OWASP Top 10
- Broken Access Control: occurs when unauthorized access to resources is mistakenly allowed.
  - Common causes include human error such as:
    - Unprotected sensitive data
    - Lack of system isolation
    - Misconfigured systems
  - To avoid this risk:
    - Implement formal threat modeling
    - Cover access control in use case testing
    - Use secure configuration for deployment
    - Design for error by anticipating mistakes and reducing their impact
- Cryptographic Failures: can compromise the confidentiality and integrity of data.
  - Common causes:
    - Misconfigured systems
    - Use of insecure protocols
    - Leaking cryptographic secrets
    - Using outdated or weak cryptographic algorithms
  - To prevent this:
    - Implement threat modeling
    - Safeguard private keys
    - Use encryption for data at rest and in transit
    - Use only approved cryptographic libraries and configurations
- Injection: the misuse of external inputs to manipulate the application into behaving insecurely.
  - Common causes:
    - Insufficient validation of human input
    - Failure to identify potential injection sources
  - To avoid:
    - Perform threat modeling
    - Treat all data from external applications and inputs as harmful
    - Perform regular pentests, including fuzzing techniques
- Insecure Design: the failure to incorporate security in all stages of a project.
  - Common causes:
    - Neglecting security considerations at various points of the development process
    - Inadequate security awareness
  - Risk:
    - Inability to pass security standards and expensive rework
  - To avoid this:
    - Implement formal threat modeling
    - Develop a security mindset
    - Continuously learn and apply security knowledge
- Security Misconfiguration: occurs when security measures are rendered ineffective due to incorrect deployment.
  - Common causes:
    - Failing to use secure configuration
    - Not reviewing configuration defaults
    - Assuming hidden applications are secure
  - To mitigate this:
    - Conduct authorized penetration tests against production deployments
    - Follow a consistent security review process
    - Use only third-party components that have independent security validations
- Vulnerable and Outdated Components: can expose systems to risk.
  - Common causes:
    - Assuming someone else is taking security actions
    - Underestimating the risk of unpatched systems
    - Lack of dependency and version management
  - To avoid:
    - Follow a continuous software update process
    - Use well-documented management processes
    - Actively monitor security vulnerability news bulletins
    - Perform regular pen tests
- Identification and Authentication Failures: occur when a system misidentifies an actor and grants improper privileges.
  - Common causes:
    - Misconfiguration
    - Insecure session management
    - Using simple and spoofable authentication mechanisms
  - To avoid:
    - Perform proper threat modeling
    - Use at least two-factor authentication
    - Use approved SSO integrations
- Software and Data Integrity Failures: occur when unverified data and software are deemed trustworthy.
  - Common causes:
    - Trusting unverified data
    - Failing to ensure limited access for personnel to change the data or code
    - Related cryptographic failures
  - To prevent:
    - Verify the authenticity of all code and data
    - Do not rely on implicit trust
    - Use trusted public key infrastructure for data and code signing
- Security Logging and Monitoring Failures: can leave malicious attacks undetected.
  - Common causes:
    - Misunderstanding the level of detail required for forensic investigations
    - Selective logging
    - Insecure storage
    - Transport of logs
  - To avoid this:
    - Log all accessed resources
    - Map actions to data for better traceability
- Server-Side Request Forgery: manipulating remote resources to make requests on behalf of an attacker.
  - Common causes:
    - Processing data from unsecured resources
    - Misconfigured middleware
  - To avoid:
    - Sanitize all data inputs
    - Use strong authentication and authorization for all endpoints
    - Scan middleware regularly for any misconfigurations
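
One way to apply "Sanitize all data inputs" to server-side request forgery, as an added example that is not part of the original post: validate any URL the server is asked to fetch before the request is made. The function names, the HTTPS/443 allowlist and the sample DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: the service only fetches over HTTPS
ALLOWED_PORTS = {443}        # assumption: no non-standard ports are needed
CONSTRUCTED_DNS = {  # constructed sample DNS answers, so the example runs offline
    "api.example.com": {"93.184.216.34"},
    "internal.example.com": {"10.0.0.5"},
    "mixed.example.com": {"93.184.216.34", "169.254.169.254"},
}

def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError("no such host")
    return CONSTRUCTED_DNS[host]

def system_resolver(host):  # OS resolver, for use outside the offline demo
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(text):
    ip = ipaddress.ip_address(text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    return (getattr(ip, "ipv4_mapped", None) or ip).is_global

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        port = 443 if parts.port is None else parts.port
    except ValueError:
        return False, "malformed URL"
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:  # IP literals are checked directly, names go through the resolver
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "host does not resolve"
    if not addresses or not all(is_public_ip(a) for a in addresses):
        return False, "resolves to non-public address"
    return True, "ok"
```

When fetching, connect to the address that passed the check rather than resolving the name a second time, and run the check again on every redirect target.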