| Plaintext (Insecure) | Secure Versions | Purpose or Use |
|---|---|---|
| HTTP | HTTPS | Web traffic |
| HTTP | TLS 1.2 or 1.3 | Web traffic |
| LDAP | LDAPS | Directory services |
| SNMP v1/v2 | SNMP v3 | Hardware management |
| FTP | SFTP/FTPS | File transfer |
| Telnet | SSH | Remote management |
• HTTP → HTTPS: TLS encryption mandatory; TLS 1.2 or higher only (1.0/1.1 deprecated, vulnerable to BEAST/POODLE)
• Downgrade Attacks: Attacker forces weaker protocol/cipher (SSL 3.0); mitigate via TLS_FALLBACK_SCSV or strict version enforcement
• LDAP → LDAPS: Port 636 (SSL/TLS) vs 389 (cleartext); binds encrypted, protects directory credentials
• SNMP: v1/v2c (cleartext; default community strings "public"/"private"); v3 (per-user authentication + encryption; required)
• File Transfer:
– FTP (Port 21, cleartext credentials/data)
– FTPS (FTP over SSL/TLS, explicit/implicit)
– SFTP (SSH File Transfer, Port 22, encrypted)
– SCP (Secure Copy, SSH-based, simpler than SFTP)
• Email Protocols:
– SMTP (25/587 submission), SMTPS (465, deprecated) → prefer STARTTLS (upgrades plain to encrypted)
– POP3S (995), IMAPS (993); never use unencrypted POP3/IMAP (110/143)
• Code Signing: Digital certificate signs binaries/scripts; verifies publisher integrity, prevents tampering (Windows SmartScreen, macOS Gatekeeper)
• Peer Review: Manual inspection before merge; catches logic flaws, backdoors
• SAST (Static): Source code analysis (white box); finds injection flaws, hardcoded secrets pre-deployment
• DAST (Dynamic): Runtime testing (black box); simulates attacks against running app
• Input Validation: Whitelist expected formats/lengths; reject/escape malicious input (prevents injection attacks)
• Client vs Server Validation: Client-side (UX only, bypassable via proxy); Server-side (authoritative, mandatory for security)
• Safe Error Handling: Generic messages to user ("Error occurred"), detailed logs to SIEM; prevents information leakage (stack traces, DB schema exposure)
• Sandboxing: Isolated execution environment (browser tab, mobile app container); limits privilege escalation; AppContainer (Windows), chroot (Linux)
• SPF: Sender Policy Framework; DNS TXT record listing authorized mail servers (prevents spoofed sender domains)
• DKIM: DomainKeys Identified Mail; cryptographic signature on headers/body; validates message integrity
• DMARC: Domain-based Message Authentication; policy framework (p=none/quarantine/reject) + reporting; requires SPF or DKIM alignment
• Email Gateway: Perimeter filter (spam, malware, DLP); TLS inspection optional
• DLP: Data Loss Prevention; inspects content for PII/IP exfiltration via email body/attachments
• DNS Filtering: Block malicious domains at resolver level (sinkholing, category filtering)
• DNSSEC: DNS Security Extensions; cryptographic validation of DNS responses (prevents cache poisoning/spoofing); signs zones, not queries
Quick Checks: FTPS ≠ SFTP (SSL/TLS vs SSH); TLS 1.3 faster than 1.2 (0-RTT); DMARC requires SPF or DKIM alignment; SAST finds code bugs, DAST finds runtime vulns; Client validation is for convenience only; always validate server-side.
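The DMARC bullet and the Quick Check above both state that DMARC passes only when SPF or DKIM is authenticated *and* aligned with the From: domain. The following added example (not from the original notes) evaluates that rule against a constructed DMARC record; it approximates the organizational domain with the last two labels, which is an assumption (real verifiers consult the Public Suffix List).

```python
# Constructed sample DMARC TXT record for example.com (not real DNS data).
# aspf=s requires SPF strict alignment; adkim=r allows DKIM relaxed alignment.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption: a production verifier must use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match with the From: domain;
    relaxed mode ('r', the RFC default) accepts the same organizational domain."""
    if auth_domain is None:          # that mechanism did not authenticate at all
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (verdict, action). spf_pass_domain is the MAIL FROM domain that
    passed SPF; dkim_pass_domain is the d= of a valid DKIM signature.
    A DMARC pass needs at least one mechanism that both passed and aligns."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", tags.get("p", "none"))   # receiver applies the published policy


if __name__ == "__main__":
    # Spoofed From: with SPF/DKIM valid only for the attacker's own domain -> fail.
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "attacker.test", "attacker.test"))
```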