Security+: Application Security Controls and Techniques (SY0-401) [DECOMMISSIONED ARTICLE]

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.

---

Introduction

CompTIA Security+ is a highly recognized certification process for information technology professionals that want to delve into the field of IT security and risk management. And the demand only gets higher as time passes, because everything done and happening in this world is becoming digitized and driven by machines. This means that more and more people are engaging in mobile data usage and transfer, making the said people sensitive and vulnerable to both physical and cyber attacks. Remember, the ability to access technology is only still possible through some sort of physical device – meaning hardware is just as important as software in things to take account for when discussing information security.

Of course, this does not discount the fact that most cyber threats can be sent from millions of miles east of the computer or system being compromised. Because of the fast-paced development in technology and computer science, hackers are born and bred in any part of the world, working to send security threats to big corporations, public officials, and private accounts. With all this said, CompTIA Security+ allows individuals and groups alike to maybe learn or capacitate through finding the right people who can keep their mobile data safe and guarded.

It must already be a given that you are interested in the CompTIA Security+ exam and want to learn just about everything regarding it in preparation. You are in luck, because below are the details of the application security controls you will need to learn in order to ace that certification exam.

It must be said prior to this discussion that applications and software programs have ruled the execution of life tasks and other recreational endeavors. With that, individuals using applications on a daily basis – meaning, everyone – have to take into account how to secure their data being sent to said applications. From personal details to credit card information – to sometimes more sensitive and private organization data – anything can be transported through applications and people have to be more careful when it comes to guaranteeing safety in this regard.

Application Baseline Configuration and Hardening

One of the ways to secure application usage is application baseline configuration and hardening. In order to harden and strengthen app security, one must first determine and understand the baseline – including the various components of the said application. IT security must look at the browser being used, the operating system the program is running on, and if there are service and security packs attached to it. Of course, the application also constantly updates so one has to also keep track of that. All in all, one has to stay on top of the different facets of the application – including knowing the basic why the application is being used – in order to foresee and forecast potential incidents that may occur.

After setting the baseline, the security staff then has to take measures to secure and harden applications – sensitive and open-line. One has to make sure that the latest security patches are being used, and that changes due to application update are monitored and assessed with regard to the information security. The idea is that privilege access settings are laid in order to tighten security and ensure safety for other components that have not yet been compromised.

Another method of securing applications is the multi-tiered approach and application patching. Most applications are up for updates because of a host of different reasons, including upgrades in the operating system, and as a response to user concern. Updates then may mean bugs, which of course, software authors tend to eradicate through more updates.

This does not discount the potential security vulnerabilities of the application, which security staff may not readily recognize because of automated update functions in different operating systems. Indeed, most applications have updater tools entrenched in their coding. For said applications, updates tend to be individual – workstation by workstation; and clearly, this is not the most beneficial for large organizations of a thousand or more. Central application patching comes into play when security staff decide that in order to maximize the benefits of updated systems, and ensure safety through individual accountability, that a central server (a Patch Manager) will update and download the given changes in the system, and disseminate to users on the other end. This decreases internet bandwidth, and points transparency in terms of how systems are accessed and used.

It must be said that keeping all systems up to date is tiring and not at all a walk in the park; it takes a lot of management and monitoring on the hands of the IT security staff. That being said, patching works wonders in terms of easing the workload for the people who keep the organization’s data safe.

Server Side and Client Side Validation

Lastly, there is the need to understand the difference between server side and client side validation, and understand how this knowledge helps secure applications further. Sometimes, malicious users may opt to take advantage of weak points in the organization’s coding and send information that will compromise the security of the information system. In order to avoid this, one must employ both the server side and client side validations. The former works as the system validates queries from users through checks done in the server. This means that the server is in charge of running the system, but also the checks for malware and other potential threats.

On the other hand, client or user side validation is when a user uses an application that makes intelligent decisions to filter queries from the participants. Of course, this runs the risk of potentially filtering legitimate input from genuine users. But this is to be taken alongside this form of validation, providing additional speed and efficiency to the process. It is important to have both systems in place because server- and client-side validations only help each other further strengthen the security barrier of one’s information system.

Input Validation

As for security coding concepts, a person interested to be certified under the Security+ program should be aware of the following: input validation, error and exception handling. Input validation is a vital part in ensuring a web application’s security fashion; more often than not, application codes are terrible in making sure that malicious content does not penetrate the system. This often leads to various vulnerabilities, such as XSS (or cross site scripting) and other file system attacks. To avoid these incidents, one must employ data validation testing in all entry points of the web application; remember, the more complex the system, the more vulnerable it is to malicious entry. Input and data validation testing may be split into the following categories: XSS testing and HTTP verb tampering and parameter pollution testing, which includes SQL, LDAP, XML, and SSI injection testing.

Error and Exception Handling

Error and exception handling is an integral part in hardening security controls in any web application. As inferred from the name, error and exception handling refers to the anticipation, identification, and resolution of errors and exceptions in programming and communications. To be more specific, errors refer to bugs in a program that cause it to operate incorrectly, and to produce undesirable outputs in the system. Exceptions, on the other hand, are more complex in nature, requiring special processing, and changing the flow of regular execution.

