Question
Step 1.OWASP Top Ten
Today more than ever we have to be vigilant in protecting our personal and company data. OWASP is The Open Web Application Security Project, at https://www.owasp.org/index.php/About_OWASP. The Top Ten project lists the top ten security risks for web applications and has been updated many times. You can learn more about this list at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
You can see in this chart on OWASP, https://www.owasp.org/index.php/Top_10_2013-Details_About_Risk_Factors, that the risk is real and can be severe. The OWASP Top 10 - 2013 is as follows and is described at https://www.owasp.org/index.php/Top_10_2013-Top_10.
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
The one that is most concerning is injection, as it has been at the top of the list for a while (https://www.owasp.org/index.php/Top_10_2013-A1-Injection). It means that data from a form is passed into the database without being checked for safety or validity. The model is to "Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators." So even if they are logged in, consider them untrusted.
Consider a form you complete that is used to upload your data to a database. If you come back, you might want to edit that data, only to discover that someone has already edited it and added malicious code, giving them access to the data server and all of the client data! So any data from a form that is stored on the server, or used in any way, should be validated before that happens.
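To make the injection point concrete, here is an added example (not part of the original question or of OWASP's material) in Python with the standard-library sqlite3 module. The table, names and e-mail addresses are constructed for the demonstration. It contrasts a lookup that splices the form value into the SQL text with one that passes it as a bound parameter, using an ordinary customer name containing an apostrophe:

```python
import sqlite3


# Constructed in-memory table standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def find_email_unsafe(conn, name):
    # Vulnerable pattern: the form value is spliced into the SQL text, so the
    # database engine cannot tell where the data ends and the query begins.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    # Parameterized query: the value travels separately from the statement,
    # so any quote characters in it remain ordinary text.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup(name):
    """Run both versions against the same input and report what each did."""
    conn = make_db()
    result = {"safe": find_email_safe(conn, name)}
    try:
        result["unsafe"] = find_email_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # A perfectly legitimate name with an apostrophe already breaks the
        # concatenated query; the parameterized one returns the right row.
        result["unsafe"] = "error: " + str(exc)
    return result


if __name__ == "__main__":
    print(lookup("Alice"))
    print(lookup("O'Brien"))
```

The point for developers is that validation alone is not the whole answer for injection: the structural fix is to keep data and query text separate, which is what the parameterized version does, and then validate the value on top of that (length, allowed characters, expected type).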
Useful OWASP Resources
XSS - http://www.computerweekly.com/tip/Cross-site-scripting-explained-How-to-prevent-XSS-attacks
Data Validation - https://www.owasp.org/index.php/Data_Validation
XSS - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Cheat sheets that describe the attacks and their prevention - https://www.owasp.org/index.php/Cheat_Sheets
Describes how to prevent attacks with input validation - https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
OWASP used to distribute products such as WebScarab, which is now called Zed Attack Proxy (ZAP), available at https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
Watch the video below to learn more about ZAP. (Reference: https://youtu.be/TyhaA3DJ5oM)
CWE-20 Improper Input Validation
OWASP isn't the only organization raising awareness and concerns about validation and security of web applications. MITRE, co-sponsored by the Office of Cybersecurity and Communications at the U.S. Department of Homeland Security, provides a web site on the Common Weakness Enumeration (CWE).
CWE-20 states that improper input validation is when "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program." (Reference: https://cwe.mitre.org/data/definitions/20.html)
Here is one example based on CWE-20 of the impact of improper input validation. The example is from a shopping application. The attacker can specify the quantity of items to be purchased. The user cannot change the price, but they can change the quantity and enter a negative number, resulting in a negative total and a credit!
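The following is an added example, not from the question or from the CWE entry, showing the negative-quantity defect and the validation that closes it, in Python. The catalogue, prices and the per-line limit of 100 are constructed assumptions; a real shop would load prices from its own database.

```python
import re
from decimal import Decimal

# Constructed catalogue: the server holds the prices, the form never does.
CATALOG = {"widget": Decimal("19.99"), "gadget": Decimal("5.00")}
MAX_QUANTITY = 100  # assumed per-line business limit


class InvalidOrder(ValueError):
    """Raised when a submitted line item fails validation."""


def total_unvalidated(items):
    # CWE-20 pattern: int() happily accepts "-10", so a negative quantity
    # produces a negative total, i.e. a credit to the customer.
    total = Decimal("0")
    for sku, raw_qty in items:
        total += CATALOG[sku] * int(raw_qty)
    return total


def parse_quantity(raw):
    # Allow-list check: only ASCII digits, then a range check. This rejects a
    # sign, whitespace, decimals, exponent notation and non-ASCII digit
    # characters, all of which int() or str.isdigit() would let through.
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise InvalidOrder(f"quantity must be a whole number, got {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QUANTITY:
        raise InvalidOrder(f"quantity {qty} outside 1..{MAX_QUANTITY}")
    return qty


def total_validated(items):
    # Every field taken from the form is checked before it influences money.
    total = Decimal("0")
    for sku, raw_qty in items:
        if sku not in CATALOG:
            raise InvalidOrder(f"unknown item {sku!r}")
        total += CATALOG[sku] * parse_quantity(raw_qty)
    return total


def check_order(items):
    """Return ('ok', total as a string) or ('rejected', reason)."""
    try:
        return ("ok", str(total_validated(items)))
    except InvalidOrder as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    cart = [("widget", "2"), ("gadget", "-10")]
    print("unvalidated total:", total_unvalidated(cart))  # negative, a credit
    print("validated:", check_order(cart))                 # rejected
```

Note that the validated path rejects the whole order rather than silently clamping the quantity to zero; a rejected submission is also the event you want to log, since a negative quantity from a form that only offers positive values is a strong sign the request was hand-crafted.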
Step 2
Locate 2 articles on web application security. Cite your references in APA format.
Summarize the article and describe the risks, as well as how developers can prevent security issues.
Explanation / Answer
This is a very good website.
You can find many more articles on this parent domain.
Many case studies are explained there. Because of the case studies, you will experience real-time problems and solutions.
For each case study, there is a description, a policy, and what it applies to, described in terms of CIA (Confidentiality, Integrity, Availability) values.
http://www.webappsec.org/projects/articles/091007.shtml
http://www.webappsec.org/projects/articles/041607.shtml
You want the links.
I hope these links are very useful.