Application security: controls and techniques
Applications today are not used only by engineers and computer specialists. A computer is now in almost every home, and everyone spends time on one. Getting stuck at something, finding no way out, and trying one thing after another to resolve the problem is the usual instinct of a non-specialist user. When all that effort seems to be in vain, the user turns to the internet for a guide to the problem. But damage can be prevented before it is suffered if the user has some prior knowledge. That prior knowledge often helps to identify a problem and even to resolve it without outside help.
It is assumed that every program contains bugs, and that bugs slow the program down. A bug therefore has to be discovered and removed from the program. Removing it, that is, debugging the program, makes the program run faster and more smoothly. To find such bugs, fuzz tests are conducted; otherwise the presence and the location of a bug remain unknown. The methodology generally used to test a program for bugs in this way is called black box testing. This kind of fuzz testing gives a cost benefit to the program. Fuzz testing provides assurance in the sense of overall maintenance: it is not only about fixing bugs, it exercises the whole system. It is a software testing technique, either automated or semi-automated, that feeds the program invalid data, syntactically wrong data and random data that can make it crash. Fuzzing thus not only identifies bugs but also helps to make the whole program clean and reduces the risk that the software crashes or malfunctions. Among the bugs fuzzing reveals are those that leak a user's data, those that produce syntax errors, and many others like them.
Secure coding concepts
Secure coding is the practice of writing programs so that they resist attack by malicious code. Malicious code causes data to be lost or fragmented, and even the sudden, unexpected crashing of a program can be its effect. Such malicious code is not a separate program; it is inserted into the main program, whether intentionally or simply by a programmer's mistake. An insecure program can lead to data being stolen, lost or corrupted. It can also produce typical consequences such as denial of service or loss of service. Malicious code can even take complete control of the program and make it misbehave. The program's secrets are exposed, and the malfunctioning program damages the system as a whole. Secure coding, the secure writing of programs, is therefore necessary for a program to be secure and to function correctly.
Error and exception handling: Not every malfunctioning line of a program is malicious code. Some are exceptions, which should be identified and handled correctly rather than simply removed from the program.
Input validation: If input to the program is validated at the moment it is entered, so that syntax errors and bug-triggering input are caught, the whole program becomes more secure and malicious input never reaches the code. Close attention to input validation therefore saves time and effort later.
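The fuzzing described under black box testing and the input validation and exception handling described just above fit together: a fuzzer feeds a parser malformed input, and the difference between a crash and a controlled rejection is exactly whether the input was validated and the error handled deliberately. The following added example (not code from the original article) shows a small deterministic mutation fuzzer run against a naive parser and a hardened one for a constructed `key=value;key=value` record format; the seed record, the parser and the mutation set are all assumptions made for this illustration.

```javascript
// Added example, not from the original article: a small mutation fuzzer run against a
// naive record parser and a hardened one. The "key=value;key=value" record format and
// the seed input are constructed for this illustration.

// Naive parser: assumes every pair contains '=' and crashes with a TypeError when it
// does not (an accidental failure, not a deliberate rejection).
function parseRecordNaive(record) {
  const out = {};
  for (const pair of record.split(";")) {
    const [key, value] = pair.split("=");
    out[key.trim()] = value.trim(); // value is undefined when '=' is missing
  }
  return out;
}

// Hardened parser: validates the input up front and rejects bad records with a typed,
// deliberate error (SyntaxError / RangeError) that the caller is expected to handle.
function parseRecordSafe(record) {
  if (typeof record !== "string") throw new TypeError("record must be a string");
  if (record.length > 1024) throw new RangeError("record too long");
  const out = Object.create(null); // no prototype, so a "__proto__" key is just a key
  for (const pair of record.split(";")) {
    if (pair === "") continue; // tolerate empty segments such as a trailing ';'
    const eq = pair.indexOf("=");
    if (eq < 1) throw new SyntaxError(`malformed pair ${JSON.stringify(pair)}`);
    out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return out;
}

// Deterministic mutation strategy: single-character deletions, truncations, insertions
// of format-significant characters, and a length stress. No randomness, so runs repeat.
function mutants(seed) {
  const specials = ["=", ";", " ", "\n", "\u0000", "<", "'"];
  const out = new Set(["", seed, seed + ";", ";" + seed, "=".repeat(8), seed.repeat(200)]);
  for (let i = 0; i < seed.length; i++) {
    out.add(seed.slice(0, i) + seed.slice(i + 1)); // delete one character
    out.add(seed.slice(0, i));                     // truncate
    for (const c of specials) out.add(seed.slice(0, i) + c + seed.slice(i)); // insert
  }
  return [...out];
}

// Run every mutant through the parser. A thrown error of an *expected* class is a
// controlled rejection; anything else is recorded as a crash worth fixing.
function fuzz(parser, seed, expectedErrors = [SyntaxError, RangeError]) {
  const crashes = [];
  for (const input of mutants(seed)) {
    try {
      parser(input);
    } catch (err) {
      if (expectedErrors.some((E) => err instanceof E)) continue;
      crashes.push({ input, error: `${err.name}: ${err.message}` });
    }
  }
  return crashes;
}

const SEED = "user=alice;role=guest"; // constructed seed record
console.log("naive parser crashes:", fuzz(parseRecordNaive, SEED).length);
console.log("hardened parser crashes:", fuzz(parseRecordSafe, SEED).length);
```

Run with `node`: the naive parser produces a list of crashing inputs (the first is the seed with its `=` deleted), while the hardened parser produces none, because every bad input is turned into a `SyntaxError` or `RangeError` that the caller can catch and report instead of an unplanned `TypeError`.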
Cross-site scripting prevention
Cross-site scripting, commonly known as XSS (and sometimes abbreviated CSS), is a type of vulnerability in computer security. It is typically found in the most common web applications. An XSS vulnerability can be exploited by attackers to inject content into a website, because the scripting allows JavaScript to be inserted into what is delivered to the user. A website that is open to such scripting should therefore not be left open for users to edit, since that would open the gate for attackers to insert malicious JavaScript into the web page. Such an insertion can extract data from the website, and even important files from its storage.
One can run a web vulnerability scanner against the web pages to curb malfunctioning of the website and to detect attempts to insert rogue JavaScript or other malicious code. But the best way to prevent XSS errors is to restrict multi-user editing of such web pages.
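Where user editing cannot be turned off entirely, the standard control is to encode untrusted text before placing it in a page so that the browser shows it as text instead of running it. The following added example (not code from the original article) contrasts a vulnerable and a hardened comment renderer; the comment widget, the `escapeHtml` helper and the sample input are constructed for this illustration.

```javascript
// Added example, not from the original article: HTML output encoding, the standard
// defence against reflected and stored XSS. The comment widget and the sample input are
// constructed for this illustration.

// Replace the five characters that have meaning in HTML text and attribute contexts.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: untrusted values are concatenated straight into the page, so a
// comment containing markup becomes part of the page's own markup.
function renderCommentUnsafe(author, comment) {
  return `<p class="comment" data-author="${author}">${comment}</p>`;
}

// Hardened rendering: every untrusted value is encoded. The same function covers both
// the text node and the quoted attribute, because the quote characters are encoded too.
function renderCommentSafe(author, comment) {
  return `<p class="comment" data-author="${escapeHtml(author)}">${escapeHtml(comment)}</p>`;
}

// Review-time check: does the rendered fragment still contain a live tag or an inline
// event handler? Used here to compare the two renderers, not as a runtime filter.
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe)\b|\bon\w+\s*=/i.test(html);
}

const sampleComment = '<script>alert("xss")</script>'; // constructed sample input
console.log("unsafe:", renderCommentUnsafe("bob", sampleComment));
console.log("safe:  ", renderCommentSafe("bob", sampleComment));
```

Encoding is applied at output time, per context, rather than by trying to strip "bad" input on the way in: the stored comment stays intact, and the page is safe however the text was entered.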
Cross-site Request Forgery (XSRF) prevention
Cross-site request forgery is a type of web attack in which a malicious website, email, blog or instant message causes the user's web browser to perform unwanted actions on a legitimate, trusted site. The impact of such a forgery is limited to what the vulnerable application exposes. Yet the effect can make other applications behave wrongly once they are used through the hijacked or forged application. For example, forged requests are aimed at fund transfers or password changes. In this way an attacker easily learns passwords and transaction details, and the whole account or system is then at risk. On social networks and similar sites where HTML can be posted, attackers can insert JavaScript or plain malicious HTML, combined with social engineering. Malicious code such as the MySpace worm can compromise the entire system if the victim is the administrator of the website. To curb such attacks, many social networks have stopped allowing users to paste HTML.
Application configuration baseline (proper settings)
Sometimes a site does not allow downloads. One may think there is a problem with the website, but the real problem is not the website; it is the settings of the computer. A step-by-step process to fix the settings is as follows:
First, go to System Preferences and from there open the Java settings. When the Java Control Panel opens, the small window has five tabs along its top, in order from left to right: General, Update, Java, Security and Advanced. Go to the Security tab. There you will find the security-level scale with three marks, Very High, High and Medium, and below it an Edit Site List pane that can be edited. Click the small button labelled Edit Site List. There, enter the address of the site for which the setting is being made. After pressing Enter, a small pop-up window asks for permission to create an exception list. Once that is saved, the site is no longer blocked from downloading objects.
Applications are usually prone to vulnerabilities because much of an application's surface is exposed to hostile websites. The process of reducing that vulnerable surface, and so securing the system, is known as hardening. A system with a larger exposed surface performs more functions, yet once that surface is compromised the whole system is damaged, so it is always better to harden it. A system accumulates leftovers such as stray strings, unnecessary logins and unusual, unused usernames; removing them makes the surface less vulnerable. This is usually done by applying regular patches and checking the programs' automatic updates. A patch is a security update designed to fix vulnerabilities in applications and their plug-ins, and patch management is the strategy for deciding exactly which patch a particular application needs. Programs and applications thus remain secure, and function at their best, because the patches are included in them.
Application patch management
Before turning to patch management, one must know exactly what a patch is. A patch is a security update designed to fix vulnerabilities in applications and their plug-ins. Patch management is the strategy for deciding exactly which patch a particular application needs: the policy that decides which patch suits which device, and the right time and format for applying it.
Managing patches not only secures a program or application against vulnerabilities; with the right patch the application is also helped to work faster and more accurately. A system accumulates leftovers such as stray strings, unnecessary logins and unusual, unused usernames; removing them makes the surface less vulnerable. This is usually done by applying regular patches and checking the programs' automatic updates. Programs and applications thus remain secure, and function at their best, because the patches are included in them.
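Deciding "which patch is suitable for which device" comes down to comparing what is installed against the version in which a fix shipped, and ordering the work by severity. The following added example (not code from the original article) does that over a constructed inventory; the application names, version numbers and severities are hypothetical values chosen for the illustration.

```javascript
// Added example, not from the original article: deciding which installed applications
// need a patch, by comparing the installed version with the version in which the fix
// shipped. The inventory is constructed; names, versions and severities are hypothetical.
const inventory = [
  { app: "web-frontend", installed: "2.4.1",  fixedIn: "2.4.3", severity: "critical" },
  { app: "pdf-plugin",   installed: "1.10.0", fixedIn: "1.9.7", severity: "high" },
  { app: "db-driver",    installed: "5.0",    fixedIn: "5.0.0", severity: "medium" },
  { app: "auth-lib",     installed: "3.2.9",  fixedIn: "3.3.0", severity: "low" },
];

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Parse a dotted numeric version; reject anything else rather than guess.
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v)) {
    throw new TypeError(`unsupported version string: ${JSON.stringify(v)}`);
  }
  return v.split(".").map(Number);
}

// Numeric, component-wise comparison: "1.10" is newer than "1.9"; "5.0" equals "5.0.0".
// String comparison would get both of these wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// An entry needs the patch only if what is installed is older than the fixed version.
function needsPatch(entry) {
  return compareVersions(entry.installed, entry.fixedIn) < 0;
}

// The patch plan: only what is actually behind the fix, most severe first.
function patchPlan(items) {
  return items
    .filter(needsPatch)
    .sort((x, y) => SEVERITY_RANK[x.severity] - SEVERITY_RANK[y.severity] || x.app.localeCompare(y.app))
    .map((e) => ({ app: e.app, from: e.installed, to: e.fixedIn, severity: e.severity }));
}

console.table(patchPlan(inventory));
```

The version comparison is the part that is easy to get wrong: comparing version strings lexically would report `1.10.0` as older than `1.9.7` and schedule a patch that is already applied, while leaving a genuinely vulnerable install behind.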
NoSQL databases vs. SQL databases
NoSQL, short for Not Only SQL, is a database that provides a mechanism for storing data that is modelled in forms other than tables. Simplicity of design, and the ability to scale vertically and horizontally as required, are what make NoSQL databases so strong. Some operations run very fast in a NoSQL database. They are used relatively more for handling big data, where partition tolerance is accepted to a certain extent. However, NoSQL uses low-level query languages in its operation, which is why it lacks standardized interfaces.
SQL, or Structured Query Language, communicates with the database in a different way from NoSQL. It uses a high-level language, chosen according to the American National Standards Institute (ANSI) standard. SQL is the ANSI-standard language for relational database management systems, which enables it to update a database or retrieve data from it more easily and effectively. Moreover, operating SQL is much easier than NoSQL, since common commands such as SELECT, CREATE, DELETE and DROP are used, which makes programming and operation much simpler.
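The difference in interface has a security consequence: a SQL statement is text that the database parses, so user data must be kept out of the text through placeholders, whereas a document store takes a filter object, so user data must be kept to the expected type or it may be read as part of the query structure. The following added example (not code from the original article) builds the same "find a user by name" lookup both ways without contacting a database; the `users` table and collection, the column names and the MongoDB-style `$eq` filter syntax are assumptions made for the illustration.

```javascript
// Added example, not from the original article: the same "find a user by name" lookup
// built for a SQL database and for a document (NoSQL) store. No database is contacted;
// each function returns the query object a driver would receive. Table, collection and
// column names are constructed; the filter uses MongoDB-style operator syntax.

// Unsafe SQL: the value is spliced into the statement text, so any quote character in
// the value changes the structure of the statement itself (a name like o'brien breaks it).
function sqlFindUserConcat(username) {
  return { text: `SELECT id, name FROM users WHERE name = '${username}'`, params: [] };
}

// Parameterised SQL: the statement text is fixed and the value travels separately, so
// the database never parses user data as SQL. Use this form.
function sqlFindUser(username) {
  if (typeof username !== "string") throw new TypeError("username must be a string");
  return { text: "SELECT id, name FROM users WHERE name = $1", params: [username] };
}

// Document store: the filter is an ordinary object rather than a statement. Query
// operators are expressed as objects too, so the value must be a plain string before it
// is placed in the filter; an object supplied in its place would be read as an operator.
// Wrapping the value in an explicit $eq pins it down as a literal comparison.
function nosqlFindUser(username) {
  if (typeof username !== "string") throw new TypeError("username must be a string");
  return { collection: "users", filter: { name: { $eq: username } } };
}

// Quick structural check used below: an odd number of single quotes in a statement means
// the quoting is unbalanced, i.e. the value has escaped into the statement.
function countSingleQuotes(text) {
  return (text.match(/'/g) || []).length;
}

const name = "o'brien"; // constructed sample input
console.log(sqlFindUserConcat(name).text, "->", countSingleQuotes(sqlFindUserConcat(name).text), "quotes");
console.log(sqlFindUser(name));
console.log(nosqlFindUser(name));
```

With placeholders the statement for `o'brien` is identical to the statement for any other name; only the bound parameter differs, which is why the parameterised form is the one to use with SQL, and why the type check is the matching discipline for a document store.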
Server-side vs. Client-side validation
In the data validation process, validation can be done at either end. Validation at the client or user end is known as client-side validation, whereas validation at the website or administrator end is called server-side validation.
Server-side validation: Here the client's input is checked against the server's data by server code written in, for example, PHP or ASP.NET. After validation, the result, a dynamically generated web page, is returned to the client.
Client-side validation: Client-side validation does not require a round trip to the server, so network traffic is lighter. The validation is done in the browser using scripting languages, most popularly JavaScript or VBScript, or with HTML5 attributes. A simple example makes this clear: one gets an error message when one omits the '@' sign while typing an email address into a form. The data the client entered is checked immediately, and the error message is the result of that check.
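The two sides are complementary rather than alternatives: the client check gives instant feedback, but a request can reach the server without the client script ever having run (from a tool, a script, or a tampered page), so the server has to repeat the check. The following added example (not code from the original article) applies one email rule on both sides, using the missing-'@' case from the text; the signup form, the handler and the request shape are constructed for this illustration, and the email pattern is deliberately simple rather than a full RFC 5322 check.

```javascript
// Added example, not from the original article: one e-mail rule applied on both sides.
// The client check gives instant feedback (the missing-'@' case from the text); the
// server repeats the check because a request can arrive without the client's script
// ever running. The form, handler and request shape are constructed.
const EMAIL_RULE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // deliberately simple, not a full RFC 5322 check

function isValidEmail(value) {
  return typeof value === "string" && value.length <= 254 && EMAIL_RULE.test(value);
}

// Client side: what the browser would run on submit, returning a message to show inline.
function clientSideCheck(formValues) {
  const errors = {};
  if (!isValidEmail(formValues.email)) errors.email = "Please enter a valid e-mail address";
  return { ok: Object.keys(errors).length === 0, errors };
}

// The same rule expressed declaratively with HTML5 attributes, so the browser checks it
// before any script runs.
function renderSignupForm() {
  return `<form method="POST" action="/signup">
  <input type="email" name="email" required maxlength="254" pattern="${EMAIL_RULE.source}">
  <button>Sign up</button>
</form>`;
}

// Server side: never assumes the client check ran. Rejects with 400 and a message the
// client can display; only a value that passes the same rule is processed.
function serverSignupHandler(req) {
  const email = req.body && req.body.email;
  if (!isValidEmail(email)) return { status: 400, body: { error: "invalid e-mail address" } };
  return { status: 201, body: { registered: email.toLowerCase() } };
}

console.log(clientSideCheck({ email: "alice.example.com" }));          // client catches the missing '@'
console.log(serverSignupHandler({ body: { email: "alice.example.com" } })); // server catches it too
console.log(serverSignupHandler({ body: { email: "Alice@example.com" } }));
```

Keeping the rule in one function (or generating the HTML5 `pattern` from it) is what keeps the two sides from drifting apart; the server's check is the one that counts for security, the client's is the one that counts for usability.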
These are some of the basic points of application management that may help a user when common problems arise in the system, an application or a program. By working through them, a user can surely protect his or her system from everyday problems.