Part1: Class Content Overview

What is this class?

This class is all about making. It is practitioner oriented. There will be a fair amount of coding involved. It will make you stretch. It is "hard."

That said...

1. Anyone can do it! (even if you have little or no programming experience)
2. You will feel great when you create something new and expand your comfort zone.
3. I'll do my best to help keep you out of the panic zone.

Img credit: https://www.developgoodhabits.com/comfort-zone/

Comfort Zone

Stretch Zone

Panic Zone

Learning

Risk

Challenge

Growth

"Hard"

"Easy"

Boring

Anxiety Free

"Impossible"

Fear

Stress

Overwhelming

Model originally described by psychologists Robert M. Yerkes and John Dillingham Dodson in 1908

This class

Ok, So what will we cover?

1. Web Services, REST, and SOA
2. Client-side Application Development
3. Server-side Development: Creating RESTful APIs
4. Application Penetration Testing and Test-Driven Development
5. Software Engineering: Architecture and design
6. Server hardening and deployment

Languages and Platforms

Part2: Web Apps and Attack Vectors

(nearly) All companies have a web app

You probably use them, daily.

Web Page ≠ Web Service ≠ Web App

Terminology

web page: an HTML (HyperText Markup Language) document that contains certain content (images, videos, text, etc)

web app: a web application is a piece of software that presents its user interface in a web browser. A web app typically includes at least one web service and generates many web pages in response to different user actions. The key difference between an app and a service is that an app is user facing, while a service is system-facing.

web service: a piece of software that serves up data through a web interface. Typically web services are object-oriented, provide access to a database, and encode data in XML or JSON. 

WEb APP Reference Architecture

user

Web Application server

frontend

What the user sees
HTML, CSS, JS

perform action

see result

backend

data request

response

File system

database

Processes requests, performs application logic, and provides data to the frontend

Expanded App Architecture

As a user, you expect web apps to be:

fast, responsive, always available, and secure

Despite your expectations:

96% of web apps have vulnerabilities*

 * Cenzic Application Vulnerability Trends report, 2014

Percentage of tested apps with vulnerabilities

Median number of vulnerabilities per app

13

14

2012

2013

2012

2013

*...at the application Level!

<-- How they breakdown

 Edgescan, vulnerability statistics report, 2019 pg. 8.

Another Study of 43 major Apps in 2018 

https://www.ptsecurity.com/ww-en/analytics/web-application-vulnerabilities-statistics-2019/

% of websites falling within the vulnerability category

average number of vulnerabilities per application

vulnerabilities by severity

Clearly, this is problematic

Basic Web App attack Principle

...make the web application do something it was never intended to do.

aka...user input is evil.

EX: XSS

Allows attackers to inject malicious scripts into web pages and have it executed in another user’s browser. Usually to capture some user information.

EX: XSS Defense

Filter and validate all user input before accepting it.

Encode and escape special characters as HTML.

Never trust user input or display raw submissions.

Problematic Characters

We will REturn to XSS and some of these other attack types

Part3: HTTP Review and INTRO TO RESTFUL APIS

WE Are Doing it Live

HAnds-ON Exercise

Visit: https://mlhale.github.io/CYBR8470/modules/restful-api/

Take screenshots of successful GET and POST requests captured in POSTMAN
Submit screenshots to Canvas as Lab 1.