SlideShare a Scribd company logo

Owasp top ten 2017

Download as PPTX, PDF
A
AnukaJinadasa

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10.

Technology
1 of 32
DYNAMIC WEB APPLICATIONS OCCASIONALLY NEED TO RUN COMMANDS ON THE UNDERLYING DATABASE OR OPERATING SYSTEM TO UPDATE DATA, EXECUTE A SCRIPT OR START OTHER APPS. IF UNVALIDATED INPUTS ARE ADDED TO A COMMAND STRING, ATTACKERS CAN LAUNCH COMMANDS AT WILL TO TAKE CONTROL OF A SERVER, DEVICE OR DATA. IF A WEBSITE, APP, OR DEVICE INCORPORATES USER INPUT WITHIN A COMMAND, AN ATTACKER CAN INSERT A “PAYLOAD” COMMAND DIRECTLY INTO SAID INPUT. IF THAT INPUT IS NOT VERIFIED, AN ATTACKER THEN “INJECTS” AND RUNS THEIR OWN COMMANDS. ONCE ATTACKERS CAN MAKE COMMANDS, THEY CAN CONTROL YOUR WEBSITE, APPS AND DATA.
• USER-SUPPLIED DATA IS NOT VALIDATED, FILTERED, OR SANITIZED BY THE APPLICATION • DYNAMIC QUERIES OR NON-PARAMETERIZED CALLS WITHOUT CONTEXT AWARE ESCAPING ARE USED DIRECTLY IN THE INTERPRETER. • HOSTILE DATA IS USED WITHIN OBJECT-RELATIONAL MAPPING (ORM) SEARCH PARAMETERS TO EXTRACT ADDITIONAL, SENSITIVE RECORDS. • HOSTILE DATA IS DIRECTLY USED OR CONCATENATED, SUCH THAT THE SQL OR COMMAND CONTAINS BOTH STRUCTURE AND HOSTILE DATA IN DYNAMIC QUERIES, COMMANDS, OR STORED PROCEDURES.
• USE A SAFE API, WHICH AVOIDS THE USE OF THE INTERPRETER ENTIRELY OR PROVIDES A PARAMETERIZED INTERFACE OR MIGRATE TO USE OBJECT RELATIONAL MAPPING TOOLS (ORMS). • USE POSITIVE OR “WHITELIST” SERVER-SIDE INPUT VALIDATION • USE LIMIT AND OTHER SQL CONTROLS WITHIN QUERIES TO PREVENT MASS DISCLOSURE OF RECORDS IN CASE OF SQL INJECTION. • ENSURE THAT THE WEB APPLICATION RUNS WITH ONLY THE PRIVILEGES IT ABSOLUTELY NEEDS TO PERFORM ITS FUNCTION.
INCORRECT IMPLEMENTATION OF AUTHENTICATION AND SESSION MANAGEMENT FUNCTIONS IN APPLICATIONS ALLOWS ATTACKERS TO COMPROMISE DATA SUCH AS PASSWORDS, KEYS AND SESSION TOKENS OR TO EXPLOIT OTHER IMPLEMENTATION FLAWS TO MASQUERADE IDENTITIES TEMPORARILY OR PERMANENTLY. ATTACKERS HAVE ACCESS TO MILLIONS OF VALID USERNAME AND PASSWORD COMBINATIONS WHICH CAN BE USED IN CREDENTIAL STUFFING, DEFAULT ADMINISTRATIVE ACCOUNT LISTS, AUTOMATED BRUTE FORCE AND DICTIONARY ATTACK TOOLS. UNEXPIRED SESSION TOKENS DUE TO POOR SESSION MANAGEMENT IS THE MAIN VULNERABILITY BEHIND SESSION MANAGEMENT ATTACKS. IN THE SIMPLEST ATTACKS, PASSWORDS CAN BE GUESSED OR STOLEN IF LEFT UNPROTECTED. AS COMPLEXITIES ARE ADDED, ATTACKERS CAN FIND OTHER AREAS WHERE USER CREDENTIALS OR SESSIONS HAVE INADEQUATE PROTECTIONS AND THEN HIJACK A USER’S ACCESS, AND EVENTUALLY THEIR DATA.
• PERMITS AUTOMATED ATTACKS SUCH AS CREDENTIAL STUFFING, WHERE THE ATTACKER HAS A LIST OF VALID USERNAMES AND PASSWORDS. • PERMITS BRUTE FORCE OR OTHER AUTOMATED ATTACKS. • PERMITS DEFAULT, WEAK, OR WELL-KNOWN PASSWORDS, SUCH AS”PASSWORD1″ OR “ADMIN/ADMIN“. • USES WEAK OR INEFFECTIVE CREDENTIAL RECOVERY AND FORGOT-PASSWORD PROCESSES, SUCH AS “KNOWLEDGE- BASED ANSWERS”, WHICH CANNOT BE MADE SAFE. • USES PLAIN TEXT, ENCRYPTED, OR WEAKLY HASHED PASSWORDS. • HAS MISSING OR INEFFECTIVE MULTI-FACTOR AUTHENTICATION. • EXPOSES SESSION IDS IN THE URL (E.G., URL REWRITING). • DOES NOT ROTATE SESSION IDS AFTER SUCCESSFUL LOGIN. • DOES NOT PROPERLY INVALIDATE SESSION IDS. USER SESSIONS OR AUTHENTICATION TOKENS (PARTICULARLY SINGLE SIGN-ON (SSO) TOKENS) AREN’T PROPERLY INVALIDATED DURING LOGOUT OR A PERIOD OF INACTIVITY.
• WHERE POSSIBLE, IMPLEMENT MULTI-FACTOR AUTHENTICATION TO PREVENT AUTOMATED, CREDENTIAL STUFFING, BRUTE FORCE, AND STOLEN CREDENTIAL RE-USE ATTACKS. • DO NOT SHIP OR DEPLOY WITH ANY DEFAULT CREDENTIALS, PARTICULARLY FOR ADMIN USERS. • IMPLEMENT WEAK-PASSWORD CHECKS, SUCH AS TESTING NEW OR CHANGED PASSWORDS AGAINST A LIST OF THE TOP 10000 WORST PASSWORDS. • ALIGN PASSWORD LENGTH, COMPLEXITY AND ROTATION POLICIES WITH NIST 800-63 B’S GUIDELINES IN SECTION 5.1.1 FOR MEMORIZED SECRETS OR OTHER MODERN, EVIDENCE-BASED PASSWORD POLICIES. • ENSURE REGISTRATION, CREDENTIAL RECOVERY, AND API PATHWAYS ARE HARDENED AGAINST ACCOUNT ENUMERATION ATTACKS BY USING THE SAME MESSAGES FOR ALL OUTCOMES. • LIMIT OR INCREASINGLY DELAY FAILED LOGIN ATTEMPTS. LOG ALL FAILURES AND ALERT ADMINISTRATORS WHEN CREDENTIAL STUFFING, BRUTE FORCE, OR OTHER ATTACKS ARE DETECTED. • USE A SERVER-SIDE, SECURE, BUILT-IN SESSION MANAGER THAT GENERATES A NEW RANDOM SESSION ID WITH HIGH ENTROPY AFTER LOGIN. SESSION IDS SHOULD NOT BE IN THE URL. IDS SHOULD ALSO BE SECURELY STORED AND INVALIDATED AFTER LOGOUT, IDLE, AND ABSOLUTE TIMEOUTS.
SENSITIVE DATA, SUCH AS CREDIT CARD NUMBERS, HEALTH DATA, OR PASSWORDS, SHOULD HAVE EXTRA PROTECTION GIVEN THE POTENTIAL OF DAMAGE IF IT FALLS INTO THE WRONG HANDS. THERE ARE EVEN REGULATIONS AND STANDARDS DESIGNED TO PROTECT SENSITIVE DATA. BUT, IF SENSITIVE DATA IS STORED, TRANSMITTED, OR PROTECTED BY INADEQUATE METHODS, IT CAN BE EXPOSED TO ATTACKERS. IF DATA IS STORED OR TRANSFERRED AS PLAIN TEXT, IF OLDER/WEAKER ENCRYPTION IS USED, OR IF DATA IS DECRYPTED CARELESSLY, ATTACKERS CAN GAIN ACCESS AND EXPLOIT THE DATA. ONCE AN ATTACKER HAS PASSWORDS AND CREDIT CARD NUMBERS, THEY CAN DO REAL DAMAGE .
• THE MOST COMMON FLAW IS SIMPLY NOT ENCRYPTING SENSITIVE DATA. • DEFAULT CRYPTO KEYS IN USE, WEAK CRYPTO KEYS GENERATED, RE-USED, AND PROPER KEY MANAGEMENT AND ROTATION MISSING • NOT ENCRYPTING SENSITIVE DATA IS THE MAIN REASON WHY THESE ATTACKS ARE STILL SO WIDESPREAD. EVEN ENCRYPTED DATA CAN BE BROKEN DUE TO WEAK: • KEY GENERATION PROCESS; • KEY MANAGEMENT PROCESS; • ALGORITHM USAGE; • PROTOCOL USAGE; • CIPHER USAGE; • PASSWORD HASHING STORAGE TECHNIQUES.
