Time
10 hours 28 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson discusses application security and focuses on client side vs server side: - Client side code: processed and executed by the client's web browser - Server side: processed and executed by the web server - Javascript: provides functionality Participants also receive a short summary of previous lessons.

Video Transcription

00:04
all right, The next concern that we talk about when we look at, um, application security, we've in the past been talking about server side processing. You know, we talked about ways to protect our database through
00:18
tools like input validation and checking for data links and code injection and so on.
00:26
But we also have to think about client side processing. And for instance, when our client systems connect to the Internet, what sort of risk is presented to our client systems? We talked about that a little bit with cross site scripting and see surf attacks. One other thing that I'll mention or a couple of other things I mentioned is
00:45
there are certain types of scripts that are designed to run on client systems, Java script, java code
00:52
active X controls. And, uh, these are very, very powerful scripting language. I mean, job is the language. Many operating systems were written in Java script and Active X really provide that functionality that you see, that,
01:08
uh, most websites we're gonna use because they make the website stand out. They give that extra functionality.
01:15
You know, for instance, if I go to MSNBC and I type in my zip code. Now, every time I go to MSNBC's website down in the bottom right hand corner, I get the weather report with a little sunshine or will cloud the lightning bolt, whatever that might be
01:34
in its job, a script that allows this additional functionality.
01:38
Now that's good, you know. And if you've ever looked at a website that was purely developed with HTML, usually those are pretty boring. There's not a lot of excitement that comes with HTML. I mean, you pretty much get black font on a white background. Or if you want to get really fancy, you could make the background yellow in the flop font blue.
01:57
But not a whole lot of action with plain HTML. Now
02:02
I'm aware you can use style sheets and there's some other things you could do. But what really gives your Web page the capability for user's to interact with it really makes it stand apart. Are these tools like Java script and Activex control? Just about any website you go to, you're going to see they utilize those
02:20
any time I would allow code to run on my system
02:24
across the Web, I want to know two things I want to know who the code comes from, and I want to know that it hasn't been modified. So if you've been through the cryptography domain, we talked about digitally signing, uh, digital signatures. I'm not gonna have unsigned Java script or an unsigned Activex control downloaded to this system.
02:44
And as a matter of fact, Web browsers, for the most part, will block
02:47
this type of code, you know, by default now users can always trump. That can always change the configuration settings, but there's no good reason to so Java Java script. Activex. Those controls should be digitally signed Now, in addition to that, with Java again being so very powerful,
03:07
Java Code or Java applets are generally forced to run in a secure space called the sandbox.
03:14
And really, all that means is that it's isolated from the rest of the operating system. Like when I go and download a Java apple, it usually it's forced to run within the context of my Web browser, and that's treated as a sandbox. As in you. Go sit in the sandbox and don't play with anybody else. You know you're in time out, so to speak,
03:32
So sand boxing is a way of protecting applications
03:37
now. Certainly applications conjunction, sandbox, that being a security concern. But it is still part of a layered defense.
03:46
All right, So as we go back and review this chapter, we've talked about some information on protecting our individual hosts, running any virus software, any spyware intrusion, detection systems or prevention systems.
04:00
And we said that, really, the lines are blurred. Most of these products performed several of these functions,
04:06
but we want to make sure that our individual clients systems are protected on the network from things my users might bring bring in or from network traffic. That's malicious. We want any virus software and host based I. D. S. We then talk about application security
04:26
and being concerned about the applications that we developed. I think I mentioned the term fuzzing
04:30
in an earlier module. We want to test and make sure it really is kind of pin testing an application for things like buffer overflows and how easy injection would be into a particular application. But we've got to be very, very wary of code injection with their databases. Earlier I'd mentioned inference and aggregation.
04:50
Um
04:51
uh, you know, we think about the security mechanisms in place to mitigate those risks? Uh, client side processing, particularly from Web pages. You know, we think about clicking on links and being redirected, perhaps to road websites and being a victim to a cross site scripting attack,
05:12
possibly being the victim of a sea surf, which is a cross site request. Forgery.
05:16
Basically, just making requests based on stealing your session cookie and presenting is being an authenticated user. So there lots of concerns that we have to think about for safe browsing of the Web and application designed database design? Absolutely.
05:35
This is a chapter that tends to get a lot of play on the exam. Lot of questions about cross site scripting see surf attacks include validation code injection.
05:45
So please do go back and review this material. I think you'll find it very helpful for the exam.
05:49
All right, I'd like to thank you for viewing Cyber Aires. Come Pia, Advanced Security Practitioner Class. I hope that it was valuable to you, and I certainly wish you the best of luck on your cast exam. Study hard. This is a very obtainable exam, but it's a tough one.

CompTIA CASP

In our online CompTIA CASP training, you will learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor