logo logo


Front-end security architecture: protection of user data and privacy

НазваFront-end security architecture: protection of user data and privacy
Назва англійськоюFront-end security architecture: protection of user data and privacy
АвториAleksei Chechet, Maksim Chernykh, Iaroslav Panasiuk, Ilnur Abdullin
ПринадлежністьNew Edge DWC-LLC, Dubai, United Arab Emirates; Boom Pay, Inc, Austin, United States of America; Agoda Services Co., Ltd., Bangkok, Thailand; National Information Technology Center, Bishkek, Kyrgyz Republic
Бібліографічний описFront-end security architecture: protection of user data and privacy / Aleksei Chechet, Maksim Chernykh, Iaroslav Panasiuk, Ilnur Abdullin // Scientific Journal of TNTU. — Tern.: TNTU, 2024. — Vol 115. — No 3. — P. 5–16.
Bibliographic description:Chechet A., Chernykh M., Panasiuk I., Abdullin I. (2024) Front-end security architecture: protection of user data and privacy. Scientific Journal of TNTU (Tern.), vol 115, no 3, pp. 5–16.
DOI: https://doi.org/10.33108/visnyk_tntu2024.03.005
УДК

004.056.5:004.056.8:004.056.75

Ключові слова

data encryption, vulnerabilities, cross-site scripting, technology development, implementation, architecture, governance as code.

Investigation of this topic is relevant in light of the significant increase in the frequency and scale of cyber-attacks that affect various industries and organisations. The purpose of this study is to analyse existing data protection methods at the Front-end, which are able to effectively protect the confidentiality of user data in the face of modern cyber threats. Among the methods used, the analytical method, synthesis, classification, statistical and other methods should be noted. The study identified serious risks associated with storing confidential data on the client side. In particular, the use of cookies and local storage turned out to be vulnerable points that pose potential threats to data security. An analysis of existing web applications revealed the presence of cross-site scripting (XSS) vulnerabilities, which became a route for the introduction of malicious scripts. It was revealed that the generation and use of unique cross-site request forgery (CSRF) tokens for each request play a key role in preventing cross-site request forgery. The implementation of Governance as Code (GaC) technology has demonstrated potential for automating compliance with established architectural and security standards, thereby reinforcing front-end defenses against cyber threats. The findings emphasise the importance of educating end users on the basic principles of network security. The study highlights the importance of developers’ active involvement in Front-end security. Thus, a comprehensive overview of the Front-end security architecture with a focus on protecting user data and ensuring privacy is provided. The practical significance of the study lies in the provision of specific recommendations and practical solutions to improve Front-end security in web applications and represents a valuable set of tools and approaches that can be applied by developers and engineers to strengthen the security of web applications. The addition of Governance as Code technology introduces an innovative layer of automated security enforcement that is particularly suited to addressing emerging cybersecurity challenges in real-time.

ISSN:2522-4433
Перелік літератури
  1. Tsulukidze M., Nyman-Metcalf K., Tsap V., Pappel I., Draheim D. Aspects of personal data protection from state and citizen perspectives – Case of Georgia. In: I.O. Pappas, P. Mikalef, Y.K. Dwivedi, L. Jaccheri, J. Krogstie, M. Mäntymäki (Eds.), Proceedings of the 18th IFIP WG 6.11 Conference on e-Business “Digital Transformation for a Sustainable Society in the 21st Century”.2019. pp. 476-488. Cham: Springer. https://doi.org/10.1007/978-3-030-29374-1_39.
  2. Napetvaridze V., Chochia A. Cybersecurity in the making – Policy and law: A case study of Georgia. International and Comparative Law Review, 2019, 19 (2), рр. 155–180. https://doi.org/10.2478/iclr-2019-0019.
  3. Sivasangari A., Kishor Sonti V. J. K., Poonguzhali S., Deepa D., Anandhi T. Security framework for enhancing security and privacy in healthcare data using blockchain technology. In: A. Khanna, D. Gupta, S. Bhattacharyya, A.E. Hassanien, S. Anand, A. Jaiswal (Eds.), Proceedings of ICICC 2021 “International Conference on Innovative Computing and Communications”, 2021, pp. 143–158. Singapore: Springer. https://doi.org/10.1007/978-981-16-2594-7_12.
  4. Feldman D., Haber E. Measuring and protecting privacy in the always-on era. Berkeley Technology Law Journal, 2020, 35 (1), рр. 197–250. https://btlj.org/data/articles2020/35_1/05_Haber_FinalFormat_WEB.pdf.
  5. Amo D., Alier M., García-Peñalvo F. J., Fonseca D., Casañ M. J. Protected users: A moodle plugin to improve confidentiality and privacy support through user aliases. Sustainability, 2020, 12 (6), р. 2548. https://doi.org/10.3390/su12062548.
  6. Kaur J., Garg U., Bathla G. Detection of cross-site scripting (XSS) attacks using machine
    learning techniques: A review. Artificial Intelligence Review, 2023, 56 (11), рр. 12725–12769. https://doi.org/10.1007/s10462-023-10433-3.
  7. Likaj X., Khodayari S., Pellegrino G. Where we stand (or fall): An analysis of CSRF defenses in web frameworks. In: RAID ‘21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, 2021, pp. 370–385). New York: Association for Computing Machinery. https://doi.org/10.1145/3471621.3471846.
  8. Dalimunthe S., Reza J., Marzuki A. Model for storing tokens in local storage (cookies) using JSON Web Token (JWT) with HMAC (Hash-based Message Authentication Code) in e-learning systems. Journal of Applied Engineering and Technological Science, 2022, 3 (2), pp. 149–155. https://doi.org/10.37385/ jaets.v3i2.662.
  9. Cheah S., Selvarajah V. 2021. A Review of common web application breaching techniques (SQLi, XSS, CSRF). In: Proceedings of the 3rd International Conference on Integrated Intelligent Computing Communication & Security (ICIIC 2021), pp. 540–547. Dordrecht: Atlantis Press. https://doi.org/10.2991/ahis.k.210913.068.
  10. Walton S., Wheeler P. R., Zhang Y. I., Zhao X. R. An integrative review and analysis of cybersecurity research: Current state and future directions. Journal of Information Systems, 2020, 35 (1), рр. 155–186. https://doi.org/10.2308/isys-19-033.
  11. Kaur J., Lamba S., Saini P. Advanced encryption standard: Attacks and current research trends. In: 2021 International Conference on Advance Computing and Innovative Technologies in Engineering (ICACITE), 2021, pp. 112–116). Greater Noida: Institute of Electrical and Electronics Engineers. https://doi.org/10. 1109/ICACITE51222.2021.9404716.
  12. Raman R. S., Evdokimov L., Wurstrow E., Halderman J. A., Ensafi R. Investigating large scale HTTPS interception in Kazakhstan. In: IMC ‘20: Proceedings of the ACM Internet Measurement Conference, 2020, pp. 125–132). New York: Association for Computing Machinery. https://doi.org/10.1145/3419394.3423665.
  13. Li S., Xu C., Zhang Y., Du Y., Chen K. Blockchain-based transparent integrity auditing and encrypted deduplication for cloud storage. IEEE Transactions on Services Computing, 2022, 16 (1), рр. 134–146. https://doi.org/10.1109/TSC.2022.3144430.
  14. Omotunde H., Ahmed M. A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond. Mesopotamian Journal of Cyber Security, 2023, рр. 115–133. https://doi.org/10.58496/mjcsc/2023/016.
  15. Song L., García-Valls M. Improving security of web servers in critical IoT systems through self-monitoring of vulnerabilities. Sensors, 2022, 22 (13), 5004. https://doi.org/10.3390/s22135004.
  16. Hutt S., Baker R. S., Ashenafi M. M., Andres‐Bray J. M., Brooks C. Controlled outputs, full data: A privacy‐protecting infrastructure for MOOC data. British Journal of Educational Technology, 2022, 53 (4), рр. 756–775. https://doi.org/10.1111/bjet.13231.
  17. Al Hawamleh, A.M., Alorfi, Sulaiman M, A., Al-Gasawneh, J.A., Al-Rawashdeh, G. Cyber security and ethical hacking: The importance of protecting user data. Solid State Technology, 2020, 63, рр. 7894–7899. https://solidstatetechnology.us/index.php/JSST/article/view/7202.
  18. Arora C. Digital health fiduciaries: Protecting user privacy when sharing health data. Ethics and Information Technology, 2019, 21 (3), рр. 181–196. https://doi.org/10.1007/s10676-019-09499-x.
  19. Saravanan N., Umamakeswari A. Lattice based access control for protecting user data in cloud environments with hybrid security. Computers & Security, 2021, 100, 102074. https://doi.org/10.1016/j.cose.2020.102074.
  20. Method and system for verifying the architecture of a software/hardware solution. 2022. https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2022250564.
  21. Hiremath P. N., Armentrout J., Vu S., Nguyen T. N., Minh Q. T., Phung P. H. MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web. In: T.K. Dang, J. Küng, M. Takizawa, S. Ha Bui (Eds.), Proceedings of the 6th International Conference “Future Data and Security Engineering”, 2019, pp. 506–525). Cham: Springer. https://doi.org/10.1007/978-3-030-35653-8_33.

 

References:
  1. Tsulukidze M., Nyman-Metcalf K., Tsap V., Pappel I., Draheim D. Aspects of personal data protection from state and citizen perspectives – Case of Georgia. In: I.O. Pappas, P. Mikalef, Y.K. Dwivedi, L. Jaccheri, J. Krogstie, M. Mäntymäki (Eds.), Proceedings of the 18th IFIP WG 6.11 Conference on e-Business “Digital Transformation for a Sustainable Society in the 21st Century”.2019. pp. 476-488. Cham: Springer. https://doi.org/10.1007/978-3-030-29374-1_39.
  2. Napetvaridze V., Chochia A. Cybersecurity in the making – Policy and law: A case study of Georgia. International and Comparative Law Review, 2019, 19 (2), рр. 155–180. https://doi.org/10.2478/iclr-2019-0019.
  3. Sivasangari A., Kishor Sonti V. J. K., Poonguzhali S., Deepa D., Anandhi T. Security framework for enhancing security and privacy in healthcare data using blockchain technology. In: A. Khanna, D. Gupta, S. Bhattacharyya, A.E. Hassanien, S. Anand, A. Jaiswal (Eds.), Proceedings of ICICC 2021 “International Conference on Innovative Computing and Communications”, 2021, pp. 143–158. Singapore: Springer. https://doi.org/10.1007/978-981-16-2594-7_12.
  4. Feldman D., Haber E. Measuring and protecting privacy in the always-on era. Berkeley Technology Law Journal, 2020, 35 (1), рр. 197–250. https://btlj.org/data/articles2020/35_1/05_Haber_FinalFormat_WEB.pdf.
  5. Amo D., Alier M., García-Peñalvo F. J., Fonseca D., Casañ M. J. Protected users: A moodle plugin to improve confidentiality and privacy support through user aliases. Sustainability, 2020, 12 (6), р. 2548. https://doi.org/10.3390/su12062548.
  6. Kaur J., Garg U., Bathla G. Detection of cross-site scripting (XSS) attacks using machine
    learning techniques: A review. Artificial Intelligence Review, 2023, 56 (11), рр. 12725–12769. https://doi.org/10.1007/s10462-023-10433-3.
  7. Likaj X., Khodayari S., Pellegrino G. Where we stand (or fall): An analysis of CSRF defenses in web frameworks. In: RAID ‘21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, 2021, pp. 370–385). New York: Association for Computing Machinery. https://doi.org/10.1145/3471621.3471846.
  8. Dalimunthe S., Reza J., Marzuki A. Model for storing tokens in local storage (cookies) using JSON Web Token (JWT) with HMAC (Hash-based Message Authentication Code) in e-learning systems. Journal of Applied Engineering and Technological Science, 2022, 3 (2), pp. 149–155. https://doi.org/10.37385/ jaets.v3i2.662.
  9. Cheah S., Selvarajah V. 2021. A Review of common web application breaching techniques (SQLi, XSS, CSRF). In: Proceedings of the 3rd International Conference on Integrated Intelligent Computing Communication & Security (ICIIC 2021), pp. 540–547. Dordrecht: Atlantis Press. https://doi.org/10.2991/ahis.k.210913.068.
  10. Walton S., Wheeler P. R., Zhang Y. I., Zhao X. R. An integrative review and analysis of cybersecurity research: Current state and future directions. Journal of Information Systems, 2020, 35 (1), рр. 155–186. https://doi.org/10.2308/isys-19-033.
  11. Kaur J., Lamba S., Saini P. Advanced encryption standard: Attacks and current research trends. In: 2021 International Conference on Advance Computing and Innovative Technologies in Engineering (ICACITE), 2021, pp. 112–116). Greater Noida: Institute of Electrical and Electronics Engineers. https://doi.org/10. 1109/ICACITE51222.2021.9404716.
  12. Raman R. S., Evdokimov L., Wurstrow E., Halderman J. A., Ensafi R. Investigating large scale HTTPS interception in Kazakhstan. In: IMC ‘20: Proceedings of the ACM Internet Measurement Conference, 2020, pp. 125–132). New York: Association for Computing Machinery. https://doi.org/10.1145/3419394.3423665.
  13. Li S., Xu C., Zhang Y., Du Y., Chen K. Blockchain-based transparent integrity auditing and encrypted deduplication for cloud storage. IEEE Transactions on Services Computing, 2022, 16 (1), рр. 134–146. https://doi.org/10.1109/TSC.2022.3144430.
  14. Omotunde H., Ahmed M. A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond. Mesopotamian Journal of Cyber Security, 2023, рр. 115–133. https://doi.org/10.58496/mjcsc/2023/016.
  15. Song L., García-Valls M. Improving security of web servers in critical IoT systems through self-monitoring of vulnerabilities. Sensors, 2022, 22 (13), 5004. https://doi.org/10.3390/s22135004.
  16. Hutt S., Baker R. S., Ashenafi M. M., Andres‐Bray J. M., Brooks C. Controlled outputs, full data: A privacy‐protecting infrastructure for MOOC data. British Journal of Educational Technology, 2022, 53 (4), рр. 756–775. https://doi.org/10.1111/bjet.13231.
  17. Al Hawamleh, A.M., Alorfi, Sulaiman M, A., Al-Gasawneh, J.A., Al-Rawashdeh, G. Cyber security and ethical hacking: The importance of protecting user data. Solid State Technology, 2020, 63, рр. 7894–7899. https://solidstatetechnology.us/index.php/JSST/article/view/7202.
  18. Arora C. Digital health fiduciaries: Protecting user privacy when sharing health data. Ethics and Information Technology, 2019, 21 (3), рр. 181–196. https://doi.org/10.1007/s10676-019-09499-x.
  19. Saravanan N., Umamakeswari A. Lattice based access control for protecting user data in cloud environments with hybrid security. Computers & Security, 2021, 100, 102074. https://doi.org/10.1016/j.cose.2020.102074.
  20. Method and system for verifying the architecture of a software/hardware solution. 2022. https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2022250564.
  21. Hiremath P. N., Armentrout J., Vu S., Nguyen T. N., Minh Q. T., Phung P. H. MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web. In: T.K. Dang, J. Küng, M. Takizawa, S. Ha Bui (Eds.), Proceedings of the 6th International Conference “Future Data and Security Engineering”2019, pp. 506–525). Cham: Springer. https://doi.org/10.1007/978-3-030-35653-8_33.
Завантажити

Всі права захищено © 2019. Тернопільський національний технічний університет імені Івана Пулюя.