• CLASSIFY DATA PROCESSED, STORED, OR TRANSMITTED BY AN APPLICATION. • IDENTIFY WHICH DATA IS SENSITIVE ACCORDING TO PRIVACY LAWS, REGULATORY REQUIREMENTS, OR BUSINESS NEEDS. • APPLY CONTROLS AS PER THE CLASSIFICATION. • DON’T STORE SENSITIVE DATA UNNECESSARILY. • DISCARD IT AS SOON AS POSSIBLE OR USE PCI DSS COMPLIANT TOKENIZATION OR EVEN TRUNCATION. DATA THAT IS NOT RETAINED CANNOT BE STOLEN. • MAKE SURE TO ENCRYPT ALL SENSITIVE DATA AT REST. • ENSURE UP-TO-DATE AND STRONG STANDARD ALGORITHMS, PROTOCOLS, AND KEYS ARE IN PLACE; USE PROPER KEY MANAGEMENT. • ENCRYPT ALL DATA IN TRANSIT WITH SECURE PROTOCOLS SUCH AS TLS WITH PERFECT FORWARD SECRECY (PFS) CIPHERS, CIPHER PRIORITIZATION BY THE SERVER, AND SECURE PARAMETERS. • ENFORCE ENCRYPTION USING DIRECTIVES LIKE HTTP STRICT TRANSPORT SECURITY (HSTS).
XML EXTERNAL ENTITY INJECTION IS ALSO KNOWN AS XXE IS AN ATTACK BASED ON SERVER-SIDE REQUEST FORGERY (SSRF). XXE ATTACK MANIPULATES A RARELY USED FEATURE OF XML PARSERS TO DO DENIAL OF SERVICE ATTACKS, GAIN ACCESS TO LOCAL AND REMOTE CONTENT AND SERVICES AND REMOTE CODE EXECUTION. THERE ARE TWO TYPES OF XXE ATTACKS AS IN-BAND AND OUT-OF-BAND. AN ATTACKER SENDS MALICIOUS DATA LOOKUP VALUES ASKING THE SITE, DEVICE, OR APP TO REQUEST AND DISPLAY DATA FROM A LOCAL FILE. IF A DEVELOPER USES A COMMON OR DEFAULT FILENAME IN A COMMON LOCATION, AN ATTACKER’S JOB IS EASY.
• THE APPLICATION ACCEPTS XML DIRECTLY OR XML UPLOADS, ESPECIALLY FROM UNTRUSTED SOURCES, OR INSERTS UNTRUSTED DATA INTO XML DOCUMENTS, WHICH IS THEN PARSED BY AN XML PROCESSOR. • ANY OF THE XML PROCESSORS IN THE APPLICATION OR SOAP BASED WEB SERVICES HAS DOCUMENT TYPE DEFINITIONS (DTDS) ENABLED. • IF YOUR APPLICATION USES SAML FOR IDENTITY PROCESSING WITHIN FEDERATED SECURITY OR SINGLE SIGN ON (SSO) PURPOSES. SAML USES XML FOR IDENTITY ASSERTIONS, AND MAY BE VULNERABLE. • IF THE APPLICATION USES SOAP PRIOR TO VERSION 1.2, IT IS LIKELY SUSCEPTIBLE TO XXE ATTACKS IF XML ENTITIES ARE BEING PASSED TO THE SOAP FRAMEWORK.
• WHENEVER POSSIBLE, USE LESS COMPLEX DATA FORMATS SUCH AS JSON, AND AVOID SERIALIZATION OF SENSITIVE DATA. • PATCH OR UPGRADE ALL XML PROCESSORS AND LIBRARIES IN USE BY THE APPLICATION OR ON THE UNDERLYING OPERATING SYSTEM. • USE DEPENDENCY CHECKERS (UPDATE SOAP TO SOAP 1.2 OR HIGHER). • DISABLE XML EXTERNAL ENTITY AND DTD PROCESSING IN ALL XML PARSERS IN THE APPLICATION, AS PER THE OWASP CHEAT SHEET ‘XXE PREVENTION’. • IMPLEMENT POSITIVE (“WHITELISTING”) SERVER-SIDE INPUT VALIDATION, FILTERING, OR SANITIZATION TO PREVENT HOSTILE DATA WITHIN XML DOCUMENTS, HEADERS, OR NODES. • VERIFY THAT XML OR XSL FILE UPLOAD FUNCTIONALITY VALIDATES INCOMING XML USING XSD VALIDATION OR SIMILAR. • SAST TOOLS CAN HELP DETECT XXE IN SOURCE CODE – ALTHOUGH MANUAL CODE REVIEW IS THE BEST ALTERNATIVE IN LARGE, COMPLEX APPLICATIONS WITH MANY INTEGRATIONS.
ACCESS CONTROL IS THERE TO RESTRICT ACCESS ON DATA AND FUNCTIONS FOR UNWANTED PARTIES. IF ACCESS CONTROL IS NOT IMPLEMENTED PROPERLY IT WILL LEAD TO BROKEN ACCESS CONTROL WHICH ALLOWS ATTACKERS TO EXPLOIT VULNERABILITY TO ACCESS UNAUTHORIZED CRITICAL DATA AND FUNCTIONS. SOMETIMES, GAINING UNAUTHORIZED ACCESS IS AS SIMPLE AS MANUALLY ENTERING AN UNLINKED URL IN A BROWSER, SUCH AS, HTTP://EXAMPLE.COM/ADMIN..
• BYPASSING ACCESS CONTROL CHECKS BY MODIFYING THE URL, INTERNAL APPLICATION STATE, OR THE HTML PAGE, OR SIMPLY USING A CUSTOM API ATTACK TOOL • ALLOWING THE PRIMARY KEY TO BE CHANGED TO ANOTHER'S USERS RECORD, PERMITTING VIEWING OR EDITING SOMEONE ELSE'S ACCOUNT. • ELEVATION OF PRIVILEGE. ACTING AS A USER WITHOUT BEING LOGGED IN, OR ACTING AS AN ADMIN WHEN LOGGED IN AS A USER. • METADATA MANIPULATION, SUCH AS REPLAYING OR TAMPERING WITH A JSON WEB TOKEN (JWT) ACCESS CONTROL TOKEN OR A COOKIE OR HIDDEN FIELD MANIPULATED TO ELEVATE PRIVILEGES, OR ABUSING JWT INVALIDATION • CORS MISCONFIGURATION ALLOWS UNAUTHORIZED API ACCESS. • FORCE BROWSING TO AUTHENTICATED PAGES AS AN UNAUTHENTICATED USER OR TO PRIVILEGED PAGES AS A STANDARD USER. ACCESSING API WITH MISSING ACCESS CONTROLS FOR POST, PUT AND DELETE.
• WITH THE EXCEPTION OF PUBLIC RESOURCES, DENY BY DEFAULT. • IMPLEMENT ACCESS CONTROL MECHANISMS ONCE AND RE-USE THEM THROUGHOUT THE APPLICATION, INCLUDING MINIMIZING CORS USAGE. • MODEL ACCESS CONTROLS SHOULD ENFORCE RECORD OWNERSHIP, RATHER THAN ACCEPTING THAT THE USER CAN CREATE, READ, UPDATE, OR DELETE ANY RECORD. • UNIQUE APPLICATION BUSINESS LIMIT REQUIREMENTS SHOULD BE ENFORCED BY DOMAIN MODELS. • DISABLE WEB SERVER DIRECTORY LISTING AND ENSURE FILE METADATA (E.G. .GIT) AND BACKUP FILES ARE NOT PRESENT WITHIN WEB ROOTS. • LOG ACCESS CONTROL FAILURES, ALERT ADMINS WHEN APPROPRIATE (E.G. REPEATED FAILURES). • RATE LIMIT API AND CONTROLLER ACCESS TO MINIMIZE THE HARM FROM AUTOMATED ATTACK TOOLING. • JWT TOKENS SHOULD BE INVALIDATED ON THE SERVER AFTER LOGOUT.
SECURITY MISCONFIGURATION IS THE MOST COMMON VULNERABILITY ON THE LIST, AND IS OFTEN THE RESULT OF USING DEFAULT CONFIGURATIONS OR DISPLAYING EXCESSIVELY VERBOSE ERRORS. FOR INSTANCE, AN APPLICATION COULD SHOW A USER OVERLY-DESCRIPTIVE ERRORS WHICH MAY REVEAL VULNERABILITIES IN THE APPLICATION. THIS CAN BE MITIGATED BY REMOVING ANY UNUSED FEATURES IN THE CODE AND ENSURING THAT ERROR MESSAGES ARE MORE GENERAL. PEOPLE GET BUSY, THINGS GET MISSED, PRIORITIZATION DECISIONS ARE MADE. AND VULNERABILITIES ARE LEFT UNCHECKED.
• UNNECESSARY FEATURES ARE ENABLED OR INSTALLED (E.G. UNNECESSARY PORTS, SERVICES, PAGES, ACCOUNTS, OR PRIVILEGES) • ERROR HANDLING REVEALS STACK TRACES OR OTHER OVERLY INFORMATIVE ERROR MESSAGES TO USERS. • THE SERVER DOES NOT SEND SECURITY HEADERS OR DIRECTIVES OR THEY ARE NOT SET TO SECURE VALUES. • DEFAULT ACCOUNTS AND THEIR PASSWORDS STILL ENABLED AND UNCHANGED. • FOR UPGRADED SYSTEMS, LATEST SECURITY FEATURES ARE DISABLED OR NOT CONFIGURED SECURELY.
• A MINIMAL PLATFORM WITHOUT ANY UNNECESSARY FEATURES, COMPONENTS, DOCUMENTATION, AND SAMPLES. • REMOVE OR DO NOT INSTALL UNUSED FEATURES AND FRAMEWORKS. • AN AUTOMATED PROCESS TO VERIFY THE EFFECTIVENESS OF THE CONFIGURATIONS AND SETTINGS IN ALL ENVIRONMENTS. . • AN AUTOMATED PROCESS TO VERIFY THE EFFECTIVENESS OF THE CONFIGURATIONS AND SETTINGS IN ALL ENVIRONMENTS.
