Secure Protocols and Applications Course

Securing web applications involves not only IT administrators but also software developers. In this episode, Mike provides a distinction between input validation and input sanitization.

The OWASP to 10 is a list of the most common web application attacks. Using the OWASP Zed Attack Proxy (ZAP) provides a method for testing a web application for common vulnerabilities.

Connecting to any Internet resource commonly uses DNS to resolve host names to IP addresses. In this episode, the viewer is presented with a DNS scenario and must determine which type of attack has occurred.

This episode shows how specialized Web application vulnerability scanning tools can be used to identity security flaws in a Web application.

The OWASP Top 10 identifies common Web application attacks. This episode also discusses secure coding practices that should be applied to each system (or software) development life cycle (SDLC) phase.

Web apps that do not properly validate or sanitize user-supplied input could be susceptible to Cross-Site Scripting (XSS) attacks.

Hijacked authenticated user sessions can result in Cross-Site Request Forgery (CSRF) attacks. This episode explains how these attacks occur and how they can be mitigated.

This episode covers how to harden Web and e-mail servers using load balancers, proxy servers and NAT. POP, IMAP, SMTP and S/MIME are also covered.

FTP continues to be used for file transfers over the Internet, but it is inherently insecure. This episode also discusses how to harden the use of FTP by instead using secure variations such as SSH File Transfer Protocol (SFTP) and File Transfer Protocol, Secure (FTPS).

DNS is a crucial network service used by everybody to resolve names to IP addresses and as a result, it is a target for attackers. This episode also discusses other protocols such has Simple Network Management Protocol (SNMP) and Secure Shell (SSH).

Security by design is an approach to software and hardware development that aims to construct systems free of vulnerabilities by implementing best practices and safeguards. However, it is relatively new as a notion, and prior to it, the aim of software developers was more oriented in functionality than security. The same principle can be seen in protocols such as HTTP, FTP, or POP. Because they apply no data encryption, these protocols are often referred to as clear-text protocols. Anyone who is intercepting the traffic between two entities that communicate using clear-text protocols can see the data flowing through the network in plain text. These protocols gave rise to attacks such as Man-in-the-middle (a malicious actor impersonating legitimate users) and sensitive data exposure. To cover the security holes of clear-text protocols, versions that applied encryption to data were developed.