CYB_240_Module_Seven_Project_Two_Bailey_Holly

docx

School

University of Missouri, Columbia *

*We aren’t endorsed by this school

Course

7850

Subject

Computer Science

Date

Apr 3, 2024

Type

docx

Pages

Uploaded by bails4

Bailey Holly Professor Bernuy Application Security CYB-240-R3445 25 February 2024 Module 7-2 Project Two Submission: Recommendations Report Development Issue/Vulnerability One: Inject (A01:2017-Injection) Concern: The OWASP element, Injection (A01:2017-Injection), poses a significant area of concern for the development team due to its potential for devastating consequences. Injection vulnerabilities can lead to attackers tampering with data, bypassing security measures, and even hijacking the system. With the ability to inject malicious code into the application’s logic, attackers can manipulate sensitive information, gain unauthorized access to restricted areas, or take complete control of the server. This vulnerability demands stringent attention to proper input handling, secure coding practices, and dedicated security testing throughout the development process to mitigate the risk of data theft, system takeover, or malware deployment. Failure to address injection vulnerabilities can leave the application susceptible to exploitation and compromise its integrity and security. Recommendation: To address the crippling injection vulnerabilities identified, the principle of Input Validation and Sanitization (CWE-77, CWE-78) should be rigorously implemented. This involves employing robust validation techniques, potentially utilizing pre-defined functions from libraries or frameworks, to guarantee user input conforms to expected data types and formats. Additionally, all user input must be sanitized before being used in any context, such as database queries,

Bailey Holly Professor Bernuy Application Security CYB-240-R3445 25 February 2024 system commands, or output. This sanitization process involves removing or escaping potentially harmful characters to prevent them from being interpreted as malicious code. By adhering to these practices, the application becomes significantly less vulnerable to injection attacks, as only valid data is processed, effectively mitigating the consequences. Development Issue/Vulnerability Two: Broken Access Control (A05:2017-Broken Access) Concern: The OWASP element, Broken Access Control (A05:2017), is a potential area of concern for the development team due to its inherent vulnerability in the application’s access control mechanism. This vulnerability allows for unauthorized access to sensitive data and functionalities within the application. Leaky permissions and exploitable checkpoints create opportunities for intruders to gain access to confidential information, compromise user privacy, and disrupt system operations. The risk of broken access control poses a significant threat as it provides hackers with a gold mine of opportunities for data breaches, identity theft, and sabotage. Weak privilege assignments and manipulated tokens further exacerbate the vulnerability, allowing unauthorized individuals to exploit the system’s flaws and access restricted areas. Recommendation: To effectively address the vulnerabilities related to broken access control, the fundamental security principle of Least Privilege (CWE-250) should be rigorously enforced. This principle dictates that users be granted only the minimum set of permissions necessary to fulfill their

Bailey Holly Professor Bernuy Application Security CYB-240-R3445 25 February 2024 designated tasks. This can be achieved by implementing role-based access control (RBAC), a system that assigns specific permissions to predefined user roles. This approach eliminates the reliance on potentially insecure default permissions and prevents the granting of excessive privileges. Additionally, regular reviews and audits of user access controls are essential to ensure continued appropriateness and prevent the possibility of unauthorized access remaining undetected. By adhering to the principle of least privilege and implementing these complementary practices, we significantly reduce the potential damage that could be inflicted by an attacker who gains unauthorized access, effectively mitigating the risks associated with broken access control vulnerabilities. Value of Security Practitioners with Fundamental Principles: Security practitioners armed with fundamental security design principles are crucial for preventing vulnerabilities throughout the SDLC (Software Development Life Cycle). Their proactive approach allows them to identify and address potential security issues early in the development process, significantly reducing the cost and risk associated with fixing vulnerabilities after deployment. By integrating security considerations into every stage of development, they contribute to a culture of secure coding practices, ultimately leading to the creation of more principles, empowers security practitioners to actively mitigate risks like injection and broken access controls, ensuring the overall security and stability of the software.

Your preview ends here

Eager to read complete document? Join bartleby learn and gain access to the full version

Access to all documents
Unlimited textbook solutions
24/7 expert homework help

Bailey Holly Professor Bernuy Application Security CYB-240-R3445 25 February 2024 Citations OWASP. (2021). A03 Injection – OWASP Top 10:2021. Owasp.org; OWASP. https://owasp.org/Top10/A03_2021-Injection/ CWE – CWE-77: Improper Neutralization of Special Elements used in a Command (“Command Injection”) (4.0). (n.d.). Cwe.mitre.org. https://cwe.mitre.org/data/definitions/77.html CWE – CWE-78: Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”) (4.2). (n.d.). Cwe.mitre.org. https://cwe.mitre.org/data/definitions/78.html OWASP. (2021). A01 Broken Access Control – OWASP Top 10:2021. Owasp.org; OWASP. https://owasp.org/Top10?A01_2021-Broken_Access_Control/ CWE – CWE-250: Execution with Unnecessary Privileges (4.6). (n.d.). Cwe.mitre.org https://cwe.mitre.org/data/definitions/250.html

Related Documents

Lab - Simple Blockchain.docx

Lab - Financial Statements.docx

CYB_230_Module_Two_Lab_Bailey_Holly.docx

Annie CRM Assignment.doc

CYB_240_Module_One_Bailey_Holly.docx

CYB_240_Module_Four_Lab_Bailey_Holly.docx

WEEK 2.2 1 ASSIGNMENT.docx

CYB_240_Module_Three_Project_Two_Bailey_Holly.docx

CYB_240_Module_Three_Lab_Bailey_Holly.docx

Lab Activity Measuring Species Diversity Spring 2022.pdf

Assignment_III (1).pdf

ValenciaA_BUSN600week5.docx

Recommended textbooks for you

Fundamentals of Information Systems

Computer Science

ISBN:9781337097536

Author:Ralph Stair, George Reynolds

Publisher:Cengage Learning

Management Of Information Security

Computer Science

ISBN:9781337405713

Author:WHITMAN, Michael.

Publisher:Cengage Learning,

Fundamentals of Information Systems

Computer Science

ISBN:9781305082168

Author:Ralph Stair, George Reynolds

Publisher:Cengage Learning

Principles of Information Systems (MindTap Course...

Computer Science

ISBN:9781305971776

Author:Ralph Stair, George Reynolds

Publisher:Cengage Learning

Principles of Information Security (MindTap Cours...

Computer Science

ISBN:9781337102063

Author:Michael E. Whitman, Herbert J. Mattord

Publisher:Cengage Learning

MIS

Computer Science

ISBN:9781337681919

Author:BIDGOLI

Publisher:Cengage

SEE MORE TEXTBOOKS

Recommended textbooks for you

Fundamentals of Information Systems
Computer Science
ISBN:9781337097536
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,
Fundamentals of Information Systems
Computer Science
ISBN:9781305082168
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning
Principles of Information Systems (MindTap Course...
Computer Science
ISBN:9781305971776
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning
Principles of Information Security (MindTap Cours...
Computer Science
ISBN:9781337102063
Author:Michael E. Whitman, Herbert J. Mattord
Publisher:Cengage Learning
MIS
Computer Science
ISBN:9781337681919
Author:BIDGOLI
Publisher:Cengage