CROSS-SITE SCRIPTING VULNERABILITIES OCCUR WHEN WEB APPLICATIONS ALLOW USERS TO ADD CUSTOM CODE INTO A URL PATH OR ONTO A WEBSITE THAT WILL BE SEEN BY OTHER USERS. THIS VULNERABILITY CAN BE EXPLOITED TO RUN MALICIOUS JAVASCRIPT CODE ON A VICTIM’S BROWSER. WHEN A WEB PAGE OR APP UTILIZES USER-ENTERED CONTENT AS PART OF A RESULTING PAGE WITHOUT CHECKING FOR BAD STUFF, A MALICIOUS USER COULD ENTER CONTENT THAT INCLUDES HTML ENTITIES.
THERE ARE THREE FORMS OF XSS , • REFLECTED XSS: AN XSS ALLOWS AN ATTACKER TO INJECT A SCRIPT INTO THE CONTENT OF A WEBSITE OR APP. WHEN A USER VISITS THE INFECTED PAGE, THE SCRIPT WILL EXECUTE IN THE VICTIM’S BROWSER. THIS ALLOWS ATTACKERS TO STEAL PRIVATE INFORMATION LIKE COOKIES, ACCOUNT INFORMATION, OR TO PERFORM CUSTOM OPERATIONS WHILE IMPERSONATING THE VICTIM’S IDENTITY. • STORES XSS: THE MOST DANGEROUS TYPE OF XSS INJECTION, REQUIRES SERVER SIDE INTERPRETATION OF THE QUERY .IT OCCURS WHEN THE DATA PROVIDED BY THE ATTACKER IS SAVED BY THE SERVER. • DOM XSS: APPEARS IN THE DOM (DOCUMENT OBJECT MODEL) INSTEAD OF PART OF THE HTML. DOM BASED CROSS-SITE SCRIPTING, THE HTML SOURCE CODE AND RESPONSE OF THE ATTACK WILL BE EXACTLY THE SAME, THEREFOR THE PAYLOAD CANNOT BE FOUND IN THE RESPONSE. IT CAN ONLY BE OBSERVED ON RUNTIME OR BY INVESTIGATING THE DOM OF THE PAGE.
• TAKING THE DATA AN APPLICATION HAS RECEIVED AND ENSURING IT’S SECURE BEFORE RENDERING IT FOR THE END USER. • BY ESCAPING USER INPUT, KEY CHARACTERS IN THE DATA RECEIVED BY A WEB PAGE WILL BE PREVENTED FROM BEING INTERPRETED IN ANY MALICIOUS WAY • ENSURING AN APPLICATION IS RENDERING THE CORRECT DATA AND PREVENTING MALICIOUS DATA FROM DOING HARM TO THE SITE, DATABASE, AND USERS. • WHILE WHITELISTING AND INPUT VALIDATION ARE MORE COMMONLY ASSOCIATED WITH SQL INJECTION, THEY CAN ALSO BE USED AS AN ADDITIONAL METHOD OF PREVENTION FOR XSS • SANITIZING DATA IS A STRONG DEFENSE, BUT SHOULD NOT BE USED ALONE TO BATTLE XSS ATTACKS.
DESERIALIZED DATA CAN BE MODIFIED TO INCLUDE MALICIOUS CODE, WHICH IS LIKELY TO CAUSE ISSUES IF THE APPLICATION DOES NOT VERIFY THE DATA’S SOURCE OR CONTENTS BEFORE DESERIALIZATION. ATTACKERS CAN BUILD ILLEGITIMATE OBJECTS THAT EXECUTE COMMANDS WITHIN AN INFECTED APPLICATION . BEFORE DATA IS STORED OR TRANSMITTED, THE BITS ARE OFTEN SERIALIZED SO THAT THEY CAN BE LATER RESTORED TO THE DATA’S ORIGINAL STRUCTURE. REASSEMBLING A SERIES OF BITS BACK INTO A FILE OR OBJECT IS CALLED DESERIALIZATION.
• IT IS HARD TO DETECT ATTACKS CAUSED BY INSECURE DESERIALIZATION SINCE THE PROCESS OF DESERIALIZATION USES COMMON CODE LIBRARIES FOUND IN WEB DEVELOPMENT. • HOWEVER, SOME WAYS TO HELP IDENTIFY INSECURE DESERIALIZATION INCLUDE • CHECK DESERIALIZATIONS TO SEE IF THE DATA IS CORRECTLY HANDLED AS USER INPUT INSTEAD OF TRUSTED INTERNAL DATA. • CHECK DESERIALIZATIONS TO ENSURE THE DATA IS WHAT IT IS SUPPOSED TO BE BEFORE BEING USED. • RUN SECURITY SCANS REGULARLY. • USE A MONITORING TOOL SUCH AS DETECTIFY OR THREAT STACK TO MONITOR DESERIALIZATIONS AND SET NOTIFICATIONS FOR COMMON VULNERABLE COMPONENTS.
• WAYS TO AVOID INSECURE DESERIALIZATION INCLUDE: • MONITORING THE DESERIALIZATION PROCESS. • ENCRYPTING SERIALIZATION PROCESSES. • NOT ACCEPTING SERIALIZED OBJECTS FROM UNKNOWN OR UNTRUSTED SOURCES. • RUNNING THE DESERIALIZATION CODE WITH LIMITED ACCESS PERMISSIONS. • USING A FIREWALL WHICH CAN HELP DETECT INSECURE DESERIALIZATION.
MANY MODERN WEB DEVELOPERS USE COMPONENTS SUCH AS LIBRARIES AND FRAMEWORKS IN THEIR WEB APPLICATIONS. THESE COMPONENTS ARE PIECES OF SOFTWARE THAT HELP DEVELOPERS AVOID REDUNDANT WORK AND PROVIDE NEEDED FUNCTIONALITY; COMMON EXAMPLE INCLUDE FRONT-END FRAMEWORKS LIKE REACT AND SMALLER LIBRARIES THAT USED TO ADD SHARE ICONS OR A/B TESTING. SOME ATTACKERS LOOK FOR VULNERABILITIES IN THESE COMPONENTS WHICH THEY CAN THEN USE TO ORCHESTRATE ATTACKS.
• IF SOFTWARE IS VULNERABLE, UNSUPPORTED, OR OUT OF DATE. THIS INCLUDES THE OS, WEB/APPLICATION SERVER, DATABASE MANAGEMENT SYSTEM (DBMS), APPLICATIONS, AND ALL COMPONENTS, RUNTIME ENVIRONMENTS, AND LIBRARIES. • IF YOU DO NOT SCAN FOR VULNERABILITIES REGULARLY AND SUBSCRIBE TO SECURITY BULLETINS RELATED TO THE COMPONENTS YOU USE. • IF SOFTWARE DEVELOPERS DO NOT TEST THE COMPATIBILITY OF UPDATED, UPGRADED, OR PATCHED LIBRARIES • IF YOU DO NOT FIX OR UPGRADE THE UNDERLYING PLATFORM, FRAMEWORKS, AND DEPENDENCIES IN A RISK-BASED, TIMELY FASHION.
• REMOVE UNUSED DEPENDENCIES, UNNECESSARY FEATURES, COMPONENTS, FILES, AND DOCUMENTATION. • CONTINUOUSLY INVENTORY THE VERSIONS OF BOTH CLIENT-SIDE AND SERVER-SIDE COMPONENTS (E.G. FRAMEWORKS, LIBRARIES). • ONLY OBTAIN COMPONENTS FROM OFFICIAL SOURCES OVER SECURE LINKS. • MONITOR FOR LIBRARIES AND COMPONENTS THAT ARE UNMAINTAINED OR DO NOT CREATE SECURITY PATCHES FOR OLDER VERSIONS.
MANY WEB APPLICATIONS ARE NOT TAKING ENOUGH STEPS TO DETECT DATA BREACHES. THE AVERAGE DISCOVERY TIME FOR A BREACH IS AROUND 200 DAYS AFTER IT HAS HAPPENED. THIS GIVES ATTACKERS A LOT OF TIME TO CAUSE DAMAGE BEFORE THERE IS ANY RESPONSE. OWASP RECOMMENDS THAT WEB DEVELOPERS SHOULD IMPLEMENT LOGGING AND MONITORING AS WELL AS INCIDENT RESPONSE PLANS TO ENSURE THAT THEY ARE MADE AWARE OF ATTACKS ON THEIR APPLICATIONS.
• AUDITABLE EVENTS, SUCH AS LOGINS, FAILED LOGINS, AND HIGH-VALUE TRANSACTIONS ARE NOT LOGGED. • LOGS ARE ONLY STORED LOCALLY. • THE APPLICATION IS UNABLE TO DETECT, ESCALATE, OR ALERT FOR ACTIVE ATTACKS IN REAL TIME OR NEAR REAL TIME. • WARNINGS AND ERRORS GENERATE NO, INADEQUATE, OR UNCLEAR LOG MESSAGES
• ENSURE THAT LOGS ARE GENERATED IN A FORMAT THAT CAN BE EASILY CONSUMED BY A CENTRALIZED LOG MANAGEMENT SOLUTIONS. • ESTABLISH EFFECTIVE MONITORING AND ALERTING SUCH THAT SUSPICIOUS ACTIVITIES ARE DETECTED AND RESPONDED TO IN A TIMELY FASHION. • ENSURE ALL LOGIN, ACCESS CONTROL FAILURES, AND SERVER-SIDE INPUT VALIDATION FAILURES CAN BE LOGGED WITH SUFFICIENT USER CONTEXT TO IDENTIFY SUSPICIOUS OR MALICIOUS ACCOUNTS
Owasp top ten 2017

