Sunday, 22 May 2022

OWASP top 10 - 2021

 Always verify your system's have reviewed the OWASP top 10 vulnerabilities 2021

  1. Broken Access Control (ensure users only see what they should have access too).  Permission need to be correctly specified and enforced.  i.e. don't allow customers to have Admin account privileges or access to another customers details.  Security needs to allow enough right/privileges so people and clients can do what they need to but must not over allow privileges.  Prevention techniques must include least privilege (no access by default and give the minimum needed permissions), audit access and changes (think tomb tables/temporal changes) but can also include access auditing and logging access control changes.  Lastly, QA must verify permissions work as expected, so often it is just assume it works as the QA thinks and not to actual policy/specification), 
  2. Cryptographic failure (data in transit and at rest must be securely encrypted, more sensitive data must be more encrypted/scrambled.  By default everything should be encrypted but add extra encryption/controls to sensitive information like passwords.  For payment processing use a specialist provide like Stripe.  Encryption can be symmetric or asymmetric.  Ensure you use algorithms that are considered weak such as Triple DES also known as 3DES rather use AES, or hashing Algorithms such as SHA1 and RIPEMD160 are weak, rather use a SHA2 algorithm.  Manage your keys properly such as Azure Key Vault and rotate the keys regularly.  Salt hash key data to have encryption and hashing on sensitive data), 
  3. Injection (data input results in unintended processing) examples are SQL injections and Cross side scripting (XSS),
  4. Insecure Design (new addition in 2021, don't include sensitive information in error messages, ensure architecture can scale, passwords stored in plain text or are not rotatable, deal with DDoS, if 1 part of an app brings the whole solution down),
  5. Security misconfiguration (default setup that is not very secure e.g. default password is not changed on installed software, ensure security hardening happens.  I.e. short passwords, changing passwords, updating software,...)
  6. Vulnerable outdated components (we use components in code, if they have security weaknesses it's likely you also have it Log4J was an example.  You need to know all you supply chain dependencies so you need to ensure they are not vulnerable.  SAST scanning tools help identify vulnerabilities.  Know your component dependencies!), 
  7. Identification & authorisation failures (You are who you say you are, check claims, use OAuth, OIDC example is session hijacking or stealing someone else's identification, public pc, next user logs in as you previous user),
  8. Software and Data integrity failures (insured CI/CD pipeline, closely linked to item 6. example, could automatically update a nugget package to the latest automatically which has a security flaw in it),
  9. Security Logging and Monitoring failures (check logs to detect security issues, incidents will happen and can often see people scanning for vulnerabilities),
  10. Server-side Request Forgery (SSRF) (servers ask for endpoint info, use only-allow in headers or only allow the specific IP of the partner, ensure only relevant info is returned).


Post a Comment