- Run with least privilege (Principle of Least Authority)
Give the application access only to the resources and permissions it needs in order to work correctly.
To do that, we need to know exactly which resources the application uses and what kind of action it performs on each of them.
Then define the minimum permission on each resource that the application needs to run, and grant nothing beyond that.
- Security Manager
Threat modeling is the process of visualizing the strengths and weaknesses of the complete architecture. It should cover the data flow through all entry and exit points of the system, and every component and external system should be linked to the entry and exit points it touches. A data flow diagram (DFD) is generally used to draw the data flow.
An attacker learns the system's behaviour from its entry and exit points, so the proper security controls must be applied at every entry point and exit point.
Why we need Content Security Policy:
How the browser communicates with the server: the Transport Layer Security (TLS) handshake
- 1. Client Hello
The client sends the server the list of cipher suites supported by the browser, in the client's order of preference.
The list of cipher suites can be modified by the user; in Firefox each suite is a security.ssl3.* preference in about:config.
The Firefox preference names and their equivalents in RFC 5246 (TLS 1.2) are as below:
1. security.ssl3.rsa_aes_128_sha = TLS_RSA_WITH_AES_128_CBC_SHA
2. security.ssl3.rsa_aes_256_sha = TLS_RSA_WITH_AES_256_CBC_SHA
Both suites use RSA key exchange (no forward secrecy) and AES in CBC mode with an HMAC, so they are legacy choices; current configurations prefer ECDHE key exchange with AEAD ciphers such as AES-GCM.
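As an added example (not code from the original page), the following shell functions use `openssl ciphers -v` to list what a given cipher string would offer in the Client Hello and to flag the legacy suites: those with RSA key exchange or a non-AEAD MAC (the CBC-with-HMAC construction, which is where the two Firefox suites above sit). The cipher strings are my own constructed samples, and the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original page. Requires the openssl CLI.
# `openssl ciphers -v` prints one suite per line in this column layout:
#   NAME  PROTOCOL  Kx=<key exchange>  Au=<authentication>  Enc=<cipher>  Mac=<MAC or AEAD>

legacy_suites() {
    # $1: an OpenSSL cipher string, as a client or server would configure it.
    # Prints the suites a hardened configuration should not offer:
    # RSA key exchange (no forward secrecy) or a non-AEAD MAC (CBC + HMAC).
    # TLS 1.3 suites show Kx=any / Mac=AEAD and are therefore never flagged.
    openssl ciphers -v "$1" | awk '$3 == "Kx=RSA" || $6 != "Mac=AEAD" { print $1 }'
}

iana_names() {
    # $1: cipher string. Prints "IANA/RFC name - OpenSSL name" so a Firefox pref
    # can be matched to OpenSSL's naming, e.g. TLS_RSA_WITH_AES_128_CBC_SHA is
    # AES128-SHA and TLS_RSA_WITH_AES_256_CBC_SHA is AES256-SHA.
    # -stdname needs OpenSSL 1.1.1 or later.
    openssl ciphers -stdname -v "$1" | awk '{ print $1, $2, $3 }'
}

# Constructed sample: the two suites behind security.ssl3.rsa_aes_128_sha and
# security.ssl3.rsa_aes_256_sha, in OpenSSL naming.
FIREFOX_RSA_CBC='AES128-SHA:AES256-SHA'
# Constructed sample of a modern client offer: ECDHE key exchange, AEAD ciphers only.
MODERN='ECDHE+AESGCM:ECDHE+CHACHA20'

if [ "${1:-}" = "demo" ]; then
    echo "legacy suites in '$FIREFOX_RSA_CBC':"; legacy_suites "$FIREFOX_RSA_CBC"
    echo "legacy suites in '$MODERN':";          legacy_suites "$MODERN"
    echo "standard names:";                       iana_names "$FIREFOX_RSA_CBC"
fi
```

Run it as `sh ciphers.sh demo`: the first call lists both RSA/CBC suites, the second lists nothing. The same `legacy_suites` check can be pointed at the cipher string you hand to a server (Tomcat's `ciphers` attribute, an nginx `ssl_ciphers` line) before deploying it.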
Web Applications Security Essentials
- Security principles
1. Don't trust input or infrastructure
2. Defense in depth
3. Run with least privilege
4. Keep security simple (verifiable, economy of mechanism)
5. Separation of privilege, compartmentalization
6. Secure the weakest link
7. Fail securely
8. Open design (avoid security by obscurity)
9. Psychological acceptability
The POODLE issue exists in the SSL 3.0 protocol itself (its CBC padding bytes are neither covered by the MAC nor checked), not in a particular implementation, so using the newer TLS protocol versions instead is what makes the connection secure.
The fix for POODLE is to disable the SSL protocol and enable only the TLS protocol versions.
The Java SunJSSE provider of that time supported the protocols SSLv3, TLSv1, TLSv1.1 and TLSv1.2; later JDK updates disable SSLv3 by default through the jdk.tls.disabledAlgorithms security property.
Fix for POODLE vulnerability
Add this attribute to the Connector tag in server.xml:
Remove this attribute:
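The page does not say which Connector attribute it adds or removes. As an added example (not the original page's server.xml), here is a shell audit of a Tomcat JSSE `<Connector>` for the POODLE fix. It assumes that Tomcat's documented `sslEnabledProtocols` attribute governs the enabled protocol versions, and that when it is absent the JDK's JSSE defaults apply (which, in JDKs of the POODLE era, still included SSLv3). Both connector snippets are constructed samples; the keystore names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not configuration from the original page.
# Assumption: a JSSE connector's enabled versions come from its sslEnabledProtocols
# attribute; when it is absent the JDK defaults decide, and old JDKs enabled SSLv3.
# Note that sslProtocol="TLS" only names the SSLContext algorithm and does not by
# itself exclude SSLv3 on those JDKs.

enabled_protocols() {
    # $1: path to server.xml. Prints the sslEnabledProtocols value of the first
    # SSLEnabled connector, or DEFAULT when the attribute is missing.
    tr '\n' ' ' < "$1" \
      | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>' \
      | head -n 1 \
      | sed -n 's/.*sslEnabledProtocols="\([^"]*\)".*/\1/p' \
      | grep . || echo DEFAULT
}

poodle_fixed() {
    # Succeeds (exit 0) only when the connector pins its protocol list and that
    # list does not contain SSLv3.
    protos=$(enabled_protocols "$1")
    [ "$protos" != DEFAULT ] && ! printf '%s\n' "$protos" | grep -qi 'SSLv3'
}

demo_dir=$(mktemp -d)
# Constructed "before": relies on the JDK defaults, so SSLv3 may still be negotiated.
cat > "$demo_dir/before.xml" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/www_gnudeveloper_com.jks" keystorePass="gnudevpwd" />
</Service></Server>
EOF
# Constructed "after": the protocol list is pinned to TLS only (add TLSv1.3 on JDKs
# that support it; TLS 1.0 and 1.1 are themselves deprecated today).
cat > "$demo_dir/after.xml" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2"
             keystoreFile="conf/www_gnudeveloper_com.jks" keystorePass="gnudevpwd" />
</Service></Server>
EOF

for f in before after; do
    if poodle_fixed "$demo_dir/$f.xml"; then
        echo "$f.xml: OK, enabled protocols = $(enabled_protocols "$demo_dir/$f.xml")"
    else
        echo "$f.xml: VULNERABLE, enabled protocols = $(enabled_protocols "$demo_dir/$f.xml")"
    fi
done
```

Run against a real deployment, point `poodle_fixed` at `$CATALINA_BASE/conf/server.xml`; it is a static check of the configuration, so confirm the running server with a TLS scanner as well, since the JDK's own disabled-algorithms policy also takes part in what is finally negotiated.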
Generate Key Pair
RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman
keytool -genkeypair -alias gdalias -keystore www_gnudeveloper_com.jks -keyalg RSA -keysize 2048 -storepass gnudevpwd
(-genkey is the older spelling of -genkeypair. The original command used -keysize 512; 512-bit RSA is factorable with modest resources and rejected by modern TLS stacks, so use at least 2048 bits. Passing -storepass on the command line also leaves the password in shell history and in process listings; keytool's -storepass:env and -storepass:file forms avoid that.)
Converting the keystore format
To view the private key, public key and certificate easily, we need to convert the Java keystore (JKS) file to the PEM (Privacy Enhanced Mail) format, which openssl and most other tools can read directly.
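The page gives the goal but not the commands. As an added example (not the original page's commands) covering both the key pair generation above and this conversion step, the following shell function generates a 2048-bit RSA key pair in a JKS keystore, converts it to PKCS#12 (the standard container openssl understands) and unpacks that to PEM. It assumes keytool (from a JDK) and openssl on PATH and takes every password from the GD_PASS environment variable; the alias, CN and file names follow the page, and the validity period and signature algorithm are my choices.

```shell
#!/bin/sh
# Added example, not the original page's commands. Needs keytool (a JDK) and
# openssl on PATH, and the keystore password in the GD_PASS environment variable;
# keytool's :env form and openssl's env: form keep it out of shell history and `ps`.
# Alias gdalias, CN www.gnudeveloper.com and the file names follow the page; the
# 2048-bit key size replaces the page's 512 bits, which is factorable.

jks_to_pem() {
    # $1: key alias   $2: output directory
    # Creates <dir>/www_gnudeveloper_com.{jks,p12,pem,pub}.
    alias_name=$1
    base="$2/www_gnudeveloper_com"

    # 1. Generate the RSA key pair plus a self-signed certificate in a JKS keystore.
    #    Key password equals store password so the later PKCS#12 export needs no prompt.
    keytool -genkeypair -alias "$alias_name" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -storetype JKS \
        -dname "CN=www.gnudeveloper.com" \
        -keystore "$base.jks" -storepass:env GD_PASS -keypass:env GD_PASS

    # 2. JKS is Java-only; convert it to PKCS#12, which openssl reads.
    keytool -importkeystore -noprompt \
        -srckeystore "$base.jks" -srcstoretype JKS -srcstorepass:env GD_PASS \
        -destkeystore "$base.p12" -deststoretype PKCS12 -deststorepass:env GD_PASS

    # 3. Unpack PKCS#12 to PEM: the private key (PKCS#8, unencrypted because of
    #    -nodes, so restrict the file) followed by the certificate.
    openssl pkcs12 -in "$base.p12" -passin env:GD_PASS -nodes -out "$base.pem"
    chmod 600 "$base.pem"

    # 4. Now each part is easy to inspect: certificate subject and dates, and the
    #    public key extracted from the private key.
    openssl x509 -in "$base.pem" -noout -subject -dates
    openssl pkey -in "$base.pem" -pubout -out "$base.pub"
}
```

Usage: `GD_PASS=gnudevpwd sh keystore.sh` after adding a line `jks_to_pem gdalias .` at the end, or source the file and call the function. If the PKCS#12 file was written by a JDK older than the ones that switched to PBES2/AES (it will still use RC2 and 3DES), OpenSSL 3 needs the extra `-legacy` flag on the `openssl pkcs12` step.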