Recommended

Cloud security monitoring
Cloud security monitoringCloud security monitoring
Cloud security monitoring
Gabe Akisanmi
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Ory Segal
 
Java zone ASVS 2015
Java zone ASVS 2015Java zone ASVS 2015
Java zone ASVS 2015
Joachim Van der Auwera
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depth
Secure Code Warrior
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - Logging
Secure Code Warrior
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 

Recommended

Cloud security monitoring
Cloud security monitoringCloud security monitoring
Cloud security monitoring
Gabe Akisanmi
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Ory Segal
 
Java zone ASVS 2015
Java zone ASVS 2015Java zone ASVS 2015
Java zone ASVS 2015
Joachim Van der Auwera
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depth
Secure Code Warrior
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - Logging
Secure Code Warrior
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
Datasheet over privileged_users
Datasheet over privileged_usersDatasheet over privileged_users
Datasheet over privileged_users
Cristian Garcia G.
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and logging
dcervigni
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
Vishal Kumar
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
Inspirisys Solutions Limited
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
tcellsn
 
6 Steps to Secure Network Devices
6 Steps to Secure Network Devices6 Steps to Secure Network Devices
6 Steps to Secure Network Devices
Lisa Kearney
 
Intrusion prevension
Intrusion prevensionIntrusion prevension
Intrusion prevension
ahmad abdelhafeez
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
Hai Nguyen
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
Ritwik Das
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
AlgoSec
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
Alert Logic
 
Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...
Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...
Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...
mCloud
 
Security 101
Security 101Security 101
Security 101
George V. Reilly
 
PASTA: Risk-centric Threat Modeling
PASTA: Risk-centric Threat ModelingPASTA: Risk-centric Threat Modeling
PASTA: Risk-centric Threat Modeling
Craig Walker, CISSP
 
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array NetworksVirtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Array Networks
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
Dilip Sharma
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 

More Related Content

What's hot

7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
Inspirisys Solutions Limited
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
Hai Nguyen
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
AlgoSec
 

What's hot (20)

Datasheet over privileged_users
Datasheet over privileged_usersDatasheet over privileged_users
Datasheet over privileged_users
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and logging
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
 
6 Steps to Secure Network Devices
6 Steps to Secure Network Devices6 Steps to Secure Network Devices
6 Steps to Secure Network Devices
 
Intrusion prevension
Intrusion prevensionIntrusion prevension
Intrusion prevension
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...
Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...
Developers’ mDay 2021: Goran Kunjadić, Cyber security, cryptography and DPO e...
 
