Security
Matt Liotta

Slides: 13

Agenda
• What does security mean anyway
• Different levels of security
• Application security
• Security best practices
• Network security
• OS security
• Q&A

What Does Security Mean
• When an application is secure, what does it mean?
• No one can steal your data?
• No one can steal your code?
• No one can make your application do something it wasn't designed to do?
• No one can stop your application from working?

Security Levels
• Security exists at many levels
• Some are more obvious than others
• The most secure systems can be compromised

Application Security
• An application is made up of more than one tier
• Each tier has different security requirements and implications
• Some typical tiers are...
– Presentation
– Business
– Data

Presentation Tier Security
• Easiest tier to secure
• Generally a simple matter of securing files
• Two examples
– OS/Web server
– CFML
• What was overlooked?

Data Tier Security
• Generally straightforward to secure
• Different points to secure
– Accessing the database
– Performing operations on the database
– Changing the data
• What about the schema?
• What about encryption?
• Anything else?

Business Tier Security
• Can be tough to secure because of all the exploitation points
• Things to consider
– Scopes
– Data validation
– Workflow enforcement
• What about RDS?
• What about your code?
• Anything else?

Security Best Practices
• It takes a lot of work to secure your application
• Following some best practices can help secure your application without the added work
• Some examples
– Limit data in cookies, URLs, and forms
– Always use cfqueryparam
– Catch all exceptions
– Beware of placebos
• What else?
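As an added illustration of the "always use cfqueryparam" and "catch all exceptions" practices above (example code added here, not from the slides; the datasource "myDSN", the "users" table and its columns are assumed), the same lookup is shown first with the URL value pasted into the SQL string and then with a typed, bound parameter inside a catch-all block:

```cfml
<!--- Assumed: datasource "myDSN", table "users" with an integer "id" column. --->

<!--- Vulnerable form: url.id is interpolated straight into the SQL text,
      so whatever the caller puts in the URL becomes part of the statement
      and can change what the query does. --->
<cfquery name="userBad" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Hardened form. cfparam rejects the request up front unless url.id
      is an integer (data validation), and cfqueryparam sends the value
      as a bound parameter with a declared SQL type, so the database never
      parses it as SQL. --->
<cftry>
    <cfparam name="url.id" type="integer">

    <cfquery name="userGood" datasource="myDSN">
        SELECT id, username
        FROM users
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="any">
        <!--- Catch all exceptions: keep the detail in the server log and
              give the client only a generic message, so database names,
              SQL text and stack traces are not leaked. --->
        <cflog file="app" type="error" text="#cfcatch.message# #cfcatch.detail#">
        <cfoutput>The request could not be processed.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The cfparam check also means a non-numeric value raises an exception before any query runs, and the cfcatch block decides what, if anything, the client gets to see about it.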

Network Security
• Well understood and easy to implement
• Limit port access
• Make machines inaccessible
• Use a proxy
• Use a load balancer
• Use a VPN

Network Security (cont.)

OS Security
• Pretty straightforward for web work
• Turn off all services not used
• Only give the application server permissions to what it needs

Q&A