At National Pens, there are many types of applications that
the company uses to conduct its business, but the top three that it uses
will be described here: the I3 Voice Internet phone application,
the Uservoice web application, and the ATG.

The I3 Voice Internet phone is their phone system, which is separate
from the I3 internet. I3 Voice provides an application on the desktop of the
workstation that a line is tied to. This application provides a database of all
calls to customers, storing each customer's phone number and archiving every
call. This allows management to listen to live calls and recorded calls, and to
save or delete calls stored in the database. One of the biggest risks this
application faces is a DDoS attack; the second is an attack on the TFTP, which
is the backbone of the voice communication. A DDoS (distributed
denial-of-service) attack can cripple the company's ability to make or receive
any calls for the length of the attack; it is caused by an attacker flooding the
bandwidth or the target system. Some of the best practices for fighting such
attacks are to recognize the signs of a DDoS attack, contact your ISP, and
ensure all your firmware and software are up to date (Ferrillo, 2016). For TFTP
attacks it does not matter whether it is hardware or software that affects the
TCP/IP stack. So, to help prevent this, it is good to check which TCP ports are
open and close the unnecessary ones, connect IDS and IPS systems to your server,
and use other commercial tools and services that might help in the prevention
of attacks (Gangte, 2014).

The Uservoice web application is used for customer feedback
directed back to the company. This application collects feedback from
customers, partners, or internal teams (Uservoice, n.d.). Since this is a
web-based application, it is at risk of buffer overflow and cross-site
scripting attacks. For the buffer overflow, it is good to ensure that no input
can be entered that causes a change in the HTML code, by filtering out
apostrophes, question marks and other unneeded notation. A way to prevent it is
to not put untrusted data inside an HTML element (Microsoft, 2016).
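As an added example (not code from the essay or from Uservoice), the two approaches above applied to a constructed piece of customer feedback: stripping apostrophes and question marks, versus encoding the untrusted text before it is placed inside an HTML element. The feedback string and the page template are assumptions.

```python
"""Rendering customer feedback into an HTML page: punctuation filtering
versus output encoding of untrusted data."""
import html

# Constructed sample feedback; not real Uservoice data.
FEEDBACK = "Great pens! <b>5 stars</b> & it's cheap? Not sure..."

# Assumed fragment of the feedback page.
PAGE_TEMPLATE = '<li class="feedback">{body}</li>'


def filter_punctuation(text: str) -> str:
    """Blacklist approach: strip apostrophes and question marks.
    It alters legitimate feedback and leaves angle brackets untouched,
    so markup supplied by the user still reaches the page as markup."""
    return text.replace("'", "").replace("?", "")


def render_filtered(text: str) -> str:
    """Page fragment built with the punctuation filter only."""
    return PAGE_TEMPLATE.format(body=filter_punctuation(text))


def render_escaped(text: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the browser
    shows the feedback as text and never interprets it as an element.
    The customer's wording is preserved exactly."""
    return PAGE_TEMPLATE.format(body=html.escape(text, quote=True))


if __name__ == "__main__":
    print(render_filtered(FEEDBACK))
    print(render_escaped(FEEDBACK))
```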

The ATG is a database that stores customer information as
well as product information. The database holds customer name, address, and
phone number, as well as purchase history. The risks of attack are SQL
injections and brute-force attacks. The way to prevent SQL injections is to use
data sanitization and validation precautions (Chapple, 2017). Brute-force
attacks can be prevented by ensuring the complexity of the passwords associated
with the usernames (Hoffman, 2013).

Oracle ATG – This is the database that holds all the customer, company, and
product information. The number one risk and threat for this application could
be a SQL injection. A SQL injection is a code injection that is used to attack
database applications; it is carried out by inserting malicious SQL statements
into an entry field for execution. To mitigate this threat, you would configure
the personalization module to use an LDAP repository, and secure the LDAP
repositories. To configure the personalization module, you will use the
password hasher property of the /atg/userprofiling/PropertyManager component,
which points to a password hasher component that handles password encryption
(Oracle, n.d.).
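Added example for the two ATG passages above (not code from the essay or from Oracle ATG): a customer lookup built by string concatenation, where a legitimate name containing an apostrophe already breaks the statement, beside the parameterized form and a validation check. The in-memory table, column names and phone format are assumptions.

```python
"""Customer lookup by name: string concatenation versus parameterized
queries, plus input validation for a fixed-format field."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the customer table (not the ATG schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, phone TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [("Ann Lee", "555-0100", "Shelton"), ("Pat O'Brien", "555-0101", "Boston")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Query built by concatenation: the name becomes part of the SQL text.
    An ordinary apostrophe breaks the statement, and crafted input could
    change its meaning. This is the pattern the text warns about."""
    sql = "SELECT phone, city FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver passes the name as data, never as
    SQL, so quotes inside the value cannot alter the statement."""
    return conn.execute(
        "SELECT phone, city FROM customer WHERE name = ?", (name,)
    ).fetchall()


def concat_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query fails to parse for this input."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


PHONE_RE = re.compile(r"\d{3}-\d{4}")  # assumed shape of the phone field


def valid_phone(value: str) -> bool:
    """Validation: accept only the exact shape the field should have and
    reject anything else before it reaches the database."""
    return PHONE_RE.fullmatch(value) is not None
```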

The repository is an implementation of the repository API
that lets you store and access profile data in an LDAP directory. This property
needs to be established with a password hash to encrypt the database to
mitigate unauthorized access and

I3 Business – This is the Internet phone application for management that
allows managers to record, delete, archive, and listen to telephone sales
calls. Common threats to an I3 application are a TFTP attack and a SIP attack.
A simple mitigation technique for this is not to have UDP port 69 (TFTP)
exposed to the Internet; it should be firewalled to allow only trusted sources.

SIP uses clear-text messages. Since it uses clear text, if an attacker can
capture the messages, they can read sensitive data such as public and private
information. A way to mitigate this is to use a program that monitors logs for
failed login attempts and adds iptables rules based on various rules. This will
automatically ban IPs for a period of time after a specific number of failed
attempts. The only downfall to this is that hackers can spoof UDP source
addresses and cause various addresses to be banned.
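As an added example (not code from the essay or from the I3 product), the failed-login monitor described above run over constructed SIP log lines: failures are counted per source address in a sliding window, offenders get an iptables rule, and a trusted-source allowlist limits the spoofing downside the text notes. The log format, addresses, thresholds and rule text are assumptions.

```python
"""Fail2ban-style scan of SIP authentication failures: count failures per
source in a sliding time window and emit firewall rules for repeat offenders."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt (RFC 5737 test addresses); the line format is assumed,
# not the real I3 log format.
LOG_LINES = [
    "2016-03-01T09:00:01 sip-auth: REGISTER failed user=1001 from=203.0.113.7",
    "2016-03-01T09:00:03 sip-auth: REGISTER failed user=1002 from=203.0.113.7",
    "2016-03-01T09:00:04 sip-auth: REGISTER ok user=1007 from=198.51.100.20",
    "2016-03-01T09:00:05 sip-auth: REGISTER failed user=1003 from=203.0.113.7",
    "2016-03-01T09:00:09 sip-auth: REGISTER failed user=1001 from=198.51.100.20",
    "2016-03-01T09:00:10 sip-auth: REGISTER failed user=1002 from=198.51.100.20",
    "2016-03-01T09:00:11 sip-auth: REGISTER failed user=1003 from=198.51.100.20",
    "2016-03-01T09:20:00 sip-auth: REGISTER failed user=1001 from=192.0.2.9",
    "2016-03-01T09:40:00 sip-auth: REGISTER failed user=1001 from=192.0.2.9",
    "2016-03-01T10:00:00 sip-auth: REGISTER failed user=1001 from=192.0.2.9",
]
# Sources that are never banned (e.g. the carrier's SIP trunk). This bounds the
# downside the text notes: spoofed UDP sources cannot get these addresses blocked.
TRUSTED = {"198.51.100.20"}


def parse_failure(line: str):
    """Return (timestamp, source_ip) for a failed attempt, or None otherwise."""
    ts, _, rest = line.partition(" ")
    if " failed " not in rest:
        return None
    return datetime.fromisoformat(ts), rest.rsplit("from=", 1)[1].strip()


def find_offenders(lines, max_failures=3, window=timedelta(minutes=10)):
    """Ban a source once max_failures failures fall within one window."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None or parsed[1] in TRUSTED or parsed[1] in banned:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned.add(src)
    return banned


def iptables_rules(banned) -> list:
    """Rules the monitor would add for a fixed ban period (returned, not run here)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(banned)]
```

The spaced-out failures from 192.0.2.9 never reach three inside one ten-minute window, so only the rapid burst from 203.0.113.7 is banned.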

Software Assurance Guidelines are as follows:

Software Assurance in Acquisition and Outsourcing
    Software assurance in acquisition and contract
    Software supply chain risk management and

Software Assurance in Development
    Integrate security into the SDLC
    Practices for mitigation of weaknesses
    Software security risk training
    Analysis and requirement reports for secure
    Secure coding report for software construction

Software Assurance Life Cycle
    Training and certification of staff
    Secure distribution, deployment and operations of software
    Code transparency
    Assurance case management

(Jarzombek, 2012)
