7-2 Project Two - Recommendations Report

School: Southern New Hampshire University
Course: 240
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 6
Uploaded by SuperKoala931
7-2 Project Two: Recommendations Report
Chris Lawton
Southern New Hampshire University
CYB 240: Operating System Security
Dr. Randy Arvay
June 18, 2023
As a security analyst hired to oversee secure coding during the software development life cycle (SDLC), it is my responsibility to collaborate with the programmers to ensure proper security programming is put into place. I have been asked to provide my input in the form of a recommendations report for the development team. This report points out potential areas of concern and how to avoid them, and it also covers the value of an analyst being a part of the SDLC.

Development Issue/Vulnerability One

The first vulnerability I would like to point out is the number one security risk on the OWASP Top Ten: it moved from fifth in 2017 to first in 2021 and has a 3.81% incidence rate across the 94.55% of applications evaluated. This security risk is broken access control. Access control is the process put in place to enforce security policies so that users cannot act outside of their allowed permissions; the risk is that this control is broken. Proper access control prevents users from having a free-for-all on the network where they can view any sensitive information. For example, someone in customer service should not have access to sensitive HR information such as payroll or employees' personal information. Not having proper access controls in place can also make privilege escalation attacks much easier: an attacker who compromises a user's credentials can access all the information on the network that the compromised user can access.

A fundamental security design principle that helps address broken access control is the application of least privilege. Least privilege is the idea that no user should have access to anything that is not required for their day-to-day tasks. This prevents the above example from happening and ensures that the confidentiality of data is upheld. Another fundamental security design principle to follow would be layering. This can be applied in many different situations of the design, but for this vulnerability it will be applied to authentication layering. This would come in the form of two-factor authentication, where a user's login credentials also have to be validated through a third-party authenticator. This can include common access cards or special apps/software designed to give codes that have a time limit to be used.

Development Issue/Vulnerability Two

The second vulnerability that I would like to discuss is ranked third on the OWASP Top Ten and had an average incidence rate of 3.37% across the 94.04% of applications evaluated. This vulnerability is injection. Injections can come in different forms, but the main ones of concern in this situation are SQL injection and cross-site scripting (XSS). The issue has gotten slightly better over time, as it was the number one concern in 2017 but dropped to third in 2021; make no mistake, though, these attacks can be extremely dangerous. SQL injection is an attack that occurs when an attacker can exploit insecure code to inject their own SQL into a program's queries. This attack is easy to exploit and can lead to an entire database being stolen, wiped, or modified (OWASP Top Ten Proactive Controls 2018 | C3: Secure Database Access | OWASP Foundation, n.d.). It can also lead to the application being used to run malicious commands against the OS hosting the database. Cross-site scripting occurs when malicious scripts are injected into what would normally be considered a trusted site. By sending malicious code to an unsuspecting user, an attacker can steal any cookies, session tokens, or other sensitive information held by the browser. The end user's browser usually has no way of knowing this code is malicious and will execute it.
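The two principles recommended for Vulnerability One above, least privilege and authentication layering with a time-limited code, can be combined into a single access decision. The following is an added example and not code from the original report: the roles, permissions, user directory and TOTP secrets are constructed for illustration, and the one-time-password functions follow RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1 and a 30-second step.

```python
"""Least privilege plus a second authentication layer, as one access decision.

Added example, not code from the original report. The roles, permissions,
user directory and TOTP secrets below are constructed for illustration;
the one-time-password functions follow RFC 4226 (HOTP) and RFC 6238 (TOTP)
using HMAC-SHA1 and a 30-second time step.
"""
import hashlib
import hmac

# Least privilege: each role gets only the permissions its daily work needs.
# Anything not listed here is denied, including roles that are absent entirely.
ROLE_PERMISSIONS = {
    "customer_service": {"ticket:read", "ticket:write", "customer:read"},
    "hr": {"payroll:read", "employee:read", "employee:write"},
}

# Constructed user directory: assigned role and per-user shared TOTP secret.
USERS = {
    "alice": {"role": "customer_service", "totp_secret": b"12345678901234567890"},
    "bob": {"role": "hr", "totp_secret": b"0987654321098765432109"},
    "mallory": {"role": "contractor", "totp_secret": b"contractor-secret-00"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation offset
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift.

    compare_digest keeps the comparison constant-time regardless of where the
    submitted code first differs from the expected one.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def authorize(username: str, permission: str, code: str, unix_time: int):
    """Return (allowed, reason). Both layers must pass; the default is deny."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    # Layer 1: the time-limited code proves possession of the second factor.
    if not verify_totp(user["totp_secret"], code, unix_time):
        return False, "second factor failed"
    # Layer 2: least privilege, checked against the role's explicit grant list.
    granted = ROLE_PERMISSIONS.get(user["role"], set())
    if permission not in granted:
        return False, f"role {user['role']!r} is not granted {permission!r}"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # constructed timestamp; RFC 6238 uses it as a test vector
    for who, perm in [("alice", "ticket:read"), ("alice", "payroll:read"),
                      ("bob", "payroll:read"), ("mallory", "ticket:read")]:
        code = totp(USERS[who]["totp_secret"], now)
        print(who, perm, authorize(who, perm, code, now))
```

Running the script shows the customer-service user allowed to read tickets but denied payroll, the HR user allowed payroll, and the contractor denied everything because no grant list exists for that role. The reason string is returned rather than printed so that a real service could write it to an audit log, which is where repeated "second factor failed" or "not granted" entries become a detection signal.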
In keeping with the fundamental security design principles, the one that applies to these types of attacks is encapsulation. This principle follows the idea that resources should only be used in the way they are intended. This prevents anything from being used maliciously or in an originally unintended way that could cause detrimental damage to the system. The principle applies because SQL injections usually occur where the application asks for user input, such as a username or password field: the attacker supplies an SQL statement that can unknowingly be run on the database, allowing access to credentials that should not be accessible. This means they are using the username and password fields in a way for which they were not intended. The best method to help mitigate these attacks is to prevent untrusted input from being interpreted as part of a SQL command. This can be done with a technique called 'query parameterization'. A parameterized query is a SQL query that requires at least one parameter to execute. A placeholder is substituted for the parameter in the SQL query, and the parameter value is then passed to the query in a separate statement (Techopedia, 2011). While this method is not always perfect, it is listed as the best way to prevent SQL injection from occurring.

It is not always in a programmer's wheelhouse to constantly check for proper security measures while writing a program. This is where a security practitioner can come in with an emphasis on a security mindset, helping to ensure proper measures are put into place throughout the SDLC process. Having a second set of eyes is always important in many situations, but it especially applies when sensitive information is on the line. This can help the long-term lifespan of the program being written, as most security holes can be filled before the program is released for public use. This can help companies avoid attacks that exploit sensitive information and that can lead to huge costs to the company or even major legal issues.
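The injection vulnerability described under Vulnerability Two and the query parameterization defense recommended above can be shown side by side. The following is an added example and not code from the original report: the users table, its rows and the submitted inputs are constructed, and it uses Python's standard-library sqlite3 driver (the same placeholder approach applies to other database drivers) plus html.escape for the XSS counterpart, where output encoding plays the role that parameterization plays for SQL.

```python
"""Untrusted input interpreted as code, next to the parameterized/encoded form.

Added example, not code from the original report. The users table, its rows
and the submitted inputs are all constructed; sqlite3 and html are the Python
standard library.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The field value is pasted into the SQL text, so the input can rewrite the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The SQL text is fixed; the value is bound to the '?' placeholder and is
    only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting_vulnerable(name: str) -> str:
    """Reflecting input straight into HTML lets markup in the value become part of the page."""
    return f"<p>Hello, {name}</p>"


def render_greeting_encoded(name: str) -> str:
    """Output encoding keeps the value as text; the browser renders it, never executes it."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed input: a quote plus an always-true clause
    print(find_user_vulnerable(db, tautology))     # every row, not one user
    print(find_user_parameterized(db, tautology))  # no user has that literal name
    markup = "<script>x()</script>"  # constructed input containing a script tag
    print(render_greeting_vulnerable(markup))
    print(render_greeting_encoded(markup))
```

The vulnerable lookup returns every user for the tautology input because the quote closes the string literal and the rest becomes part of the WHERE clause; the parameterized lookup returns nothing because the whole input is compared as a username. The same pattern holds for the HTML functions: the encoded version turns `<` and `>` into entities, so the input is displayed rather than interpreted.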
References

A01 Broken Access Control - OWASP Top 10:2021. (n.d.). https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Contributor, T., & Rosencrance, L. (2021). Principle of least privilege (POLP). Security. https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP
Cross Site Scripting (XSS) | OWASP Foundation. (n.d.). https://owasp.org/www-community/attacks/xss/
Michali. (2022, September 15). What is Secure SDLC? Check Point Software. https://www.checkpoint.com/cyber-hub/cloud-security/what-is-secure-sdlc/
OWASP. (n.d.). OWASP Top Ten Proactive Controls 2018 | C3: Secure Database Access | OWASP Foundation. https://owasp.org/www-project-proactive-controls/v3/en/c3-secure-database
OWASP Top Ten | OWASP Foundation. (n.d.). https://owasp.org/www-project-top-ten/
OWASP Top Ten Proactive Controls 2018 | C7: Enforce Access Controls | OWASP Foundation. (n.d.). https://owasp.org/www-project-proactive-controls/v3/en/c7-enforce-access-controls
SQL Injection. (n.d.). https://www.w3schools.com/sql/sql_injection.asp
SQL Injection | OWASP Foundation. (n.d.). https://owasp.org/www-community/attacks/SQL_Injection
Techopedia. (2011, August 18). What is Parameterized Query? - Definition from Techopedia. https://www.techopedia.com/definition/24414/parameterized-query
Techopedia. (2013, February 1). What is Layered Authentication? - Definition from Techopedia. https://www.techopedia.com/definition/23925/layered-authentication