Tuturials

Chapter 6: Operating System and Application Security

Operating System and Application Security. This is where we shift from “how networks work” and “how crypto protects data” to how the actual computers and apps you use every day stay (or fail to stay) secure. In January 2026, with AI PCs everywhere, remote work still huge in places like Airoli/Navi Mumbai, and India’s DPDP Act pushing hard on data protection, OS hardening and secure coding aren’t optional—they’re survival.

We’ll go deep, with real examples from Windows 11 (now on 25H2/26H1 builds), Linux (Ubuntu/RHEL), macOS (Sequoia 15.x / Tahoe previews), and everyday Indian scenarios (banking apps, freelancing tools, UPI integrations). Think of this as your “lock your house + teach family not to open random doors” lesson.

1. Windows, Linux, macOS Security Features & Hardening

Each OS has built-in defenses, but hardening means turning on the strong ones, disabling weak defaults, and following best practices (CIS Benchmarks are gold standard in 2026).

  • Windows 11 (2026 – 24H2/25H2/26H1 era) Features:

    • Windows Hello (biometrics + PIN > passwords).
    • BitLocker (full disk encryption, auto-enabled on modern hardware).
    • Defender Antivirus + Microsoft Defender for Endpoint (cloud-backed, AI behavioral detection).
    • Controlled Folder Access (ransomware protection).
    • Virtualization-Based Security (VBS) + HVCI (Hypervisor-protected Code Integrity) – memory isolation.
    • Secure Boot + TPM 2.0 (mandatory, hardened in Jan 2026 patches with phased cert updates).
    • App & Browser Control (Smart App Control blocks unsigned/old apps).

    Hardening tips (CIS + Microsoft 2026):

    • Enable Exploit Protection (mitigations like DEP, ASLR).
    • Disable legacy protocols (SMBv1, NetBIOS).
    • Use Windows Hello for Business + MFA everywhere.
    • Patch fast (Jan 2026 KB5074109 fixed NPU battery drain + security).
    • Least privilege: Standard user accounts, not admin daily.

    Example: Your office laptop in Airoli—enable BitLocker + Defender real-time + Smart App Control. If ransomware hits (common in India), Controlled Folder Access blocks encryption of docs.

  • Linux (Ubuntu 24.04/26.04, RHEL 9/10 – 2026) Features:

    • SELinux (Red Hat default, enforcing mode) or AppArmor (Ubuntu).
    • Firewalld / ufw (firewalls).
    • sudo with timeouts + logging.
    • Kernel hardening (grsecurity patches optional, but sysctl tweaks common).
    • systemd security (PrivateTmp, ProtectSystem).

    Hardening (CIS Benchmarks 2026 – Level 1/2):

    • Enforce SELinux/AppArmor in enforcing.
    • Disable root login over SSH (use key auth + sudo).
    • Update kernel regularly (live patching on RHEL).
    • Use fail2ban or crowdsec for brute-force protection.
    • Minimal install (no unnecessary packages).

    Example: Server running UPI backend—apply CIS Level 1: disable unused services (telnet, FTP), enforce strong passwords, audit logs to SIEM. Stops lateral movement if initial access happens.

  • macOS (Sequoia 15.x / Tahoe previews – 2026) Features:

    • Gatekeeper + Notarization (only signed/notarized apps run).
    • XProtect + MRT (Malware Removal Tool, auto-updates).
    • FileVault (full disk encryption).
    • System Integrity Protection (SIP) (protects system files).
    • Transparency Consent & Control (TCC) (app permissions for camera/mic/files).
    • Rapid Security Responses (quick patches without reboot).

    Hardening (CIS Benchmarks for Sequoia/Sonoma):

    • Enable FileVault + strong password.
    • Lock down Firewall + stealth mode.
    • Disable Guest account, auto-login.
    • Use Managed mode if enterprise (Jamf/MDM).
    • Keep on latest (Sequoia 15.7+ patches WebKit exploits).

    Example: Freelancer MacBook—enable Gatekeeper + FileVault. If phishing downloads fake “invoice” app, notarization blocks it.

2. Access Control Models (DAC, MAC, RBAC, ABAC)

Who can do what? Models define rules.

