Lecture-1 1 (OWASP)

The document provides an overview of the Open Worldwide Application Security Project (OWASP), a nonprofit organization focused on improving software security and raising awareness about web application security risks. It outlines the OWASP Top 10 security risks for 2021, including Broken Access Control and Cryptographic Failures, along with their causes, exploitation methods, and prevention strategies. Additionally, it emphasizes the importance of secure development practices, automated tools, and continuous monitoring to mitigate these risks.

Uploaded by Aditya Meena

COMPUTER AND NETWORK SECURITY

Open Worldwide Application Security Project (OWASP)

Dr. Vikash Kumar, Dept. of CSE, Computer and Network Security


About OWASP

• A nonprofit foundation working to improve software security.
• Its OWASP Top 10 is a standard awareness document for developers and web application security.
• It represents a broad consensus about the most critical security risks to web applications.


What OWASP Offers
 At OWASP, you'll find free and open:
• Application security tools and standards
• Cutting-edge research
• Standard security controls and libraries
• Complete books on application security testing, secure code development, and secure code review
• Chapter meetings
• Events, training, and conferences
• Google Groups, and more


OWASP Top 10: 2021 List
• A01:2021-Broken Access Control
• A02:2021-Cryptographic Failures
• A03:2021-Injection
• A04:2021-Insecure Design
• A05:2021-Security Misconfiguration
• A06:2021-Vulnerable and Outdated Components
• A07:2021-Identification and Authentication Failures
• A08:2021-Software and Data Integrity Failures
• A09:2021-Security Logging and Monitoring Failures
• A10:2021-Server-Side Request Forgery
What’s Changed in the Top 10 for 2021

• Three new categories
• Four categories with naming and scoping changes, and
• Some consolidation

https://www.blackduck.com/glossary/what-is-owasp-top-10
Broken Access Control
 Vulnerabilities in authentication (login) systems.
 A weakness that allows an attacker to gain access to user accounts.


Broken Access Control
 Exploitation Methods
• Cross-Site Scripting (XSS)
• Injection Flaws
• Broken Authentication and Session Management
• Brute Force Attacks
• Session Hijacking
• Man-in-the-Middle (MitM) Attacks
• Replay Attacks
• Privilege Escalation Attacks



Broken Access Control
 Prevention Methods
• Implement least privilege principles
• Schedule regular updates and patches
• Use multi-factor authentication
• Regularly review and monitor your website logs
• Perform access validation checks
• Use server-side access controls
• Enforce mandatory access declaration
• Audit and test access controls
• Segment your network
• Use a Web Application Firewall
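The "perform access validation checks" and "use server-side access controls" points above, as an added example that is not part of the slides: a document handler that trusts the requested id (the vulnerable pattern) beside a deny-by-default handler that checks the caller on the server. The users, documents and function names are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str                      # "user" or "admin"


# Constructed sample data: document id -> (owner, contents).
DOCUMENTS = {
    1: ("alice", "alice's tax return"),
    2: ("bob", "bob's medical record"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_document_insecure(doc_id: int) -> str:
    # Vulnerable pattern: the id comes straight from the request and the
    # handler never asks who is calling, so any user can read any record.
    return DOCUMENTS[doc_id][1]


def can_read(user: User, owner: str) -> bool:
    # Server-side rule, least privilege: the owner or an admin, nobody else.
    return user.name == owner or user.role == "admin"


def get_document(user: User, doc_id: int) -> str:
    """Hardened handler: deny by default, validate every access on the server."""
    record = DOCUMENTS.get(doc_id)
    if record is None:
        raise Forbidden("access denied")   # same answer as a denial: ids are not enumerable
    owner, contents = record
    if not can_read(user, owner):
        raise Forbidden("access denied")
    return contents


def try_read(user: User, doc_id: int) -> Optional[str]:
    """Convenience wrapper: the contents, or None when access is denied."""
    try:
        return get_document(user, doc_id)
    except Forbidden:
        return None


if __name__ == "__main__":
    alice, admin = User("alice", "user"), User("root", "admin")
    print(get_document_insecure(2))   # leaks bob's record to anyone
    print(try_read(alice, 2))         # None: denied
    print(try_read(admin, 2))         # admins may read
```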
Cryptographic Failures

 Occur when there is no proper mechanism to secure communications or information.
 A vulnerability caused by ineffective cryptography used to secure data, whether in transit or at rest.


Cryptographic Failures

 Cause?
 Weak encryption algorithms (EA)
 Implementation flaws
 Compromised endpoints
 Insufficient randomness

 Prevention?
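Two of the causes listed above, a weak algorithm and insufficient randomness, beside their fixes, as an added example that is not from the slides. The function names are mine; the weak variant is an unsalted fast hash, the fixed variant is salted scrypt with a constant-time comparison, and tokens come from the OS CSPRNG.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


def hash_password_weak(password: str) -> str:
    # Weak: unsalted, fast hash. Equal passwords give equal digests, and
    # precomputed tables recover common passwords almost instantly.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt; the salt is stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)          # CSPRNG, never random.random()
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, stored)


def new_session_token() -> str:
    # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
    # A token built from a seeded PRNG or a timestamp would be guessable.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored))   # True
    print(verify_password("wrong", stored))           # False
    print(new_session_token())
```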


Injection

 Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
 The attacker's data tricks the interpreter into executing unintended commands or accessing unauthorized data.
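The SQL case from the slide, as an added example (not the slides' own code): an in-memory SQLite table, a lookup that concatenates untrusted input into the query, and the parameterized lookup that keeps data and command apart. Table contents and function names are constructed for the demo.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users and their e-mail addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def lookup_insecure(conn: sqlite3.Connection, name: str) -> List[str]:
    # Untrusted input is spliced into the SQL text, so the interpreter
    # cannot tell where the value ends and the command begins.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup(conn: sqlite3.Connection, name: str) -> List[str]:
    # Parameterized query: the driver binds name as a value, never as SQL,
    # so quotes inside it are just characters.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> Tuple[List[str], List[str]]:
    """Returns (insecure result, parameterized result) for one crafted value."""
    conn = make_db()
    crafted = "' OR '1'='1"    # a stray quote turns the rest of the input into SQL
    return lookup_insecure(conn, crafted), lookup(conn, crafted)


if __name__ == "__main__":
    insecure, safe = demo()
    print(insecure)   # every e-mail in the table
    print(safe)       # [] : no user has that literal name
```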


Insecure Design

 Many web applications do not properly protect sensitive data, such as credit cards, Social Security Numbers (SSNs), and authentication credentials, with appropriate encryption or hashing.
 Related to risks posed by insecure software architecture.


Security Misconfiguration

 Design or configuration weaknesses that result from a configuration error or shortcoming.
 Risks: Weak default settings, outdated systems.
 Impact: Exploitable gaps in application defenses.
 Mitigation: Regular updates, secure configurations.


Vulnerable and Outdated Components

 Components with known vulnerabilities, such as CVEs, should be identified and patched, whereas stale or malicious components should be evaluated for viability and the risk they may introduce.
 Risks: Exploitable libraries (e.g., Log4j vulnerabilities).
 Impact: Server takeovers, data loss.
 Mitigation: Update libraries, monitor for vulnerabilities.
 Example: Unpatched software with known exploits.


Identification and Authentication Failures

 Includes CWEs related to identification failures, specifically functions related to authentication and session management.
 Mitigation: Robust authentication mechanisms.
 Example: Weak passwords (e.g., "password1").


Software and Data Integrity Failures

 Vulnerabilities in the software supply chain have led to significant attacks in recent years.
 The more pervasive the library, the more likely there will be attempts to exploit it.


Security Logging and Monitoring Failures

 Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response.
 Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
 Risks: Undetected breaches, prolonged attacks.
 Impact: Extensive data and financial loss.
 Mitigation: Implement comprehensive logging and monitoring.
 Example: Failing to log failed login attempts.
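The "failing to log failed login attempts" example, carried one step further as an added example that is not from the slides: once failures are logged, a few lines of monitoring over them flag a source/user pair that keeps failing inside a short window. The log format, the sample lines (documentation IP ranges) and the threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

# Constructed sample auth-log lines, not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04Z login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06Z login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:07Z login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09Z login OK user=alice src=203.0.113.7
2024-05-01T10:30:00Z login FAIL user=bob src=198.51.100.9
2024-05-01T11:15:00Z login FAIL user=bob src=198.51.100.9
"""

LINE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, result, user, src); lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """Return (src, user) pairs with >= threshold failures inside a sliding window."""
    failures = defaultdict(list)      # (src, user) -> timestamps of recent failures
    alerts = set()
    for ts, result, user, src in parse(log_text):
        if result != "FAIL":
            continue
        recent = failures[(src, user)]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.add((src, user))
    return sorted(alerts)


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))   # [('203.0.113.7', 'alice')]
```

Bob's two failures are 45 minutes apart, so they never share a window and produce no alert; without the FAIL lines being logged at all, neither case is visible.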


Server-Side Request Forgery (SSRF)

 Web applications often rely on network requests to query external resources and retrieve data in order to process it.
 SSRF can happen when a web application fetches a remote resource without validating the user-supplied URL.
 The severity and incidence of SSRF attacks are increasing due to cloud services and the increased complexity of architectures.
 Risks: Outbound request manipulation.
 Impact: Internal network compromise.
 Mitigation: Validate and restrict network requests.
 Example: Exploiting SSRF to retrieve internal system files.
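The "validate and restrict network requests" mitigation, as an added example that is not from the slides: a user-supplied URL is accepted only if it is https, on the default port, and names a host on an allowlist; a second check, meant to run on the addresses that host actually resolves to, refuses any non-public address so the fetch cannot land on internal ranges. The allowlist and function names are constructed for the demo.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Constructed allowlist of the only hosts this application should fetch from.
ALLOWED_HOSTS = {"api.example.test", "cdn.example.test"}


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable addresses; loopback, RFC 1918,
    link-local and other internal ranges all return False."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def is_safe_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Validate a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":        # no file://, plain http or other schemes
        return False
    host = parts.hostname              # lowercased, userinfo ("user@") stripped
    if host is None or port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)     # literal IPs would bypass the hostname allowlist
        return False
    except ValueError:
        pass
    return host in allowed_hosts


def resolved_addresses_ok(addresses: Iterable[str]) -> bool:
    """Second check on the addresses the allowlisted host resolved to
    (e.g. from socket.getaddrinfo): every one must be public, so a DNS
    answer pointing into an internal range is refused."""
    addresses = list(addresses)
    return bool(addresses) and all(is_public_ip(a) for a in addresses)


if __name__ == "__main__":
    print(is_safe_url("https://api.example.test/v1/data"))    # True
    print(is_safe_url("https://api.example.test@evil.example/"))   # False
    print(resolved_addresses_ok(["10.0.0.1"]))                 # False
```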
General Recommendations

 Automated Tools: Integrate tools like Seeker®, Coverity®, and Black Duck® into your development and CI/CD pipelines.
 Manual Penetration Testing: Regularly supplement automated scans with manual reviews.
 Secure Development Practices: Shift left with secure design, threat modeling, and architecture reviews.
 Continuous Monitoring: Use IAST for dynamic runtime assessments.


 Contents of the slides are taken from the following resources:
1. https://owasp.org/Top10/
2. https://www.blackduck.com/glossary/what-is-owasp-top-10.html
3. https://www.cloudflare.com/learning/security/threats/owasp-top-10/
