Unit III

Secure coding practices and OWASP top 10

Declarative security
Declarative security is a security approach that focuses on defining
the desired security policies and rules in a high-level, declarative
manner rather than specifying the exact procedures or steps to
achieve security.
The term "declarative" comes from the concept of declaring what
you want to be done.
In declarative security, administrators or developers express
security policies and access control rules using a set of predefined
rules, policies, or a specialized language.
These policies who can access what resources, what actions they
can perform on those resources, and under what conditions such
permissions are granted or denied.
Advantages of declarative security
include
1.Simplicity: By expressing security policies in a clear ,it
becomes easier for administrators to manage and maintain
security configurations.
2.Abstraction: Declarative security abstracts away the
complexity of implementing security mechanisms, making it
easier to manage and enforce security across the entire
system.
3.Flexibility: Changes in policies can be applied without altering
the underlying implementation.
4.Separation of concerns: It separates security concerns from the
application logic, promoting better software design and
maintainability.
Common examples of declarative
security include
1.Role-Based Access Control (RBAC): RBAC defines access control
based on user roles and permissions. Administrators assign users
specific roles, and each role is associated with a set of
permissions, determining what actions users with that role can
perform.
2.Attribute-Based Access Control (ABAC): ABAC determines access
based on attributes associated with users, resources, and
environmental conditions.
3.AWS IAM Policies: In Amazon Web Services (AWS), Identity and
Access Management (IAM) policies are used to declaratively
define what AWS resources users and roles can access and what
actions they can perform.
Overall, declarative security offers a powerful and flexible way to
manage security in complex systems, helping to maintain
consistency and reduce the risk of misconfigurations or security
vulnerabilities.
programmatic security
• Programmatic security is an approach to implementing security
measures within a software application using code and
programmable logic. Unlike declarative security, which involves
defining security policies in a high-level, abstract manner,
programmatic security is more hands-on and involves writing.
• In programmatic security, developers explicitly implement
security checks and mechanisms throughout the application code
to ensure that only authorized users can access specific
resources or perform certain actions.
• This approach involves using security libraries, frameworks, or
programming interfaces provided by the application platform or
third-party security solutions.
examples of programmatic security
techniques include
1.authentication: Implementing login functionality and user
authentication to verify the identity of users before granting
access.
2.Authorization: Enforcing access controls to determine whether
authenticated users have the appropriate permissions to
perform specific actions or access certain resources.
3.Input validation: Validating and sanitizing user inputs to prevent
common security vulnerabilities such as SQL injection, cross-site
scripting (XSS), and other forms of code injection attacks.
4.Session management: Handling user sessions securely,
including session creation, maintenance, and termination, to
prevent unauthorized access and session hijacking.
5.Encryption and hashing: Protecting sensitive data by using encryption
and secure hashing algorithms to ensure data confidentiality and
integrity.

6.Role-based access control (RBAC): Implementing RBAC in code to

control access based on predefined roles and permissions.

7.Secure coding practices: Following security best practices and

guidelines while writing code to minimize vulnerabilities and potential
exploits.

Programmatic security requires a thorough understanding of security

principles, potential threats, and the specific security requirements of the
application.

a combination of both programmatic and declarative security can provide

a comprehensive and robust security strategy for software applications.
concurrency
Concurrency-related security issues can arise in web
applications due to the nature of modern web
technologies, such as multi-threading, asynchronous
programming, and distributed computing. Common
security challenges in concurrent web applications
include race conditions, deadlocks, inconsistent state,
and improper synchronization of shared resources.
1.OWASP Top Ten: The OWASP Top Ten is a well-known document
that lists the most critical web application security risks. Some of
these risks, like Injection, Cross-Site Scripting (XSS), and Insecure
Direct Object References, can be relevant in concurrent environments.

2.OWASP Application Security Verification Standard (ASVS):

ASVS provides a framework for testing and verifying the security of
web applications. While it may not explicitly cover concurrency, it can
help identify vulnerabilities in web applications.

3. OWASP Web Security Testing Guide (WSTG): The WSTG is a

comprehensive guide for testing web application security. While it
may not be specifically focused on concurrency, it covers various
testing methodologies that can help assess security in web
applications, including potential vulnerabilities related to concurrency.

