a bizarre or just assume the control system configured for addressing backup mechanism being turn down can result in blackouts. Preventing Such havocs is what security framework should look into.

1. SECURITY GUIDELINES
ARE WE RIGHTLY SAFEGUARDING OUR CUSTOMER ENVIRONMENTS ?
Karthik Sagar P
Technology Evangelist
Karthiksagar.p@outlook.com

2. “Every program has at least two purposes: the one for which it was written, and another for
which it wasn't.”
-Alan J. Perlis

3. SAMPLE
Let see an example

4. EVAL ()
• eval() like functions takes string argument and
• evaluate those as source code
• var x = req.body.x;
• var y = req.body.y;
• var sum = eval(a + "+" +
b);what if attacker fills 'x' with:
some.super.class.wipe.the.database('now’);
LOL :)

5. WHY APPLICATION VULNERABILITIES
OCCUR

6. SECURITY GAP
Security Professionals Don’t
Know The Applications
Application Developers and QA
Professionals Don’t Know Security
The Web Application
Security Gap
“As a Network Security
Professional, I don’t know how
my companies web applications
are supposed to work so I deploy
a protective solution…but don’t
know if it’s protecting what it’s
supposed to.”
“As an Application Developer, I can build
great features and functions while
meeting deadlines, but I don’t know how
to develop my web application with
security as a feature.”

7. VULNERABILITIES
Platform
Administration
Application
Known Vulnerabilities
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Transversal
Brute Force
Application Mapping
Cookie Poisoning/Theft
Buffer Overflow scripting
Application vulnerabilities occur in multiple areas.

8. HOW TO SECURE APPLICATIONS

9. WHAT I SAY !
The best way to secure anything is to learn how someone can break it

10. HOW?
• Incorporating security into lifecycle
• Integrate security into application requirements
• Including information security professionals in software
architecture/design review
• Security APIs & libraries (e.g. ESAPI, Validator, etc.) when
possible
• Threat modeling
• Web application vulnerability assessment tools (VAPT)

11. SECURE YOUR DB

12. DB SECURITY
• User Access Management –Authentication
• User Rights Management – Authorization
• Auditing
• Environmental and Process Control
• Encryption
• Network Encryption
• Network Filter
• Binding IP Addresses
• Running in VPNs
• Dedicated OS User Account.
• File System Permissions
• Query Injection
• Physical Access Controls
Environment & Processes
SSL Encryption for DB
communication

13. ENVIRONMENT &
PROCESSES
•Network Filter Binding IP
Addresses
Running in
VPNs
Dedicated OS
User Account.
File System
Permissions
Query Injection
Physical Access
Controls

14. MY ARCHITECTURE
SSL
Web
Application
Mobile
Application
Firewall
Port No’s:
83 & 2011
Public IP
App
Server
Port :83
Port :88
Public IP – Static
IP
Web
Server
Port :2011
Public IP – Static
IP
Port :2016
Static IP 1
Static IP 3
DB Server
DB
Node
Web Server
Port:271
8
SSL
Bind IP :Static IP
1
Traffic Log
Customer Environment

15. EDUCATE
Developers
• Software
security best
practices
Security
Professionals
• Software
development
• Software coding
best practices
Testers
• Methods for
identifying
vulnerabilitie
s
Executives, System
Owners, etc
Understanding the
risk and why they
should be concerned
Who is your Security
Owner ?

16. CREATING THE RISK ASSESSMENT

17. RESIDUAL RISK TABLES

18. PRACTISE
• Update your DB and application versions
• Always ensure to move your traffic through firewall
• Identify security owner for your applications
• Test for what it has not been developed for
• Create rules in the firewall
• Educate your network administrator
• Prepare Risk Assessment blog

19. QUESTION AND ANSWERS ?

20. THANK YOU

21. REFERENCES
• https://www.slideshare.net/LiranTal1/nodejs-security-done-right-tips-and-tricks-they-wont-teach-
you-in-
school?utm_source=slideshow&utm_medium=ssemail&utm_campaign=download_notification
• https://docs.mongodb.com/manual/security/

22. BACKUP SLIDES

23. Platform
Known
Vulnerabilities
PLATFORM
• Known vulnerabilities can be exploited
immediately with a minimum amount of
skill or experience – “script kiddies”
• Most easily defendable of all web
vulnerabilities
• MUST have streamlined patching
procedures

24. Administration
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware
of security flaws in actual content
• Remnant files can reveal applications and
versions in use
• Backup files can reveal source code and
database connection strings
ADMINISTRATION

25. • Common coding techniques do not necessarily include
security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into page
for replay against later visitors
• Unhandled error messages reveal application and database
structures
• Unchecked database calls can be ‘piggybacked’ with a
hacker’s own database call, giving direct access to business
data through a web browser
Application
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Transversal
Brute Force
Application Mapping
Cookie Poisoning/Theft
Buffer Overflow
SQL Injection
Cross-site scripting
APPLICATION