Security 101
Security 101Security 101
Security 101
 
PASTA: Risk-centric Threat Modeling
PASTA: Risk-centric Threat ModelingPASTA: Risk-centric Threat Modeling
PASTA: Risk-centric Threat Modeling
 
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array NetworksVirtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
 

Similar to Owasp top ten 2017

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 

Similar to Owasp top ten 2017 (20)

OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web Vulnerability
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...
 
Access Controls
Access ControlsAccess Controls
Access Controls
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Security-Top-10-Penetration-Findings.pptx
Security-Top-10-Penetration-Findings.pptxSecurity-Top-10-Penetration-Findings.pptx
Security-Top-10-Penetration-Findings.pptx
 
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
RETOS ACTUALES E INNOVACIÓN SOBRE EL CONTROL DE ACCESOS PRIVILEGIADOS.
 
Panama Papers Leak and Precautions Law firms should take
Panama Papers Leak and Precautions Law firms should takePanama Papers Leak and Precautions Law firms should take
Panama Papers Leak and Precautions Law firms should take
 
Panama-Paper-Leak
Panama-Paper-LeakPanama-Paper-Leak
Panama-Paper-Leak
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
OWASP Top 10 Overview
OWASP Top 10 OverviewOWASP Top 10 Overview
OWASP Top 10 Overview
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 

Recently uploaded

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
Hiroshi SHIBATA
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 

Recently uploaded (20)

