
Transcript

OWASP Top 10 A05:2021 Security Misconfiguration


Vulnerabilities

  • Missing security hardening anywhere in the application stack, or improperly configured permissions on cloud services
  • Unnecessary features are installed or enabled (e.g. unnecessary ports, services, pages, accounts, or privileges)
  • Default accounts and their passwords are still enabled and unchanged
  • For upgraded systems, the latest security features are disabled or not configured securely
  • The security settings in the application servers, application frameworks, libraries, databases, etc. are not set to secure values
  • The server does not send security headers or directives, or they are not set to secure values
  • The software is out of date or has known vulnerabilities

Example Attack Scenarios


Example Attack Scenarios

Scenario #1

The application server comes with sample applications that were not removed from the production server. These sample applications have known security flaws that attackers use to compromise the server. If one of them is the admin console and its default accounts were never changed, the attacker logs in with the default passwords and takes over the server.

Scenario #2

Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a severe access control flaw in the application.

Scenario #3

The application server's configuration allows detailed error messages, such as stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws, such as component versions that are known to be vulnerable.
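To make the difference concrete, here is an added example (not part of the original slides) of the same request handled two ways: a verbose handler that returns the traceback to the client, the way a framework left in debug mode would, and a hardened handler that keeps the traceback in the server log and gives the client only a generic message plus a correlation id. The business logic (`process_order`) and the log name are placeholders invented for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")  # hypothetical application logger


def process_order(order_id: str) -> dict:
    """Placeholder business logic; fails on non-numeric ids."""
    if not order_id.isdigit():
        raise ValueError(f"bad order id: {order_id!r}")
    return {"order": int(order_id)}


def handle_request_verbose(order_id: str):
    """Misconfigured: the full traceback (file paths, function names,
    exception text) is sent to the client."""
    try:
        return 200, process_order(order_id)
    except Exception:
        return 500, {"error": traceback.format_exc()}


def handle_request_hardened(order_id: str):
    """Hardened: the traceback goes to the server log only, keyed by a
    correlation id the client can quote to support; the client sees a
    generic message that reveals nothing about the stack."""
    try:
        return 200, process_order(order_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("request %s failed\n%s", ref, traceback.format_exc())
        return 500, {"error": "internal error", "reference": ref}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request_verbose("abc")[1]["error"])   # leaks paths and code structure
    print(handle_request_hardened("abc")[1])           # {'error': 'internal error', 'reference': '...'}
```

The same principle applies to any stack component: keep framework debug modes off in production and make sure error pages are configured to show a generic message, with details going to logs the operations team reads.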

Scenario #4

A cloud service provider (CSP) has default sharing permissions open to the Internet by other CSP users. This allows sensitive data stored within cloud storage to be accessed.

How to prevent

  • A repeatable hardening process makes it fast and easy to deploy another environment that is appropriately locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.
  • A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
  • A task to review and update the configurations appropriate to all security notes, updates, and patches as part of the patch management process. Review cloud storage permissions (e.g. S3 bucket permissions).
  • A segmented application architecture provides effective and secure separation between components or tenants.
  • Sending security directives to clients, e.g. security headers.
  • An automated process to verify the effectiveness of the configurations and settings in all environments.
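The last two points (security headers, and automatically verifying the configuration in every environment) can be combined into a small check that runs against each environment after deployment. The following is an added example, not code from the original slides or from OWASP: it audits a captured HTTP response for missing or weak security headers, version disclosure in server banners, and an enabled directory listing (Scenario #2). The two sample responses are constructed for the example, and the thresholds (one-year HSTS, a CSP that at least sets `default-src` and avoids `'unsafe-inline'`) are assumptions a team would tune to its own baseline.

```python
import re

# Baseline checks: each returns True when the header value is acceptable.
def hsts_ok(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 31536000  # assumed minimum: one year

def csp_ok(v):
    v = v.lower()
    return "default-src" in v and "'unsafe-inline'" not in v  # crude baseline, not a full CSP parser

def nosniff_ok(v):
    return v.strip().lower() == "nosniff"

def frame_ok(v):
    return v.strip().upper() in ("DENY", "SAMEORIGIN")

def referrer_ok(v):
    return v.strip().lower() in ("no-referrer", "same-origin",
                                 "strict-origin", "strict-origin-when-cross-origin")

REQUIRED = {
    "Strict-Transport-Security": hsts_ok,
    "Content-Security-Policy": csp_ok,
    "X-Content-Type-Options": nosniff_ok,
    "X-Frame-Options": frame_ok,
    "Referrer-Policy": referrer_ok,
}
# Headers that commonly leak component versions (Scenario #3).
DISCLOSURE = ("Server", "X-Powered-By", "X-AspNet-Version")


def audit_response(status, headers, body):
    """Return a list of findings for one HTTP response; empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, check in REQUIRED.items():
        v = h.get(name.lower())
        if v is None:
            findings.append(f"missing header: {name}")
        elif not check(v):
            findings.append(f"insecure value: {name}: {v}")
    for name in DISCLOSURE:
        v = h.get(name.lower())
        if v and re.search(r"\d", v):  # a digit in the banner almost always means a version
            findings.append(f"version disclosure: {name}: {v}")
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("directory listing enabled")
    return findings


# Constructed sample responses (not captured from any real system).
MISCONFIGURED = (200, {
    "Server": "Apache/2.4.57 (Unix)",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOWALL",
}, "<html><head><title>Index of /WEB-INF/classes</title></head><body>...</body></html>")

HARDENED = (200, {
    "Server": "Apache",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}, "<html><head><title>Orders</title></head><body>...</body></html>")

if __name__ == "__main__":
    for name, resp in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(name, audit_response(*resp) or "OK")
```

In practice the tuple would come from an HTTP client hitting each environment (dev, QA, production), and a non-empty finding list would fail the deployment pipeline, so the check catches the drift that a one-off manual review does not.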