Lesson 11: Application Security

Secure Protocols

Insecure vs Secure Protocols:

  • Telnet → SSH: Secure remote shell access
  • HTTP → HTTPS: Secure web browsing
  • FTP → SFTP / FTPS: Secure file transfer

Insecure protocols transmit data in cleartext (unencrypted); always use the encrypted alternative

TLS (Transport Layer Security):

  • Use only TLS 1.2 or TLS 1.3
  • Disable: SSL 2.0/3.0, TLS 1.0/1.1
  • TLS 1.3: Shortened cipher suites, more secure and efficient (e.g., TLS_AES_128_GCM_SHA256)
  • Prevent downgrade attacks by enforcing minimum TLS versions
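
Added example (not part of the lesson): enforcing the TLS 1.2 minimum from the list above with Python's standard `ssl` module, plus a small audit that reports which protocol versions a context would still negotiate. The weak "permissive" bounds in the `__main__` block are constructed for illustration; the version names come from `ssl.TLSVersion`.

```python
import ssl

# Concrete protocol versions, oldest to newest. The two sentinel members
# (MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED) are deliberately left out.
CONCRETE_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# What the lesson allows: TLS 1.2 and TLS 1.3 only.
ACCEPTABLE = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def enabled_versions(minimum, maximum):
    """Names of the versions a context with these bounds would negotiate."""
    enabled = set()
    for v in CONCRETE_VERSIONS:
        if minimum != ssl.TLSVersion.MINIMUM_SUPPORTED and v < minimum:
            continue
        if maximum != ssl.TLSVersion.MAXIMUM_SUPPORTED and v > maximum:
            continue
        enabled.add(v.name)
    return enabled


def weak_versions(minimum, maximum):
    """Enabled versions that the lesson says must be disabled (SSL 2/3, TLS 1.0/1.1)."""
    return {name for name in enabled_versions(minimum, maximum)
            if ssl.TLSVersion[name] not in ACCEPTABLE}


def hardened_client_context():
    """Client context that refuses anything older than TLS 1.2.

    Setting minimum_version is what stops a downgrade: a peer that only
    offers TLS 1.0/1.1 gets a handshake failure instead of a weaker session.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def audit_context(ctx):
    """Weak versions still enabled on an existing SSLContext (empty set means OK)."""
    return weak_versions(ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    # Constructed permissive bounds: everything from TLS 1.0 upward is allowed.
    permissive = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.MAXIMUM_SUPPORTED)
    print("permissive allows:", sorted(enabled_versions(*permissive)))
    print("permissive weak:  ", sorted(weak_versions(*permissive)))
    print("hardened weak:    ", audit_context(hardened_client_context()))
```

`audit_context` works on any `SSLContext`, so it can be pointed at a context a library built for you to confirm the minimum really is TLS 1.2.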

Other Secure Services:

  • LDAP → Secure via LDAPS or StartTLS
  • SNMPv3: Use only version 3 for encryption/authentication (v1/v2 insecure)

Email Security

Anti-Spoofing & Integrity:

  • SPF (Sender Policy Framework): DNS TXT record defines authorized mail servers
  • DKIM (DomainKeys Identified Mail): Digitally signs emails with sender's domain key
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Combines SPF/DKIM, defines handling for failed email, adds reporting
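
Added example (not from the lesson): parsers for the SPF and DMARC TXT record formats described above, with a short assessment of the choices that matter most. The `example.com` records are constructed sample data, not real DNS. The SPF "10 DNS-querying mechanisms" limit is from RFC 7208.

```python
# Constructed sample records (not real DNS data).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
DNS_QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Split a v=spf1 record into (qualifier, mechanism, value) terms plus the 'all' qualifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                       # implicit qualifier is pass
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name.lower(), value))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Parse the 'tag=value;' pairs of a DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt, dmarc_txt):
    """Findings a reviewer would raise about this pair of records (empty list = fine)."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all"] in ("+", "?", None):
        findings.append("SPF: no -all/~all terminator, so any sender passes SPF")
    if sum(1 for _, name, _ in spf["mechanisms"] if name in DNS_QUERYING) > 10:
        findings.append("SPF: more than 10 DNS-querying mechanisms (RFC 7208 limit)")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; failing mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings


if __name__ == "__main__":
    print(parse_spf(SAMPLE_SPF))
    print(parse_dmarc(SAMPLE_DMARC))
    print(assess(SAMPLE_SPF, SAMPLE_DMARC))
```

The key-differences line at the end of the lesson maps directly onto the code: SPF answers who may send (`mechanisms`), DMARC sets the policy (`p=`) and reporting (`rua=`).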

Email Encryption:

S/MIME (Secure/Multipurpose Internet Mail Extensions):

  • Uses PKI (Public Key Infrastructure)
  • Provides confidentiality, integrity, and authenticity for email contents

Email Gateways:

  • Scan for: spam, phishing, BEC (Business Email Compromise), malicious URLs, harmful attachments
  • Apply URL sanitization and safe linking

Data Loss Prevention (DLP):

  • Scans emails/attachments for: PII, PHI, payment data
  • Actions: block, encrypt, or alert based on policy
  • Enforces compliance: GDPR, HIPAA, PCI DSS, GLBA

Secure Coding

Key Techniques:

  • Input Validation: Prevent injection (SQLi, XSS) - validate length, type, format
  • Allow/Block Lists: Allow only safe data, block known bad input
  • Code Signing: Verify code integrity and source
  • Secure Cookies: Restrict cookies from scripts or cross-site access
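
Added example (not from the lesson) covering two of the techniques above: server-side allow-list validation of a username field, and a check that a `Set-Cookie` header carries the `Secure`, `HttpOnly` and `SameSite` attributes that keep cookies away from scripts and cross-site requests. The username rule is an assumed policy for illustration; `SimpleCookie`'s `samesite` attribute needs Python 3.8 or newer.

```python
import re
from http.cookies import SimpleCookie

# Allow list: 3-32 characters of letters, digits, '.', '_' or '-'. Anything
# else (quotes, angle brackets, NULs, ...) is rejected before it reaches a
# query or a template, instead of trying to block every known-bad string.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def validate_username(value):
    """Server-side validation: type, then length, then format."""
    if not isinstance(value, str):
        return False, "wrong type"
    if not 3 <= len(value) <= 32:
        return False, "bad length"
    if not USERNAME_RE.fullmatch(value):
        return False, "disallowed characters"
    return True, "ok"


REQUIRED_COOKIE_ATTRS = ("secure", "httponly", "samesite")


def cookie_findings(set_cookie_value):
    """Protective attributes missing from one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [attr for attr in REQUIRED_COOKIE_ATTRS if attr not in present]


def session_cookie_header(session_id):
    """Build a Set-Cookie value with the attributes the lesson calls for."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["secure"] = True        # only sent over HTTPS
    c["session"]["httponly"] = True      # not readable via document.cookie
    c["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    c["session"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    print(validate_username("alice_01"))
    print(validate_username("alice' OR 1=1"))
    print(cookie_findings("session=abc; Path=/"))
    print(session_cookie_header("abc123"))
    print(cookie_findings(session_cookie_header("abc123")))
```

The validation runs on the server regardless of what the browser did, which is the client-side vs server-side point made later in the lesson.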

Code Review Methods:

  • Static Analysis: Analyze source code without executing
  • Dynamic Analysis: Run code to observe behavior (evaluates software while running)
  • Peer Review: Manual inspection by other developers

Note:

  • Dynamic analysis assesses software during execution
  • Static code review evaluates without executing
  • Manual penetration testing probes running apps but is broader than runtime analysis
  • Source code fingerprinting identifies components by analyzing code

Client-Side vs Server-Side Validation:

  • Client-Side: ❌ Can be bypassed by attackers
  • Server-Side: ✅ Enforced regardless of user interface manipulation

Application Protections

Memory Management:

Prevent buffer overflows via safe coding and validation

Error Handling:

  • Avoid exposing sensitive info to users
  • Log internally, don't display full error details
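
Added example (not from the lesson) of the error-handling rule above: the full exception and traceback go to an internal log under a reference ID, and the user sees only a generic message carrying that ID. The in-memory log handler, the logger name `app.errors` and the connection string in the `__main__` block are constructed for this example.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app.errors")   # assumed logger name
logger.setLevel(logging.ERROR)


class _Capture(logging.Handler):
    """Keeps formatted records in a list so the example runs without a log file."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


INTERNAL_LOG = _Capture()
INTERNAL_LOG.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
logger.addHandler(INTERNAL_LOG)


def handle_error(exc):
    """Log full detail internally; return (user_message, reference_id).

    The reference ID lets support locate the detailed entry, so stack traces,
    file paths, SQL text or credentials inside the exception never reach the user.
    """
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("ref=%s %r\n%s", ref, exc, detail)
    user_message = f"Something went wrong. Please contact support with reference {ref}."
    return user_message, ref


def insecure_handle_error(exc):
    """The anti-pattern: the raw exception text is returned straight to the user."""
    return f"Error: {exc!r}"


if __name__ == "__main__":
    # Constructed exception that leaks a credential in its message.
    e = RuntimeError("could not connect to db://admin:s3cret@db.internal.example/prod")
    msg, ref = handle_error(e)
    print("user sees:   ", msg)
    print("log contains:", INTERNAL_LOG.records[-1].splitlines()[0])
    print("anti-pattern:", insecure_handle_error(e))
```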

Cloud Application Security:

Follows Shared Responsibility Model:

  • Provider secures infrastructure
  • Customer secures application configuration and code

Software Sandboxing

Isolates applications/processes from:

  • Operating system
  • Other software
  • Network

  • Prevents malware from spreading or accessing system-level resources
  • Often used in malware detonation environments (e.g., Joe Sandbox)

DNS Security

DNSSEC (DNS Security Extensions):

  • Prevents spoofing and cache poisoning
  • Adds cryptographic validation to DNS responses using signed records

DNS Filtering:

Tools: OpenDNS, Quad9, Pi-hole

  • Block access to known malicious or unwanted domains
  • Prevent access to malware, ads, phishing sites
  • Uses blocklists, content categories, real-time reputation analysis
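
Added example (not from the lesson) of the blocklist part of DNS filtering: a loader for a hosts-format list like the ones Pi-hole style resolvers consume, and a lookup that walks label boundaries so a blocked zone covers its subdomains but not lookalike names. The list contents are constructed sample entries, not real blocklist data; the "blocked"/"forward" result is a simplified stand-in for whatever answer a given resolver returns.

```python
# Constructed sample list in hosts format (comments and a trailing dot included on purpose).
SAMPLE_LIST = """\
# constructed sample blocklist
0.0.0.0 ads.example
0.0.0.0 tracker.example.net   # inline comment
127.0.0.1 Phish.Example.org.
"""


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse hosts-format lines ('0.0.0.0 domain') or bare domains into a set."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entries.add(normalize(line.split()[-1]))   # hostname is the last field
    return entries


BLOCKLIST = load_blocklist(SAMPLE_LIST)


def matching_block_entry(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname, or None.

    cdn.ads.example is covered by ads.example, but notads.example is not,
    so the check strips leading labels one at a time rather than doing
    substring matching.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve_policy(qname, blocklist=BLOCKLIST):
    """'blocked' if the filter would refuse the name, otherwise 'forward' to the upstream resolver."""
    return "blocked" if matching_block_entry(qname, blocklist) else "forward"


if __name__ == "__main__":
    for q in ("cdn.ads.example", "notads.example", "ADS.EXAMPLE.", "example.net"):
        print(f"{q:20} {resolve_policy(q):8} via {matching_block_entry(q)}")
```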

Key Differences Summary

  • SFTP vs FTPS: SFTP uses SSH, FTPS uses TLS
  • TLS 1.2 vs 1.3: TLS 1.3 uses shorter, more efficient cipher suites
  • SPF/DKIM/DMARC: SPF = who can send, DKIM = signed, DMARC = policy & reporting
  • Client-Side vs Server-Side Validation: Server-side is secure, client-side can be bypassed
  • HIDS vs Sandboxing: HIDS detects threats, sandbox isolates execution
  • DNSSEC vs DNS Filtering: DNSSEC validates responses, filtering blocks access
