3-3 Project Two Stepping Stone - Preliminary Report

Chris Lawton
Southern New Hampshire University
CYB 240: Operating System Security
Dr. Randy Arvay
May 21, 2023
Throughout the process of application development, it is vital to have security personnel involved who can provide a proactive security mindset. This helps address security issues as they arise during the development stage, and it mitigates attacks after launch. Preventing such attacks saves the money and time that would otherwise be spent fixing the issue after it is too late. Some of the risks that arise include injection, broken authentication, sensitive data exposure, broken access control, and cross-site scripting (XSS). These are only a few of the security risks involved, and for my preliminary report I will be focusing on two of these: injection and broken access control.

Risk One: Injection

Injection happens when an attacker supplies input that the application passes to an interpreter (a database, a shell, a directory service) without separating the data from the command, so the attacker's input is executed as part of the query or command. This can let the attacker read or modify data in areas of the system they are not authorized to reach, as though they had legitimate access. There are many different types of injection, but some of the most common are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection (OWASP, 2021b).

The preferred preventative measure is to use a safe API, one that avoids the interpreter entirely or provides a parameterized interface, so that user input is always passed as data and never concatenated into the query text. Another measure is positive (allow-list) server-side input validation. This is not a complete defense, because many applications legitimately require special characters, but it can help to mitigate simple SQLi. Employing SQL controls such as LIMIT within queries can help to prevent mass disclosure of records if an injection does succeed. Encoding and escaping are the route recommended by the OWASP Top Ten Proactive Controls; these are defensive techniques that keep the interpreter from misreading data as instructions. Encoding translates special characters into a different but equivalent form that is not dangerous for the target interpreter, and escaping adds a special character before the character or string so that it is not misinterpreted (OWASP, 2018a). For SQL, parameterization remains the primary defense, and escaping is a fallback for the cases where no parameterized interface exists. Nothing is absolute, and everything requires consistent monitoring to ensure an attacker is not exploiting anything that might have been missed during development or afterwards.

Risk Two: Broken Access Control

Broken access control occurs when users can act outside of their intended permissions, which is a violation of the least privilege policy. Least privilege is the idea that all users should have access only to the software and data they need to complete their tasks and nothing more. Enforcing it prevents users from acting outside of their role and gaining sensitive information they should not be allowed to access. An example of an attack that results from weak access control is elevation of privilege. This occurs when an attacker who has gained a foothold in the system uses the missing or inconsistent checks to act as a more privileged user, or as a different user, and reach data they would not normally have access to. This can lead to data leaks as well as data manipulation (OWASP, 2021a).

There are a few preventative measures that can be taken to prevent such attacks. Following the OWASP Top 10 Proactive Controls, enforcing access control is vital, and it remains important throughout the lifespan of the application. The first step is to design access control thoroughly up front. It can start very simply, but it tends to grow into a complex procedure during development, and it is very difficult to re-engineer access control around a new pattern once the application is built, so designing it up front saves a lot of time and resources later. As mentioned above, one component of enforcing access control is applying least privilege: giving the user access only to the tools needed to do their job protects data integrity and confidentiality. Another component is to deny by default. This is the principle that if a request is not specifically allowed, it is automatically denied. Every request must also be forced through the access control check on the server, because anything enforced only in the client can be bypassed (OWASP, 2018b).

As stated above, nothing is absolute when it comes to security within an application. These are just a few steps to consider at the beginning, middle, and end of application development to help mitigate attackers and ensure integrity and confidentiality throughout the application. Consistent monitoring and testing are highly recommended throughout the entire process to ensure that holes in security are found and filled.
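As an added example for Risk One, not part of the original report, the following Python code shows the user lookup the report describes written three ways against an in-memory SQLite database: the vulnerable string-built query, the parameterized query OWASP prefers (with LIMIT), and the escaped literal as the fallback, plus an allow-list validator. The table, the sample users and the tautology payload are constructed assumptions for this demonstration.

```python
"""Added example, not part of the original report: a login-style user lookup
written three ways against an in-memory SQLite database. The schema, sample
users and the injection payload are all constructed for this demonstration."""
import re
import sqlite3

# Constructed sample rows (password hashes are placeholders, not real hashes).
SAMPLE_USERS = [
    ("alice", "hash-placeholder-1", "admin"),
    ("bob", "hash-placeholder-2", "user"),
    ("carol", "hash-placeholder-3", "user"),
]

# A classic tautology payload: closes the quoted literal and appends OR '1'='1'.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: untrusted input is concatenated into the SQL text, so the
    interpreter cannot tell where the data ends and the command resumes."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """SAFE (preferred): '?' is a bind parameter. The SQL text is fixed before
    any user input is seen and the driver passes username purely as data.
    LIMIT 1 caps disclosure if some other flaw ever widens the query."""
    query = "SELECT username, role FROM users WHERE username = ? LIMIT 1"
    return conn.execute(query, (username,)).fetchall()


def escape_sql_literal(value: str) -> str:
    """Escaping for a SQLite string literal: double every single quote. This is
    the fallback for when no parameterized API exists; it is interpreter-specific
    and easy to get wrong, so it is not the first choice."""
    return "'" + value.replace("'", "''") + "'"


def find_user_escaped(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with the literal escaped rather than bound."""
    query = "SELECT username, role FROM users WHERE username = " + escape_sql_literal(username)
    return conn.execute(query).fetchall()


# Positive (allow-list) server-side validation: one more layer, not a replacement
# for parameters, since many fields legitimately need characters like the quote.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:", find_user_vulnerable(conn, INJECTION_PAYLOAD))  # all three rows
    print("parameterized, payload:", find_user_safe(conn, INJECTION_PAYLOAD))    # []
    print("escaped, payload:", find_user_escaped(conn, INJECTION_PAYLOAD))       # []
    print("allow-list accepts payload?", is_valid_username(INJECTION_PAYLOAD))   # False
```

Running the block shows the point of the report's "safe API" advice: the same payload that returns every row from the concatenated query returns nothing from the parameterized one, because the bind parameter is compared as a string rather than parsed as SQL.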
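As an added example for Risk Two, not part of the original report, the following Python code contrasts a record lookup that trusts a client-supplied role (the elevation of privilege the report describes) with one that forces every request through a deny-by-default check built on least-privilege roles and record ownership. The roles, permission names and records are constructed assumptions for this demonstration.

```python
"""Added example, not part of the original report: deny-by-default
authorization with least-privilege roles, beside a check that trusts the
client and therefore permits privilege escalation. Roles, permission names
and records are constructed for this demonstration."""
from dataclasses import dataclass

# Least privilege: each role lists only the actions it needs.
# Anything not listed here is denied, for every role, including unknown ones.
ROLE_PERMISSIONS = {
    "user": {"record:read_own"},
    "auditor": {"record:read_own", "record:read_any"},
    "admin": {"record:read_own", "record:read_any", "record:delete_any"},
}


@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str  # assigned server-side from the session, never taken from the request


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample data.
RECORDS = {
    1: Record(1, 100, "alice's notes"),
    2: Record(2, 200, "bob's notes"),
}


class AccessDenied(Exception):
    pass


def is_allowed(principal: Principal, action: str, record: Record) -> bool:
    """Deny by default: return True only when an explicit rule grants the action."""
    perms = ROLE_PERMISSIONS.get(principal.role, set())  # unknown role -> no permissions
    if action == "read":
        if "record:read_any" in perms:
            return True
        # Object-level check: a plain user may read only records they own.
        return "record:read_own" in perms and record.owner_id == principal.user_id
    if action == "delete":
        return "record:delete_any" in perms
    return False  # unrecognised action: denied


def fetch_record_vulnerable(record_id: int, claimed_role: str) -> str:
    """VULNERABLE: trusts a role supplied by the client (a hidden form field or
    a cookie the user controls) and never checks who owns the record. A user
    escalates simply by claiming 'admin'."""
    record = RECORDS[record_id]
    if claimed_role == "guest":
        raise AccessDenied("guests may not read records")
    return record.body


def fetch_record_safe(principal: Principal, record_id: int) -> str:
    """SAFE: every request passes through is_allowed(); the principal comes from
    the server-side session and ownership is enforced per record."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(principal, "read", record):
        # One response for missing and forbidden, so the check does not leak existence.
        raise AccessDenied("not found or not permitted")
    return record.body


def attempt_read(principal: Principal, record_id: int) -> str:
    """Return the record body, or the string 'denied', to make outcomes easy to compare."""
    try:
        return fetch_record_safe(principal, record_id)
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    alice = Principal(100, "user")
    bob = Principal(200, "user")
    auditor = Principal(300, "auditor")
    print("alice reads record 1:", attempt_read(alice, 1))        # alice's notes
    print("bob reads record 1:", attempt_read(bob, 1))            # denied
    print("auditor reads record 1:", attempt_read(auditor, 1))    # alice's notes
    print("bob claims admin (vulnerable):", fetch_record_vulnerable(1, "admin"))  # alice's notes
```

The vulnerable function is the report's elevation of privilege in miniature: its only rule is a block-list for one role, so any claim the client makes other than "guest" passes. The safe version inverts that, starting from "denied" and requiring an explicit grant, and adds the object-level ownership check that role checks alone miss.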
References

OWASP. (2018a). OWASP Top Ten Proactive Controls 2018, C4: Encode and Escape Data. OWASP Foundation. Retrieved May 19, 2023, from https://owasp.org/www-project-proactive-controls/v3/en/c4-encode-escape-data

OWASP. (2018b). OWASP Top Ten Proactive Controls 2018, C7: Enforce Access Controls. OWASP Foundation. https://owasp.org/www-project-proactive-controls/v3/en/c7-enforce-access-controls

OWASP. (2021a). A01 Broken Access Control - OWASP Top 10:2021. Retrieved May 19, 2023, from https://owasp.org/Top10/A01_2021-Broken_Access_Control/

OWASP. (2021b). A03 Injection - OWASP Top 10:2021. Retrieved May 19, 2023, from https://owasp.org/Top10/A03_2021-Injection/