Knowledge on application security techniques are also crucial in the Security+ exam, because these techniques will promote one’s understanding of both concept and practical application. Some of these techniques are the following: fuzzing, XSS and CSRF prevention, and SQL/NoSQL database differentiation and use.

Fuzzing

Fuzz testing or fuzzing is a software testing technique which consists in finding implementation bugs using malformed data that is automatically released into the system. By inputting massive amounts of random data into the system – in an attempt to crash the compromised system – the user can figure out where loopholes are in the coding and implementation of the application, or find out other types of errors. Then, using a fuzz tester, one can determine the potential causes of identified vulnerabilities in the system. This is an easy hack for securing an organization’s information system because of high benefit-to-cost ratio; additionally, this prevents the losses done by quickhand hacks in the system. Of course, this is unable to handle more complex, complicated ways of hacking into one’s operations and information system. Click this link (/application-and-file-fuzzing/) for more information regarding application fuzzing.

XSS and CSRF prevention

XSS and CSRF prevention is yet another security technique that protects against web attacks that compromise the security of individual users working with unreliable website content. Cross site scripting attacks are based on malicious scripts encrypted into websites that can be served to other users for a certain period of time. Said scripts then gain access to page content and misuse it; for example, malicious JavaScript hidden in comments on a webpage.

On the other hand, cross site request forgery – also known as one-click – is an easier technique to pull off; this is usually done through hackers maliciously lying to persons using personal information and geting access to sensitive content through the user giving access through an authentication cookie. An example is spam mail telling someone that they won the lottery, and will only be able to receive the price through clicking on a link. For cases of prevention of both XSS and CSRF, one can choose to employ an automated prevention response (albeit expensive) or use the free security functions coded into internet browsers and utilize safe mode.

SQL and NoSQL Databases

Lastly, an application security technique incredibly useful for knowledge and practical application is the SQL and NoSQL databases. Standing for Structured Query Language, an SQL database is considerably the most common type in information technology; it is essentially a standard way of gathering information and storing it in a singular place. Because of its standard simplicity in structure, it must be said that it is relatively easy to request and consequently retrieve information in this type of database. And in terms of storing data, spreadsheet-like sorts are the norm, in a structure called the Relational Database Management System. This makes looking for data that you need super fast and super efficient. With that said, not all data is as structured as SQL. And that is where new types of databases come in.

A tad bit complex, the NoSQL (or Not Only SQL information) database is gaining traction in terms of users being able to store both relational and non-relational, as well as non-associated data in this database. This is particularly useful for large organizations that handle large datasets at a time, because relationships among data are to be assessed and monitored as part of the organization’s job – and having a reliable space to store all this important information is crucial in keeping processes efficient and more importantly, safe.

Training is Crucial

InfoSec Institute is a constant information security training enterprise in the industry. Founded by an expert in information technology and security almost two decades ago, InfoSec Institute believes that hands-on training is most effective in teaching potentials how to properly secure information systems. Our standardized certifications such as the CCNA Quad Cert and our specialized courses like the highly technical Computer Forensics training seminar equip interested individuals with any knowledge and skill of information security they may need. Moreover, InfoSec Institute offers other security awareness and phishing training programs that further the learnings of our partners in the industry.

For the Security+ exam, InfoSec Institute offers a particular five-day Boot Camp that covers all bases of the certification exam from CompTIA. The Boot Camp is a great preparatory exercise for anyone considering taking the CompTIA Security+ certification exam because not only does the person learn about security theory, they also learn the practical application of said theory.

The main objective of the Security+ Boot Camp is to ensure that people with IT careers who enroll in the course are well-trained in preparation for the Security+ (SY0-401) exam. InfoSec Institute’s comprehensive prep module is CompTIA-authorized – meaning, CompTIA recognizes the value added from the course provided. Our programs have evolved from merely threat recognition to risk mitigation and containment – a serious development that understands the greater demand in the industry. Additionally, the modules have been retrofitted to accommodate the newly-introduced Performance Based Exam Objectives from CompTIA. The InfoSec Institute recognizes the grave importance of constantly developing course content and methods of certification so as to benefit the industry that it serves – the industry that advances in minutes, quick because of growing information and capacity.

And make no mistake that there are a host of different certification practice programs that can also get the job done in terms of information security. But what makes InfoSec Institute different is that we only use our CompTIA Authorized Quality Curriculum (CAQC) to build our course modules and practice tests, not to mention our roster of expert IT security instructors that are easily accessible in the program. The InfoSec Institute is an award-winning training facility that only continues to advance working material as the technologies continue to change. And lastly but just as special, we recognize the importance of the InfoSec Institute Personal Touch in our teaching and learning technique – because we know we work with a very diverse group of people – with different learning patterns and personalities – but all of whom just want to become experts in information security.

The InfoSec Institute prides itself with the number of successful students that have passed the CompTIA Security+ certification exam and use it to further their careers in the industry. For those who have undergone the Security+ Boot Camp, let it be known that 92% of classroom participants have passed the exam while a very impressive 94.7% of those who studied online classes have become certified. For us in InfoSec Institute, it is an incredible feeling to know that our partners in development – now IT security professionals – have learned and have applied their learnings in that the demands of the information security industry become futile in the overall worth of constantly innovating work and making sure we are on top of our game.

We’ll see you there, future information security expert!