
A03 – Injection

•User input is not validated, filtered or sanitized by the application.

•User input is used directly in, or concatenated into, a query or command that an interpreter executes.
- SQL injection
- Command injection

A03 – How to prevent

•Do not pass user input directly to executable statements.

•Prepared statements
- Parameterized queries: the statement text is fixed and user values are bound as data, so they can never change the structure of the query.
- Where a value cannot be parameterized (table or column names), allow-list it instead of escaping by hand.

•Keep the database engine patched and up to date.
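The two injection classes from the previous slide and the prepared-statement fix, as an added example (not part of the original slides). It uses an in-memory SQLite table with constructed rows; the command-injection half uses `echo` so the shell's behaviour is visible without running anything harmful.

```python
import sqlite3
import subprocess


def make_db():
    """Constructed sample table for the example: two users with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """A03 failure: user input concatenated straight into the SQL text."""
    sql = ("SELECT id FROM users WHERE name = '" + name +
           "' AND password = '" + password + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Prepared statement: the driver binds the values, they never become SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_vulnerable(user_value):
    """Command injection: shell=True hands the string to /bin/sh, so ';' splits commands."""
    out = subprocess.run("echo " + user_value, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_safe(user_value):
    """No shell involved: the value is passed as one literal argv element."""
    out = subprocess.run(["echo", user_value], capture_output=True, text=True)
    return out.stdout
```

With the payload `wrong' OR '1'='1` the concatenated query matches every row, while the parameterized version looks for a password that literally contains the quotes and finds nothing. Likewise `hi; echo INJECTED` runs a second command through the shell but is printed verbatim by the argv form.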

A04 – Insecure Design

•A secure design can still have an insecure implementation.

•An insecure design cannot be fixed by a perfect implementation, because the needed security controls were never designed in.

A04 – How to prevent

•Secure Development Lifecycle (SDL)

•Threat modeling (see the Threat Modeling Manifesto).

A05 – Security Misconfiguration

•Missing security hardening across any part of the application stack


•Unnecessary features are enabled or installed
- Unnecessary ports
- Services
- Accounts

•Default accounts
•Default passwords

A05 – How to prevent

•Apply security hardening


•Close unnecessary ports
•Disable unnecessary services
•Remove default accounts
•Change default passwords
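A small audit of the items on this slide, as an added example (not from the original slides): it parses constructed `ss -Hltn`-style output and a constructed account list and reports listening ports outside a baseline and default or password-less accounts. The baseline sets are assumptions for the example.

```python
# Constructed sample of `ss -Hltn`-style output (made up for the example, not from a real host):
# state, recv-q, send-q, local address:port, peer address:port.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 50 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
"""

# Constructed account list as (name, password-hash field); the hashes are dummies.
SAMPLE_ACCOUNTS = [
    ("root", "$6$dummy"),
    ("admin", "$6$dummy"),   # vendor default account still present
    ("guest", ""),           # empty password field: login without a password
    ("deploy", "$6$dummy"),
]

# Baseline for this host (assumption for the example): what it is allowed to expose.
ALLOWED_PORTS = {22, 443}
DEFAULT_ACCOUNT_NAMES = {"admin", "guest", "test", "tomcat", "postgres", "oracle"}
LOOPBACK = {"127.0.0.1", "[::1]"}


def listening_ports(ss_output):
    """Parse (local address, port) pairs out of ss-style LISTEN lines."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        found.append((addr, int(port)))
    return found


def unexpected_ports(ss_output, allowed=ALLOWED_PORTS):
    """Ports bound to a non-loopback address that the baseline does not allow."""
    return sorted(port for addr, port in listening_ports(ss_output)
                  if addr not in LOOPBACK and port not in allowed)


def risky_accounts(accounts, defaults=DEFAULT_ACCOUNT_NAMES):
    """Default account names still present, and accounts whose password field is empty."""
    findings = []
    for name, hash_field in accounts:
        if name in defaults:
            findings.append((name, "default account present"))
        if hash_field == "":
            findings.append((name, "empty password"))
    return findings
```

An unchanged vendor default password cannot be spotted from a hash; that check needs an authenticated login attempt with the vendor's documented default credentials, which is what a configuration scanner does.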

A06 – Vulnerable and Outdated Components

•Software is vulnerable, unsupported or outdated, including libraries and frameworks pulled in as dependencies.

- Apache Log4j (Log4Shell, CVE-2021-44228)

A06 – How to prevent

•Update software continuously from trusted sources and remove unused dependencies.

•Use software composition analysis (SCA) tools to inventory dependencies and match them against vulnerability databases.
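What an SCA tool does at its core, as an added example (not from the original slides): parse a dependency manifest and match each coordinate and version against advisory ranges. The manifest is constructed. The two advisories are real (CVE-2021-44228 affects log4j-core before 2.15.0, CVE-2021-45046 before 2.16.0), but the version handling is simplified: pre-release qualifiers are dropped and the 2.12.x backport fixes are ignored.

```python
import re

# Constructed dependency manifest in "group:artifact:version" form (made up for the example).
SAMPLE_MANIFEST = """\
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.17.1
com.fasterxml.jackson.core:jackson-databind:2.13.4
org.springframework:spring-core:5.3.20
"""

# Advisory data: (group:artifact, first affected, first fixed, advisory id).
# Simplified ranges; a real feed also carries the 2.12.x backport releases.
ADVISORIES = [
    ("org.apache.logging.log4j:log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
    ("org.apache.logging.log4j:log4j-core", "2.0", "2.16.0", "CVE-2021-45046"),
]


def version_key(version):
    """Numeric tuple for comparison; qualifiers like '-beta9' are dropped (simplification)."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def parse_manifest(text):
    """Yield (group:artifact, version) for each non-empty, non-comment line."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_vulnerable(manifest_text, advisories=ADVISORIES):
    """Match every dependency against every advisory: same coordinate and introduced <= v < fixed."""
    findings = []
    for coord, version in parse_manifest(manifest_text):
        v = version_key(version)
        for adv_coord, introduced, fixed, adv_id in advisories:
            if coord == adv_coord and version_key(introduced) <= v < version_key(fixed):
                findings.append((coord, version, adv_id))
    return findings
```

Note that `log4j-api` at 2.17.1 is not flagged: the match is on the exact coordinate, not on the product name, which is why transitive dependencies need to be resolved into the manifest before scanning.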

A07 – Identification and Authentication Failures

•Missing brute-force protection

•Missing multi-factor authentication
•Using default, weak or well-known passwords.
•Reusing the session identifier after successful login (session fixation)

A07 – How to prevent

•Implement brute-force protection (rate limiting, lockout or delays after repeated failures)

•Implement multi-factor authentication
•Change default credentials
•Enforce password strength (minimum length and breached-password checks, not just composition rules)
•Rotate session IDs after successful login
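The brute-force lockout and session-ID rotation from this slide in one small login service, as an added example (not from the original slides). Passwords are stored with PBKDF2 from the standard library; the clock is injectable so lockout expiry can be tested, and the iteration count is lowered for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict


class AuthService:
    """Login with lockout after repeated failures and session-id rotation on success."""
    MAX_FAILURES = 5          # failures allowed inside LOCKOUT_SECONDS before locking
    LOCKOUT_SECONDS = 300
    ITERATIONS = 50_000       # lowered for the example; production uses a tuned, much higher cost
    DUMMY_SALT = b"\x00" * 16

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so lockout expiry can be tested
        self.users = {}                       # username -> (salt, pbkdf2 hash)
        self.failures = defaultdict(list)     # username -> timestamps of recent failures
        self.sessions = {}                    # session id -> username (None = anonymous)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def start_anonymous_session(self):
        """Pre-login session (e.g. a shopping cart); it must not survive authentication."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def _locked(self, username):
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < self.LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= self.MAX_FAILURES

    def login(self, username, password, presented_session=None):
        """Returns (True, new_session_id) or (False, 'locked' | 'invalid')."""
        if self._locked(username):
            return False, "locked"
        salt, stored = self.users.get(username, (self.DUMMY_SALT, b""))
        # Hash even for unknown users so response time does not reveal which names exist.
        ok = hmac.compare_digest(stored, self._hash(password, salt))
        if not ok:
            self.failures[username].append(self.clock())
            return False, "invalid"
        self.failures[username].clear()
        # Rotate: the id the client arrived with is invalidated and a fresh one is issued,
        # so an id planted by an attacker before login is worthless afterwards.
        self.sessions.pop(presented_session, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return True, sid
```

A per-account lockout like this lets an attacker lock a victim out on purpose, so in practice it is paired with per-source rate limiting and a lockout window short enough to be a nuisance rather than a denial of service.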

A08 – Software and Data Integrity Failures

•Code and infrastructure that do not protect against integrity violations: updates, plugins, libraries or CI/CD pipeline artifacts that are consumed without verifying their origin and integrity.
- SolarWinds Orion supply-chain attack (2020)

A08 – How to prevent

•Use digital signatures or checksums to verify that software and data come from the expected source and have not been altered

•Ensure libraries and dependencies are consumed only from trusted repositories
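The integrity and trusted-source checks from this slide as a build-step gate, an added example (not from the original slides). It pins SHA-256 checksums of reviewed artifacts and refuses anything unpinned, mismatching, or fetched from outside an assumed allow-list of repository hosts; the artifact bytes and hosts are constructed for the example. A pinned manifest covers the "not altered" half; the manifest itself would be signed (e.g. with Sigstore or GPG) so it cannot be swapped along with the file.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allow-list of repositories this build may download from (example values).
TRUSTED_HOSTS = {"repo.example.internal", "pypi.org", "files.pythonhosted.org"}


class IntegrityError(Exception):
    pass


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(trusted_artifacts):
    """Pin the SHA-256 of each artifact at the moment it is reviewed and trusted."""
    return {name: sha256_hex(data) for name, data in trusted_artifacts.items()}


def verify_artifact(name, data, manifest):
    """True only when a pin exists and matches; anything unpinned is untrusted by default."""
    expected = manifest.get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(data))


def is_trusted_source(url):
    """HTTPS only, and only from an allow-listed repository host."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in TRUSTED_HOSTS


def accept_download(name, url, data, manifest):
    """Gate used by a build step: raise instead of installing anything unverified."""
    if not is_trusted_source(url):
        raise IntegrityError(f"{name}: untrusted source {url}")
    if not verify_artifact(name, data, manifest):
        raise IntegrityError(f"{name}: checksum mismatch or no pin")
    return data
```

This is the same model package managers expose as hash-pinned lockfiles (for example `pip install --require-hashes`): the pin is taken once from a reviewed copy, and every later fetch must reproduce it.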

A09 – Security Logging and Monitoring Failures

•Insufficient logging
- Logins
- Failed Logins
- High value transactions

•Logs are only stored locally, so an attacker who compromises the host can alter or delete them

A09 – How to prevent

•Log important events with sufficient user context

- Username
- Client IP
- Time

•Ship logs off the host to a central store and monitor them for suspicious patterns
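A structured login record carrying the three fields from this slide, and a detection that only works because those fields are present, as an added example (not from the original slides). The sample log is constructed: one address tries five different accounts in forty seconds, another has an ordinary failed-then-successful login.

```python
import json
from datetime import datetime, timezone


def auth_event(event, username, client_ip, success, when=None):
    """One structured log line with the context the slide asks for: who, from where, when."""
    when = when or datetime.now(timezone.utc)
    record = {"ts": when.isoformat(), "event": event, "user": username,
              "client_ip": client_ip, "success": success}
    return json.dumps(record, sort_keys=True)


# Constructed sample log (not from a real system), built with auth_event().
SAMPLE_LOG = [
    auth_event("login", user, "203.0.113.9", False,
               datetime(2024, 5, 1, 12, 0, 10 * i, tzinfo=timezone.utc))
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])
] + [
    auth_event("login", "frank", "198.51.100.4", False,
               datetime(2024, 5, 1, 12, 5, 0, tzinfo=timezone.utc)),
    auth_event("login", "frank", "198.51.100.4", True,
               datetime(2024, 5, 1, 12, 5, 30, tzinfo=timezone.utc)),
]


def failed_logins_by_ip(lines, window_seconds=300, threshold=5):
    """Return {client_ip: (max failures in any window, distinct users tried)} for IPs at or over threshold."""
    per_ip = {}
    for line in lines:
        rec = json.loads(line)
        if rec["event"] != "login" or rec["success"]:
            continue
        ts = datetime.fromisoformat(rec["ts"])
        per_ip.setdefault(rec["client_ip"], []).append((ts, rec["user"]))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # failures in the window that opens at this event
            n = sum(1 for ts, _ in events[i:] if (ts - start).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= threshold:
            alerts[ip] = (best, len({user for _, user in events}))
    return alerts
```

Without the client IP the five failures look like five unrelated users mistyping a password; with it, and with a timestamp to window on, they are one source spraying credentials. Many distinct users from one address is the credential-stuffing signature, whereas many failures for one user from one address is a plain brute-force attempt.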

A10 – Server-Side Request Forgery (SSRF)

•A web application fetches a remote resource without validating the user-supplied URL, so an attacker can make the server send requests to internal systems it can reach but the attacker cannot.

A10 – How to prevent

•Sanitize and validate all client-supplied input data

•Validate URL components.
- URL scheme, port and destination (reject loopback, private, link-local and other non-public addresses, including cloud metadata endpoints)

•Do not send raw responses to the client
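The scheme, port and destination checks plus response filtering from this slide, as an added example (not from the original slides). The allowed schemes, ports and content types are assumptions for the example; the resolver is injectable so the tests run offline with a constructed name-to-address mapping.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for the fetcher (example values): only web URLs on standard ports,
# only to publicly routable destinations, and only a few response types relayed.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "application/json"}


def resolve_all(host):
    """Default resolver: every address the name maps to, v4 and v6."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text):
    addr = ipaddress.ip_address(text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url, resolver=resolve_all):
    """Check scheme, port and destination; returns (ok, reason)."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    if p.username or p.password:
        return False, "credentials in url"
    host = p.hostname
    if not host:
        return False, "no host"
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:
        return False, "port"
    if port not in ALLOWED_PORTS:
        return False, "port"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = set(resolver(host))             # a name may map to several addresses
        except OSError:
            return False, "unresolvable"
    # Every resolved address must be public; one internal A/AAAA record is enough to reject.
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "destination not public"
    return True, "ok"


def filter_response(content_type, body, max_bytes=1_000_000):
    """Relay only expected content types and sizes, never the upstream response verbatim."""
    base = content_type.split(";", 1)[0].strip().lower()
    if base not in ALLOWED_CONTENT_TYPES or len(body) > max_bytes:
        return None
    return body
```

Two caveats a validator like this does not cover on its own: the HTTP client must connect to the address that was validated rather than resolve the name a second time (DNS rebinding), and redirects must either be disabled or re-validated hop by hop, since an allowed public host can 302 to an internal one.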