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 

Owasp top ten 2017

  • 1.
  • 2. DYNAMIC WEB APPLICATIONS OCCASIONALLY NEED TO RUN COMMANDS ON THE UNDERLYING DATABASE OR OPERATING SYSTEM TO UPDATE DATA, EXECUTE A SCRIPT OR START OTHER APPS. IF UNVALIDATED INPUTS ARE ADDED TO A COMMAND STRING, ATTACKERS CAN LAUNCH COMMANDS AT WILL TO TAKE CONTROL OF A SERVER, DEVICE OR DATA. IF A WEBSITE, APP, OR DEVICE INCORPORATES USER INPUT WITHIN A COMMAND, AN ATTACKER CAN INSERT A “PAYLOAD” COMMAND DIRECTLY INTO SAID INPUT. IF THAT INPUT IS NOT VERIFIED, AN ATTACKER THEN “INJECTS” AND RUNS THEIR OWN COMMANDS. ONCE ATTACKERS CAN MAKE COMMANDS, THEY CAN CONTROL YOUR WEBSITE, APPS AND DATA.
  • 3. • USER-SUPPLIED DATA IS NOT VALIDATED, FILTERED, OR SANITIZED BY THE APPLICATION • DYNAMIC QUERIES OR NON-PARAMETERIZED CALLS WITHOUT CONTEXT AWARE ESCAPING ARE USED DIRECTLY IN THE INTERPRETER. • HOSTILE DATA IS USED WITHIN OBJECT-RELATIONAL MAPPING (ORM) SEARCH PARAMETERS TO EXTRACT ADDITIONAL, SENSITIVE RECORDS. • HOSTILE DATA IS DIRECTLY USED OR CONCATENATED, SUCH THAT THE SQL OR COMMAND CONTAINS BOTH STRUCTURE AND HOSTILE DATA IN DYNAMIC QUERIES, COMMANDS, OR STORED PROCEDURES.
  • 4. • USE A SAFE API, WHICH AVOIDS THE USE OF THE INTERPRETER ENTIRELY OR PROVIDES A PARAMETERIZED INTERFACE OR MIGRATE TO USE OBJECT RELATIONAL MAPPING TOOLS (ORMS). • USE POSITIVE OR “WHITELIST” SERVER-SIDE INPUT VALIDATION • USE LIMIT AND OTHER SQL CONTROLS WITHIN QUERIES TO PREVENT MASS DISCLOSURE OF RECORDS IN CASE OF SQL INJECTION. • ENSURE THAT THE WEB APPLICATION RUNS WITH ONLY THE PRIVILEGES IT ABSOLUTELY NEEDS TO PERFORM ITS FUNCTION.
  • 5. INCORRECT IMPLEMENTATION OF AUTHENTICATION AND SESSION MANAGEMENT FUNCTIONS IN APPLICATIONS ALLOWS ATTACKERS TO COMPROMISE DATA SUCH AS PASSWORDS, KEYS AND SESSION TOKENS OR TO EXPLOIT OTHER IMPLEMENTATION FLAWS TO MASQUERADE IDENTITIES TEMPORARILY OR PERMANENTLY. ATTACKERS HAVE ACCESS TO MILLIONS OF VALID USERNAME AND PASSWORD COMBINATIONS WHICH CAN BE USED IN CREDENTIAL STUFFING, DEFAULT ADMINISTRATIVE ACCOUNT LISTS, AUTOMATED BRUTE FORCE AND DICTIONARY ATTACK TOOLS. UNEXPIRED SESSION TOKENS DUE TO POOR SESSION MANAGEMENT IS THE MAIN VULNERABILITY BEHIND SESSION MANAGEMENT ATTACKS. IN THE SIMPLEST ATTACKS, PASSWORDS CAN BE GUESSED OR STOLEN IF LEFT UNPROTECTED. AS COMPLEXITIES ARE ADDED, ATTACKERS CAN FIND OTHER AREAS WHERE USER CREDENTIALS OR SESSIONS HAVE INADEQUATE PROTECTIONS AND THEN HIJACK A USER’S ACCESS, AND EVENTUALLY THEIR DATA.
  • 6. • PERMITS AUTOMATED ATTACKS SUCH AS CREDENTIAL STUFFING, WHERE THE ATTACKER HAS A LIST OF VALID USERNAMES AND PASSWORDS. • PERMITS BRUTE FORCE OR OTHER AUTOMATED ATTACKS. • PERMITS DEFAULT, WEAK, OR WELL-KNOWN PASSWORDS, SUCH AS”PASSWORD1″ OR “ADMIN/ADMIN“. • USES WEAK OR INEFFECTIVE CREDENTIAL RECOVERY AND FORGOT-PASSWORD PROCESSES, SUCH AS “KNOWLEDGE- BASED ANSWERS”, WHICH CANNOT BE MADE SAFE. • USES PLAIN TEXT, ENCRYPTED, OR WEAKLY HASHED PASSWORDS. • HAS MISSING OR INEFFECTIVE MULTI-FACTOR AUTHENTICATION. • EXPOSES SESSION IDS IN THE URL (E.G., URL REWRITING). • DOES NOT ROTATE SESSION IDS AFTER SUCCESSFUL LOGIN. • DOES NOT PROPERLY INVALIDATE SESSION IDS. USER SESSIONS OR AUTHENTICATION TOKENS (PARTICULARLY SINGLE SIGN-ON (SSO) TOKENS) AREN’T PROPERLY INVALIDATED DURING LOGOUT OR A PERIOD OF INACTIVITY.
  • 7. • WHERE POSSIBLE, IMPLEMENT MULTI-FACTOR AUTHENTICATION TO PREVENT AUTOMATED, CREDENTIAL STUFFING, BRUTE FORCE, AND STOLEN CREDENTIAL RE-USE ATTACKS. • DO NOT SHIP OR DEPLOY WITH ANY DEFAULT CREDENTIALS, PARTICULARLY FOR ADMIN USERS. • IMPLEMENT WEAK-PASSWORD CHECKS, SUCH AS TESTING NEW OR CHANGED PASSWORDS AGAINST A LIST OF THE TOP 10000 WORST PASSWORDS. • ALIGN PASSWORD LENGTH, COMPLEXITY AND ROTATION POLICIES WITH NIST 800-63 B’S GUIDELINES IN SECTION 5.1.1 FOR MEMORIZED SECRETS OR OTHER MODERN, EVIDENCE-BASED PASSWORD POLICIES. • ENSURE REGISTRATION, CREDENTIAL RECOVERY, AND API PATHWAYS ARE HARDENED AGAINST ACCOUNT ENUMERATION ATTACKS BY USING THE SAME MESSAGES FOR ALL OUTCOMES. • LIMIT OR INCREASINGLY DELAY FAILED LOGIN ATTEMPTS. LOG ALL FAILURES AND ALERT ADMINISTRATORS WHEN CREDENTIAL STUFFING, BRUTE FORCE, OR OTHER ATTACKS ARE DETECTED. • USE A SERVER-SIDE, SECURE, BUILT-IN SESSION MANAGER THAT GENERATES A NEW RANDOM SESSION ID WITH HIGH ENTROPY AFTER LOGIN. SESSION IDS SHOULD NOT BE IN THE URL. IDS SHOULD ALSO BE SECURELY STORED AND INVALIDATED AFTER LOGOUT, IDLE, AND ABSOLUTE TIMEOUTS.
  • 8. SENSITIVE DATA, SUCH AS CREDIT CARD NUMBERS, HEALTH DATA, OR PASSWORDS, SHOULD HAVE EXTRA PROTECTION GIVEN THE POTENTIAL OF DAMAGE IF IT FALLS INTO THE WRONG HANDS. THERE ARE EVEN REGULATIONS AND STANDARDS DESIGNED TO PROTECT SENSITIVE DATA. BUT, IF SENSITIVE DATA IS STORED, TRANSMITTED, OR PROTECTED BY INADEQUATE METHODS, IT CAN BE EXPOSED TO ATTACKERS. IF DATA IS STORED OR TRANSFERRED AS PLAIN TEXT, IF OLDER/WEAKER ENCRYPTION IS USED, OR IF DATA IS DECRYPTED CARELESSLY, ATTACKERS CAN GAIN ACCESS AND EXPLOIT THE DATA. ONCE AN ATTACKER HAS PASSWORDS AND CREDIT CARD NUMBERS, THEY CAN DO REAL DAMAGE .
  • 9. • THE MOST COMMON FLAW IS SIMPLY NOT ENCRYPTING SENSITIVE DATA. • DEFAULT CRYPTO KEYS IN USE, WEAK CRYPTO KEYS GENERATED, RE-USED, AND PROPER KEY MANAGEMENT AND ROTATION MISSING • NOT ENCRYPTING SENSITIVE DATA IS THE MAIN REASON WHY THESE ATTACKS ARE STILL SO WIDESPREAD. EVEN ENCRYPTED DATA CAN BE BROKEN DUE TO WEAK: • KEY GENERATION PROCESS; • KEY MANAGEMENT PROCESS; • ALGORITHM USAGE; • PROTOCOL USAGE; • CIPHER USAGE; • PASSWORD HASHING STORAGE TECHNIQUES.
