Insufficient Transport Layer Protection Vulnerabilities: YouDown With ITLP? (Yeah you know me!)
Quick, name that hip hop group! (OK, that might not have been the exact song lyrics, but some of you may have gotten it.) What is an Insufficient Transport Layer Protection Vulnerability? This is a security weakness that happens when applications do not protect network traffic, which can lead to sensitive data being exposed, intercepted, and used to steal information. The lack of protection can occur due to a number of reasons, such as the use of weak encryption algorithms o

Jen C
Dec 19, 2025 · 3 min read


Applying Data Protection in Our Applications
Under my umbrella, -ella, -ella, -eh, -eh, -eh. Securing sensitive data stored and transmitted within our applications is a significant concern. To address this, we need robust encryption, strong access controls, and a thorough understanding of data protection techniques. In this article, we'll explore the importance of using data protection in our applications. “With Little Miss Sunshine, Rihanna, Where you at?" An Umbrella Analogy: An umbrella and data protection both act

Jen C
Dec 18, 2025 · 3 min read


Vulnerability Highlight: Beavers, Insufficient Logging and Monitoring
In the world of cybersecurity, a beaver's habits can teach us valuable lessons about the importance of logging and monitoring. While beavers are renowned for their engineering skills, particularly when it comes to building dams with logs, we, too, can learn from their example. Security Logging and Monitoring failures are in the Top Ten of the OWASP 2021 list, at number 9, but there’s no direct vulnerability that can be exploited. Yet it remains a vulnerability and can be d

Jen C
Dec 17, 2025 · 3 min read


Fuzzing (The Dynamic Software Testing Method) and Fuzzers the Caterpillar
TL;DR: Fuzzing is an automated dynamic software testing method that improves software security and reliability by feeding programs a wide range of random or unexpected inputs to detect crashes, errors, and vulnerabilities, including zero-day exploits. It is cost-effective, efficient, and particularly adept at uncovering issues like SQL injection and cross-site scripting attacks, enabling developers to identify and fix bugs early in the development process for better, more se

Jen C
Dec 16, 2025 · 2 min read


Authentication and Authorization: Best Practices for Application Security
I wrote an article titled “Broken Access Controls—Protect The Fortress!” as we dove into authentication and authorization, and what happens when access controls fail. For a brief refresher: Authentication: Are you who you say you are? Access control: now that we know who you are and what you're attempting, do you have the access to do so? Specific best practices can be followed to accomplish proper access controls. In this article, we’ll be covering how to implement robu

Jen C
Dec 16, 2025 · 3 min read


Raccoons and the Importance of Logging...In Our Applications!
I wrote an article titled “Vulnerability Highlight: Beavers, Insufficient Logging and Monitoring,” and we learned about Insufficient Logging and Monitoring at a high level... and beavers. I also wrote an article titled “Breach Please! Use of proper logging and monitoring to avoid security breaches!” In this article, we’ll take a deeper look into the importance of comprehensive application logging for detecting malicious activity and how it can help investigate security incid

Jen C
Dec 16, 2025 · 4 min read
“OWASP A01:2021-Broken Access Control”
“Moving up from the fifth position, 94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k.” (OWASP.org) What is broken access control? Let's take a step back and talk about access control. Companies follow the principle of least privilege, which basically says, “Hey, we only grant access for certain things, and you can't do things outside of your

Jen C
Nov 12, 2025 · 2 min read


Avoid Cryptographic Failures With These 6 Easy Steps
In a previous article, I discussed cryptographic failures. Well, we’re gonna talk about it a bit more. Don’t think of it as a comeback, but a remix? We’ll actually focus in a little deeper on these three areas of Cryptographic Failures: Exposed Key/Poor Key Management; Insecure Randomness; Weak Algorithm Use/Inefficient Algorithms. For a brief refresher, what is a Cryptographic Failure? It’s a symptom, not necessarily a cause! It’s a security vulnerability that happens when a th

Jen C
Nov 11, 2025 · 3 min read
Cross-Site Scripting (XSS)
No, XSS isn't a shirt size. It stands for Cross-Site Scripting. These are attacks in which an attacker injects a malicious script into a trusted website through user-provided input. They might use a web application to inject the malicious code. This frequently happens when a web application uses input from a user but generates output without validating or encoding the data passed. They can also launch an attack by modifying a request. In summary, XSS is a vulnerability that can enable th

Jen C
Nov 11, 2025 · 2 min read


Security Misconfiguration? Sounds like a job for Agent Burt Macklin
OWASP Topic — “A05:2021 Security Misconfiguration”: “Moving up from #6 in the previous edition, 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.%, and over 208k occurrences of a Common Weakness Enumeration (CWE) in this risk category.” (OWASP) What? Security Misconfiguration? Man, this sounds serious! What exactly is a Security Misconfiguration? They are attacks that exploit weaknesses in configurations found in our web ap

