
Course Name: IT Security and Policies (IT409). Chapter 10: Information systems A


Question

Course Name: IT Security and Policies (IT409).

Chapter 10: Information systems Acquisition, development and maintenance.

Learning Outcome 5: Use effective, proper and state of the art security tools and technologies.

Q2- The OWASP (Open Web Application Security Project) releases the top 10 security flaws in most critical web applications. Find out the latest release and list down the top 10 flaws. Explain at least 2 flaws in your own words.

Note: No handwriting, and use your own words (don't copy and paste from websites).

Explanation / Answer

As per 2017 release

1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Entities (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross-Site Scripting (XSS)

8. Insecure Deserialization

9. Using Components with Known Vulnerabilities

10. Insufficient Logging & Monitoring

Sensitive Data Exposure

It has been a common problem from the beginning. But now attackers are stealing keys instead of performing crypto attacks; either they are cracking information from the user side or as a middle man (man-in-the-middle attacks), like the browser.

Another major reason for this flaw is compromising on security; still, lots of database servers have weak security by not encrypting data, using weak algorithms and protocols, and low bit rate encryption.

Broken Access Control

Broken Access Control usually happens on the application developers' side. Developers are not sure about access control. They are not keen about giving permission to users or external applications regarding which data is to be given access. Attackers catch this using SAST and DAST tools and access sensitive data.

This also happens because automated testing tools usually do not find this kind of flaw. To overcome this, it has to be tested manually, like HTTP methods GET vs PUT.
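As an added illustration of the Broken Access Control point in the answer above (example code written for this page, not part of the original answer): a toy profile endpoint where only the GET path checks ownership, beside a fixed version that authorizes every method, and a probe that mirrors the manual GET-vs-PUT check. All names (make_profiles, handle_vulnerable, handle_hardened, probe_methods) and the sample data are hypothetical.

```python
def make_profiles():
    """Constructed sample data: each profile is owned by exactly one user."""
    return {
        "alice": {"email": "alice@example.com"},
        "bob": {"email": "bob@example.com"},
    }


def handle_vulnerable(profiles, method, user, owner, body=None):
    """Flawed handler: the ownership check exists only on the GET path.
    A PUT from any logged-in user silently overwrites someone else's profile."""
    if owner not in profiles:
        return 404, None
    if method == "GET":
        if user != owner:
            return 403, None
        return 200, dict(profiles[owner])
    if method == "PUT":
        profiles[owner].update(body or {})  # no ownership check on this path
        return 200, dict(profiles[owner])
    return 405, None


def handle_hardened(profiles, method, user, owner, body=None):
    """Fixed handler: authorization is decided once, before any method-specific
    logic, so every verb (GET, PUT, and anything added later) gets the same check."""
    if owner not in profiles:
        return 404, None
    if user != owner:
        return 403, None  # deny by default, whatever the method
    if method == "GET":
        return 200, dict(profiles[owner])
    if method == "PUT":
        profiles[owner].update(body or {})
        return 200, dict(profiles[owner])
    return 405, None


def probe_methods(handler, user, owner):
    """The manual GET-vs-PUT check from the answer: send each verb as `user`
    against `owner`'s profile (fresh state each time) and record the status codes."""
    return {
        m: handler(make_profiles(), m, user, owner, {"email": "changed@example.com"})[0]
        for m in ("GET", "PUT", "DELETE")
    }
```

Running `probe_methods(handle_vulnerable, "bob", "alice")` shows GET refused but PUT accepted, which is exactly the gap an automated scanner that only exercises GET would miss.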