Major Web Application Threats for Data Privacy & Security - Detection, Analysis and Mitigation Strategies

Authors

  • Varun M Deshpande, PhD Student, Department of C.S.E., Jain University, Bangalore, India
  • Dr. Mydhili K. Nair, Professor, Department of I.S.E., M S Ramaiah Institute of Technology, Bangalore, India
  • Dhrumil Shah, Application Security Specialist, Bangalore, India

Keywords

Privacy, data security, digital identity, OWASP, web application threats

Abstract

In the context of information security, privacy and data security are inseparable, interdependent and complementary. This is even truer in social networking and e-commerce, where users' personal data, including financial transaction data, is at stake. Web application security threats pose several challenges to ensuring the data security of any web application hosted on the cloud. These threats have been evolving in severity and in the potential impact they cause to the service provider and to the users' personal data that it hosts. The current work is an effort to educate readers about the major vulnerabilities among the security threats listed in the Open Web Application Security Project's (OWASP) top ten web security threats. We provide detailed guidelines on how to detect and analyse these vulnerabilities using tools such as Burp Suite. Recommendations and best practices for establishing a secure development life cycle and following secure coding practices are discussed at length to empower developers to mitigate and avoid these vulnerabilities in their applications at different stages of software development. This work is a timely and technically informative reminder for all service providers to build trustworthy solutions for secure cloud-based services, to move towards trusted computing, and to ensure the privacy and security of user data.

Published

2017-10-31

Section

Research Articles

How to Cite

Varun M Deshpande, Dr. Mydhili K. Nair, Dhrumil Shah, "Major Web Application Threats for Data Privacy & Security - Detection, Analysis and Mitigation Strategies", International Journal of Scientific Research in Science and Technology (IJSRST), Online ISSN: 2395-602X, Print ISSN: 2395-6011, Volume 3, Issue 7, pp. 182-198, September-October 2017.