Web Application Security

Details about web application security

Uploaded by

Gaming thanga
Q1. Describe in detail web application security threats.

Web application security threats encompass a range of potential vulnerabilities and attacks that can compromise the integrity, confidentiality and availability of web applications. Possible threats: Injection, Denial of Service (DoS), Distributed Denial of Service (DDoS), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Security Misconfiguration.

Injection: An attacker injects malicious code that looks like normal code and can trigger unexpected commands or access data without proper permission. Two kinds of injection are code injection and SQL injection.
- Code injection: done by injecting code into an application. The injected code can change the way the program executes.
- SQL injection: allows an attacker to interfere with the queries that an application makes to its database.

Denial of Service: the attackers generate fake traffic through different vectors to overload a target.
Distributed Denial of Service: does the same at a large scale.

Cross-Site Request Forgery: an attacker can use the user's account privileges and perform operations on their behalf; the account can be taken over or the user's data altered.

Cross-Site Scripting: occurs when an app embeds untrusted data in a web page, or updates a website with user inputs through the browser, without proper validation.

Security Misconfiguration: occurs when security controls are not set correctly, e.g. a web app whose cloud storage is exposed to the internet with no authentication.

Tools for web application security testing:
- Static Application Security Testing (SAST): involves analyzing the application's source code during development.
- Software Composition Analysis (SCA): scans the app to identify open source software containing known vulnerabilities.
- Interactive Application Security Testing (IAST): observes app behaviour such as input, output, etc.
- Dynamic Application Security Testing (DAST): analyzes the code at runtime, including the server.

Q2. Explain the Microsoft Security Development Lifecycle (SDL) in detail.

Microsoft SDL embeds comprehensive security requirements, technology-specific tooling and mandatory processes into the development and operation of software products. It consists of seven components, including five core phases and two supporting security activities.

Training: Developers and engineers must also participate in role-specific training to keep them informed on security basics and recent trends in secure development.

Requirements: Software development is a continuous process, meaning its associated security and privacy requirements change throughout the product lifecycle to reflect changes in functionality.

SDL phase chart (from the notes):
- Training
- Requirements: establish security requirements, create quality gates
- Design: security and privacy design requirements, analyse attack surface
- Implementation: use approved tools, deprecate unsafe functions
- Verification
- Release: incident response plan, final security review
- Response: execute incident response plan

Design: Threat models are created to help identify, categorize and rate potential threats. They must be maintained and updated throughout the lifecycle.

Implementation: It begins with developers writing code according to the plan. Microsoft provides a suite of secure development tools to effectively implement all security, privacy and functional requirements of the software they design.

Verification: Code undergoes several checks, and approvals are required to verify the code is error free, and to ensure no code can be written and released by the same person, which could lead to malicious harm. The security checks are:
- Static code analysis: analyse code for potential security flaws, including credentials.
- Binary analysis: assess vulnerabilities at the binary code level to confirm the code is production ready.
- Fuzz testing: use malformed and unexpected data to exercise APIs and parsers to check for vulnerabilities and validate error handling.

Release: Builds are gradually released to larger and larger groups in what is called the safe deployment process.
- Ring 0 = development team responsible for the service
- Ring 1 = all Microsoft employees
- Ring 2 = specific users outside Microsoft
- Ring 3 = worldwide standard release
Microsoft services are extensively logged and monitored after release.

OWASP is a non-profit foundation for improving the security of software.

Q3. Explain how to prevent session fixation attacks in token-based authentication.

Session cookies: A web application can create session cookies to track the session and user data. After user authentication, the login endpoint returns a Set-Cookie header. Subsequent requests to the server side will include the token in the Cookie header. Method to call session cookies, as written in the notes: session = request.session(True). Session cookies have a limited lifespan and end with the browser session.

Session fixation attack: This attack occurs when the app fails to regenerate the session token after a user has authenticated.

Cookie security attributes: Secure, HttpOnly, SameSite, Domain, Path.

Preventing fixation attacks in token-based authentication typically involves measures like session regeneration and secure token handling.

Session regeneration: periodically regenerate the session token to limit its lifetime, and invalidate the old token when a new session is established.

Secure token handling:
- Store the token securely on the client side (HttpOnly cookie) to prevent token interception.
- Implement proper token validation mechanisms.

Man-in-the-middle attack: the attacker intercepts the connection between the user and the web server and injects a Set-Cookie header with a forged cookie. To prevent this, use preloaded HTTPS, prevent cookie overwriting and configure your TLS settings properly.

Use cookies with the __Host- prefix and the Secure attribute to prevent a compromised subdomain from overwriting the cookies.

Prevent XSS attacks, as the app can do nothing to prevent the cookie being overwritten in the event of a successful XSS attack. So we have to carefully avoid XSS vulnerabilities and use a strict CSP (Content Security Policy) to further harden our application against them.

Be careful with legacy application frameworks: legacy application frameworks can have features that make them vulnerable to session fixation attacks by design. The best defense is to stay away from legacy frameworks when developing.

These are the ways of preventing session fixation attacks in token-based authentication.
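An added example, not from the notes, that puts the regeneration and cookie-attribute advice above into working Python: the old (possibly attacker-fixed) token is invalidated at login, a fresh one is issued, and the Set-Cookie value uses the __Host- prefix with Secure, HttpOnly, SameSite and a bounded Max-Age. The in-memory store, function names and the user "alice" are constructed for illustration.

```python
import secrets
from typing import Optional

# Constructed in-memory session store: token -> {"user": username or None}.
SESSIONS: dict[str, dict] = {}

def new_session() -> str:
    """Issue an anonymous (pre-login) session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": None}
    return token

def login(presented_token: Optional[str], username: str) -> str:
    """Authenticate and regenerate the session: the token the browser presented
    before login (which an attacker may have fixed) is invalidated, and a fresh
    token is bound to the user. Password checking is assumed to happen before this."""
    if presented_token in SESSIONS:
        del SESSIONS[presented_token]        # invalidate the old token
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = {"user": username}
    return fresh

def current_user(token: Optional[str]) -> Optional[str]:
    """Validate the token on every request; unknown tokens carry no identity."""
    entry = SESSIONS.get(token or "")
    return entry["user"] if entry else None

def session_set_cookie(token: str, max_age: int = 900) -> str:
    """Build the Set-Cookie header value. The __Host- prefix requires Secure,
    Path=/ and no Domain attribute, so a compromised subdomain cannot overwrite
    it; HttpOnly keeps page scripts from reading it; SameSite=Strict limits
    cross-site sending; Max-Age bounds the lifespan."""
    return (f"__Host-session={token}; Secure; HttpOnly; SameSite=Strict; "
            f"Path=/; Max-Age={max_age}")

def demo() -> tuple[bool, bool, str]:
    """Walk through a fixation attempt: a pre-login token is planted, the
    victim logs in, and the planted token is checked afterwards."""
    fixed = new_session()            # token an attacker planted in the victim's browser
    fresh = login(fixed, "alice")    # victim logs in; the session is regenerated
    return (current_user(fixed) is None,        # planted token is now useless
            current_user(fresh) == "alice",     # only the fresh token is bound to alice
            session_set_cookie(fresh))

if __name__ == "__main__":
    print(demo())
```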
