Web Application Security pdf


Document information

[...]... SourceSafe; StarTeam; Creating a Security Plan; Security Planning at the Network Level; Security Planning at the Application Level; Security Planning at the Desktop Level; Web Application Security Process; Summary; Solutions...

Fast Track; Frequently Asked Questions; Chapter 11 Developing Security-Enabled Applications; Introduction; The Benefits of Using Security-Enabled Applications; Types of Security Used in Applications; Digital Signatures; Pretty Good Privacy ...

Lowering JavaScript Security Risks; VBScript; VBScript Security Overview; VBScript Security Problems; VBScript Security Precautions; Java Applets; Granting Additional Access to Applets; Security Problems...

and intelligent solution to an ever-growing problem in Web application development. Security professionals may be brought on as full-time employees, but oftentimes they are contracted to perform security audits, return results to the appropriate personnel, and make suggestions for improving the current security situation. In larger organizations, a security expert is more likely to be hired as a full-time...

employee, remaining on staff within the IT department. A security professional is familiar with the methods used by hackers to attack both networks and Web applications. A security professional should offer the ability to detect where an attack may occur, and be able to assist in the development of a security plan. Whether that means introducing security-focused code reviews to the development process,...

Chapter 1 Hacking Methodology

Solutions in this chapter:

■ A Brief History of Hacking
■ What Motivates a Hacker?
■ Understanding Current Attack Types
■ Recognizing Web Application Security Threats
■ Preventing Break-Ins by Thinking like a Hacker

Summary; Solutions Fast Track; Frequently Asked Questions...

Languages: Visual Basic for Applications (VBA); Security Problems with VBA; The Melissa Virus; Protecting against VBA Viruses; JavaScript; JavaScript Security Overview; Security Problems; Exploiting Plug-In Commands; Web-Based E-Mail Attacks...

Overview of the Java Security Architecture; The Java Security Model; The Sandbox; Security and Java Applets; How Java Handles Security; Class Loaders; The Applet Class Loader; Adding Security to a Custom Class Loader...

within applications, the result will ultimately be better security. Of course, along with this proactive decision comes a security risk. How can you be sure that the tools you put in this employee’s hands will be used properly, and that the results of his or her investigations will be handled properly?

Associated Risks with Hiring a Security Professional

The benefits associated with bringing a security...

assist you in hack proofing your Web applications. This book will give you a basic outline for approaches to secure site management, writing more secure code, implementing security plans, and helping you learn to think “like a hacker” to better protect your assets, which may include site availability, data privacy, data integrity, and site content.

www.syngress.com

information. Visit us at

Michael Cross

Developer’s Guide to Web Application Security

and security devices. Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application...

BY Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Developer’s Guide to Web Application Security

Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted

Date posted: 28/06/2014, 16:20

Table of contents

  • Developer’s Guide to Web Application Security

    • Contents

    • Chapter 1: Hacking Methodology

      • Introduction

      • A Brief History of Hacking

      • What Motivates a Hacker?

      • Understanding Current Attack Types

      • Recognizing Web Application Security Threats

      • Preventing Break-Ins by Thinking like a Hacker

    • Chapter 2: How to Avoid Becoming a Code Grinder

      • Introduction

      • What Is a Code Grinder?

      • Thinking Creatively when Coding

      • Security from the Perspective of a Code Grinder

      • Building Functional and Secure Web Applications

    • Chapter 3: Understanding the Risk Associated with Mobile Code

      • Introduction

      • Recognizing the Impact of Mobile Code Attacks

      • Identifying Common Forms of Mobile Code

      • Protecting Your System from Mobile Code Attacks

    • Chapter 4: Vulnerable CGI Scripts

      • Introduction

      • What Is a CGI Script, and What Does It Do?

      • Break-Ins Resulting from Weak CGI Scripts

      • Languages for Writing CGI Scripts
