APPLICATION SECURITY AWARENESS
OWASP Top 10

A01:2021 Broken Access Control
A02:2021 Cryptographic Failures
A03:2021 Injection
A04:2021 Insecure Design
A05:2021 Security Misconfiguration
A06:2021 Vulnerable and Outdated Components
A07:2021 Identification and Authentication Failures
A08:2021 Software and Data Integrity Failures
A09:2021 Security Logging and Monitoring Failures
A10:2021 Server-Side Request Forgery (SSRF)

"The OWASP Top Ten is a standard awareness document for developers and web application security professionals. It represents a broad consensus about the most critical security risks to web applications. It was started in 2008 to help organizations and developers with a starting point for secure development. Over the years it's grown into a pseudo standard that is used as a baseline for compliance, education, and vendor tools."

A01:2021 Broken Access Control

Access Control manages or constrains what a user has access to and what actions they can perform. If not implemented correctly this can lead to confidentiality and integrity (modification or deletion of data) not being maintained. Special attention should therefore be paid when implementing Access Control in your applications.

Example

An attacker, instead of navigating through the application, simply types the URL for the admin area of the site that should require Admin rights to be accessed:

https://example.com/app/getappinfo or https://example.com/app/admin_getappinfo

If the unauthenticated or non-admin user can access either page, it's a flaw. They should either be redirected to the login page or denied access. To avoid this, two fundamental security principles should be employed in the design:

1. Secure by Default - by default access is denied and must be granted
2. Complete Mediation - every access by a subject to an object is authorized each time

For additional information or assistance please talk to your Application Security Team or Security Architect who will be happy to help you.

A02:2021 Cryptographic Failures

Encryption is used to protect data, preserving confidentiality in transit, at rest and, in theory, when in use (still very much an evolving area - homomorphic encryption).

"The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS)."

Use encryption where necessary, paying attention that the cryptographic algorithms are not weak or broken, otherwise an attacker may be able to brute force the decryption and discover the data being protected. As cryptographic algorithms do get broken as the performance of computers increases, it is recommended that cryptographic agility be used in designing the software to allow for migration to newer algorithms at some point in the future.
If proper key management isn't in place then it may be easy for an attacker to compromise a key, and the compromised key could then be used to perform a man-in-the-middle attack allowing an adversary to access sensitive information in transit; alternatively they might be able to decrypt sensitive information at rest.

A03:2021 Injection

Injection has been quite a common flaw for some time; there are many different variants of injection that include SQL, NoSQL, OS Command and LDAP Injection amongst others. An example of SQL injection for authentication might be:

You retrieve the username and password from the request:

username = request.getParameter("username")
password = request.getParameter("password")

These values are then used directly in the dynamic construction of an SQL query:

query = "select * from users where username='" + username + "' and password='" + password + "'";

If an attacker were to pass in ' or '1'='1 for both the username and password then this would result in the following query being executed:

select * from users where username='' or '1'='1' and password='' or '1'='1'

meaning that this would return all the users because '1'='1' would always return true for every row. Using untrusted input in the dynamic construction of queries is not recommended; parameterized queries are the preferred approach. The best defence against injection attacks is input validation using whitelists, although this is not infallible so you should also use other methods.
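The following is an added Python example, not code from the slide deck, that runs the page's authentication query both ways against a constructed in-memory SQLite table: once built by string concatenation as on the slide, and once with parameterized placeholders. It also adds the allow-list validation layer the text recommends, assuming for this example that valid usernames are short lower-case alphanumerics.

```python
import re
import sqlite3

# Constructed sample data: an in-memory users table with two rows. Plaintext
# passwords are kept here only to mirror the page's query; see A07 for hashing.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Same construction as the page's snippet: request values concatenated into
    # the SQL text, so a quote in the input changes the structure of the statement.
    query = ("select * from users where username='" + username +
             "' and password='" + password + "'")
    return conn.execute(query).fetchall()

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders: the values travel separately from the SQL text and are only
    # ever treated as data, whatever characters they contain.
    query = "select * from users where username=? and password=?"
    return conn.execute(query, (username, password)).fetchall()

# Allow-list validation as a second layer. Assumption for this example: usernames
# in this application are 1-32 lower-case letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def username_is_valid(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

PAYLOAD = "' or '1'='1"   # the input from the page's example

def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": len(login_vulnerable(conn, PAYLOAD, PAYLOAD)),
        "parameterized_rows": len(login_parameterized(conn, PAYLOAD, PAYLOAD)),
        "valid_login_rows": len(login_parameterized(conn, "alice", "correct horse")),
        "payload_passes_validation": username_is_valid(PAYLOAD),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated query returns every row, the parameterized one returns none for the same input and one row for a genuine login, and the allow-list rejects the payload before it reaches the database at all.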
Validation should be performed both on the client but above all on the server, in the event that the attacker circumvents the user interface. In addition to validation, input sanitization (escaping known bad characters) is also a good approach.

A04:2021 Insecure Design

"There is a difference between insecure design and insecure implementation. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks."

Example

An insecure design might be a house with an open front (no wall): it doesn't matter if you put the most secure doors available on the back of the house and the most secure windows throughout, if the front of the house is open someone could walk right in. To remediate bad design it often means redesigning and rebuilding the system from scratch. The foundations need to be correct.

If the house was designed correctly and had walls on all sides but the doors had locks that are easy to break, this would be an example of an implementation defect and could be remediated once the house was complete.
A05:2021 Security Misconfiguration

Security Misconfigurations can take many forms but are usually because the system hasn't been hardened before go-live. To harden a system, you should follow the manufacturer's guidelines for hardware and software components:

Remove any software or disable any services that are not required to reduce the attack surface, and make sure that default credentials are not being used.

Ensure any debug settings have been removed, log levels are set accordingly and that proper exception handling is in place to avoid leaking information to an attacker.

Once you have this configuration in place it's good practice to create a baseline from it and implement a configuration/change management process to ensure that the baseline image is kept up to date and its state is documented.

Example: Configuration UI access from the WAN to your router with default admin credentials could grant an attacker access to your internal network and devices.
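As an added Python example (not part of the slide deck), the hardening rules above are turned into a check that runs over a constructed router configuration as shipped and after hardening, and a baseline comparison that reports configuration drift for change management. The default-credential pairs, the list of required services and the configuration keys are assumptions made for this example, not taken from any vendor.

```python
from typing import Dict, List, Tuple

# Constructed well-known factory credential pairs for the check (illustrative only,
# not a real vendor list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Assumption for this example: the only services this deployment actually needs.
REQUIRED_SERVICES = {"https", "sshd"}

def hardening_findings(config: dict) -> List[str]:
    """Return one finding per deviation from the hardening rules on the slide."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled: detailed errors may leak to an attacker")
    if str(config.get("log_level", "")).lower() == "debug":
        findings.append("log level is DEBUG: verbose logs may expose sensitive data")
    for user, password in config.get("accounts", []):
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials still set for account '{user}'")
    if config.get("admin_ui_from_wan"):
        findings.append("management UI reachable from the WAN")
    for service in sorted(set(config.get("enabled_services", [])) - REQUIRED_SERVICES):
        findings.append(f"unneeded service enabled: {service}")
    return findings

def baseline_drift(baseline: dict, current: dict) -> Dict[str, Tuple]:
    """Change-management check: keys whose value differs from the approved baseline,
    mapped to (baseline value, current value)."""
    keys = set(baseline) | set(current)
    return {key: (baseline.get(key), current.get(key))
            for key in sorted(keys) if baseline.get(key) != current.get(key)}

# Constructed sample: a router's configuration as shipped, and the same device
# after hardening (the placeholder stands for a password set during install).
AS_SHIPPED = {
    "debug": True,
    "log_level": "debug",
    "accounts": [("admin", "admin")],
    "admin_ui_from_wan": True,
    "enabled_services": ["https", "sshd", "telnet", "upnp"],
}
HARDENED = {
    "debug": False,
    "log_level": "info",
    "accounts": [("admin", "<set-at-install>")],
    "admin_ui_from_wan": False,
    "enabled_services": ["https", "sshd"],
}

if __name__ == "__main__":
    for finding in hardening_findings(AS_SHIPPED):
        print("FINDING:", finding)
    print("drift from baseline:", baseline_drift(HARDENED, AS_SHIPPED))
```

The hardened configuration produces no findings and becomes the baseline; running baseline_drift against a later snapshot shows exactly which settings changed, which is the documented state the slide asks for.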
A06:2021 Vulnerable and Outdated Components

When using third-party libraries it is fundamental that they be kept up to date so that remediations for known vulnerabilities are propagated down to your applications. If they are not, then an attacker could easily discover or guess that you are using a particular library and try to exploit a known vulnerability. A recent example was the Log4Shell vulnerability that, within hours of being made public, was being exploited by attackers globally to take control of systems and breach networks.

Another reason for upgrading to the latest versions, in particular major versions, is that the developers will probably stop supporting older versions and any vulnerabilities that they contain will no longer be remedied.

Software composition analysis tools can be used to alert developers when their dependencies have vulnerabilities, for example OWASP Dependency-Track and OWASP Dependency-Check.

A07:2021 Identification and Authentication Failures

Verifying a user's identity is fundamental, so that you can then determine what they can access and you can also create an audit trail of actions they performed. Authentication is the action of verifying a user's identity with factors.
If one of those factors is broken then an attacker could take over the account of a valid user.

Common failures are caused by:
+ Credential stuffing
+ Allowing weak or well-known passwords
+ Not blocking when an adversary tries a brute force attack
+ Use of ineffective password recovery protection
+ Missing or weak cryptography/hashing of stored passwords
+ Missing multifactor authentication
+ Session ID exposure in the URL
+ Session fixation
+ Sessions not being expired or invalidated

To avoid these issues:
+ Block after a number of successive failed login attempts
+ Ensure password retrieval functionality is implemented securely
+ Use strong hashing algorithms with salt and do not store the passwords in plaintext
+ Allow users to enable multifactor authentication
+ Hide session IDs, change them after login and invalidate them after logout or after a brief time
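An added Python example, not code from the slide deck, that covers two of the points above at once: the A02 advice to design for cryptographic agility, and the A07 advice to store passwords with a strong salted hash and to block after successive failed logins. Each stored hash carries the identifier of the scheme that produced it, so an old scheme can be retired and hashes upgraded on the user's next login. The scheme names, iteration counts, lockout threshold and the in-memory account store are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Password-hashing schemes keyed by the identifier stored alongside each hash.
# Keeping the identifier with the data is what allows the scheme to be changed
# later (cryptographic agility): old hashes stay verifiable and are upgraded on
# the user's next successful login. Iteration counts are assumptions for this example.
def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

SCHEMES = {
    "pbkdf2v1": lambda pw, salt: _pbkdf2(pw, salt, 10_000),   # legacy, kept for migration only
    "pbkdf2v2": lambda pw, salt: _pbkdf2(pw, salt, 600_000),  # current
}
CURRENT_SCHEME = "pbkdf2v2"

def hash_password(password: str, scheme: str = CURRENT_SCHEME) -> str:
    salt = os.urandom(16)                       # unique random salt per password
    digest = SCHEMES[scheme](password, salt)
    return "$".join([scheme, base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash); needs_rehash is True when the stored hash
    uses an older scheme than CURRENT_SCHEME."""
    scheme, salt_b64, digest_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    matches = hmac.compare_digest(SCHEMES[scheme](password, salt), expected)  # constant-time compare
    return matches, matches and scheme != CURRENT_SCHEME

MAX_FAILURES = 5    # successive failures before the account is blocked (assumption)

class AccountStore:
    """Constructed in-memory account store: hashed passwords, failed-login
    counting and an audit trail of login events."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}        # username -> stored hash string
        self.failures: Dict[str, int] = {}
        self.audit: List[Tuple[str, str]] = []
        # Hash compared against when the user does not exist, so response time
        # does not reveal which usernames are valid.
        self._dummy = hash_password(os.urandom(8).hex())

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def attempt_login(self, username: str, password: str) -> str:
        if self.failures.get(username, 0) >= MAX_FAILURES:
            self.audit.append(("login_blocked", username))
            return "blocked"
        stored = self.users.get(username)
        matches, needs_rehash = verify_password(password, stored or self._dummy)
        if stored is None or not matches:
            self.failures[username] = self.failures.get(username, 0) + 1
            self.audit.append(("login_failed", username))
            return "denied"
        self.failures[username] = 0
        if needs_rehash:                       # transparent upgrade to the current scheme
            self.users[username] = hash_password(password)
        self.audit.append(("login_ok", username))
        return "ok"
```

The audit list is the hook for the A09 requirement that logins and failed logins are logged; in a real service those events would go to the central log rather than a list. The same structure extends to a new scheme by adding one entry to SCHEMES and moving CURRENT_SCHEME, with no change to stored data until users next log in.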
A08:2021 Software and Data Integrity Failures

Many software applications automatically update themselves. If these updates are not digitally signed and subsequently verified during the update process, it may be possible for an attacker to insert malicious code into a download, which will then be automatically installed with the next update.

Digitally signing code demonstrates that the update came from the authors and that it hasn't been modified. This isn't to say that someone working for the authors hasn't inserted malicious code, but if the company is vetting its employees and protecting its network you should feel less at risk with these procedures in place.

A recent example was the SolarWinds attack, which was one of the most far-reaching attacks of this type in history.

Using internal repositories for libraries that are first vetted by security is another way to subvert this type of attack.

A09:2021 Security Logging and Monitoring Failures

Without logging and monitoring, breaches cannot be detected.
Insufficient logging, detection, monitoring and active response occurs any time:
+ Auditable events, such as logins, failed logins, and high-value transactions, are not logged
+ Warnings and errors generate no, inadequate, or unclear log messages
+ Logs of applications and APIs are not monitored for suspicious activity
+ Logs are only stored locally
+ Appropriate alerting thresholds and response escalation processes are not in place or effective
+ Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts
+ The application cannot detect, escalate, or alert for active attacks in real-time or near real-time

On the flip side, too much logging can:
+ Create too much noise
+ Be a vector for DoS attacks

So it is necessary to get the balance right and log what is important. Logs should also have proper access control because they may be a source of sensitive information. They should also be centralized, timestamps should be synchronized, and they should be aggregated and correlated in a Security Information and Event Management (SIEM) system where possible.

A10:2021 Server-Side Request Forgery (SSRF)

SSRF flaws occur when web applications fetch remote resources without validating the user-supplied URL, for example in an Ajax call. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, and due to modern architectures, the incidence and severity of SSRF are increasing.

This could potentially allow an attacker to scan parts of the internal network if it is not segmented properly; they could also use the FILE scheme to read files from the local filesystem, among other types of attack.

There are a number of methods for protecting against this; here are a sample few:
+ Segment the network to reduce the impact of a successful attack
+ Sanitize and validate all untrusted input
+ Create allow lists for URL schemes, ports and destinations
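The last mitigation above, as an added Python example that is not part of the slide deck: a deny-by-default check of a user-supplied URL against allow lists for scheme, port and destination, which also rejects the file scheme and raw IP addresses mentioned in the text. The two partner host names, the single allowed port and the outbound policy they express are constructed assumptions for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed outbound policy for this feature: the server only ever needs to
# fetch from two partner hosts over HTTPS on the default port. Anything not on
# these lists is refused (secure by default).
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}

class UrlNotAllowed(ValueError):
    """Raised when a user-supplied URL falls outside the allow lists."""

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def check_fetch_url(url: str) -> str:
    """Validate a user-supplied URL against the allow lists and return the
    normalized URL that the server may fetch; raise UrlNotAllowed otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:            # also rejects file://, gopher://, ...
        raise UrlNotAllowed(f"scheme not allowed: {scheme or '(none)'}")
    if parts.username is not None or parts.password is not None:
        raise UrlNotAllowed("credentials embedded in the URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise UrlNotAllowed("URL has no host")
    if _is_ip_literal(host):
        raise UrlNotAllowed("IP address literals are not allowed; use an allow-listed name")
    if host not in ALLOWED_HOSTS:
        raise UrlNotAllowed(f"destination not allowed: {host}")
    port = parts.port if parts.port is not None else 443   # parts.port raises ValueError on junk
    if port not in ALLOWED_PORTS:
        raise UrlNotAllowed(f"port not allowed: {port}")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}:{port}{parts.path or '/'}{query}"

def is_blocked(url: str) -> bool:
    """True when check_fetch_url rejects the URL (helper for tests and demos)."""
    try:
        check_fetch_url(url)
    except (UrlNotAllowed, ValueError):
        return True
    return False

if __name__ == "__main__":
    for candidate in ["https://api.partner.example/v1/items?id=7",
                      "file:///etc/hosts", "https://10.0.0.5/", "https://other.example/"]:
        print(candidate, "->", "blocked" if is_blocked(candidate) else check_fetch_url(candidate))
```

The check returns a normalized URL so the fetch is made to exactly what was validated, not to the raw input. A host allow list is only as trustworthy as the name resolution behind it; pinning the resolved address at connection time is a further control this example does not show.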