Jen C
Nov 10, 2025 · 3 min read


HSTS Max-Age Directives and Cyborgs
Let’s learn about HSTS Max-Age Directives. Is it just me, or does this sound like something out of RoboCop or Wall-E? What is your directive LOL? Ok seriously now, what are we talking about? Let’s start with the basics. HTTP Strict Transport Security, or HSTS, is a response header that improves a site’s security as it instructs the browser to always use HTTPS instead of HTTP when visiting your site. It helps to protect against man-in-the-middle attacks and other vulnerabilit

Jen C
Nov 9, 2025 · 2 min read


BIGFOOT IS REAL! And So Is The Need For HTTP Response Security Headers
I got your attention, didn’t I? HTTP response security headers are a fundamental part of website security and are easy to implement too! As a subset of HTTP headers, they are exchanged explicitly between a client and a server to specify security details for HTTP communication. They can help prevent modern browsers from easily falling prey to preventable vulnerabilities and protect against common attacks, such as cross-site scripting (XSS), clickjacking, information disclosure

Jen C
Nov 7, 2025 · 2 min read


OWASP Topic: A06:2021-Vulnerable and Outdated Components
“Vulnerable Components are a known issue that we struggle to test and assess risk and is the only category to not have any Common Vulnerability and Exposures (CVEs) mapped to...” https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ Vulnerable and Outdated Components. Ugh. Gross. Sounds like a communicable disease and an outdated vaccine for an application. Wait, maybe that’s a good analogy. Let’s roll with it. What exactly is a Vulnerable and Outdated C

Jen C
Nov 7, 2025 · 3 min read


This Injection Doesn’t Come with a Lollipop: How SQL Attacks Sneak Past Your Code
Do you look forward to receiving an injection? No? The same applies for our systems! Let’s learn more about SQL injections and how this can impact our applications! “Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurrences. Notable Common Weakness Enumerations (CWEs) included are CWE-79: Cross-site Scripting, CWE-89: SQL Injection, and

Jen C
Nov 7, 2025 · 2 min read


OWASP Topic — Cryptographic Failures
“Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof). Which often lead to exposure of sensitive data.” (Image: Cleopatra is making an online purchase of a new sheath dress.) When I think of cryptographic failures, my mind immediately pictures Cleopatra on her laptop. Close enough, right? For what it’s worth, cryptology really does orig

Jen C
Nov 6, 2025 · 2 min read


Imposters In Space, Errrr, Web Applications…Broken Access Controls!
We’re going to take a deeper dive into Access Controls! Let’s jump right in. Broken access controls are the number one vulnerability according to OWASP and the most serious. This may sound harsh, but the truth is that a malicious attacker has exploited a weak access control point in one of our web applications, taking advantage of a vulnerability. Broken access controls have been responsible for data breaches, identity theft, financial losses, and reputational damage to

Jen C
Nov 6, 2025 · 3 min read
Broken Access Controls — Protect The Fortress!
Published on Medium.com Broken access control could be an attacker exploiting these vulnerabilities, or it could be unintended. They could be: Injection flaws: untrusted input injected into an application. Cross-site scripting (XSS): untrusted input is included in a web page output. Broken authentication/session management: the application doesn’t validate or protect information. Inadequate role-based authorization or allowing users to access functionality beyond their permis

Jen C
Oct 21, 2025 · 1 min read
Sensitive Data Storage and Exposure
Published on Medium.com We have to be super careful with our client’s sensitive data, including PII, financial records, and login credentials. That’s a given! Sensitive Data Exposure occurs when a web application fails to protect confidential information, accidentally or intentionally. Either way, there are serious consequences. Exposed data can then be exploited by malicious actors, ranging from identity theft to financial fraud. One way this can happen is by returning too m

Jen C
Oct 21, 2025 · 2 min read


Breach puh-lease! Use of proper logging and monitoring to avoid security breaches!
Posted on Medium.com. We don’t want a security breach! That’s why we rely heavily on logging and monitoring our applications; without it, breaches cannot be detected. Though challenging to test, it can be beneficial for accountability, visibility, incident alerting, and forensics. That’s why this is in the OWASP Top 10 of vulnerabilities: to help detect, escalate, and respond to active breaches! A security logging/monitoring failure is a vulnerability that occurs when a system/a

Jen C
Oct 21, 2025 · 2 min read


Identification, Authentication and Kenny Loggins and Logouts: What I’ve Learned On My Journey Into Application Security
“Previously known as Broken Authentication, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures.” (OWASP) Kenny Loggins is a famous singer and songwriter spanning multiple decades. If you’re not familiar with his work, just think of Footloose, Caddyshack, or Top Gun, just to name a few. I celebrate his entire collection. Let’s briefly review the basics of identification and authentication.

Jen C
Oct 6, 2025 · 3 min read