  • 10. • CLASSIFY DATA PROCESSED, STORED, OR TRANSMITTED BY AN APPLICATION. • IDENTIFY WHICH DATA IS SENSITIVE ACCORDING TO PRIVACY LAWS, REGULATORY REQUIREMENTS, OR BUSINESS NEEDS. • APPLY CONTROLS AS PER THE CLASSIFICATION. • DON’T STORE SENSITIVE DATA UNNECESSARILY. • DISCARD IT AS SOON AS POSSIBLE OR USE PCI DSS COMPLIANT TOKENIZATION OR EVEN TRUNCATION. DATA THAT IS NOT RETAINED CANNOT BE STOLEN. • MAKE SURE TO ENCRYPT ALL SENSITIVE DATA AT REST. • ENSURE UP-TO-DATE AND STRONG STANDARD ALGORITHMS, PROTOCOLS, AND KEYS ARE IN PLACE; USE PROPER KEY MANAGEMENT. • ENCRYPT ALL DATA IN TRANSIT WITH SECURE PROTOCOLS SUCH AS TLS WITH PERFECT FORWARD SECRECY (PFS) CIPHERS, CIPHER PRIORITIZATION BY THE SERVER, AND SECURE PARAMETERS. • ENFORCE ENCRYPTION USING DIRECTIVES LIKE HTTP STRICT TRANSPORT SECURITY (HSTS).
  • 11. XML EXTERNAL ENTITY INJECTION IS ALSO KNOWN AS XXE IS AN ATTACK BASED ON SERVER-SIDE REQUEST FORGERY (SSRF). XXE ATTACK MANIPULATES A RARELY USED FEATURE OF XML PARSERS TO DO DENIAL OF SERVICE ATTACKS, GAIN ACCESS TO LOCAL AND REMOTE CONTENT AND SERVICES AND REMOTE CODE EXECUTION. THERE ARE TWO TYPES OF XXE ATTACKS AS IN-BAND AND OUT-OF-BAND. AN ATTACKER SENDS MALICIOUS DATA LOOKUP VALUES ASKING THE SITE, DEVICE, OR APP TO REQUEST AND DISPLAY DATA FROM A LOCAL FILE. IF A DEVELOPER USES A COMMON OR DEFAULT FILENAME IN A COMMON LOCATION, AN ATTACKER’S JOB IS EASY.
  • 12. • THE APPLICATION ACCEPTS XML DIRECTLY OR XML UPLOADS, ESPECIALLY FROM UNTRUSTED SOURCES, OR INSERTS UNTRUSTED DATA INTO XML DOCUMENTS, WHICH IS THEN PARSED BY AN XML PROCESSOR. • ANY OF THE XML PROCESSORS IN THE APPLICATION OR SOAP BASED WEB SERVICES HAS DOCUMENT TYPE DEFINITIONS (DTDS) ENABLED. • IF YOUR APPLICATION USES SAML FOR IDENTITY PROCESSING WITHIN FEDERATED SECURITY OR SINGLE SIGN ON (SSO) PURPOSES. SAML USES XML FOR IDENTITY ASSERTIONS, AND MAY BE VULNERABLE. • IF THE APPLICATION USES SOAP PRIOR TO VERSION 1.2, IT IS LIKELY SUSCEPTIBLE TO XXE ATTACKS IF XML ENTITIES ARE BEING PASSED TO THE SOAP FRAMEWORK.
  • 13. • WHENEVER POSSIBLE, USE LESS COMPLEX DATA FORMATS SUCH AS JSON, AND AVOID SERIALIZATION OF SENSITIVE DATA. • PATCH OR UPGRADE ALL XML PROCESSORS AND LIBRARIES IN USE BY THE APPLICATION OR ON THE UNDERLYING OPERATING SYSTEM. • USE DEPENDENCY CHECKERS (UPDATE SOAP TO SOAP 1.2 OR HIGHER). • DISABLE XML EXTERNAL ENTITY AND DTD PROCESSING IN ALL XML PARSERS IN THE APPLICATION, AS PER THE OWASP CHEAT SHEET ‘XXE PREVENTION’. • IMPLEMENT POSITIVE (“WHITELISTING”) SERVER-SIDE INPUT VALIDATION, FILTERING, OR SANITIZATION TO PREVENT HOSTILE DATA WITHIN XML DOCUMENTS, HEADERS, OR NODES. • VERIFY THAT XML OR XSL FILE UPLOAD FUNCTIONALITY VALIDATES INCOMING XML USING XSD VALIDATION OR SIMILAR. • SAST TOOLS CAN HELP DETECT XXE IN SOURCE CODE – ALTHOUGH MANUAL CODE REVIEW IS THE BEST ALTERNATIVE IN LARGE, COMPLEX APPLICATIONS WITH MANY INTEGRATIONS.
  • 14. ACCESS CONTROL IS THERE TO RESTRICT ACCESS ON DATA AND FUNCTIONS FOR UNWANTED PARTIES. IF ACCESS CONTROL IS NOT IMPLEMENTED PROPERLY IT WILL LEAD TO BROKEN ACCESS CONTROL WHICH ALLOWS ATTACKERS TO EXPLOIT VULNERABILITY TO ACCESS UNAUTHORIZED CRITICAL DATA AND FUNCTIONS. SOMETIMES, GAINING UNAUTHORIZED ACCESS IS AS SIMPLE AS MANUALLY ENTERING AN UNLINKED URL IN A BROWSER, SUCH AS, HTTP://EXAMPLE.COM/ADMIN..
  • 15. • BYPASSING ACCESS CONTROL CHECKS BY MODIFYING THE URL, INTERNAL APPLICATION STATE, OR THE HTML PAGE, OR SIMPLY USING A CUSTOM API ATTACK TOOL • ALLOWING THE PRIMARY KEY TO BE CHANGED TO ANOTHER'S USERS RECORD, PERMITTING VIEWING OR EDITING SOMEONE ELSE'S ACCOUNT. • ELEVATION OF PRIVILEGE. ACTING AS A USER WITHOUT BEING LOGGED IN, OR ACTING AS AN ADMIN WHEN LOGGED IN AS A USER. • METADATA MANIPULATION, SUCH AS REPLAYING OR TAMPERING WITH A JSON WEB TOKEN (JWT) ACCESS CONTROL TOKEN OR A COOKIE OR HIDDEN FIELD MANIPULATED TO ELEVATE PRIVILEGES, OR ABUSING JWT INVALIDATION • CORS MISCONFIGURATION ALLOWS UNAUTHORIZED API ACCESS. • FORCE BROWSING TO AUTHENTICATED PAGES AS AN UNAUTHENTICATED USER OR TO PRIVILEGED PAGES AS A STANDARD USER. ACCESSING API WITH MISSING ACCESS CONTROLS FOR POST, PUT AND DELETE.
  • 16. • WITH THE EXCEPTION OF PUBLIC RESOURCES, DENY BY DEFAULT. • IMPLEMENT ACCESS CONTROL MECHANISMS ONCE AND RE-USE THEM THROUGHOUT THE APPLICATION, INCLUDING MINIMIZING CORS USAGE. • MODEL ACCESS CONTROLS SHOULD ENFORCE RECORD OWNERSHIP, RATHER THAN ACCEPTING THAT THE USER CAN CREATE, READ, UPDATE, OR DELETE ANY RECORD. • UNIQUE APPLICATION BUSINESS LIMIT REQUIREMENTS SHOULD BE ENFORCED BY DOMAIN MODELS. • DISABLE WEB SERVER DIRECTORY LISTING AND ENSURE FILE METADATA (E.G. .GIT) AND BACKUP FILES ARE NOT PRESENT WITHIN WEB ROOTS. • LOG ACCESS CONTROL FAILURES, ALERT ADMINS WHEN APPROPRIATE (E.G. REPEATED FAILURES). • RATE LIMIT API AND CONTROLLER ACCESS TO MINIMIZE THE HARM FROM AUTOMATED ATTACK TOOLING. • JWT TOKENS SHOULD BE INVALIDATED ON THE SERVER AFTER LOGOUT.
  • 17. SECURITY MISCONFIGURATION IS THE MOST COMMON VULNERABILITY ON THE LIST, AND IS OFTEN THE RESULT OF USING DEFAULT CONFIGURATIONS OR DISPLAYING EXCESSIVELY VERBOSE ERRORS. FOR INSTANCE, AN APPLICATION COULD SHOW A USER OVERLY-DESCRIPTIVE ERRORS WHICH MAY REVEAL VULNERABILITIES IN THE APPLICATION. THIS CAN BE MITIGATED BY REMOVING ANY UNUSED FEATURES IN THE CODE AND ENSURING THAT ERROR MESSAGES ARE MORE GENERAL. PEOPLE GET BUSY, THINGS GET MISSED, PRIORITIZATION DECISIONS ARE MADE. AND VULNERABILITIES ARE LEFT UNCHECKED.
  • 18. • UNNECESSARY FEATURES ARE ENABLED OR INSTALLED (E.G. UNNECESSARY PORTS, SERVICES, PAGES, ACCOUNTS, OR PRIVILEGES) • ERROR HANDLING REVEALS STACK TRACES OR OTHER OVERLY INFORMATIVE ERROR MESSAGES TO USERS. • THE SERVER DOES NOT SEND SECURITY HEADERS OR DIRECTIVES OR THEY ARE NOT SET TO SECURE VALUES. • DEFAULT ACCOUNTS AND THEIR PASSWORDS STILL ENABLED AND UNCHANGED. • FOR UPGRADED SYSTEMS, LATEST SECURITY FEATURES ARE DISABLED OR NOT CONFIGURED SECURELY.
  • 19. • A MINIMAL PLATFORM WITHOUT ANY UNNECESSARY FEATURES, COMPONENTS, DOCUMENTATION, AND SAMPLES. • REMOVE OR DO NOT INSTALL UNUSED FEATURES AND FRAMEWORKS. • AN AUTOMATED PROCESS TO VERIFY THE EFFECTIVENESS OF THE CONFIGURATIONS AND SETTINGS IN ALL ENVIRONMENTS. . • AN AUTOMATED PROCESS TO VERIFY THE EFFECTIVENESS OF THE CONFIGURATIONS AND SETTINGS IN ALL ENVIRONMENTS.
