Use the pdf document as reference to answer the questions in the word document. Please paraphrase all answers, do not copy and paste from the ref - Writeedu

Use the pdf document as reference to answer the questions in the word document. 

Please paraphrase all answers, do not copy and paste from the reference document or any other reference document you use. 

Question 1: [NOTE: Answer each part of the question in paragraph format]

a. What is Transparent Data Encryption? Why is it transparent? What types of encryption does it support? Explain how TDE protects against attacks by privileged OS users? (4 points)

b. Identify and explain 4 primary defenses against SQL injection attacks. (4 points)

c. What specific encryption techniques does Amazon RDS use for protecting databases at rest? What encryption techniques and protocols does Amazon RDS use to protect data in flight? (2 points)

Question 2: [NOTE: Answer each part of the question in paragraph format]

a. Explain how a reflected XSS attack is different from a persistent XSS attack. Provide examples of attack scenarios for each. (2 points)

b. As per the OpenCanvas Learning YouTube video, there are 6 components which come together to make a web browser work. Pick 4 out of the 6 components and explain what each of those components does to get the browser to function. (4 points)

c. Describe the main difference between session cookies and persistent cookies. Describe 3 steps that we used to exploit information contained in cookies to launch a privilege escalation attack (based on one of the lab exercises). (4 points)

Question 3: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the table that I have included as a part of the question stem for part d.]

a. Explain what server hardening means in your own words. Which specific web application security risk in the OWASP Top 10 list from 2017 is hardening supposed to best protect against? (2 points)

b. Explain how a replay attack works using your own words. (2 points)

c. Explain what a web application firewall is and how it is different from a traditional network firewall. Which layer in the 7-layer OSI architecture does each operate at? (2 points)

d. Complete the following table of cloud service models by specifying whether the customer (C) or the service provider (SP) is responsible for hardware, operating system, applications, and data. From a customer perspective, which of the 3 cloud service models is most secure (theoretically)? (4 points)

[Table for part d: one row per cloud service model; columns Cloud Service Model, Hardware, Operating System, Applications, and Data, each cell to be filled with C or SP. Only the headers “Cloud Service Model” and “Operating System” survived extraction.]
Question 4: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the screen capture that I have included as a part of the question stem for part c.]

a. Describe two main differences between Java and JavaScript. (2 points)

b. Explain what an XML external entity is in your own words. Provide an example of XML code that uses an external entity. Explain how an XML external entities injection attack can be used to display the contents of the /etc/passwd file. (4 points)

c. Describe what flaw debt is in your own words. Provide 3 main takeaways from the chart provided below. (4 points)



Database Security – Issues and Best Practices

Outline
• Intro to Database Security
• Need for Database Security
• Database Security Fundamentals
• Database Security Issues
  • OWASP Top 10 – A1:2017 – Injection
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Database Security Mechanisms
• Database Security Best Practices


Intro to Database Security


Intro to Database Security
• How does a web application work?
  [Diagram of a web application's request flow; the point of the slide is that it involves databases]

Intro to Database Security (contd.)
• Database
  • A database is “an organized collection of structured information, or data, typically stored electronically in a computer system”
  • It includes: the data, the DBMS, and the applications that use them
• Database Management Systems (DBMS)
  • A DBMS serves “as an interface between the database and its end users or programs, allowing users to retrieve, update, and manage how the information is organized and optimized”

Source: What is a Database – Oracle

Intro to Database Security (contd.)
• Database Management Systems (DBMS) (continued)
  • A DBMS also facilitates “oversight and control of databases, enabling a variety of administrative operations such as performance monitoring, tuning, and backup and recovery”
  • Types: relational, object-oriented, distributed, data warehouses, open source, cloud, autonomous, etc.
  • Examples: Oracle, SQL Server, MySQL, Microsoft Access, MariaDB, PostgreSQL, etc.

Source: What is a Database – Oracle

Intro to Database Security (contd.)
• Database Tutorial for Beginners – Lucidchart

Source: Lucidchart – Database Tutorial for Beginners

Intro to Database Security (contd.)
• Database security refers to “the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability” (IBM, 2019)
• Database security involves protection of:
  • The data in the database
  • The database management system (DBMS) itself
  • Any associated applications (including web applications)
  • The physical and/or virtual database server farms and their underlying hardware
  • The computing and/or network infrastructure used to access the database (IBM, 2019)


Intro to Database Security (contd.)
• Database security involves securing data
  • At rest
    • Using techniques such as encryption
    • Example: Amazon RDS uses 256-bit Advanced Encryption Standard (AES) for securing database instances, automated backups, and snapshots at rest
  • In flight
    • Using protocols such as Transport Layer Security (TLS)
    • Example: Amazon RDS uses TLS from the web application to encrypt a connection to a database instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL to protect data in flight


Need for Database Security


Need for Database Security
• As per Oracle (2022):
  • Data breaches are “happening everywhere these days, and hackers are getting more inventive. It’s more important than ever to ensure that data is secure but also easily accessible to users”
• As per IBM (2019), the consequences of data breaches include the following:
  • Compromised intellectual property
  • Damaged brand reputation
  • Loss of business continuity
  • Fines or penalties for non-compliance
  • Expenses related to repairing breaches


Need for Database Security (contd.)
• As per the IBM (2021) Cost of a Data Breach Report:
  • The average total cost of a data breach in 2021 was $4.24M
  • The highest country average cost of a data breach was $9.05M (U.S.)
  • The highest industry average cost of a data breach was $9.23M (healthcare)
  • The cost per lost or stolen record was $161
  • The time to identify and contain a data breach was 287 days


Need for Database Security (contd.)
• As per IBM (2021), the four cost components are:
  [Chart of the four cost components; not recoverable from the page text]


Need for Database Security (contd.)
• Data breaches typically involve unauthorized access of company databases (Privacy Rights Clearinghouse, 2020)


Database Security Fundamentals


Database Security Fundamentals
• Oracle Database Security – Oracle France

Source: Oracle France – Database Security


Database Security Fundamentals (contd.)

• As per Oracle (2021), effective database security involves using the following powerful preventive and detective security controls:
  • Transparent Data Encryption (TDE)
  • Encryption key management
  • Privileged user and multifactor access control
  • Data classification and discovery
  • Database activity monitoring and blocking
  • Consolidated auditing and reporting
  • Data masking


Database Security Fundamentals (contd.)

• Transparent Data Encryption (TDE)
  • Helps prevent attacks that attempt to bypass the database and read sensitive information from data files at the operating system level, from database backups, or from database exports, by encrypting data in the database layer


Database Security Fundamentals (contd.)

• Transparent Data Encryption (TDE) (continued)
  • It is transparent because the encryption and decryption processes do not require any application changes, and application users do not have to deal directly with encrypted data
  • It supports tablespace encryption and column encryption


Database Security Fundamentals (contd.)

• Encryption Key Management
  • TDE uses a two-tier key management architecture
    • It consists of data encryption keys and a master encryption key
    • It enables rotation of master keys without having to re-encrypt all of the sensitive data
    • Oracle Database 18c introduced support for Bring Your Own Key (BYOK)
  • Data encryption keys
    • Are managed automatically by the database
  • The master encryption key
    • Is used to encrypt the data encryption keys
    • Is stored and managed outside of the database, within an Oracle Wallet or in an Oracle Key Vault
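The two-tier architecture on the TDE and key-management slides is easiest to see in code: the database holds only wrapped data encryption keys and ciphertext, the master key lives in an external store, and rotating the master key re-wraps the DEKs without rewriting any row. The following is an added example, not Oracle's code. It assumes a stand-in `KeyVault` class for the Oracle Wallet / Key Vault and uses a toy HMAC-SHA256 keystream in place of AES so that it runs on the Python standard library alone; the keys and the sample row are constructed.

```python
"""Two-tier (envelope) key management of the kind TDE uses.
Added example, not Oracle's code.  Assumptions: KeyVault stands in for an
Oracle Wallet / Key Vault holding the master key outside the database, and the
cipher is a toy HMAC-SHA256 keystream used only so the example runs on the
standard library; real TDE uses AES."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES): XOR data with HMAC-SHA256(key, nonce||counter).
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under key with a fresh random nonce; returns nonce || ciphertext."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class KeyVault:
    """External key store: the master encryption key (MEK) never enters the database files."""
    def __init__(self):
        self.master_key = os.urandom(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self.master_key, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self.master_key, wrapped)


class EncryptedDatabase:
    """Database-side state: per-tablespace DEKs (wrapped by the MEK) and encrypted rows."""
    def __init__(self, vault: KeyVault):
        self.vault = vault
        self.wrapped_deks = {}  # tablespace -> DEK wrapped under the MEK
        self.rows = {}          # tablespace -> list of nonce||ciphertext rows

    def create_tablespace(self, name: str) -> None:
        dek = os.urandom(32)  # DEK generated and managed automatically by the database
        self.wrapped_deks[name] = self.vault.wrap(dek)
        self.rows[name] = []

    def _dek(self, name: str) -> bytes:
        return self.vault.unwrap(self.wrapped_deks[name])

    def insert(self, name: str, row: bytes) -> None:
        self.rows[name].append(seal(self._dek(name), row))

    def select(self, name: str) -> list:
        dek = self._dek(name)
        return [unseal(dek, r) for r in self.rows[name]]

    def rotate_master_key(self) -> None:
        """Unwrap every DEK with the old MEK and re-wrap under a new one.
        The encrypted rows are not touched, which is why rotation is cheap."""
        deks = {n: self._dek(n) for n in self.wrapped_deks}
        self.vault.master_key = os.urandom(32)
        self.wrapped_deks = {n: self.vault.wrap(d) for n, d in deks.items()}


def demo() -> dict:
    db = EncryptedDatabase(KeyVault())
    db.create_tablespace("payroll")
    db.insert("payroll", b"alice,salary=120000")  # constructed sample row
    on_disk_before = list(db.rows["payroll"])
    db.rotate_master_key()
    on_disk_after = list(db.rows["payroll"])
    return {
        "rows_unchanged_by_rotation": on_disk_before == on_disk_after,
        "readable_after_rotation": db.select("payroll") == [b"alice,salary=120000"],
        "os_level_view_is_ciphertext": b"alice" not in on_disk_after[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `os_level_view_is_ciphertext` check is the property behind the slide's claim about privileged OS users: someone who can read the data files sees `db.rows` but never `vault.master_key`, so the rows stay unreadable without the wallet.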


Database Security Fundamentals (contd.)

• Privileged User and Multifactor Access Control – Oracle Database Vault

Source: Oracle – Database Vault


Database Security Fundamentals (contd.)

• Data Classification and Discovery
  • Oracle Label Security enforces data access requirements and records data classification levels at the database row level
  • Automated discovery of sensitive columns and parent-child relationships
  • The discovery process uses built-in extensible patterns, such as credit card numbers and national identifiers, to check metadata and column data to identify sensitive columns
  • The discovery results are stored as an application data model, which is reusable across multiple databases


Database Security Fundamentals (contd.)

• Database Activity Monitoring and Blocking
  • Oracle Database Firewall provides a first line of defense for



Database Security Fundamentals (contd.)

• Consolidated Auditing and Reporting
  • Oracle Audit Vault consolidates audit data from databases, operating systems, and directories


Database Security Fundamentals (contd.)

• Data Masking
  • Oracle Data Masking provides a flexible option to discover, mask, and subset sensitive data, enabling the data to be safely shared across non-production environments
  • Non-production environments such as test and development systems are potential targets for a cyber attack, as they generally contain copies of production data
  • Compliance costs are lowered, as masked non-production databases are out of scope for the audit teams
  • Sensitive data such as credit card numbers, national identifiers, and other personally identifiable information (PII) can be masked using predefined masking formats
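The discovery slide (pattern-based identification of sensitive columns) and the masking slide (predefined masking formats) describe two halves of one pipeline. The example below, added here and not Oracle's code, runs that pipeline over a constructed table: it classifies columns by how many of their values match a detector, then applies a format-preserving mask per classification. The detectors (Luhn-checked card numbers and an assumed NNN-NN-NNNN national-identifier format), the 50% classification threshold and the mask formats are this example's own assumptions.

```python
"""Sensitive-column discovery followed by masking.  Added example, not
Oracle's code.  Assumptions: the two detectors, the classification threshold
and the masking formats are invented for the example; sample rows are constructed."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


NATIONAL_ID_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # assumed national-identifier format


def looks_like_national_id(value: str) -> bool:
    return bool(NATIONAL_ID_RE.match(value))


DETECTORS = {"credit_card": looks_like_card, "national_id": looks_like_national_id}


def discover_sensitive_columns(table: dict, threshold: float = 0.5) -> dict:
    """Classify a column as sensitive when at least `threshold` of its non-empty
    values match one detector.  Returns {column_name: classification}."""
    result = {}
    for col, values in table.items():
        present = [v for v in values if v]
        if not present:
            continue
        for label, detect in DETECTORS.items():
            hits = sum(1 for v in present if detect(v))
            if hits / len(present) >= threshold:
                result[col] = label
                break
    return result


def mask_card(value: str) -> str:
    """Format-preserving mask: keep separators and the last four digits, X the rest."""
    keep_from = len(re.sub(r"[ -]", "", value)) - 4
    out, idx = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(ch if idx >= keep_from else "X")
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_national_id(value: str) -> str:
    return "***-**-" + value[-4:]


MASKERS = {"credit_card": mask_card, "national_id": mask_national_id}


def mask_table(table: dict) -> tuple:
    """Mask every non-empty value of each classified column (a stray non-matching
    value in a sensitive column is still masked).  Returns (masked_table, classes)."""
    classes = discover_sensitive_columns(table)
    masked = {}
    for col, values in table.items():
        masker = MASKERS.get(classes.get(col))
        masked[col] = [masker(v) if (masker and v) else v for v in values]
    return masked, classes


SAMPLE_TABLE = {  # constructed sample rows; the card numbers are public test numbers
    "customer": ["Ada", "Grace", "Linus"],
    "pan": ["4111 1111 1111 1111", "5500-0000-0000-0004", ""],
    "tax_id": ["123-45-6789", "987-65-4321", "555-55-5555"],
    "notes": ["vip", "4111 1111 1111 1111", "call back"],
}

if __name__ == "__main__":
    print(mask_table(SAMPLE_TABLE))
```

Note what the threshold does to the `notes` column: one card number among three free-text values is below 50%, so the column is not classified and that value is copied unmasked. Column-level discovery catches structured columns well; free-text columns need a value-level scan (or a lower threshold) before the copy leaves production.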


Database Security Issues


Database Security Issues
• Specific database security issues include:
  • Cloud database configuration errors
  • SQL injection
  • Weak authentication
  • Privilege abuse / excessive privileges
  • Inadequate logging / weak auditing
  • Unpatched services
  • Insecure system architecture
  • Inadequate backups

Source: The Chartered Institute for IT



Database Security Issues (contd.)

• OWASP Top 10 – A1:2017 – Injection

Source: OWASP Top 10 2017 A1-Injection


Database Security Issues (contd.)

• Common database security vulnerabilities:
  [List of common vulnerabilities taken from the OWASP A1:2017 Injection page; not recoverable from the page text]

Source: OWASP Top 10 2017 A1-Injection


Database Security Issues (contd.)

• OWASP Top 10: SQL Injection – Security Innovation

Source: Security Innovation – OWASP Top 10: SQL Injection


Database Security Issues (contd.)

• OWASP Top 10 – A3:2017 – Sensitive Data Exposure

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure


Database Security Issues (contd.)

• Common database security vulnerabilities:
  [List of common vulnerabilities taken from the OWASP A3:2017 Sensitive Data Exposure page; not recoverable from the page text]

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure



Database Security Attacks


Database Security Attacks
• Most common database security attacks include:

Source: OWASP – Attacks

Attack Type Description

SQL Injection An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data

Denial of Service Storing too much information in a user session object, such as large quantities of data retrieved from the database, can cause DoS issues

Brute Force The attacker makes requests to a server using pre-configured values and then analyzes the response

Ransomware The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data


Database Security Attacks (contd.)
• As per IBM (2022), some of the most common database security attacks include:

Attack Type Description

Insider Threats Abuse of privileged access by a malicious insider, a negligent insider, or an infiltrator

Human Error Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors

SQL Injection Insertion of arbitrary SQL attack strings into database queries served by web applications

Buffer Overflow A process attempts to write more data to a fixed-length block of memory than it is allowed to hold


Database Security Attacks (contd.)
• Common database security attacks (continued):

Source: IBM – Database Security: An Essential Guide

Attack Type Description

DoS/DDoS The attacker floods the database server with so many requests that the server can no longer fulfil legitimate requests from actual users

Malware Software written specifically to exploit vulnerabilities or otherwise cause damage to the database

Attacks on Backups Organizations fail to protect backup data with the same stringent controls used to protect the database itself


Database Security Best Practices


Database Security Best Practices
• OWASP recommends the following best practices:
  • Connect to the database securely
  • Prevent unencrypted traffic at the transport layer
  • Configure databases to always require authentication
  • Never store database credentials in the application source code, especially if they are unencrypted
  • Apply the principle of least privilege to the permissions assigned to database user accounts
  • Harden the underlying operating system for the database server

Source: OWASP – Database Security Cheat Sheet



Database Security Best Practices (contd.)

• Best practices to secure databases (as per IBM):
  • Consider physical security if the database is not in the cloud
  • Restrict the number of users, their permissions, and network access to the minimum levels necessary
  • Focus on end-user account/device security
  • Use best-in-class encryption to protect the data while at rest and in transit
  • Keep the DBMS version up to date and apply patches as soon as they are issued
  • Use best practices for application/web server security
  • Secure backups / log all operations / perform audits regularly

Source: IBM – Database Security: An Essential Guide


Database Security Best Practices (contd.)
• Use the following database security best practices:
  • Best practices to protect against SQL injection:
    • Primary defenses:
      • Use prepared statements with parameterized queries
      • Use stored procedures
      • Allow-list input validation
      • Escape all user-supplied input
    • Additional defenses:
      • Enforce least privilege
      • Perform allow-list input validation as a secondary defense

Source: OWASP – SQL Injection Prevention Cheat Sheet
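Three of the four primary defenses listed above can be shown side by side with the dynamic query they replace. The example below is added here and is not OWASP's or the course's code; it uses an in-memory SQLite table with constructed rows. SQLite has no stored procedures, so that defense is not demonstrated (inside a procedure the same rule applies: bind parameters rather than concatenating). The `ALLOWED_SORT_COLUMNS` allow-list covers the case a parameter cannot handle, an identifier such as an ORDER BY column.

```python
"""Vulnerable dynamic query beside the OWASP primary defenses.
Added example, not OWASP's code; the SQLite table and its rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    """Dynamic query built by string concatenation: user input becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name: str) -> list:
    """Defense: prepared statement with a bound parameter; the input is only ever data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, sort_by: str) -> list:
    """Defense: allow-list validation for identifiers, which cannot be bound as parameters."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    return conn.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()


def escape_sql_literal(value: str) -> str:
    """Defense (last resort): escape a string for a single-quoted SQLite literal by doubling
    embedded quotes.  Parameterization is still the first choice."""
    return "'" + value.replace("'", "''") + "'"


def find_user_escaped(conn, name: str) -> list:
    sql = "SELECT name, role FROM users WHERE name = " + escape_sql_literal(name)
    return conn.execute(sql).fetchall()


def demo() -> dict:
    conn = make_db()
    probe = "x' OR '1'='1"  # the classic tautology input, here only to compare the three lookups
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, probe)),       # whole table leaks
        "parameterized_rows": len(find_user_parameterized(conn, probe)),  # no such user
        "escaped_rows": len(find_user_escaped(conn, probe)),              # no such user
    }


if __name__ == "__main__":
    print(demo())
```

A useful check when reviewing code is whether any query text is built with `+`, `%` or an f-string from request data; `list_users_sorted` shows the one pattern where that is acceptable, because the interpolated value has already been matched against a fixed set.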



Recap
• Database security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in database mechanisms such as dynamic queries, input validation, key management, access control, configuration, logging, auditing, backups, etc.
• Hackers are able to exploit these weaknesses using attacks such as SQL injection, DoS, brute force, ransomware, etc.
• Best practices to protect databases include understanding what types of data need to be protected, understanding regulatory compliance, discovering/classifying databases based on data sensitivity, and using data masking, monitoring, auditing, encryption, access control, parameterized queries, stored procedures, allow-list input validation, hardening, etc.


Thank you!!!


Browser Security – Issues and Best Practices

Outline
• Intro to Browser Security
• Need for Browser Security
• Browser Security Fundamentals
• Browser Security Issues
  • OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Browser Security Mechanisms
• Browser Security Best Practices


Intro to Browser Security


Intro to Browser Security
• How does a web application work?
  [Diagram of a web application's request flow; the point of the slide is that it involves browsers]

Intro to Browser Security (contd.)

• Browser
  • A browser is “an application that finds and displays web pages”
  • It coordinates communication between your computer and the web server where a particular website “lives” by:
    • Accepting a website address as a URL
    • Submitting a request to the server to retrieve the content for the page
    • Processing the code (HTML, CSS, JavaScript, etc.) from the server
    • Loading active content (Flash, ActiveX, etc.) needed by the page
    • Displaying the complete, formatted web page
    • Repeating the process for every single user interaction with the page

Source: Understanding Your Computer: Web Browsers – U.S. CERT

Intro to Browser Security (contd.)

• Examples: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
• Browser market share as of February 2022:
  [Chart of browser market share; not recoverable from the page text]

Source: Global Web Stats – W3Counter

Intro to Browser Security (contd.)
• Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
• Browser security involves the following:
  • Protection against common client-side attacks
  • Protection against phishing
  • Management of browser extensions
  • Use of adequate cryptography protocols

Source: X41 Browser Security White Paper

Intro to Browser Security (contd.) • Bro