  • DAC (Discretionary Access Control) — Owner decides (e.g., Windows NTFS, Linux chmod). Flexible but risky (user can share too much). Example: You share Google Drive file → anyone with link reads (classic DAC).
  • MAC (Mandatory Access Control) — System enforces based on labels (e.g., SELinux contexts, Windows Integrity Levels). No user override. Example: SELinux on RHEL server—web app can’t read /etc/shadow even if file perms allow.
  • RBAC (Role-Based Access Control) — Access via roles (e.g., “Admin”, “User”). Common in enterprises. Example: In banking app— “Teller” role sees accounts but can’t transfer; “Manager” approves.
  • ABAC (Attribute-Based Access Control) — Dynamic, policy-based on attributes (user dept, time, location, device). Modern/cloud favorite. Example: Azure AD/Okta—allow access only if “department=Finance” + “location=India” + “time=9-6”.

2026 trend: Hybrid (RBAC + ABAC) in cloud (AWS IAM policies use attributes).

3. Privilege Escalation and Least Privilege Principle

  • Least Privilege — Give only needed access (zero trust in practice). Example: Don’t run browser/email as admin. Use standard user + elevate when needed (UAC on Windows, sudo on Linux).
  • Privilege Escalation — Gaining higher rights (vertical: user → admin; horizontal: one user → another). Types: Kernel exploits, misconfigs, weak sudo, DLL hijacking. 2026 common: Unpatched zero-days + living-off-the-land (using legit tools like PowerShell). Mitigation: Patch fast, restrict sudo, use AppArmor/SELinux, monitor (EDR like Defender/CrowdStrike).

Real Indian example: Ransomware hits via phishing → exploits weak service account (escalates to SYSTEM) → encrypts everything. Least privilege stops escalation.

4. Secure Software Development Basics (OWASP Top 10 – 2025 Edition)

OWASP Top 10:2025 (released late 2025) is the current bible—focuses on root causes, supply chain, error handling.

Key 2025 categories (top ones):

  • A01:2025 – Broken Access Control (#1) — Missing auth checks, IDOR (Insecure Direct Object Reference).
  • A02:2025 – Security Misconfiguration (#2, up big) — Default creds, exposed debug, open S3 buckets.
  • A03:2025 – Software Supply Chain Failures (new/expanded) — Compromised deps, build pipeline attacks.
  • Others: Cryptographic Failures (#4), Injection (#5), Insecure Design (#6), etc.

Secure SDLC basics: Threat modeling, secure coding, SAST/DAST scans, dependency checks (OWASP Dependency-Check).

Example (India fintech): UPI app—use input validation + prepared statements to stop injection; scan deps for Log4j-style vulns.

5. Common Vulnerabilities: Buffer Overflows, Injection Attacks, XSS, CSRF

  • Buffer Overflows — Writing beyond buffer → overwrite memory (code execution). Mitigated by ASLR, DEP, stack canaries. Example: Old C app reads user input without bounds → attacker overflows → shell.
  • Injection Attacks (SQL, OS command, etc.) — Untrusted input executed as code. Example: Login form: SELECT * FROM users WHERE id = ‘$input’ → attacker puts ‘ OR 1=1 — → logs in.
  • XSS (Cross-Site Scripting) — Inject script into web page (reflected/stored/DOM). Example: Comment field: <script>alert(‘hacked’)</script> → steals cookies if no sanitization.
  • CSRF (Cross-Site Request Forgery) — Trick logged-in user to perform action (e.g., transfer money). Example: Malicious site has <img src=”bank.com/transfer?to=hacker&amount=10000″> → uses your session.

2026 mitigations: Input validation/sanitization, prepared statements, CSP (Content Security Policy) for XSS, CSRF tokens/SameSite cookies.

That’s Chapter 6—your OS and apps are now fortified!

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

Best web teacher © 2025. All Rights Reserved bestwebteacher.com.

Home
About Us
Terms of Use
Disclaimer
Contact Us

WhatsApp

+91 9433 511 250

Email

info@bestwebteacher.com

Connect with us

Facebook-f Twitter Youtube Jki-instagram-1-light

Best web teacher © 2024 . All Rights Reserved