John Rouda July 25, 2006
Table of Contents
Abstract Acknowledgement Background Introduction Design Vulnerabilities Development Vulnerabilities Deployment Vulnerabilities Conclusion Appendix A (OSI Model) Appendix B (SQL Injection) Appendix C (Top 10 Security Flaws) References Page 1 Page 1 Page 1 Page 2 Page 2 Page 4 Page 5 Page 5 Page 6 Page 7 Page 8 Page 9
Application Layer Security 1
Abstract The purpose of this paper is to identify common application layer security holes, describe common fixes of these problems and discuss the importance of application layer security in development of software. This paper will also discuss common practices for securing applications. The three main aspects of information security include: confidentiality, integrity and availability. These aspects of data security are at risk by three main categories of vulnerabilities that will be discussed in this paper. They are design vulnerabilities, development vulnerabilities, and deployment vulnerabilities. In beginning my research on this topic I anticipated learning about encryption on and authentication on software applications, but as the paper indicates those are only a small part of security. Acknowledgments I would like to thank and acknowledge Ms. Edie Dille from York Technical College for the use of her presentation on the OSI Model, Dr. Garrison from Winthrop University for the opportunity to research software security and Ms. Valerie Chantry from MassMutual for access to Symantec security documents and presentations. Background The OSI (Open Systems Interconnect) model is a reference model for how data should be transmitted between any two devices in a network. It was developed to guide implementers in standardizing their products so that communications can occur between different bands of equipment, different protocols, different media types, and different operating systems. The OSI model simplifies the networking process for teaching and learning by breaking down the steps in sending and receiving messages into a seven step process. These steps are called layers in the OSI model. These layers, starting from the top to the bottom are as follows: Applications, Presentation, Session, Transport, Network, Data-link, and Physical. The Application Layer allows applications to use network services. Some of the protocols and programs that operate in the Application Layer include: FTP, Telnet, Remote Desktop, Web Browsers, HTTP, Email Clients and more. The Presentation Layer is responsible for data formatting, converting from one format to another, data encryption and decryption, and data compression and decompression. The Session Layer is responsible for monitoring and controlling synchronization of data between application layer protocols, not applications like word processing or spreadsheets but FTP, Telnet, and SMTP (e-mail). It is also responsible for establishing, maintaining and terminating sessions between applications. The Transport Layer is responsible for Reliable end-to-end data transport and delivery of data,
Application Layer Security 2
setting up, maintaining, and ending connections for the network layer. It is also responsible for error detection and correction (dropped or duplicate packets). The Network Layer is responsible for best path determination and logical addressing (IP address/IPX Address/AppleTalk Address). Routers operate at the Network Layer. The Data-link Layer is responsible for physical addressing (MAC Address) and microsegmentation for local area networks. Switches and bridges operate at the Data-link Layer. The Physical Layer is responsible for voltage, frequency (timing of voltage changes), data rates, transmission distances, and physical topology. Hubs, repeaters and cables operate at the Physical Layer. The process of the data traveling down the OSI model on one node through the physical media and back up the OSI model is called encapsulation. This...