OWASP and Secure Coding Practices


Questions and Answers

What is the primary goal of software security according to OWASP?

  • To maintain the confidentiality, integrity, and availability of information resources. (correct)
  • To develop software rapidly, ignoring potential vulnerabilities.
  • To focus solely on the aesthetic design of software applications.
  • To make software as complex as possible to deter reverse engineering.

At which stage of the Software Development Life Cycle (SDLC) can software security flaws be introduced?

  • Only during the coding phase.
  • Only during the deployment phase.
  • At the analysis, design, implementation, and maintenance stages. (correct)
  • Only during the testing phase.

Why is input validation crucial in secure coding practices?

  • To ensure that only properly formatted data is entered into the system, protecting the database. (correct)
  • To restrict users from providing any input to the system.
  • To bypass security checks and allow any type of data to be processed.
  • To speed up the user interface response time.

What is the primary focus of password management in the context of application security?

  • Storing passwords in a way that prevents them from being recovered by an attacker, even if the database is compromised. (correct)

Which of the following should occur when a user logs out of a web application to ensure secure session management?

  • Terminating the associated session completely. (correct)

What does error handling primarily involve in secure coding practices?

  • Anticipation, detection, and resolution of programming, application, and communications errors without exposing sensitive information. (correct)

Why is it important for databases to be isolated in secure coding practices?

  • To minimize the risk of unauthorized access and potential breaches. (correct)

What does proper memory management involve in secure coding?

  • Strict programming discipline to ensure the long-term correctness and reliability of the programs. (correct)

What is the purpose of OWASP?

  • To improve the security of software. (correct)

What does OWASP promote to protect the web?

  • Community-led open source software projects. (correct)

How often do OWASP and ARU meet?

  • Every 3-4 months. (correct)

Which of the following is a type of injection vulnerability?

  • SQL injection. (correct)

What is the major objective of utilizing parameterized queries?

  • They help prevent SQL injection attacks by treating user inputs as data rather than executable code. (correct)

What is the primary impact of a Broken Authentication vulnerability?

  • Allows attackers to compromise passwords and bypass authentication controls. (correct)

Which of the following is a potential consequence of Sensitive Data Exposure?

  • Compromised financial or healthcare information. (correct)

What does an XML External Entity (XXE) vulnerability allow an attacker to do?

  • Load external entity values from outside the document type definition based on the contents of a file path or URL. (correct)

What is the primary risk associated with Broken Access Control?

  • Attackers gain unauthorized access to functionality and data. (correct)

What is a typical cause of Security Misconfiguration?

  • Insecure default configurations and verbose error messages. (correct)

What is the main purpose of a Cross-Site Scripting (XSS) attack?

  • To inject client-side scripts into web pages viewed by other users, potentially stealing cookies or defacing websites. (correct)

In the context of Insecure Deserialization vulnerabilities, what does deserialization refer to?

  • Reconstructing an object or data structure from its stored or transmitted (serialized) form. (correct)

What is a common consequence of insecure deserialization?

  • Remote code execution. (correct)

What does it mean to use components with known vulnerabilities?

  • The libraries and frameworks in use have published flaws that an attacker can exploit. (correct)

What does failing to log and monitor make difficult?

  • Detecting suspicious activity. (correct)

Select the security practices that are part of the OWASP secure coding practice checklist.

  • Output Encoding (correct)

What is OWASP?

  • A non-profit foundation that works to improve the security of software. (correct)

What is the meaning of availability within the CIA triad?

  • Authorized users have reliable and timely access to resources. (correct)

Why is it advised not to hardcode passwords?

  • It creates a significant vulnerability if the code is exposed or compromised. (correct)

Which of the following is an example of the implementation of security controls?

  • Implementing data encryption. (correct)

If a database is left at its default configuration without additional security, which vulnerability is possible?

  • Security Misconfiguration. (correct)

How can cross-site scripting be used?

  • To run attacker-supplied client-side scripts in other users' browsers. (correct)

What has to be done to data for it to be available?

  • Protected. (correct)

What can using applications with no authentication lead to?

  • Vulnerabilities. (correct)

How can XML external entities be defined?

  • From an external source. (correct)

What does broken access control lead to?

  • Data breaches and theft. (correct)

How can logging reduce a vulnerability?

  • Log and monitor so the activity is reported. (correct)

What is the function of the session ID or token?

  • It links the user's authentication credentials to the user's HTTP session traffic. (correct)

Why is security compliance often bypassed?

  • The business believes the cost doesn't justify the means. (correct)

Why are standards often bypassed?

  • They are too extensive and time consuming. (correct)

In the context of OWASP guidelines, what is the purpose of regularly turning off default settings?

  • To decrease vulnerability. (correct)

Flashcards

What is OWASP?

A nonprofit foundation improving software security through community-led projects, members, and conferences.

Goal of Software Security

Maintaining confidentiality, integrity, and availability of information resources.

How to Achieve Software Security

Implementing security controls to reduce the likelihood of software vulnerabilities.

What is Input Validation?

Ensuring that only properly formatted data is entered into the system.

Input Validation Examples

Minimum/maximum value ranges, data type checks, allowed values and a standard data encoding.

Why Validate Inputs?

Ensuring the application only accepts expected inputs.

Authentication & Password Management

Verifying user identity and managing passwords to prevent unauthorized access.

Authentication Best Practices

Fail securely, hash passwords, enforce complexity, centralize controls, no hardcoding.

What is a Web Session?

A sequence of HTTP request/response transactions associated with the same user.

Practices for Session Management

Terminate correctly, enable logout on all pages, use inactivity timeouts, regenerate the ID after re-authentication.

What are Cryptographic Practices?

Protecting data confidentiality and integrity via industry-standard cryptographic methods.

Best Practices for Cryptography

Fail securely, use a cryptographic random number generator, use approved functions, FIPS 140-2 compliance.

What is Error Handling?

Anticipation, detection, and resolution of errors in programs and applications.

Best Practices for Error Handling

Prevent sensitive information leakage and show only generic messages to users.

What is Database Security?

Encompasses a range of security controls aimed at protecting the database.

Database Security Checklist

Parameterized queries, input validation and output encoding, strong typing, close connections, disable defaults.

What is Memory Management?

The process of controlling and coordinating how software applications use computer memory.

Memory Management Best Practices

Check buffer sizes, free allocated memory, control input/output, close resources explicitly.

What is Injection?

Untrusted data sent to an interpreter is executed as part of a command/query.

What is SQL Injection?

Placing malicious code in SQL statements via web page inputs.

What is Broken Authentication?

Attackers bypass or compromise authentication factors due to implementation flaws.

What is Sensitive Data Exposure?

Web apps do not protect sensitive data appropriately.

What are XML External Entities (XXE)?

XML entity values are loaded from outside the document type definition.

What is Broken Access Control?

Restrictions on actions authenticated users can perform are not properly enforced.

What is Security Misconfiguration?

Result of insecure settings, incomplete configurations, or verbose error messages.

What is Cross-Site Scripting (XSS)?

Attackers inject client-side scripts into web pages viewed by other users.

What is Serialization?

Translating data structures into a storable/transmittable format.

What is Insecure Deserialization?

Deserializing untrusted data without integrity checks; often leads to remote code execution or a backdoor.

Vulnerable Components

Exploiting known flaws in application components (libraries, frameworks).

Insufficient Logging & Monitoring

Apps don't sufficiently log, monitor, and report security incidents.

Study Notes

OWASP Overview

  • OWASP (Open Web Application Security Project) is a nonprofit foundation.
  • It aims to improve software security through community-led open source projects.
  • This includes educational resources, training, and conferences.
  • OWASP serves as a resource for developers and technologists looking to secure the web.
  • It was founded in December 2001.

Secure Coding Practices

  • The goal is to maintain the confidentiality, integrity, and availability of information.
  • This can be achieved by implementing security controls to mitigate software vulnerabilities.
  • Software security flaws can be introduced at any stage of the Software Development Lifecycle (SDLC).
  • This includes failing to identify security requirements upfront, as well as introducing flaws during maintenance or updates.
  • Secure coding practices should be checked for input validation, output encoding, authentication, access control, and cryptographic practices.
  • Error handling and logging, database security, file management and memory management are the other areas the checklist covers.

Input Validation

  • It ensures that only properly formatted data enters the system, protecting the database and downstream code from malformed or corrupted data.
  • Validate against an allow-list of what is expected: minimum/maximum value ranges, data types, allowed values and formats.
  • Decode and normalise all input to a common character set (for example UTF-8) before validating it, so the same check cannot be bypassed with an alternative encoding.
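The checks above as running code, added here as an example and not taken from the OWASP checklist or the page: an allow-list validator for a small registration form. The field names, the numeric range and the username pattern are assumptions chosen for illustration.

```python
import re
import unicodedata

# Added example (not OWASP's code). Field names, ranges and the username
# pattern are assumptions for illustration.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
INT_RE = re.compile(r"-?[0-9]{1,9}")   # strict: no spaces, no '1_000', no '+5'

RULES = {
    "username": {"type": str, "pattern": USERNAME_RE},
    "age":      {"type": int, "min": 13, "max": 120},
    "country":  {"type": str, "allowed": {"GB", "DE", "FR", "US"}},
}


def normalize(raw):
    """Bring input to one common representation (UTF-8 text, Unicode NFC)
    before any check runs, so two encodings of the same text cannot be
    validated differently. Invalid UTF-8 raises UnicodeDecodeError."""
    text = raw.decode("utf-8") if isinstance(raw, bytes) else str(raw)
    return unicodedata.normalize("NFC", text)


def check_field(rule, raw):
    """Return (value, None) on success or (None, reason) on failure."""
    text = normalize(raw)
    if rule["type"] is int:
        if not INT_RE.fullmatch(text):
            return None, "not an integer"
        value = int(text)
        if not rule["min"] <= value <= rule["max"]:
            return None, "out of range"
        return value, None
    if "pattern" in rule and not rule["pattern"].fullmatch(text):
        return None, "bad format"
    if "allowed" in rule and text not in rule["allowed"]:
        return None, "not an allowed value"
    return text, None


def validate(form):
    """Validate a dict of submitted fields against RULES.
    Returns (clean, errors); clean is only usable when errors is empty."""
    clean, errors = {}, {}
    for name in form:
        if name not in RULES:
            errors[name] = "unexpected field"      # reject, never silently drop
    for name, rule in RULES.items():
        if name not in form:
            errors[name] = "missing"
            continue
        value, reason = check_field(rule, form[name])
        if reason:
            errors[name] = reason
        else:
            clean[name] = value
    return clean, errors


if __name__ == "__main__":
    print(validate({"username": "alice_01", "age": "34", "country": "GB"}))
    print(validate({"username": "Alice!", "age": " 34", "country": "XX", "role": "admin"})[1])
```

Unknown fields are reported rather than ignored, because an unexpected `role` parameter is exactly the kind of input an attacker adds to probe for mass-assignment bugs.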

Authentication and Password Management

  • Concerned with storing passwords so that an attacker cannot recover them even if the database is compromised.
  • Authentication should fail securely: any error results in a denied login, never an allowed one.
  • Passwords must be stored only as salted one-way hashes, computed on a trusted system (the server, not the client).
  • Use a single, centralized implementation for all authentication controls.
  • Enforce password length and complexity requirements.
  • Never hardcode passwords or other credentials in source code or in configuration committed alongside it.
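An added example, not OWASP's code or the page's, of the storage and verification side of the points above: salted PBKDF2-HMAC-SHA256 hashing, constant-time comparison, a per-account failed-attempt limit, and a login path that returns False on every failure mode. The iteration count, the lockout threshold and the in-memory `USERS` store are assumptions for illustration; a real system would take its secrets from a secret store and persist the records.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the page. Values below are illustrative assumptions.
ITERATIONS = 600_000       # PBKDF2 work factor; tune to ~0.3 s on the server
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
_DUMMY_SALT = b"\x00" * 16

USERS = {}   # username -> {"salt", "hash", "failures", "locked_until"}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2; the salt comes from the OS CSPRNG, never random.random()."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def register(username, password):
    if len(password) < 12:                       # length is the main complexity lever
        raise ValueError("password too short")
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def login(username, password, now=None):
    """Return True only on a verified match. Every other path returns False
    (fail securely) and does not say which part failed."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        hash_password(password, salt=_DUMMY_SALT)   # same cost as a real check
        return False
    if now < record["locked_until"]:
        return False
    _, candidate = hash_password(password, salt=record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return False


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(login("alice", "correct horse battery"), login("alice", "wrong"))
```

The unknown-user branch still runs the hash so that response time does not reveal which usernames exist; the lockout is per account, which is the defence the page's later Broken Authentication section has in mind for brute force and credential stuffing.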

Session Management

  • A web session is a sequence of network HTTP request and response transactions associated with the same user.
  • It requires retaining user information during the session.
  • The session ID or token binds the user's authentication credentials to the user's HTTP session traffic.
  • Logout functionality should fully end the session and be available from all protected pages.
  • Set a session inactivity timeout that is as short as the application's use allows.
  • Generate a new session identifier on any re-authentication or change of privilege level.
  • Do not allow concurrent logins with the same user ID.
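An added example, not the page's or OWASP's code, that puts the practices in this section into one in-memory session store: identifiers from the OS CSPRNG, inactivity and absolute timeouts, identifier rotation on re-authentication, server-side termination on logout, and one active session per user. The timeout values and the time parameter passed in by callers are assumptions for illustration.

```python
import secrets

# Added example, not from the page. Timeouts are illustrative assumptions.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600     # hard cap regardless of activity


class SessionStore:
    def __init__(self):
        self._sessions = {}         # session_id -> record
        self._by_user = {}          # user -> session_id (one live session per user)

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def create(self, user, now):
        """Log in. Any existing session for this user is terminated first,
        so two concurrent logins with the same user ID cannot coexist."""
        old = self._by_user.pop(user, None)
        if old:
            self._sessions.pop(old, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        self._by_user[user] = sid
        return sid

    def get_user(self, sid, now):
        """Validate a presented identifier; expired sessions are destroyed."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self.logout(sid)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid, now):
        """Issue a fresh identifier after re-authentication or a privilege
        change; an identifier captured or fixed earlier becomes worthless."""
        user = self.get_user(sid, now)
        if user is None:
            return None
        created = self._sessions.pop(sid)["created"]
        new_sid = self.create(user, now)
        self._sessions[new_sid]["created"] = created   # absolute cap is not reset
        return new_sid

    def logout(self, sid):
        """Destroy the server-side record; clearing the cookie alone is not enough."""
        rec = self._sessions.pop(sid, None)
        if rec and self._by_user.get(rec["user"]) == sid:
            del self._by_user[rec["user"]]
```

`get_user` is the only read path, so every request that carries a cookie also enforces both timeouts; a logout handler simply calls `logout` and then expires the cookie.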

Cryptographic Practices

  • Industry-standard cryptographic practices are crucial in various stages of web applications.
  • This includes data entry, transmission, and storage.
  • Cryptographic modules should fail securely.
  • Generate all random numbers and tokens with a cryptographically secure random number generator, never a general-purpose PRNG.
  • Use only established, approved cryptographic functions; do not design or implement your own.
  • Cryptographic modules should comply with FIPS 140-2 or equivalent standards.

Error Handling and Logging

  • Error handling involves anticipating, detecting, and resolving programming, application, and communication errors.
  • Improper error handling can expose internal error messages, stack traces, or database dumps, leading to security problems.
  • Sensitive information should not be disclosed in error responses.
  • Error handlers should not display stack trace information (methods and calls).
  • Show the user only generic error messages; keep the detail in the server log.
  • Implement logging controls on a trusted system (the server, not the client).
  • Sensitive information should not be stored in logs.
  • All input validation failures should be logged for future reference.
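An added example, not from the page, of the error-handling and logging practices above in one request path: the client receives a generic message plus a reference ID, the full exception and stack trace go to the server log with credential-like values masked, and validation failures are logged as events without storing the submitted value. The `handle_request` shape, the field names and the failing `lookup` stand-in are assumptions for illustration.

```python
import logging
import re
import traceback
import uuid

# Added example, not the page's code. Handler shape and field names are assumed.
log = logging.getLogger("app")
SECRET_KV = re.compile(r"(?i)\b(password|passwd|token|secret|authorization)=([^&\s]+)")


def redact(text):
    """Mask key=value pairs whose key looks like a credential."""
    return SECRET_KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def describe_for_log(ref, context, exc):
    """Build the server-side log line: type, message and stack trace, redacted."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return redact(f"ref={ref} ctx={context} exc={type(exc).__name__}: {exc}\n{trace}")


def public_error(exc, context=""):
    """Return (status, body) for the client. The body carries no exception
    text, stack frames or SQL, only a reference the user can quote to support."""
    ref = uuid.uuid4().hex[:12]
    log.error("%s", describe_for_log(ref, context, exc))
    return 500, {"error": "An internal error occurred.", "ref": ref}


def log_validation_failure(field, reason, client_ip, raw_value):
    """Record the failure for detection and forensics, but not the raw value:
    it may be an attack payload or a user's secret. Only its length is kept."""
    event = {"field": field, "reason": reason, "ip": client_ip, "len": len(str(raw_value))}
    log.warning("validation_failed field=%(field)s reason=%(reason)s ip=%(ip)s len=%(len)d", event)
    return event


def lookup(user):
    # Stand-in for a database call that fails with a verbose driver message.
    raise RuntimeError(f'relation "accounts" does not exist (user={user})')


def handle_request(form):
    """Validation failure -> 400 with a generic reason; any other exception
    -> 500 through public_error. The broad except is deliberate: it is the
    last-resort handler that guarantees nothing internal reaches the client."""
    if len(form.get("password", "")) < 12:
        log_validation_failure("password", "too short", form.get("ip", "?"), form.get("password", ""))
        return 400, {"error": "Invalid input."}
    try:
        return 200, {"result": lookup(form["user"])}
    except Exception as exc:
        return public_error(exc, context=f"user={form.get('user')} password={form['password']}")
```

The `context` string deliberately contains the password to show the redaction working; in production the handler should not put credentials into the context in the first place, and the mask is the backstop.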

Database Security

  • It encompasses a range of security controls designed to protect the DBMS (Database Management System).
  • The database should be isolated as much as possible.
  • The DBMS must be properly configured and hardened.
  • Monitoring and auditing must be set up so that database activity can be reviewed during and after an incident.
  • Use strongly typed parameterized queries for all database access.
  • Apply input validation and output encoding as well; placeholders cannot bind identifiers such as table or ORDER BY column names, so those must be validated against an allow-list.
  • Validate and strongly type every variable before it reaches a query.
  • The connection should be closed as soon as possible.
  • Default accounts should be disabled.
  • All unnecessary database functionality should be turned off.

Memory Management

  • It is the process of controlling and coordinating how a software application accesses computer memory.
  • The aim is the long-term correctness and reliability of the program, which requires strict programming discipline.
  • Check that a buffer is as large as specified before writing to it.
  • Free allocated memory once the function that needed it completes.
  • Apply input and output control (length limits, bounds checks) to all untrusted data.
  • Close resources explicitly; do not rely on garbage collection to release them.
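An added example, not from the page, of the last two points for a managed language: an untrusted byte stream is consumed in fixed-size chunks with a hard cap (so a lying Content-Length or an endless stream cannot exhaust memory), and file handles are released by the `with` block on every exit path rather than by the garbage collector. The size limit and the `store_upload` helper are assumptions for illustration.

```python
import io
import tempfile

# Added example, not the page's code. The limit is an illustrative assumption.
MAX_INPUT = 1 * 1024 * 1024
CHUNK = 64 * 1024


class TooLarge(ValueError):
    pass


def read_bounded(stream, limit=MAX_INPUT):
    """Consume an untrusted byte stream in fixed chunks and stop the moment it
    exceeds limit. Only bytes actually read count; no declared length is trusted."""
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the cap, so over-limit input is
        # detected without first buffering a whole oversized chunk.
        chunk = stream.read(min(CHUNK, limit - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > limit:
            raise TooLarge(f"input exceeds {limit} bytes")


def read_bounded_bytes(data, limit=MAX_INPUT):
    """Convenience wrapper over an in-memory stream (used by the checks below)."""
    return read_bounded(io.BytesIO(data), limit)


def store_upload(src_path, dst_path, limit=MAX_INPUT):
    """Both handles are closed by the with-block on every exit path, including
    the TooLarge case, instead of lingering until the collector runs."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        data = read_bounded(src, limit)
        dst.write(data)
    return len(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src = f"{d}/in.bin"
        with open(src, "wb") as f:
            f.write(b"x" * 2048)
        print(store_upload(src, f"{d}/out.bin", limit=4096))
        try:
            store_upload(src, f"{d}/out2.bin", limit=1024)
        except TooLarge as e:
            print(e)
```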

OWASP Top 10 Web Application Security Risks (2017 edition)

  • Injection Vulnerabilities
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Injection Vulnerabilities

  • Occur when untrusted data is sent to an interpreter as part of a command or query.
  • An attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • SQL injection is the placement of malicious code in SQL statements via web page input.
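An added example, not from the page, serving both the Database Security checklist above (strongly typed parameterized queries, close the connection promptly) and this section's SQL injection description: the same lookup written with string formatting, which is kept deliberately vulnerable for comparison, and with a bound parameter. It runs against an in-memory SQLite table constructed here; the schema and rows are illustrative.

```python
import sqlite3
from contextlib import closing

# Added example, not the page's code. Schema and rows are constructed for illustration.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL);
INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'admin');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_vulnerable(conn, username):
    # BAD (kept vulnerable on purpose): the input becomes part of the SQL text,
    # so the interpreter cannot tell where the data ends and the query begins.
    sql = "SELECT id, username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # GOOD: a placeholder plus a bound value. The driver sends the value
    # separately, so it is only ever treated as data, whatever it contains.
    if not isinstance(username, str):          # strong typing at the boundary
        raise TypeError("username must be str")
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_role(username):
    """Open, query and close the connection as soon as the work is done."""
    with closing(connect()) as conn:
        rows = find_user_safe(conn, username)
    return rows[0][2] if rows else None


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    with closing(connect()) as c:
        print(find_user_vulnerable(c, payload))   # every row comes back
        print(find_user_safe(c, payload))         # no row has that literal name
```

The payload `x' OR '1'='1` closes the string literal and appends a condition that is always true; the parameterized form looks for a user literally named `x' OR '1'='1` and finds none.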

Broken Authentication

  • Occurs when authentication and session management are implemented incorrectly.
  • Allows attackers to compromise passwords, keys or session tokens and so bypass authentication.
  • Credential stuffing, brute-force login attempts and session hijacking are the primary attack patterns.

Sensitive Data Exposure

  • Occurs when a web application does not protect sensitive data, such as financial or healthcare records.
  • Sensitive data must be protected throughout its lifecycle: when entered, in transit, at rest and when disposed of.
  • Without encryption in transit and at rest, such data can be captured on the wire or read directly from storage by an attacker.

XML External Entities (XXE)

  • XML external entities are custom XML entities whose values are loaded from outside the document type definition, based on a file path or URL.
  • An XML processor that resolves them on attacker-supplied input can be made to read local files or reach internal URLs; the fix is to disable DTD processing in the parser.
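An added example, not from the page, of the "disable DTDs" fix: an XML loader built on Python's expat that refuses any document carrying a DOCTYPE, which is where entities are declared. Python's expat does not fetch external entities by itself, but rejecting the DTD outright is the simplest rule to reason about, survives a switch of parser library, and also stops internal entity-expansion documents. The sample documents below are constructed for illustration.

```python
import xml.parsers.expat

# Added example, not the page's code. Sample documents are constructed.


class DtdForbidden(ValueError):
    pass


def parse_no_dtd(data):
    """Parse XML to a list of (tag, text) pairs in end-tag order.
    Raises DtdForbidden as soon as a DOCTYPE or entity declaration appears,
    before any element content is processed."""
    parser = xml.parsers.expat.ParserCreate()
    items, stack = [], []

    def forbid(*_args):
        raise DtdForbidden("DOCTYPE/ENTITY declarations are not accepted")

    # Any of these firing means the document tried to define entities.
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid

    def start(tag, _attrs):
        stack.append([tag, ""])

    def chars(text):                 # may be called several times per element
        if stack:
            stack[-1][1] += text

    def end(_tag):
        tag, text = stack.pop()
        items.append((tag, text.strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return items


SAFE_DOC = b"<order><item>widget</item><qty>3</qty></order>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b"<order><item>&xxe;</item></order>")

if __name__ == "__main__":
    print(parse_no_dtd(SAFE_DOC))
    try:
        parse_no_dtd(XXE_DOC)
    except DtdForbidden as e:
        print("rejected:", e)
```

If a feed legitimately needs a DTD, the alternative is a parser configured not to resolve external entities and not to expand entities at all; the allow-nothing rule above is the default to start from.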

Broken Access Control

  • Restrictions on what authenticated users are allowed to do are not enforced on every request.
  • Attackers exploit these flaws to reach functionality or data they are not authorized for, for example by changing an object ID in a URL.
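An added example, not from the page, of object-level authorization for a small document API. The first function shows the broken pattern (trusting the ID in the request, often called an insecure direct object reference); the second checks owner and role on every call and denies by default. The document store, the user roles and the policy are constructed for illustration.

```python
# Added example, not the page's code. Store, roles and policy are constructed.
DOCS = {
    101: {"owner": "alice", "body": "alice's notes"},
    102: {"owner": "bob",   "body": "bob's notes"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
ACTIONS = {"read", "delete"}


class Forbidden(PermissionError):
    pass


def get_document_vulnerable(doc_id):
    # BAD: the only "check" is that the record exists. Anyone who can guess
    # or increment doc_id reads every user's data.
    return DOCS[doc_id]["body"]


def authorize(actor, doc_id, action):
    """Deny by default; return True only when an explicit rule allows it."""
    doc = DOCS.get(doc_id)
    if doc is None or action not in ACTIONS:
        return False
    role = ROLES.get(actor)
    if role == "admin":
        return True
    return role == "user" and doc["owner"] == actor


def get_document(actor, doc_id):
    """Read on behalf of actor. Missing and forbidden records raise the same
    error so a caller cannot enumerate which IDs exist."""
    if not authorize(actor, doc_id, "read"):
        raise Forbidden(f"{actor} may not read {doc_id}")
    return DOCS[doc_id]["body"]


def delete_document(actor, doc_id):
    if not authorize(actor, doc_id, "delete"):
        raise Forbidden(f"{actor} may not delete {doc_id}")
    del DOCS[doc_id]
    return True


if __name__ == "__main__":
    print(get_document_vulnerable(102))        # anyone gets bob's notes
    print(get_document("alice", 101))
    try:
        get_document("alice", 102)
    except Forbidden as e:
        print("denied:", e)
```

The check lives next to the data access rather than in a UI layer, so hiding a link or button is never the only thing standing between a user and another user's record.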

Security Misconfiguration

  • It is the most commonly seen vulnerability.
  • This usually results from insecure default configurations, incomplete configurations, and verbose error messages with sensitive information.

Cross-Site Scripting (XSS)

  • XSS attacks inject client-side scripts into web pages viewed by other users.
  • An attacker could, for example, send a victim a misleading email with a link whose parameters carry malicious JavaScript that the page reflects without encoding.
  • The script runs in the victim's page context and may steal cookies, leading to account takeover.
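An added example, not from the page, of the output-encoding defence from the secure coding checklist applied to this risk: untrusted text rendered into HTML first by concatenation, then with encoding appropriate to each context (element text, an attribute, an inline script), plus the cookie flags that keep a session token out of reach of any script that does land. The payload and URLs are constructed for illustration.

```python
import html
import json

# Added example, not the page's code. Payload and URLs are constructed.


def render_vulnerable(name):
    # BAD: whatever the user typed is emitted as markup.
    return "<p>Hello, " + name + "</p>"


def render_safe(name, profile_url):
    # Element text context: encode & < > " ' so the browser sees text, not tags.
    safe_text = html.escape(name, quote=True)
    # Attribute context: encoding is not enough for a URL, because
    # "javascript:" survives escaping; restrict the scheme as well.
    if not profile_url.startswith(("https://", "/")):
        profile_url = "/"
    safe_attr = html.escape(profile_url, quote=True)
    return f'<p>Hello, {safe_text}</p><a href="{safe_attr}">profile</a>'


def embed_for_script(value):
    # JavaScript context: JSON-encode, then neutralise "</" so the value can
    # never close the surrounding <script> element, and the two line
    # separators JSON allows but JavaScript source does not.
    return (json.dumps(value).replace("</", "<\\/")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def session_cookie_header(session_id):
    # HttpOnly keeps document.cookie from reading the token even if XSS lands;
    # Secure and SameSite limit where it is sent at all.
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_vulnerable(payload))
    print(render_safe(payload, "javascript:alert(1)"))
    print(embed_for_script("</script><script>alert(1)//"))
```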

Insecure Deserialization

  • Serialization converts data structures into a format for storage or transmission.
  • Insecure deserialization can lead to remote code execution or creating a backdoor.
  • Deserializing data from an untrusted source without verifying its integrity is the common cause.
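An added example, not from the page, of the two defences that follow from this section: serialize to a data-only format (JSON) rather than a native object format, and protect the bytes with an HMAC that is checked before anything is parsed, so a tampered or forged blob never reaches the deserializer. The key is an illustrative constant; in practice it comes from a secret store, never from source code. `pickle.loads()` on attacker-controlled bytes, by contrast, runs code the attacker chose during deserialization and has no safe setting.

```python
import base64
import hashlib
import hmac
import json

# Added example, not the page's code. The key is an illustrative constant.
KEY = b"demo-key-that-would-come-from-a-secret-store"


def b64(raw):
    return base64.urlsafe_b64encode(raw)


def unb64(text):
    return base64.urlsafe_b64decode(text)


def serialize(obj, key=KEY):
    """JSON (data only, no code) + HMAC-SHA256 over the exact bytes."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + b"." + b64(tag)


def deserialize(token, key=KEY):
    """Verify integrity first; only a payload with a valid tag is parsed."""
    try:
        p64, t64 = token.split(b".", 1)
        payload, tag = unb64(p64), unb64(t64)
    except ValueError:                      # covers base64's binascii.Error too
        raise ValueError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    obj = json.loads(payload)
    if not isinstance(obj, dict):           # shape check on top of integrity
        raise ValueError("unexpected payload type")
    return obj


if __name__ == "__main__":
    token = serialize({"user": "alice", "role": "user"})
    print(token)
    print(deserialize(token))
    forged = b64(b'{"role":"admin","user":"alice"}') + b"." + token.split(b".")[1]
    try:
        deserialize(forged)
    except ValueError as e:
        print("rejected:", e)
```

The forged token in the demo keeps the original tag but swaps the payload; because the tag was computed over the original bytes, verification fails before `json.loads` is ever called.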

Using Components with Known Vulnerabilities

  • Libraries, frameworks and other software modules run with the same privileges as the application that includes them.
  • If a vulnerable component is exploited, the result can be data loss or a server takeover.
  • Some component vulnerabilities allow an unauthenticated attacker to execute arbitrary code on the system running them.

Insufficient Logging & Monitoring

  • Failure to adequately log, monitor and report security events makes suspicious behaviour hard to detect.
  • It increases the chance that an application is exploited without anyone noticing.
  • Adequate logging and monitoring make it harder for an attacker to go unnoticed and allow an exploited flaw to be found and closed.
