Assess how a good software configuration management program is critical to your
ID: 3815442 • Letter: A
Question
Assess how a good software configuration management program is critical to your Web application security. Analyze and present the use of discretionary access control (DAC), mandatory access control (MAC), Rules-Based, or Role-Based Access Controls in your response.
For Web applications, discuss how the best practices for mitigating vulnerabilities prevent buffer overflow (BO) attacks or SQL Injections (SQI). Give a real-life example of an actual BO or SQI attack, and discuss how it was addressed.
Explanation / Answer
Discretionary access control (DAC) :-
It is a type of access control. In DAC user has full control on all task/program it executes and owns.
It also determines the permissions for programs and file.
DAC also called as the need to know access model.
- The user can find the access type of some other users.
- It can invoke the privilege if several fail / unauthorized access found.
- The user can transfer their object ownership.
- Unauthorized users don’t have access to find file characteristics.
Mandatory access control (MAC):-
Mandatory access control is a system, not a user it specifies which subject access data object.
The system policy decides that who is allowed access.
An individual user cannot able to alter this access.
- It relies on the system for controlling access.
- Mandatory access control mostly used in the system where the confidentiality is important.
Role-Based Access privileges:-
Role-based access control is a method to grant access to the network resource to a system based on their roles and responsibilities in particular organization.
Like an accountant, the role will be assigned to the accountant of the organization. This role gain access to all accountant related resources permitted by the system.
Best practices for mitigating vulnerabilities prevent buffer overflow (BO) attacks or SQL Injections (SQI).
SQL injection attack principle is when application or program is taking inputs from users there is a chance to the malicious user can enter crafted data that affect the system like SQL query instead of user data.
For example:-
select * from usertable where username = ‘$uname and password = ‘pwd;
This query result username and password from usertable but some hacker can enter input like 1' or '1' = '1 and 1' or '1' = '1.
This will create query like
select * from usertable where username = 1' OR '1' = '1' AND password='1' OR '1' = '1'
Now hacker injected OR clause to query and malicious the data.
Tips to avoid SQL injection.
Validate and sanitize the user data properly.
Avoid using dynamic SQL user parameterized query and prepared statement.
Use software or appliance based web firewall to avoid attacks.
User appropriate privileges avoid to use your account with admin privilege unless it needed.
Keep your account secrets secret.
Change your application and database password regularly.