I've learned a lot of things in the midterm period. For the midterm period, Mr. Jerry Borromeo filled in for Ma'am Risty. Mr. Borromeo taught us a lot regarding different topics, topics which will help me as an IS student.
I've learned how to install an FTP to a web server. We used FileZilla as our FTP client. I've also learned how to create a training plan for deployment. A peer advisor also taught us how to deploy mobile applications on our smartphones. He is one of the programmers who build for the Knowledge Channel and created a mobile learning app. I've also attended the Web Application Security Awareness Seminar conducted by the JISSA organization at the TIP. The speaker is Justin David Pineda, a senior application security specialist working for The Coca-Cola Company. The speaker talked about web security, how to protect a web server from attacks, and how to implement proper security on a website. I've also learned that defects can be checked and should be monitored by the users.
Personally, I've enjoyed the learnings I have acquired in this course throughout the midterm period. These learnings will definitely help me not only in our project in this course but also in the future, when I will be a professional in this field. I am very thankful to our instructor for teaching us valuable lessons and guiding us in our projects.
Friday, September 15, 2017
Web Application Security Awareness Seminar
This past Wednesday, September 6, 2017, I attended the Web Application Security Awareness Seminar conducted by the JISSA Organization at the TIP. One of the speakers was Justin David Pineda, a Senior Application Security Specialist working for The Coca-Cola Company and a lecturer at Asia Pacific College. He discussed website security and how to detect common web attacks. I've learned a lot of things regarding security awareness from Mr. Pineda. He talked about how 7 out of 10 people are aware of the risks of unknown links in email but still click the link anyway. There is no fail-proof system in implementing a website or a mobile application. If an attack or security breach happened, we also could not blame the developers of the website or mobile application. It was also discussed how security is a collaborative effort which includes the developers, users, and the testers. I also learned that in a web application architecture, you could launch an attack on any part of the architecture. In preventing a security breach, the users can look at the different signs to see if the website is secured.
Attendance sheet for the seminar
In developing websites and mobile applications, the speaker mentioned that the developers observe and practice to ensure the security of the website. He talked about the F-U-S model, which means Functionality, Usability, and Security. The application should not only be functional and user-friendly, but it also should be secured to avoid malicious attacks.
The speaker also discussed the pen testers, or white hats. He explained the proper pen testing process, and it requires a lot of retesting. Another example of a defect is parameter tampering, where a user/hacker tampers with a parameter to bypass client-side application logic and validation. Another one is cross-site scripting, where the hacker tricks the browser into executing the hacker's code. The tester can go to a website to check if the application is vulnerable to these types of attacks.
