Notes On Web Security Programming

Submitted By Mohantyankit
Words: 2128
Pages: 9

INFO6026
Web Security Programming






2

Test 1: Review
OWASP Top 10
Defense Approaches
Classification and Prioritization Systems

INFO6026

TEST 1: Review

OWASP: TOP 10
Open Web Application Security Project https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • Web applications are uniquely vulnerable
• It is estimated that up to 70 percent of attacks come through web applications
• This stems from the fact that user traffic needs to pass through the firewall to the web application

• Firewalls alone are an ineffective defense for attacks against web applications
• Unfortunately, most companies spend much more resources on network defense, than on building or configuring their web applications properly
5

INFO6026

The information presented here is from the 2013 release. • The official list was released in April 2013

OWASP
• Open Web Application Security Project
• Non-Profit
• Identifies the ten most critical web application security risks at time of release
• http://www.owasp.org
6

INFO6026

7

INFO6026

• Attacker can use many paths through a web application to harm the organization
• Each of these paths represents a risk
• The OWASP top 10 attempts to identify the most dangerous risks
• serious enough to warrant attention

8

INFO6026

For each risk OWASP provides detailed information
• Threat Agents
• Where are these attacks going to come from

• Attack Vector
• How easy is it to perform the attack

• Weakness Prevalence
• How Common is the weakness

• Weakness Detectability
• How easy is it to detect the weakness

9

INFO6026

• Technical Impact
• How severe will the attack be on the infrastructure

• Business Impact
• What will be the varied costs to the business if a successful attack takes place

10

INFO6026

Threat Agent Factors

How technically skilled is this group of threat agents?






12

Security penetration skills
Network and programming skills
Advanced computer user
Some technical skills
No technical skills

INFO6026

How motivated is this group of threat agents to find and exploit this vulnerability?
• Low or no reward
• Possible reward
• High reward

13

INFO6026

What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability?
• Full access or expensive resources required
• Special access or resources required
• Some access or resources required
• No access or resources required

14

INFO6026

How large is this group of threat agents?







15

Developers
System administrators
Intranet users
Partners
Authenticated users anonymous Internet users

INFO6026

Vulnerability Factors

How easy is it for this group of threat agents to discover this vulnerability?





17

Practically impossible
Difficult
Easy
Automated tools available

INFO6026

How easy is it for this group of threat agents to actually exploit this vulnerability?





18

Theoretical
Difficult
Easy
Automated tools available

INFO6026

How well known is this vulnerability to this group of threat agents?





19

Unknown
Hidden
Obvious
Public knowledge

INFO6026

How likely is an exploit to be detected?





20

Active detection in application
Logged and reviewed
Logged without review
Not logged

INFO6026

• Loss of confidentiality
• How much data could be disclosed and how sensitive is it?

• Loss of integrity
• How much data could be corrupted and how damaged is it?

• Loss of availability
• How much service could be lost and how vital is it?

• Loss of accountability
• Are the threat agents' actions traceable to an individual?

21

INFO6026

• Financial damage
• How much financial damage will result from an exploit?

• Reputation damage
• Would an exploit result in reputation damage that would harm the business?

• Non-compliance
• How much exposure does non-compliance introduce?

• Privacy violation
• How much personally identifiable information could be disclosed? 22

INFO6026

OWASP Top 10 Highlights

• Common