What do you think is one of the most important controls of the Top 10 OWASP 2021 controls? Why?
Define security requirements is the most important control and this is because for an application, security requirements lay the groundwork for tested security functionality. Standard security requirements enable developers to reuse the definition of security controls and best practices rather than having to develop a unique security strategy for every application. The same thoroughly examined security criteria offer remedies for previous security problems. To avoid the recurrence of previous security errors, requirements are necessary.
One of the most important controls is “Injection” prevention.
Injection attacks are one of the most common and devastating types of attacks that can occur in web applications. They occur when untrusted user input is interpreted as code by a web application, allowing an attacker to execute malicious commands on the server-side or to manipulate the database. Injection attacks can result in data loss, data corruption, unauthorized access, or even complete system compromise.
Preventing injection attacks is critical to the security of web applications, and implementing secure coding practices such as input validation, parameterized queries, and escaping untrusted data can go a long way in mitigating this threat. Without proper controls in place, injection attacks can easily bypass other security measures and compromise the entire application.
Therefore, protecting against injection attacks is critical to ensuring the security and integrity of web applications, making it one of the most important controls among the OWASP Top 10 2021.
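As an added example that is not part of the original thread, the three controls the post names (input validation, parameterized queries, keeping untrusted data out of the interpreter) side by side in Python with SQLite. The table, rows and the username rule are constructed here for illustration; the concatenated-string lookup is kept only to contrast with the parameterized one.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the original discussion).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the SQL interpreter parses user input as code.
    This is the pattern the post warns about; kept here only for contrast."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the driver binds the value as data, so quote
    characters in the input can never change the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Hypothetical allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Allow-list validation: reject anything outside the expected shape
    before it reaches the database layer at all."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn, username):
    """Layer both controls, as the post recommends: validate, then bind."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)
```

With the hostile-looking input `' OR '1'='1`, the concatenated query returns every row, the parameterized query returns none, and the defended lookup rejects the input before the query runs.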
Looking at this week’s reading on OWASP Top 10, which would you say is the most common web application security risk?
The current OWASP Top 10 suggests “Broken Access Control” to be the most common web application security risk. However, as per my experience with vulnerability reports for internet-facing applications, I would suggest “Injection” to be the most common security risk. If you compare the OWASP Top 10 2017 with 2021, “XSS” climbed from A07 to A03 and the “SQL Injection” security risk remained high, only dropping from A01 to A03.
The most common web application security risk from the OWASP Top 10 would be injection flaws, which occur when untrusted/invalid data is sent to a code interpreter by the attackers.
I think the most common is Broken Authentication. Based off the numerous case studies we have read in class, this seems to be one of the most common ways for an attack to occur.
Do you think application-level authentication is superior to operating system authentication? Why?
The choice between application-level authentication and operating system authentication depends on the specific use case and security requirements of the system in question.
Operating system authentication is a form of authentication that is provided by the underlying operating system. It typically involves the use of usernames and passwords or other authentication methods to verify the identity of users before granting access to the system. Operating system authentication is typically more robust and secure than application-level authentication, as it is often based on industry-standard authentication protocols and is implemented at the system level.
On the other hand, application-level authentication is authentication that is implemented at the application level. This means that the authentication mechanisms are built into the application itself, rather than being provided by the underlying operating system. Application-level authentication is often used in web applications, where users are required to enter a username and password to access the application.
The choice between these two forms of authentication depends on the specific needs of the system in question. If the system needs to enforce strong authentication requirements, such as multifactor authentication, or if it needs to integrate with external authentication systems, then operating system authentication may be the better option. However, if the system needs to provide user-friendly and seamless authentication, or if it needs to implement custom authentication logic, then application-level authentication may be the better option.
In summary, the choice between application-level authentication and operating system authentication depends on the specific security requirements of the system in question, and both have their own strengths and weaknesses.
Yes, I think application-level authentication is superior to operating system authentication because hackers have to find an exploit and also gain access to the server.
My experience with systems administration and application design suggests that operating system authentication is generally better than trying to do authentication inside application development. Windows and Linux have very robust authentication mechanisms and store the user data securely. That is very often not the case for one-off developer created solutions.
Superior to both would be dedicated IAM applications that are designed and tested specifically to handle secure user access. These applications can leverage both operating system level and application level tools along with incorporating multi-factor authentication.
What role do developers play in web application security, and how can they be empowered to develop more secure code?
Developers play a critical role in web application security. They are responsible for implementing the functionality of the application, including security measures that prevent unauthorized access, data breaches, and other security threats. Developers also need to ensure that the application is designed to handle inputs from users and external systems securely, and that sensitive data is encrypted and protected at all times.
The web developers are the key players in web application security. They are the ones who prevent security problems and close down web vulnerabilities once identified. The developers' empowerment to develop more secure source code would depend on the organization they work for and the structure of that business.
Application security developers focus on creating software that is designed to protect applications from security threats. They are responsible for identifying vulnerabilities in software and implementing security measures to protect against those vulnerabilities. Developers can be empowered to be the first line of defense in their organization by making security highly visible and providing them with the skills and tools to write secure code at the most efficient stage of the SDLC.
Developers can be provided with Web vulnerability scanners, such as Netsparker, and Acunetix, as well as source code analyzers, such as Veracode and CodeSonar to empower them to develop more secure code. Moreover, developers can be asked to take mandatory application security training.
What is extrusion prevention?
Extrusion detection and prevention revolves around preventing an infected system from spreading or gaining access to other systems. This will help to limit the damage that can occur in the event of malware or a security breach.
Extrusion prevention refers to techniques and technologies used to prevent the unauthorized disclosure or exfiltration of sensitive or confidential data outside of an organization’s authorized boundaries. It typically involves the use of specialized software or hardware tools that monitor network traffic and data transmissions to detect and block attempts to transfer sensitive data outside of an organization’s network. Examples of extrusion prevention techniques include firewalls, intrusion detection and prevention systems (IDPS), and data loss prevention (DLP) systems.
Compare the OWASP Top 10 with the OWASP ASVS Program. Why are they different and when would you use each in a web application development lifecycle?
Why must you know a server’s role to know how to protect it?
Hi Shepherd,
I think the reason why we need to figure out the role of the server before protecting it is that different servers perform different functions, which bring different vulnerabilities that can be exploited by attackers. For example, a web server hosting a public website may be more vulnerable to attacks such as cross-site scripting (XSS) or SQL injection, while an email server may be more vulnerable to attacks such as phishing or spear phishing.
What does RTP add to compensate for the limitations of UDP?
RTP adds several features to UDP, including:
1. Sequence number: allows the receiver to detect and discard duplicate packets and reorder out-of-order packets.
2. Timestamp: allows the receiver to sync the audio/video stream with the presentation time.
3. Error detection and recovery: RTP can use forward error correction and retransmission mechanisms to recover lost or damaged packets.
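As an added example that is not part of the original thread, a Python parser for the 12-byte fixed RTP header (RFC 3550) and a sequence-number tracker that does what point 1 describes: it flags duplicates and reordered packets and estimates gaps, handling 16-bit sequence wraparound. The packet builder, SSRC and sample sequence are constructed here; timestamp sync and error correction are not modeled.

```python
import struct

RTP_HEADER_LEN = 12  # fixed header size, RFC 3550 section 5.1


def parse_rtp_header(packet):
    """Parse the fixed RTP header into a dict. CSRC list entries and header
    extensions are counted/flagged but not parsed (kept minimal)."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError("unsupported RTP version %d" % version)
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc_count": b0 & 0x0F,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def build_rtp_packet(seq, ts, ssrc=0x1234ABCD, payload_type=0, payload=b""):
    """Build a minimal RTP packet: version 2, no padding/extension/CSRC.
    The default SSRC is a constructed value for the demo."""
    b0 = 2 << 6
    b1 = payload_type & 0x7F
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def seq_delta(new, last):
    """Signed 16-bit difference, so 0 following 65535 counts as +1."""
    d = (new - last) & 0xFFFF
    return d - 0x10000 if d >= 0x8000 else d


class SequenceTracker:
    """Classify each packet as first, in-order, duplicate, reordered, or gap."""

    def __init__(self):
        self.last_seq = None
        self.lost = 0        # estimated packets missing so far
        self.duplicates = 0
        self.reordered = 0

    def observe(self, seq):
        if self.last_seq is None:
            self.last_seq = seq
            return "first"
        d = seq_delta(seq, self.last_seq)
        if d == 1:
            self.last_seq = seq
            return "in-order"
        if d == 0:
            self.duplicates += 1          # receiver would discard this one
            return "duplicate"
        if d < 0:
            self.reordered += 1           # late arrival; loss estimate not revised
            return "reordered"
        self.lost += d - 1                # d-1 sequence numbers were skipped
        self.last_seq = seq
        return "gap"


def classify_stream(packets):
    """Run the tracker over raw packets; return per-packet labels and counters."""
    tracker = SequenceTracker()
    labels = [tracker.observe(parse_rtp_header(p)["sequence"]) for p in packets]
    return labels, tracker.lost, tracker.duplicates, tracker.reordered
```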
What are some common points of ingress/egress that you would need to take into consideration when evaluating a threat surface of an application?
Hi Nick! Some points I would consider for evaluating the threat surface of an application are connectivity (internal/external facing), insecure default sockets, error message display, improper access configurations and vulnerable libraries.
From security perspective, would you recommend using custom applications or off-the-shelf applications? What are your reasons?
I think that, due to their higher market visibility, off-the-shelf applications have higher security risks than custom applications. Potential hackers have relatively higher access to the software and will try to attack it. The risk is relatively lower in the case of custom development, as lower visibility translates to a reduced probability of cyberattacks.
Hey Aayush,
I agree with you. Inevitably, however, a custom application may have unexpected vulnerabilities due to programmer negligence or other reasons, which increases unknown risks, and the organization does not realize where to remedy them. So I think there are pros and cons to both custom and off-the-shelf applications, depending on how much risk the organization is willing to take.
Hi Nishant,
This is a great question. There are a couple prerequisite questions such as how much time you have, how much money you’re willing to spend, what do you need from the app, etc. If you’re solely judging based on a security perspective, I would agree that in-house apps, especially if the app is not web connected would be best. When you expose this app to the web, things become a bit muddier in that it heavily depends on how well your organization can manage the application.
What are some IT security control strategies that web applications could implement to protect against attacks (such as Spam, Phishing, SQL injection, cross-site scripting (XSS), etc.)?
Some IT security control strategies for SQL injection, for instance, involve:
a) Restricting database code.
b) Monitoring application and database inputs and communications.
c) Restricting database access.
d) Maintaining applications and databases through patching.
What would be a better way to track browser attacks or make them more secure?
A better way to track browser attacks or make them more secure will be to install an anti-spyware package. I believe that keeping your operating system, apps, and browser up-to-date, as well as using virtualization, will provide more security.
Do you think application security is more complex than the host hardening mentioned in the previous chapter?
Hi Wei,
This is an interesting question, as you mention host. What kind of host are you referring to? If, for example, we’re comparing an entire OS or VM to a singular app, then I would say the OS/VM is more difficult, as there are far more moving pieces. However, the more apps you add to the mix, the shorter the gap in difficulty becomes. Eventually, if you have enough apps, they will trump a VM and even an OS in difficulty.
How frequently should application servers and web servers be patched?
It basically depends on several factors, including the severity of vulnerabilities, the risk of exploitation, and the organization’s risk tolerance. However, application servers and web servers should be patched as soon as security updates become available.
Out of the OWASP Top 10 application risks, which one do you believe has the most effect on CIA?
Which of the following web application security risks is the most common, according to our reading this week on the OWASP Top 10?
Hi Samuel,
According to the reading, the most common web application security risk as of 2021 was Broken Access Control. Noting “the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category.”