4.OWASP Secure Coding Practices Quick Reference Guide: This

guide offers practical guidance on secure coding principles for various
programming languages. Following secure coding practices is
essential for writing concurrent code that is less prone to security
issues.
configuration
• In the context of the Open Web Application Security
Project (OWASP), "configuration" typically refers to the
security configuration of web applications, web servers,
databases, and other components involved in the
application's architecture. Properly configuring these
components is crucial to ensure that the application
operates securely .
• OWASP acknowledges the significance of secure
configuration and offers guidance and resources to help
developers and administrators mitigate potential risks.
OWASP projects and resources
related to configuration security
include
1.OWASP Application Security Verification
Standard (ASVS): ASVS includes requirements for
secure configuration in its various levels. It outlines
security controls that should be in place to the proper
configuration of web applications and their components.
2.OWASP Web Security Testing Guide (WSTG): The
WSTG provides guidance on testing the security of web
applications, including how to assess configuration-
related security issues.
3.OWASP Cheat Sheet Series: The OWASP Cheat
Sheet Series includes a "Secure Configuration Cheat
Sheet" that provides guidelines for securely configuring
4.OWASP Application Security Curriculum: OWASP provides a
collection of educational materials and exercises for application security
training. This curriculum may cover security configuration concepts and
practices.

5.OWASP Security Knowledge Framework: The Security Knowledge

Framework (SKF) is a web application that helps developers and security
professionals learn and identify security-related best practices

security configuration can help prevent various types of attacks, such as

injection attacks, insecure defaults, sensitive data exposure, and more.

Secure configuration involves setting appropriate values for security-

related parameters, enabling security features, and disabling
unnecessary or risky options.
cryptography
Cryptography is the science and practice of securing
information by converting it into a form that is
unreadable for unauthorized users.
It involves techniques for encoding and decoding data to
protect its confidentiality, integrity, and authenticity.
Cryptography is widely used in various fields, including
computer security, data protection, electronic commerce,
and communication networks.
The main goals of cryptography are
1.Confidentiality: Ensuring that only authorized parties can access and
read the encrypted data. Cryptographic algorithms scramble the original
data in such a way that it becomes unreadable without the proper
decryption key.
2.Integrity: Verifying that the data has not been altered or tampered with
during transmission or storage. Cryptographic techniques can detect any
unauthorized changes to the encrypted data.
3.Authentication: Verifying the identity of the communicating.
Cryptographic protocols can help establish the authenticity of users and
prevent impersonation.
4.Non-repudiation: Ensuring that a sender cannot deny sending a
specific message, and a receiver cannot deny receiving it. Cryptography
can provide mechanisms to prove the origin and delivery of messages.
There are two main categories of
cryptography
1.Symmetric Key Cryptography (Secret Key Cryptography): In
symmetric key cryptography, the same secret key is used for both
encryption and decryption. Both the sender and the receiver must
possess the secret key and keep it secure. While symmetric key
cryptography is fast and efficient.
2.Asymmetric Key Cryptography (Public Key Cryptography):
Asymmetric key cryptography uses a pair of mathematically related
keys: a public key and a private key. The public key is used for
encryption, while the private key is used for decryption. Anyone can
use the public key to encrypt data, but only the recipient with the
corresponding private key can decrypt it. Asymmetric cryptography
solves the key distribution problem faced by symmetric cryptography,
but it is typically slower and computationally more intensive.
Input and output sanitization
Input and output sanitization are critical security
measures used to protect web applications and software
systems from various forms of attacks, particularly those
related to data manipulation and injection vulnerabilities.
These techniques aim to ensure that user-supplied input
data is safe and free from malicious content, and that the
output data presented to users or stored in databases is
properly formatted and secure.
Input Sanitization:
Input sanitization, also known as input validation or input filtering,
involves inspecting and cleansing user-supplied data.
The goal is to prevent attackers from injecting malicious content or
exploiting vulnerabilities through crafted input.
Common types of input sanitization include:
• Whitelisting: Only allowing specific characters or patterns in user
input, effectively rejecting any input that does not conform to the
specified format.
• Blacklisting: Disallowing known harmful characters or patterns in
input data. However, blacklisting can be less effective than
whitelisting since attackers can find alternative ways to evade the
blacklist.
•Encoding: For example, converting "<" to "<" to prevent HTML
injection.

•Length Validation: Ensuring that input data to specified length limits

to avoid buffer overflow and other related vulnerabilities.

Proper input sanitization helps prevent various attacks, such as Cross-

Site Scripting (XSS), SQL injection, Command Injection, and Directory
Traversal.