This past Wednesday, September 6, 2017, I attended the Web Application Security Awareness Seminar conducted by the JISSA Organization at the TIP. One of the speakers was Justin David Pineda, a Senior Application Security Specialist working for The Coca-Cola Company and a lecturer at Asia Pacific College. He discussed website security and how to detect common web attacks. I learned a lot about security awareness from Mr. Pineda. He talked about how 7 out of 10 people are aware of the risks of unknown links in email but still click the link anyway. There is no fail-proof way to implement a website or a mobile application. If an attack or security breach happens, we cannot simply blame the developers of the website or mobile application. He also discussed how security is a collaborative effort that includes the developers, the users, and the testers. I also learned that in a web application architecture, an attack can be launched against any part of the architecture: the browser, the network, the web server, the application code, or the database. To help prevent a security breach, users can look for the different signs that show whether a website is secure.
Attendance sheet for the seminar
Users can check for defects and should keep watching for them. One example of a website defect is a site that does not use SSL/TLS. SSL stands for Secure Sockets Layer; it was the original technology for establishing an encrypted link between a web server and a browser, and its successor TLS (Transport Layer Security) is what sites should use today, since the old SSL versions are deprecated. A website without SSL/TLS sends sensitive data, such as passwords and session cookies, in clear text, which means anyone who can monitor the network (an attacker on the same Wi-Fi, a compromised router, an ISP) can sniff the traffic and read that data. The speaker recommended that a site require and force TLS on every page and disable access to port 80. In practice many sites keep port 80 open only to redirect every request to HTTPS, and also send an HTTP Strict Transport Security (HSTS) header so the browser will not try plain HTTP again. Another example of a website defect is a site with no privacy policy page. Websites, especially those that collect personal information, should have a privacy policy page that the user can view. Error messages on login pages should also be generic: a message like "no such user" versus "wrong password" tells an attacker which usernames exist, so the same message should be returned for every failed attempt.
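To show what "generic error messages" means in code, here is an added example that is not from the seminar or the original post. It assumes a small constructed user store with one account; the leaky version returns different messages for an unknown user and a wrong password, while the hardened version returns one message and also runs the password hash for unknown users so that response time does not give the same clue away.

```python
import hashlib
import hmac

# Constructed sample data for this example only.
# A fixed salt keeps the example reproducible; real code uses os.urandom(16) per user.
_SALT = b"\x00" * 16


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (hypothetical helper for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# username -> (salt, stored hash). Only "alice" exists.
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy credential used for unknown usernames so the hash is still computed
# and the unknown-user path takes about as long as the wrong-password path.
_DUMMY = (_SALT, _hash("dummy-password-never-valid", _SALT))


def login_leaky(username: str, password: str):
    """Vulnerable: the message reveals whether the username exists."""
    if username not in USERS:
        return (False, "No such user")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Wrong password")
    return (True, "Welcome")


def login_generic(username: str, password: str):
    """Hardened: one message for every failure, and the hash is always computed."""
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest runs in constant time; the hash is computed even for
    # unknown users. The final membership check stops a guess of the dummy
    # password from logging in as a non-existent user.
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if not (matched and username in USERS):
        return (False, "Invalid username or password")
    return (True, "Welcome")
```

With `login_generic`, an attacker trying "bob" and "alice" with a wrong password gets the identical message and roughly the same response time, so the login page no longer confirms which accounts exist.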
In developing websites and mobile applications, the speaker said that developers should follow practices that ensure the security of the application. He talked about the F-U-S model, which stands for Functionality, Usability, and Security. An application should not only be functional and user-friendly; it should also be secure, so that it does not fall to malicious attacks.
The speaker also discussed penetration testers, or white hats. He explained the proper pen testing process and noted that it requires a lot of retesting, since a fix has to be verified and a new release can reintroduce an old flaw. Another example of a defect is parameter tampering, where an attacker modifies a request parameter (a hidden form field, a cookie, or a query string value such as a price or quantity) to bypass client-side application logic and validation; the defence is to validate every parameter again on the server. Another is cross-site scripting (XSS), where the attacker gets the victim's browser to execute the attacker's script by injecting it into a page that the application renders without escaping. The tester can exercise the application's inputs to check whether it is vulnerable to these types of attacks.
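The two defects above, parameter tampering and cross-site scripting, side by side in a vulnerable and a hardened form. This is an added example, not code from the seminar or the original post; the catalogue, the checkout parameters, and the greeting page are constructed for the example. The vulnerable checkout trusts a `price` parameter that the client sent (for instance from a hidden form field), so editing the request changes what is charged; the hardened one looks the price up on the server and bounds the quantity. The vulnerable greeting inserts the user's name straight into HTML; the hardened one escapes it.

```python
import html
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}


def checkout_vulnerable(params: dict) -> Decimal:
    """Parameter tampering: trusts price and qty exactly as the client sent them."""
    qty = int(params["qty"])
    price = Decimal(params["price"])  # attacker edits this in the request
    return price * qty


def checkout_hardened(params: dict) -> Decimal:
    """Server-side validation: price comes from the catalogue, qty is bounded."""
    sku = params.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # Any "price" the client sent is simply ignored.
    return CATALOGUE[sku] * qty


def greet_vulnerable(name: str) -> str:
    """Reflected XSS: user input lands in the page unescaped."""
    return f"<p>Hello {name}</p>"


def greet_hardened(name: str) -> str:
    """Output encoding: <, >, &, quotes become entities, so the browser
    renders the text instead of executing it."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def is_checkout_accepted(params: dict) -> bool:
    """Helper for testing: does the hardened checkout accept these parameters?"""
    try:
        checkout_hardened(params)
        return True
    except ValueError:
        return False
```

A tester checking for parameter tampering would intercept the checkout request, change `price` to `0.01`, and see whether the total changes; for XSS they would submit a name such as `<script>alert(1)</script>` and see whether the tag survives in the response. Escaping on output as in `greet_hardened` covers text inserted into HTML body content; input placed into attributes, JavaScript, or URLs needs the encoding for that context.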
I learned a lot from the seminar. I learned that security is a collaborative effort and that users, developers, and testers should work together to avoid security breaches. Users should also report the defects they find so that the developers can patch these security holes before they are attacked. Developers should have good coding habits to keep attackers from exploiting flaws in the source code of the website or mobile app. Pen testers should also be part of the organization to test the security of the website. The developers should check the infrastructure of the website and make sure that every part of it is properly secured. The IT infrastructure and network should be monitored regularly to detect and prevent breaches. A security policy is significant.
Educating users about cyber security is highly important. It can be done through training or "tip of the day" messages. Prevention is better than cure, so we should all work together to avoid security breaches. With the right level of preparation, we can minimize the damage done by attackers who try to infiltrate our systems and limit the possible losses.