  • 20. CROSS-SITE SCRIPTING VULNERABILITIES OCCUR WHEN WEB APPLICATIONS ALLOW USERS TO ADD CUSTOM CODE INTO A URL PATH OR ONTO A WEBSITE THAT WILL BE SEEN BY OTHER USERS. THIS VULNERABILITY CAN BE EXPLOITED TO RUN MALICIOUS JAVASCRIPT CODE ON A VICTIM’S BROWSER. WHEN A WEB PAGE OR APP UTILIZES USER-ENTERED CONTENT AS PART OF A RESULTING PAGE WITHOUT CHECKING FOR BAD STUFF, A MALICIOUS USER COULD ENTER CONTENT THAT INCLUDES HTML ENTITIES.
  • 21. THERE ARE THREE FORMS OF XSS , • REFLECTED XSS: AN XSS ALLOWS AN ATTACKER TO INJECT A SCRIPT INTO THE CONTENT OF A WEBSITE OR APP. WHEN A USER VISITS THE INFECTED PAGE, THE SCRIPT WILL EXECUTE IN THE VICTIM’S BROWSER. THIS ALLOWS ATTACKERS TO STEAL PRIVATE INFORMATION LIKE COOKIES, ACCOUNT INFORMATION, OR TO PERFORM CUSTOM OPERATIONS WHILE IMPERSONATING THE VICTIM’S IDENTITY. • STORES XSS: THE MOST DANGEROUS TYPE OF XSS INJECTION, REQUIRES SERVER SIDE INTERPRETATION OF THE QUERY .IT OCCURS WHEN THE DATA PROVIDED BY THE ATTACKER IS SAVED BY THE SERVER. • DOM XSS: APPEARS IN THE DOM (DOCUMENT OBJECT MODEL) INSTEAD OF PART OF THE HTML. DOM BASED CROSS-SITE SCRIPTING, THE HTML SOURCE CODE AND RESPONSE OF THE ATTACK WILL BE EXACTLY THE SAME, THEREFOR THE PAYLOAD CANNOT BE FOUND IN THE RESPONSE. IT CAN ONLY BE OBSERVED ON RUNTIME OR BY INVESTIGATING THE DOM OF THE PAGE.
  • 22. • TAKING THE DATA AN APPLICATION HAS RECEIVED AND ENSURING IT’S SECURE BEFORE RENDERING IT FOR THE END USER. • BY ESCAPING USER INPUT, KEY CHARACTERS IN THE DATA RECEIVED BY A WEB PAGE WILL BE PREVENTED FROM BEING INTERPRETED IN ANY MALICIOUS WAY • ENSURING AN APPLICATION IS RENDERING THE CORRECT DATA AND PREVENTING MALICIOUS DATA FROM DOING HARM TO THE SITE, DATABASE, AND USERS. • WHILE WHITELISTING AND INPUT VALIDATION ARE MORE COMMONLY ASSOCIATED WITH SQL INJECTION, THEY CAN ALSO BE USED AS AN ADDITIONAL METHOD OF PREVENTION FOR XSS • SANITIZING DATA IS A STRONG DEFENSE, BUT SHOULD NOT BE USED ALONE TO BATTLE XSS ATTACKS.
  • 23. DESERIALIZED DATA CAN BE MODIFIED TO INCLUDE MALICIOUS CODE, WHICH IS LIKELY TO CAUSE ISSUES IF THE APPLICATION DOES NOT VERIFY THE DATA’S SOURCE OR CONTENTS BEFORE DESERIALIZATION. ATTACKERS CAN BUILD ILLEGITIMATE OBJECTS THAT EXECUTE COMMANDS WITHIN AN INFECTED APPLICATION . BEFORE DATA IS STORED OR TRANSMITTED, THE BITS ARE OFTEN SERIALIZED SO THAT THEY CAN BE LATER RESTORED TO THE DATA’S ORIGINAL STRUCTURE. REASSEMBLING A SERIES OF BITS BACK INTO A FILE OR OBJECT IS CALLED DESERIALIZATION.
  • 24. • IT IS HARD TO DETECT ATTACKS CAUSED BY INSECURE DESERIALIZATION SINCE THE PROCESS OF DESERIALIZATION USES COMMON CODE LIBRARIES FOUND IN WEB DEVELOPMENT. • HOWEVER, SOME WAYS TO HELP IDENTIFY INSECURE DESERIALIZATION INCLUDE • CHECK DESERIALIZATIONS TO SEE IF THE DATA IS CORRECTLY HANDLED AS USER INPUT INSTEAD OF TRUSTED INTERNAL DATA. • CHECK DESERIALIZATIONS TO ENSURE THE DATA IS WHAT IT IS SUPPOSED TO BE BEFORE BEING USED. • RUN SECURITY SCANS REGULARLY. • USE A MONITORING TOOL SUCH AS DETECTIFY OR THREAT STACK TO MONITOR DESERIALIZATIONS AND SET NOTIFICATIONS FOR COMMON VULNERABLE COMPONENTS.
  • 25. • WAYS TO AVOID INSECURE DESERIALIZATION INCLUDE: • MONITORING THE DESERIALIZATION PROCESS. • ENCRYPTING SERIALIZATION PROCESSES. • NOT ACCEPTING SERIALIZED OBJECTS FROM UNKNOWN OR UNTRUSTED SOURCES. • RUNNING THE DESERIALIZATION CODE WITH LIMITED ACCESS PERMISSIONS. • USING A FIREWALL WHICH CAN HELP DETECT INSECURE DESERIALIZATION.
  • 26. MANY MODERN WEB DEVELOPERS USE COMPONENTS SUCH AS LIBRARIES AND FRAMEWORKS IN THEIR WEB APPLICATIONS. THESE COMPONENTS ARE PIECES OF SOFTWARE THAT HELP DEVELOPERS AVOID REDUNDANT WORK AND PROVIDE NEEDED FUNCTIONALITY; COMMON EXAMPLE INCLUDE FRONT-END FRAMEWORKS LIKE REACT AND SMALLER LIBRARIES THAT USED TO ADD SHARE ICONS OR A/B TESTING. SOME ATTACKERS LOOK FOR VULNERABILITIES IN THESE COMPONENTS WHICH THEY CAN THEN USE TO ORCHESTRATE ATTACKS.
  • 27. • IF SOFTWARE IS VULNERABLE, UNSUPPORTED, OR OUT OF DATE. THIS INCLUDES THE OS, WEB/APPLICATION SERVER, DATABASE MANAGEMENT SYSTEM (DBMS), APPLICATIONS, AND ALL COMPONENTS, RUNTIME ENVIRONMENTS, AND LIBRARIES. • IF YOU DO NOT SCAN FOR VULNERABILITIES REGULARLY AND SUBSCRIBE TO SECURITY BULLETINS RELATED TO THE COMPONENTS YOU USE. • IF SOFTWARE DEVELOPERS DO NOT TEST THE COMPATIBILITY OF UPDATED, UPGRADED, OR PATCHED LIBRARIES • IF YOU DO NOT FIX OR UPGRADE THE UNDERLYING PLATFORM, FRAMEWORKS, AND DEPENDENCIES IN A RISK-BASED, TIMELY FASHION.
  • 28. • REMOVE UNUSED DEPENDENCIES, UNNECESSARY FEATURES, COMPONENTS, FILES, AND DOCUMENTATION. • CONTINUOUSLY INVENTORY THE VERSIONS OF BOTH CLIENT-SIDE AND SERVER-SIDE COMPONENTS (E.G. FRAMEWORKS, LIBRARIES). • ONLY OBTAIN COMPONENTS FROM OFFICIAL SOURCES OVER SECURE LINKS. • MONITOR FOR LIBRARIES AND COMPONENTS THAT ARE UNMAINTAINED OR DO NOT CREATE SECURITY PATCHES FOR OLDER VERSIONS.
  • 29. MANY WEB APPLICATIONS ARE NOT TAKING ENOUGH STEPS TO DETECT DATA BREACHES. THE AVERAGE DISCOVERY TIME FOR A BREACH IS AROUND 200 DAYS AFTER IT HAS HAPPENED. THIS GIVES ATTACKERS A LOT OF TIME TO CAUSE DAMAGE BEFORE THERE IS ANY RESPONSE. OWASP RECOMMENDS THAT WEB DEVELOPERS SHOULD IMPLEMENT LOGGING AND MONITORING AS WELL AS INCIDENT RESPONSE PLANS TO ENSURE THAT THEY ARE MADE AWARE OF ATTACKS ON THEIR APPLICATIONS.
  • 30. • AUDITABLE EVENTS, SUCH AS LOGINS, FAILED LOGINS, AND HIGH-VALUE TRANSACTIONS ARE NOT LOGGED. • LOGS ARE ONLY STORED LOCALLY. • THE APPLICATION IS UNABLE TO DETECT, ESCALATE, OR ALERT FOR ACTIVE ATTACKS IN REAL TIME OR NEAR REAL TIME. • WARNINGS AND ERRORS GENERATE NO, INADEQUATE, OR UNCLEAR LOG MESSAGES
  • 31. • ENSURE THAT LOGS ARE GENERATED IN A FORMAT THAT CAN BE EASILY CONSUMED BY A CENTRALIZED LOG MANAGEMENT SOLUTIONS. • ESTABLISH EFFECTIVE MONITORING AND ALERTING SUCH THAT SUSPICIOUS ACTIVITIES ARE DETECTED AND RESPONDED TO IN A TIMELY FASHION. • ENSURE ALL LOGIN, ACCESS CONTROL FAILURES, AND SERVER-SIDE INPUT VALIDATION FAILURES CAN BE LOGGED WITH SUFFICIENT USER CONTEXT TO IDENTIFY SUSPICIOUS OR MALICIOUS ACCOUNTS