C8: Protect Data Everywhere

The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security. Here’s what we found and what you can do to better protect your own smart home. This lesser-known OWASP project aims to help developers prevent vulnerabilities from being introduced in the first place. This story contains the same message as the traditional requirement from ASVS, with additional user or attacker details to help make the requirement more testable.

Use the extensive project presentation that expands on the information in the document. The session cookie value should never be predictable, and should comply with strong complexity for better security. Always treat data as untrusted, since it can originate from different sources which you may not always have insights into. Recently, I was thinking back at a great opening session of DevSecCon community we had last year, featuring no other than Jim Manico.

Encrypting Data in Transit¶

I’ll keep this post updated with links to each part of the series as they come out. No matter how many layers of validation data goes through, it should always be escaped/encoded for the right context. This concept is not only relevant for Cross-Site Scripting (XSS) vulnerabilities and the different HTML contexts, it also applies to any context where data and control planes are mixed. Database injections are probably one of the best-known security vulnerabilities, and many injection vulnerabilities are reported every year. In this blog post, I’ll cover the basics of query parameterization and how to avoid using string concatenation when creating your database queries. This requirement contains both an action to verify that no default passwords exist, and also carries with it the guidance that no default passwords should be used within the application.

The OWASP Application Security Verification Standard (ASVS) is a catalog of available security requirements and verification criteria. OWASP ASVS can be a source of detailed security requirements for development teams. The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks. Each technique or control in this document will map to one or more items in the risk based OWASP Top 10. This mapping information is included at the end of each control description.

Services   – Fixed Rate Service Plans Available

So you don’t have to write one from scratch and then get it security tested. It is better to use industry tested regular expressions than writing one on your own (which in most cases will be flawed). In the next section you will see how input validation can secure an application.

An application could have vulnerable and outdated components due to a lack of updating dependencies. A component, in this case, was added at some point in the past, and the developers do not have a mechanism to check for security problems and update their software components. Sometimes developers unwittingly download parts that come built-in with known security issues.

Live Hack: Exploiting AI-Generated Code

In this phase the developer first determines the design required to address the requirement, and then completes the code changes to meet the requirement. This investigation culminates in the documentation of the results of the review. A Server Side Request Forgery (SSRF) is when an application is used as a proxy to access local or internal resources, bypassing the security controls that protect against external access.

But developers have a lot on their plates and asking them to become familiar with every single vulnerability category under the sun isn’t always feasible. Even for security practitioners, it’s overwhelming to keep up with every new vulnerability, attack vector, technique, and mitigation bypass. Developers are already wielding new languages and libraries at the speed of DevOps, agility, and CI/CD. The above code shows that here sensitive information (i.e. password) is stored in a salted MD5 format. If the database is compromised, then the attacker will have to find clear text for the hashed passwords, or else it will be of no use. If the database is compromised at the same time, the attacker will be able to access the user account easily.

Stored XSS can be carried out in public forums to conduct mass user exploitation. Using a parameterized query makes sure that the SQL logic is defined first and locked. Then the user input is added to it where it is needed, but treated owasp proactive controls as a particular data type string, integer, etc. as whole. In a database operation with a parameterized query in the backend, an attacker has no way to manipulate the SQL logic, leading to no SQL injection and database compromise.

The first rule of sensitive data management is to avoid storing sensitive data when at all possible. If you must store sensitive data then make sure it’s cryptographically protected in some way to avoid unauthorized disclosure and modification. Observe in the above code that the session cookie JSESSIONID remains the same for pre- and post-login.