Web application security - the fast guide 1.1 | Page 17

Chapter 1 - Information Security overview
This is why we should differentiate between the vulnerabilities, attacks, techniques, technologies and tools used to secure each layer. Our focus in this subject is web application security, so we will concentrate on the layer directly related to the application, namely the application layer.
1.5 Application layer security:
The application layer, as mentioned, is where all the logic of input, processing, manipulation, storage and output resides. That makes it the layer holding the customized components, which are also the components with the least maturity, and therefore the most tempting target for malicious attacks.
1.6 Defense mechanisms
To be able to defend the application we need to specify the main mechanisms that make this possible. This approach emphasizes application security in particular; other aspects also need to be considered if we target general defense mechanisms. The actual focus is the ability to control access, to handle the attacker, and to enable full monitoring over user input and the application:
1.6.1 Access:
This part is about controlling user privileges in terms of access to data and functionality. In web applications this goal is normally covered by three main mechanisms:

a. Session management
Session management is the method by which the server handles subsequent requests coming from the same user; in other words, it is how the server tells apart requests coming from different clients. HTTP as a protocol does not provide this service, which is why it is called a stateless protocol. In general, every application needs an approach for dealing with requests sent by various users while keeping track of each unique user. The common way to provide session management in an application is to create a session structure and generate a session token. The session structure tracks the user's interaction through the uniquely generated token. Tokens are long, randomly generated strings that are unique to the user. Tokens are transmitted using different methods; the most common is HTTP cookies, but other methods such as URL strings or hidden fields can be used too. The session for a specific user is destroyed automatically after a period of time if no interaction between the client and the server takes place. This period can be set by the application and is usually about 20 minutes.
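The following added example (not code from the book) shows the pieces the paragraph describes in working form: a server-side session structure, a token drawn from a cryptographically secure random source, an idle timeout that destroys the session when the client stops interacting, and the cookie header used to carry the token. The class and function names, the `SESSIONID` cookie name and the injectable clock are assumptions made for this illustration; the 20-minute default mirrors the figure given in the text.

```python
import secrets
import time

# Idle timeout for this example; the text notes that about 20 minutes is common.
IDLE_TIMEOUT_SECONDS = 20 * 60


class SessionStore:
    """In-memory session structure keyed by an unguessable token.

    Constructed example: each entry records the user bound to the token and
    the time of the last request, so idle sessions can be expired server-side.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, now=time.time):
        self._sessions = {}        # token -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._now = now            # injectable clock, so expiry can be tested

    def create(self, user):
        # 32 bytes from the OS CSPRNG, URL-safe encoded (43 characters):
        # long and random enough that a token cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def resolve(self, token):
        """Return the user bound to the token, or None if unknown or expired.

        Every successful lookup refreshes last_seen, so the timeout is an
        idle timeout: it only fires when the client stops interacting.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > self._idle_timeout:
            # Expired: destroy the server-side state so the token is dead.
            del self._sessions[token]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def destroy(self, token):
        """Explicit logout: remove the session regardless of its age."""
        self._sessions.pop(token, None)

    def count(self):
        return len(self._sessions)


def set_cookie_header(token):
    """Build the Set-Cookie value that transmits the token to the browser.

    HttpOnly keeps page script from reading the token, Secure restricts it to
    HTTPS, and SameSite=Lax limits it being sent on cross-site requests.
    """
    return f"SESSIONID={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def token_from_cookie_header(cookie_header):
    """Extract SESSIONID from an incoming Cookie header (minimal parser)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID":
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(set_cookie_header(tok))
    print(store.resolve(token_from_cookie_header(f"theme=dark; SESSIONID={tok}")))
```

The clock is injected so the idle-expiry path can be exercised without waiting twenty minutes; in a real deployment the store would live in a shared backend rather than a process-local dictionary, but the token generation, refresh-on-use and destroy-on-expiry logic stays the same.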