SDLC (Software Development Lifecycle)
• Security Frameworks
• Standards & Guidelines
• Threat Modeling
• Vulnerability Management
• Risk rating
• Static analysis
• Dynamic Analysis
Definition: Security
Security is anything we do to protect an asset that is vulnerable to some threats.
Definition: Security terms
1. Assets:
• Hold value
• Produce value
• Provide access to value
2. Vulnerable: Weakness in an asset that makes it susceptible to attack or failure.
3. Threats: Reduce the value of an asset
• Intentional: Attacks => DDoS, Injection, RCE
• Non-intentional: Errors or bugs
Security Goals
• Confidentiality: Information is only available to those who have access.
• Integrity: Data is known to be correct and trusted.
• Availability: Information is available to legitimate users when it is needed.
Security Principles
• Complete mediation: every access to an object is checked to ensure it is allowed (authorization).
• Open design: do not rely on security through obscurity. For example, hiding the house key underneath a rock is not secure.
• Least CM: Make the security-critical component common, so that if required it can be maintained quickly.
• Least CM: Make security easy and approachable. If it is difficult, users try to find alternatives.
• Work factor: The effort required to break the security should be higher than the value of the asset being targeted.
• Compromise recording: Record everything logs,
OWASP Top 10
OWASP Top 10: Injection
Definition: Allowing attackers to manipulate the inputs due to inadequate validation and sanitization.
Types:
• Queries
• OS commands
• HTTP redirects
How does it happen?
• Trusting user input
• No sanitization of data
• No separation of untrusted data from the query or command
Potential impact
• Steal data from the database
• Access PII/PHI/PCI data
• Remove data from the DB
1: SQL Injection example
Username: foo' OR 'A'='A'#
Password:
Login
SQL Statement: ("SELECT first, last, admin FROM users WHERE uname='$uname' AND pword='$pword' AND state=1")
Do I need a password?
1: SQL Injection prevention
• Parameterized queries/prepared statements
• Parameter sanitization (allow lists / white lists) in conjunction with parameterized queries
• Using accounts with the least privilege possible

PreparedStatement stmt = connection.prepareStatement(
    "SELECT * FROM users WHERE userid = ? AND password = ?"
);
stmt.setString(1, userid);
stmt.setString(2, password);
ResultSet rs = stmt.executeQuery();
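The two login queries side by side, as an added example that is not from the slides: the concatenated form from the SQL injection slide, the parameterized form the prevention slide recommends, and an allow-list check layered in front of it. Python's sqlite3 module is assumed instead of the slide's Java/JDBC, and the users table is constructed sample data. The slide's payload ends in `#`, which is MySQL comment syntax; SQLite uses `--`, so the example uses that.

```python
import re
import sqlite3

# Allow list for usernames (assumed policy): letters, digits, '_', '.', '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_db():
    """Constructed sample data standing in for the slide's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (first TEXT, last TEXT, admin INTEGER, "
        "uname TEXT, pword TEXT, state INTEGER)"
    )
    # Plaintext passwords only because the slide's query compares pword directly;
    # real code stores a salted hash and compares against that.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
        [("Ada", "Lovelace", 1, "ada", "correct-horse", 1),
         ("Bob", "Builder", 0, "bob", "hunter2", 1)],
    )
    return conn


def login_vulnerable(conn, uname, pword):
    """The slide's pattern: user input spliced straight into the SQL text."""
    sql = (f"SELECT first, last, admin FROM users WHERE uname='{uname}' "
           f"AND pword='{pword}' AND state=1")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, uname, pword):
    """Placeholders: the driver passes values separately, so a quote in the
    input stays data and never changes the structure of the query."""
    sql = ("SELECT first, last, admin FROM users "
           "WHERE uname=? AND pword=? AND state=1")
    return conn.execute(sql, (uname, pword)).fetchall()


def is_valid_username(uname):
    """Allow-list check used in addition to parameterization, as the slide
    recommends; it rejects the payload before it reaches the database."""
    return USERNAME_RE.fullmatch(uname) is not None


def login(conn, uname, pword):
    """Hardened login: allow list first, then the parameterized query."""
    if not is_valid_username(uname):
        return []
    return login_parameterized(conn, uname, pword)


if __name__ == "__main__":
    db = build_db()
    payload = "foo' OR 'A'='A'--"  # the slide's payload with SQLite comment syntax
    print("vulnerable:    ", login_vulnerable(db, payload, "anything"))
    print("parameterized: ", login_parameterized(db, payload, "anything"))
    print("hardened:      ", login(db, "ada", "correct-horse"))
```

Run against the constructed table, the concatenated query returns every active user for the payload (the `--` comments out the password and state checks), while the parameterized query treats the whole payload as a literal username and returns nothing.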
2: Broken authentication
Application functions related to authentication and session
management are often not implemented correctly, allowing attackers
to compromise passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users’ identities. – OWASP
2: Broken authentication
How can authentication be broken?
• Missing authentication
• Shared/bookmarked URLs
• Poor credential strength
• Well-known credentials
• Poor credential handling/management/storage
  • Username/password as a query parameter or stored in plain text
• Poor account recovery practices
  • Secret questions with answers that can easily be socially engineered
• Unlimited attempts & attacks
  • Dictionary attacks, brute-force attacks, phishing
2: Broken authentication prevention
How can broken authentication be prevented?
• Don't build your authentication mechanism on your own.
• Encryption at rest and SSL/TLS in transit.
• Implement captcha and API rate limits against DDoS and brute-force attacks.
• Rotate the keys used to sign sessions or cookies.
• Implement MFA.
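An added example, not from the slides, covering two of the prevention bullets above: credentials stored as a salted PBKDF2 hash rather than in plain text, and a per-account limit on failed attempts that locks the account for a while, which blunts dictionary and brute-force attacks. Python's hashlib is assumed; the threshold, lockout window and iteration count are assumed policy values, and the injectable clock exists so the lockout can be tested without waiting.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5             # assumed policy values, not from the slide
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000  # kept modest for the demo; OWASP's current guidance is 600,000

# Dummy record hashed against when the username is unknown, so a wrong
# username costs the same time as a wrong password (no username enumeration).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock         # injectable clock for deterministic tests
        self._users = {}           # username -> (salt, digest); never the password
        self._failures = {}        # username -> consecutive failed attempts
        self._locked_until = {}    # username -> unix time the lock expires

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"
        salt, stored = self._users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        _, candidate = hash_password(password, salt)
        # Constant-time compare; the dummy record can never authenticate anyone.
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = count
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct-horse-battery")
    print(auth.login("alice", "wrong"))                  # denied
    print(auth.login("alice", "correct-horse-battery"))  # ok
```

Locking per account is the simplest form; production systems usually combine it with per-source-IP rate limits and a captcha step so that an attacker cannot use the lockout itself to deny service to legitimate users.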
3: Sensitive data exposure
Breach of confidentiality: a breach of data which should otherwise have been protected.
• PHI (Protected Health Information)
  Names, dates, SSN, biometrics
• PII (Personally Identifiable Information)
  Name, address, vehicle information, driver's license, DOB
• Sensitive Financial Information
  Credit/debit card numbers, account numbers, loan agreements
3: Sensitive data exposure
Causes
• Sensitive data logged to files
• Plaintext data storage in the database
• Memory leaks in the code itself
• Insecure object access
Preventions
• Data masking & anonymization
• Encryption and hashing
• Access controls
• Protecting data in motion (PGP & SSL/TLS)
• Protecting data at rest
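Data masking and anonymization applied to the first cause on the list, sensitive data written to log files, as an added example that is not from the slides. It is written in Python (assumed); the log lines, the card number (a well-known test number) and the pseudonymization key are all constructed for the demo. Card numbers are masked to their last four digits only when they pass the Luhn check, SSNs are masked, and e-mail addresses are replaced by a keyed hash so that events for one user can still be correlated without the address being recoverable from the log.

```python
import hashlib
import hmac
import re

# Constructed key for the demo; in production it comes from a secret store and is rotated.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")      # 16-digit PAN, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed log lines of the kind the slide warns about.
LOG_LINES = [
    "2024-05-01T10:00:00Z INFO checkout user=alice@example.com card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01T10:00:05Z WARN kyc user=bob@example.com ssn=123-45-6789",
    "2024-05-01T10:00:09Z INFO order id=1234567890123 status=shipped",
]


def luhn_valid(digits):
    """Luhn checksum, so ordinary 16-digit identifiers are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(raw):
    """Masking: keep only the last four digits, the usual PCI display form."""
    digits = re.sub(r"[ -]", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(raw):
    return "***-**-" + raw[-4:]


def pseudonymize_email(email):
    """Anonymization via keyed hash: stable per user, not reversible without the key."""
    tag = hmac.new(PSEUDONYM_KEY, email.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"pseudo:{tag}"


def scrub(line):
    """Apply all three transformations to one log line."""
    def card_repl(m):
        raw = m.group(0)
        return mask_card(raw) if luhn_valid(re.sub(r"[ -]", "", raw)) else raw

    line = CARD_RE.sub(card_repl, line)
    line = SSN_RE.sub(lambda m: mask_ssn(m.group(0)), line)
    line = EMAIL_RE.sub(lambda m: pseudonymize_email(m.group(0)), line)
    return line


def scrub_lines(lines):
    return [scrub(line) for line in lines]


if __name__ == "__main__":
    for out in scrub_lines(LOG_LINES):
        print(out)
```

The scrubber belongs in the logging pipeline itself (a formatter or log-shipper filter), not in each call site, so that a developer who logs a request object by accident is still covered.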
5: Broken access control
Broken access control means broken authorization.
• Authentication: Validates the identity. Who are you?
• Authorization: Validates the access for an identity. What can you access?
• Access control enforces policy such that users cannot act outside of their intended permissions.
• Failures typically lead to unauthorized information disclosure, modification or destruction of data, or elevated access.
Causes: Lack of functional testing, CORS misconfiguration.
Impact: Provides elevated access as admin, which can modify the records.
Prevention:
Fail-safe defaults, proper CORS configuration, disable web server directory listing, rate-limit APIs, invalidate JWTs after use.
Session management
HTTP is a stateless protocol.
A web session is a sequence of HTTP request and response transactions associated with the same user. It is basically done through cookies.
Session fixation
Session management
Poor session management
• Guessable session IDs
• Not destroying the session when it is over
• Reusing sessions
• Exposing sessions
Session management best practices
• Automatically end/expire the session after inactivity
• Don't allow long-lived sessions
• Generate non-guessable session IDs
• Don't re-use session IDs
Cookie settings:
• Mark the session cookie as Secure (prevents sniffing)
• Mark the session cookie as HttpOnly (prevents XSS from reading it)
• Avoid setting values for Max-Age and Expires
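The best practices and cookie settings above as a small in-memory session store, added here as an example that is not from the slides. Python is assumed; the idle timeout and absolute lifetime are assumed policy values, and SameSite is an extra cookie attribute not mentioned on the slide. IDs come from a CSPRNG, a session expires after inactivity and after an absolute lifetime, and rotate() issues a fresh ID on login so the ID a user arrived with (the session fixation case) is never kept.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed policy values
ABSOLUTE_LIFETIME = 8 * 60 * 60


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self._sessions = {}         # sid -> {"user", "created", "last_seen"}

    def create(self, user):
        # 32 random bytes from the OS CSPRNG: not guessable, not sequential.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, expiring it if stale."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_LIFETIME):
            self.destroy(sid)
            return None
        session["last_seen"] = now
        return session["user"]

    def destroy(self, sid):
        """Logout: the ID is never valid again, so it cannot be re-used."""
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """On login or privilege change: new ID, old one retired (defeats fixation)."""
        user = self.lookup(sid)
        if user is None:
            return None
        self.destroy(sid)
        return self.create(user)


def session_cookie_header(sid):
    """Secure + HttpOnly, and no Max-Age/Expires so the browser drops it on close."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print(store.lookup(sid))  # alice
```

Expiry is checked on lookup rather than by a background sweeper, which is enough for correctness; a real deployment would also sweep the store so that abandoned sessions do not accumulate.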
JSON Web Token (JWT)
JWT is an open standard that defines a compact and self-contained way of securely transmitting information between parties as a JSON object.
Use Cases:
1) Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request includes the JWT, allowing the user to access the routes, services and resources that are permitted with that token.
2) Information Exchange: A good way of securely transmitting information between parties.
Signed tokens: confirm that the senders are who they say they are.
Hashed: verifies that the content hasn't been tampered with.
How JWT works?
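How a signed JWT works, as an added example that is not from the slides: a minimal HS256 issuer and verifier in Python (assumed) using only the standard library. The key and claims are constructed. The verifier shows the two checks the "signed" and "hashed" bullets above rely on: the HMAC over header and payload must match, so any edited claim is rejected, and the algorithm is pinned to the one the issuer uses, so a token that declares `alg: none` is refused before any signature logic runs.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Issue header.payload.signature with HMAC-SHA256 over the encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, encoded.encode(), hashlib.sha256).digest()
    return encoded + "." + _b64url_encode(signature)


def verify_jwt(token, key, now=None):
    """Return the claims if the token is genuine and unexpired, otherwise None."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: "none" or anything else we did not issue is refused.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # wrong part count, bad base64/JSON, odd header
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; real keys are long and random
    token = sign_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 3600}, key)
    print(token)
    print(verify_jwt(token, key))
```

A symmetric HS256 key means every party that verifies tokens can also mint them; where verifiers are less trusted than the issuer, an asymmetric algorithm (RS256/ES256) with only the public key distributed is the usual choice.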
OAuth & OpenID
OAuth:
Open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites without giving them the passwords.
OpenID:
OpenID allows us to use an existing account to sign into multiple websites without needing to create new passwords.
Example: Google SSO.
OAuth & OpenID
https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=424911365001.apps.googleusercontent.com&
  scope=openid%20email&
  redirect_uri=https%3A//oauth2.example.com/code&
  state=security_token%3D138r5719ru3e1%26url%3Dhttps%3A%2F%2Foauth2-login-demo.example.com%2FmyHome&
  login_hint=jsmith@example.com&
  nonce=0394852-3190485-2490358&
  hd=example.com
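The client side of the authorization request above, as an added example that is not from the slides: building the URL with the same endpoint, client_id, scope and redirect_uri values shown, and then checking the two anti-forgery parameters when the browser comes back. Python (assumed) standard library only; the callback URLs in the usage are constructed. `state` is generated per request and must come back unchanged (and only once), which stops a forged callback from binding someone else's code to the user's session; `nonce` is stored alongside it and must appear in the ID token the client later receives.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the slide's example request.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "424911365001.apps.googleusercontent.com"
REDIRECT_URI = "https://oauth2.example.com/code"
SCOPE = "openid email"


class AuthRequestTracker:
    """Tracks outstanding authorization requests for one user agent."""

    def __init__(self):
        self._pending = {}  # state -> nonce

    def build_authorization_url(self, login_hint=None):
        state = secrets.token_urlsafe(24)   # unguessable, one per request
        nonce = secrets.token_urlsafe(24)   # bound into the ID token by the provider
        self._pending[state] = nonce
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "scope": SCOPE,
            "redirect_uri": REDIRECT_URI,
            "state": state,
            "nonce": nonce,
        }
        if login_hint:
            params["login_hint"] = login_hint
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Validate the redirect back to us. Returns the code and the nonce the
        ID token must carry, or None if the callback is not one we started."""
        query = parse_qs(urlparse(callback_url).query)
        if "error" in query or "code" not in query:
            return None
        state = query.get("state", [None])[0]
        nonce = self._pending.pop(state, None)   # one-time use: a replay fails
        if nonce is None:
            return None
        return {"code": query["code"][0], "expected_nonce": nonce}

    @staticmethod
    def nonce_matches(expected_nonce, id_token_claims):
        """Check the nonce claim of the (already signature-verified) ID token."""
        return hmac.compare_digest(expected_nonce, id_token_claims.get("nonce", ""))


if __name__ == "__main__":
    tracker = AuthRequestTracker()
    url = tracker.build_authorization_url(login_hint="jsmith@example.com")
    print(url)
    state = parse_qs(urlparse(url).query)["state"][0]
    # Constructed callback as the browser would deliver it after consent.
    print(tracker.handle_callback(f"{REDIRECT_URI}?code=4/constructed-code&state={state}"))
```

The pending map is keyed by the user's own session, so a `state` minted for one browser cannot be completed from another; in a real application it lives in the server-side session rather than in a process-wide object.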
Risk rating & Threat modeling
Risk Rating
Process of assessing the risks involved in the daily activities of a business and classifying them (low, medium, high risk) on the basis of the impact on the business.
Risk = Likelihood * Impact
Steps in Risk rating
1. Identify the risk
2. Factors for estimating likelihood
3. Factors for estimating impact
4. Determine the severity of the risk
5. Decide what to fix
Factors: Risk rating
Factors
Threat agents:
• Skill level
• Motive
• Opportunity
• Size
Vulnerability:
• Ease of discovery
• Ease of exploit
• Awareness
• Intrusion detection
Impacts: Risk rating
Impacts
Technical impacts:
• Loss of confidentiality
• Loss of integrity
• Loss of availability
• Loss of accountability
Business impacts:
• Financial damage
• Reputation damage
• Non-compliance
• Privacy violation
Severity: Risk rating
Severity
Informal: Sit round the table and decide the severity.
Repeatable:
• Rate each of the factors
• Calculate the severity
Example: Risk rating
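The repeatable form of the severity step as code, added here as an example that is not from the slides. Python is assumed. It uses the eight likelihood factors and eight impact factors listed on the preceding slides, rated 0-9 each, and goes beyond the slide's `Risk = Likelihood * Impact` formula by also applying the OWASP Risk Rating Methodology's bucketing (below 3 LOW, below 6 MEDIUM, otherwise HIGH) and its severity matrix; the two findings and their factor scores are constructed.

```python
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# OWASP severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}
SEVERITY_ORDER = ("Note", "Low", "Medium", "High", "Critical")


def level(score):
    """Bucket a 0-9 score the way the OWASP methodology does."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, names):
    values = [factors[name] for name in names]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must be 0-9")
    return sum(values) / len(values)


def rate(factors):
    """Rate one finding: likelihood and impact as averages, severity from the matrix."""
    likelihood = average(factors, THREAT_AGENT + VULNERABILITY)
    technical = average(factors, TECHNICAL)
    # OWASP: use business impact when it is known, technical impact otherwise.
    impact = average(factors, BUSINESS) if all(n in factors for n in BUSINESS) else technical
    return {
        "likelihood": likelihood,
        "impact": impact,
        "likelihood_level": level(likelihood),
        "impact_level": level(impact),
        "score": likelihood * impact,          # the slide's Risk = Likelihood * Impact
        "severity": SEVERITY[(level(impact), level(likelihood))],
    }


def prioritize(findings):
    """'Deciding what to fix': highest severity first, numeric score as tie-breaker."""
    rated = {name: rate(f) for name, f in findings.items()}
    return sorted(
        rated,
        key=lambda n: (SEVERITY_ORDER.index(rated[n]["severity"]), rated[n]["score"]),
        reverse=True,
    )


# Constructed findings with constructed factor scores.
FINDINGS = {
    "sqli_in_login": {
        "skill_level": 3, "motive": 4, "opportunity": 7, "size": 9,
        "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 6, "intrusion_detection": 8,
        "loss_of_confidentiality": 7, "loss_of_integrity": 7,
        "loss_of_availability": 1, "loss_of_accountability": 7,
        "financial_damage": 7, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
    },
    "verbose_errors_internal": {
        "skill_level": 5, "motive": 2, "opportunity": 3, "size": 2,
        "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3,
        "loss_of_confidentiality": 2, "loss_of_integrity": 1,
        "loss_of_availability": 1, "loss_of_accountability": 1,
        "financial_damage": 1, "reputation_damage": 1, "non_compliance": 1, "privacy_violation": 1,
    },
}

if __name__ == "__main__":
    for name in prioritize(FINDINGS):
        r = rate(FINDINGS[name])
        print(f"{name}: likelihood={r['likelihood']:.2f} impact={r['impact']:.2f} "
              f"score={r['score']:.2f} severity={r['severity']}")
```

Rating the factors is still a judgement call; what the repeatable form buys is that two reviewers who rate the same factors get the same severity, and that the rating can be re-run when a factor changes (for example intrusion detection improving from "not logged" to "logged and reviewed").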
Threat modeling
Definition
Threat modeling is an investigative technique for identifying the technical security risks/hazards of an application.
Threats:
Everything from hackers and malware to natural disasters and so on.
Types: Threat modeling (STRIDE)
1. Spoofing: One person masquerades as another.
Eg: using someone else's username and password.
Prevention: MFA
2. Tampering: Alteration of data in transit.
Prevention: hashing, signatures, checksums for verification
3. Repudiation: Denying the source of truth.
Prevention: Encryption and digital signatures
4. Information disclosure: CIA
Prevention: Encryption at rest and TLS in transit
5. Denial of service: Makes the service temporarily unavailable.
Prevention: Make it available, rate limits
6. Elevation of privilege: Access with high roles, gaining elevated access.
Prevention: Authorization
You shouldn't & Benefits: Threat modeling
You shouldn't assume you have a secure environment.
You shouldn't assume that compute, network, or storage resources are reliable.
You shouldn't assume your environment is correctly configured.
You shouldn't rely on your gut feelings.
Benefits
• Better understanding of the architecture
• Create reusable architecture models
• Inputs to other activities like risk management, code reviews, penetration testing.
Tools: Wiki, PPT, Visio, TM tool
Quantifying & Addressing: Threat modeling
Which of these is a bigger risk?


Editor's Notes

  1. When we are protecting CIA, we are also protecting availability.
  2. Work factor: for a system worth $500, an attacker will not buy tools worth $1500.
  3. Do not allow users to run queries directly on the host.
  4. Enabling Secure allows the cookie to be sent only over HTTPS. Enabling HttpOnly allows the cookie to be sent with HTTP requests but not accessed by script. Don't set Max-Age and Expires, so that the browser removes the cookie when it is closed; otherwise the cookie is treated as persistent.
  5. Hazards are potential harms, whereas risks are hazards in a harmful state.
  8. Stairs kill 1000 people/year, whereas a bear kills just a single person/year.