How does server-side request forgery work?

Bappy11
Posts: 349
Joined: Sun Dec 22, 2024 6:06 am


Post by Bappy11 »

Benefit: Resilience to identity theft

Security based on two different principles for authenticating an individual. For example, the login/password is supplemented by an additional check on a previously registered smartphone.

Logging

Area: Defense

Implementation: requires technical skills and suitable organization

Benefit: Facilitates preventive and curative analysis in the event of a compromise

Records all actions performed by users. The resulting record allows you to:

understand the ins and outs in the event of a cyberattack;
detect malicious actions;
identify suspicious connections.
Study of the TOP 10 2021 guide
What are the differences between the TOP 10 2017 and the TOP 10 2021?
Over the years, the ranking of the top vulnerabilities has continued to evolve, but where does it stand today?

The old ranking focused on specific vulnerabilities (XSS, XXE vulnerabilities, etc.).

It is clear that attacks are becoming more modern and follow technological developments.

The guide has therefore evolved accordingly.

Some of its categories are grouped into a more generic set to simplify the guide:

A4:2017-XML External Entities (XXE) has been added to vulnerability type A05:2021-Security Misconfiguration;
A7:2017-Cross-Site Scripting (XSS) has been added to the A03:2021-Injection vulnerability type;
A8:2017-Insecure Deserialization is now part of the vulnerability type A08:2021-Lack of data and software integrity.
These groupings, which may seem abstruse to a beginner, allow specialists to structure their analysis around a finite number of categories.

What are the main new features of the TOP 10 2021?
After 4 years of data collection and analysis, OWASP released a new version of the OWASP TOP 10 2021 in September 2021.

New controls will strengthen the security of web applications:

cryptographic operations;
better logging;
in-depth verification of access controls (A07:2021-Poor identification and authentication).
Three new categories have been developed:

A04:2021-Insecure design

These are security issues related to design flaws.

This category covers poor implementations of:

data protection mechanisms;
program logic;
content display that reveals sensitive information.
A08:2021-Lack of data and software integrity
This category focuses on:

the implementation of software component updates;
protecting critical data without verifying its integrity.
It also incorporates A8:2017-Insecure Deserialization, from the OWASP TOP 10 2017.

A10:2021-Server-Side Request Forgery
Better known by its acronym SSRF, this vulnerability allows the attacker to establish a connection with internal services of the organization's infrastructure through a third-party server.

What are the consequences of a lack of data and software integrity?

[Figure: software and data integrity failures (Klee Group)]

In this diagram, data and software integrity is represented by two elements:

Network security includes the policies and practices adopted to prevent and monitor unauthorized access to, and modification of, data on a computer network.
The concept of security by design includes the policies and practices for strengthening the security of an application during its development phase.
As in the story of the three little pigs, we can see that the concepts of network security and security by design are complementary. If one of the concepts is not implemented, then security is bound to fail. These two concepts are essential to effectively secure an application.


In this attack, the hacker gains access to sensitive resources by using intermediary servers. Let's take a look at how this is done.

[Figure: server-side request forgery (Klee Group blog)]

In this scenario, an attacker wants to access a protected resource on a target server that we will call the victim server (request #1). The attacker finds a third-party server that can communicate with the victim server to access the protected resource. The hacker then sends a malicious request to the third-party server (request #2). This request is routed to the victim server (request #3). The victim server executes the request coming from the third-party server (request #4).

Reduce the threat using OWASP TOP 10!
Security is a never-ending battle: cyber attackers keep sharpening their swords and showing ever more ingenuity to bypass our shields.

Strengthening our defenses means:

implementing security as early as possible, from the design phase of an application;
monitoring compliance with OWASP TOP 10 practices throughout the project;
taking into account security developments, including those of the OWASP TOP 10.
Cybersecurity is not a new problem, but the risks have increased. The OWASP TOP 10 covers the majority of current application vulnerabilities, so it is an essential tool to apply during development. To do this, we recommend using vulnerability scanners that cover this reference framework.

React before it's too late!
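The four-step SSRF scenario in the post, reduced to runnable code. This is an added example, not part of the original post or the Klee Group article it reproduces: the "third-party server" is modelled as a fetcher that resolves a user-supplied URL and calls a backend, and the "victim server" as a fake backend that hands out a protected resource to anyone who reaches its internal address. The hostnames (`partner.example.com`, `internal-admin.corp.local`, `evil.example.net`), the constructed DNS table and the backend responses are all assumptions made for the example; nothing touches the network. `vulnerable_fetch` forwards any URL it is given, which is request #2/#3 in the diagram; `hardened_fetch` checks the scheme, optionally an allow-list of hosts, and the address the hostname actually resolves to before making the request.

```python
"""SSRF: a forwarding fetcher, vulnerable and hardened (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table standing in for the intermediary server's resolver.
FAKE_DNS = {
    "partner.example.com": "203.0.113.10",          # legitimate external host
    "internal-admin.corp.local": "10.0.0.5",        # victim server (internal)
    "evil.example.net": "127.0.0.1",                # attacker name -> loopback
}

# Address ranges a user-supplied URL must never reach. This list is deliberately
# explicit rather than relying on ipaddress.is_private, which also flags the
# documentation range 203.0.113.0/24 used for the partner host above.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


def fake_backend(ip: str, path: str) -> str:
    """Constructed stand-in for whatever answers at the resolved address."""
    if ip == "10.0.0.5" and path == "/admin/secrets":
        return "PROTECTED: db_password=hunter2"      # request #4 in the post
    if ip == "169.254.169.254":
        return "PROTECTED: cloud instance credentials"
    if ip == "203.0.113.10":
        return "public partner data"
    return "404 not found"


def resolve(host: str):
    """Resolve via the constructed table; IP literals are parsed directly."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host not in FAKE_DNS:
            raise ValueError(f"unresolvable host: {host!r}")
        return ipaddress.ip_address(FAKE_DNS[host])


def is_blocked(ip) -> bool:
    """True if the resolved address lies in a range we refuse to contact."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETWORKS)


def vulnerable_fetch(url: str) -> str:
    """Forwards whatever the user supplied: the SSRF in the post."""
    parts = urlsplit(url)
    ip = resolve(parts.hostname or "")
    return fake_backend(str(ip), parts.path)


def hardened_fetch(url: str, allowed_hosts=None) -> str:
    """Same fetcher with scheme, allow-list and resolved-address checks."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        raise PermissionError(f"scheme not allowed: {parts.scheme!r}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise PermissionError(f"host not on allow-list: {host!r}")
    ip = resolve(host)               # fails closed on unknown names
    if is_blocked(ip):
        raise PermissionError(f"{host!r} resolves to blocked address {ip}")
    return fake_backend(str(ip), parts.path)


def blocked(url: str, allowed_hosts=None) -> bool:
    """Convenience: does the hardened fetcher refuse this URL?"""
    try:
        hardened_fetch(url, allowed_hosts)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    target = "http://internal-admin.corp.local/admin/secrets"
    print("vulnerable:", vulnerable_fetch(target))
    print("hardened  :", "refused" if blocked(target) else hardened_fetch(target))
```

Two caveats a practitioner would add before using this pattern for real: the address check must be applied to the connection actually made, not only to a lookup done beforehand, otherwise a name that changes between check and connect (DNS rebinding) slips through; and HTTP redirects must be disabled or re-validated, since a permitted external host can redirect the fetcher to an internal address.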