operates by serving the pick-up and delivery of groceries to customers. Users can order their groceries through websites or mobile apps in all U.S. states. Cart-Delivery promises 2-hour delivery for certain locations and a limited set of items; everything else ships in 2 days. As part of daily transactions, Cart-Delivery stores PII for 2 months and then purges it across the system.
all security controls for any system and removing the default configurations of the application without introducing errors.

Examples of misconfigurations:
1. An app server or DB server exposing a sample API that is not secured
2. Sending the entire error trace to the front end or to users when something goes wrong
3. Default accounts and passwords left enabled without modification
It is a security misconfiguration if:
1. The application uses the default configuration, or components that are out of date or not upgraded. Components include servers, OS and DB.
2. The application exposes unnecessary features, or features that come enabled by default with the system.
3. Important security configurations are missing or configured incorrectly in the application stack.
configurations should be removed. Review all the configuration, app settings, updates and patches, especially with cloud applications and storage. Provide some level of isolation or segmentation with an ACL on it; containerization is one example. Validate the settings periodically and verify the effectiveness of each configuration that is deployed.
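As an added example (not from the original slides): a small configuration audit in Python that flags the three misconfiguration patterns listed above (out-of-date components, sample endpoints and default features left enabled, missing security settings and default accounts), together with an error handler that logs the full trace server-side and returns only a correlation id to the client. The config keys, account names, endpoint paths and version numbers are constructed for the example and are not Cart-Delivery's.

```python
"""Added example, not from the original slides: audit a deployment config
for the misconfiguration patterns listed above, and return errors to the
client without the stack trace. All keys, account names, endpoint paths
and version numbers below are constructed for the example."""
import logging
import traceback
import uuid

# Constructed: default credentials that ship with common components and
# must be changed or disabled before production.
KNOWN_DEFAULT_ACCOUNTS = {("admin", "admin"), ("root", ""), ("sa", ""), ("guest", "guest")}

# Constructed: demo/sample endpoints that servers or frameworks enable by default.
SAMPLE_ENDPOINTS = {"/examples", "/sample-api", "/console", "/manager/html"}


def audit_config(config):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []

    # 1. Components running a default or out-of-date version.
    for name, comp in config.get("components", {}).items():
        if comp.get("version") != comp.get("latest_version"):
            findings.append(("high", f"{name} is out of date: {comp.get('version')} "
                                     f"(latest {comp.get('latest_version')})"))

    # 2. Unnecessary features or features enabled by default.
    for path in config.get("enabled_endpoints", []):
        if path in SAMPLE_ENDPOINTS:
            findings.append(("medium", f"sample endpoint exposed: {path}"))
    if config.get("directory_listing", False):
        findings.append(("medium", "directory listing is enabled"))

    # 3. Missing or incorrect security configuration.
    if config.get("debug", False):
        findings.append(("high", "debug mode is on: stack traces reach users"))
    for username, password in config.get("accounts", []):
        if (username, password) in KNOWN_DEFAULT_ACCOUNTS:
            findings.append(("critical", f"default account still enabled: {username}"))
    if not config.get("tls_required", False):
        findings.append(("high", "TLS is not required for all pages"))

    return findings


def handle_error(exc, log=logging.getLogger("app")):
    """Build the response body for an unexpected exception.

    The full trace is written to the server log under a correlation id;
    the client receives only a generic message plus that id, so support
    can find the log entry without the trace ever leaving the server.
    """
    correlation_id = str(uuid.uuid4())
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("correlation_id=%s\n%s", correlation_id, trace)
    return {"status": 500,
            "body": {"error": "internal error", "correlation_id": correlation_id}}


# Constructed sample configs: the weak deployment and its hardened version.
WEAK_CONFIG = {
    "debug": True,
    "tls_required": False,
    "directory_listing": True,
    "enabled_endpoints": ["/api/orders", "/sample-api"],
    "accounts": [("admin", "admin"), ("svc_orders", "rotated-example-secret")],
    "components": {"db": {"version": "13.2", "latest_version": "13.14"}},
}
HARDENED_CONFIG = {
    "debug": False,
    "tls_required": True,
    "directory_listing": False,
    "enabled_endpoints": ["/api/orders"],
    "accounts": [("svc_orders", "rotated-example-secret")],
    "components": {"db": {"version": "13.14", "latest_version": "13.14"}},
}

if __name__ == "__main__":
    for severity, message in audit_config(WEAK_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
    print(handle_error(ValueError("constructed failure")))
```

Running the audit against the weak config produces one finding per pattern on the slide; the hardened config produces none. The same audit function can be wired into a deployment pipeline so a build with any `critical` or `high` finding does not reach production.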
is also called authorization: it ensures that only a restricted set of users gets access to certain resources, and it is responsible for granting access to limited functions.

Examples of broken access control:
1. An application that permits users to view other users' records
2. Gaining elevated or user-level access to a system without any login or authentication
3. Unauthorized API access by modifying the CORS configuration
Access control is broken if:
1. The resources don't have any access control list
2. The data is exposed and unauthorized users are allowed to change the records of some other user without any privilege
3. There is no limit on the number of incoming requests
the resources of the application across the ecosystem. Enforce ownership by modeling access control. Create a gateway in front of the APIs that can do rate limiting and provide limited access to resources. Move backup files to a centralized system and disable the web root directory.
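As an added example (not from the original slides): a minimal gateway in Python that puts the three controls above in front of an orders API. It enforces record ownership so a customer cannot read another customer's order, rate-limits each client with a token bucket, and emits CORS headers only for an allow-listed origin instead of reflecting whatever origin the request carries. The users, orders, limits and origins are constructed for the example and are not Cart-Delivery's.

```python
"""Added example, not from the original slides: a minimal API gateway
that enforces record ownership, rate-limits each client with a token
bucket, and only emits CORS headers for an allow-listed origin. Users,
orders, limits and origins are all constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers, one order each.
ORDERS = {
    1001: {"owner_id": 7, "items": ["milk", "eggs"]},
    1002: {"owner_id": 8, "items": ["bread"]},
}

# Constructed: the only browser origins allowed to call the API.
ALLOWED_ORIGINS = {"https://shop.cart-delivery.example", "https://m.cart-delivery.example"}


@dataclass
class User:
    user_id: int
    role: str = "customer"  # constructed roles: "customer" or "support"


def owns(requester: User, order: Optional[dict]) -> bool:
    """Ownership check. A missing order and another customer's order both
    return False, so the response does not reveal whether the id exists."""
    if order is None:
        return False
    return requester.role == "support" or order["owner_id"] == requester.user_id


class TokenBucket:
    """Per-client rate limiter: a burst of `capacity` requests, refilled at
    `refill_per_sec` tokens per second."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens: float = capacity
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def cors_headers(origin: Optional[str]) -> dict:
    """Reflecting any Origin would let any site call the API with the
    user's credentials; only allow-listed origins get the header."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


class Gateway:
    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict = {}  # one bucket per user_id

    def get_order(self, requester: User, order_id: int, now: float,
                  origin: Optional[str] = None):
        """Return (status, headers, body), shaped like an HTTP response.
        Rate limiting runs before the ownership lookup so an abusive client
        never reaches the data store."""
        headers = cors_headers(origin)
        bucket = self.buckets.setdefault(
            requester.user_id, TokenBucket(self.capacity, self.refill_per_sec))
        if not bucket.allow(now):
            return 429, headers, {"error": "rate limit exceeded"}
        order = ORDERS.get(order_id)
        if not owns(requester, order):
            return 403, headers, {"error": "forbidden"}
        return 200, headers, {"order_id": order_id, "items": order["items"]}


if __name__ == "__main__":
    gw = Gateway(capacity=3, refill_per_sec=0.0)
    alice, bob = User(7), User(8)
    print(gw.get_order(alice, 1001, now=0.0, origin="https://shop.cart-delivery.example"))
    print(gw.get_order(bob, 1001, now=0.0))    # bob cannot read alice's order: 403
    print(gw.get_order(alice, 1001, now=0.0))
    print(gw.get_order(alice, 1001, now=0.0))
    print(gw.get_order(alice, 1001, now=0.0))  # fourth call in the same second: 429
```

The ownership check is done on the server against the record's owner, not against anything the client supplies; the order id in the URL is only a lookup key. Because the bucket is keyed per user rather than per connection, spreading requests over many connections does not raise the limit.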
data is information that includes a user's private data or secret information, which can be classified as secret, confidential or top secret.

Examples of sensitive data exposure:
1. Unencrypted credit card information sent over the wire
2. SSL not used for all authenticated pages
3. The password database using unsalted hashes to store everyone's passwords
exposed, it can lead to serious damage to a person, to society or sometimes even to a country: damages such as financial loss, decreased brand trust and identity hijacking. Privileges of any system can be compromised by impersonating victims. This can let attackers take control of the application, the data and sometimes the entire system, depending on the victim's access.
based on privacy laws and regulatory requirements, and encrypt the data based on its classification. If data is sensitive, reduce the retention period and time to live in the systems; discard any sensitive information that is not needed and do not store it unnecessarily. Encrypt with strong algorithms and protocols. When data is stored, encrypt it before storing it and protect it with strong access control. Enabling HSTS keeps the data encrypted while it is on the wire. Security can also be enhanced by disabling caching for sensitive information and by using strong adaptive hashing functions.
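As an added example (not from the original slides): Python implementations of the storage-side controls above. It shows the unsalted hash the slides warn about next to a salted, adaptive PBKDF2-HMAC-SHA256 hash; the HSTS header plus no-cache headers for sensitive responses; and a retention purge that strips PII from records older than Cart-Delivery's stated 2 months. The 60-day retention window, the set of PII fields and the sample records are assumptions constructed for the example.

```python
"""Added example, not from the original slides: storage-side controls for
sensitive data. Unsalted hash ('before') next to salted adaptive PBKDF2;
HSTS and no-cache headers; and a PII retention purge. The 60-day window,
PII field names and sample records are constructed for the example."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Work factor: OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
# Assumption: the slides' "2 months" retention is taken as 60 days.
PII_RETENTION = timedelta(days=60)
# Constructed: which record fields count as PII.
PII_FIELDS = {"name", "email", "address", "card_last4"}


def weak_hash(password: str) -> str:
    """The 'before': unsalted SHA-256. Identical passwords give identical
    hashes, and precomputed tables apply to the whole database at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing format so the
    work factor can be raised later without breaking existing records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def response_headers(sensitive: bool) -> dict:
    """HSTS keeps browsers on HTTPS for a year; sensitive responses also opt
    out of caching so account or payment data is not kept by intermediaries."""
    headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    if sensitive:
        headers["Cache-Control"] = "no-store"
        headers["Pragma"] = "no-cache"
    return headers


def purge_expired_pii(records: list, now: datetime) -> list:
    """Strip PII fields from records older than the retention window; the
    non-PII part of the record (totals, timestamps) is kept for reporting."""
    result = []
    for rec in records:
        if now - rec["created_at"] > PII_RETENTION:
            rec = {k: v for k, v in rec.items() if k not in PII_FIELDS}
            rec["pii_purged"] = True
        result.append(rec)
    return result


# Constructed sample records: one within retention, one past it.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"order_id": 1, "name": "A. Customer", "email": "a@example.test",
     "card_last4": "4242", "total": 42.10, "created_at": NOW - timedelta(days=10)},
    {"order_id": 2, "name": "B. Customer", "email": "b@example.test",
     "card_last4": "0005", "total": 12.00, "created_at": NOW - timedelta(days=90)},
]

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored[:40] + "...", verify_password("correct horse battery staple", stored))
    print(weak_hash("hunter2") == weak_hash("hunter2"))  # same hash for every user with this password
    print(response_headers(sensitive=True))
    for rec in purge_expired_pii(SAMPLE_RECORDS, NOW):
        print(rec)
```

The stored hash carries its own algorithm, iteration count and salt, so the purge job and the login path need no out-of-band metadata, and raising `PBKDF2_ITERATIONS` later only affects new hashes until users next log in.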
based on user role. Prioritize validations for all of the OWASP Top 10 before pushing the application to production.

Technical managers: identify the right framework, identify the configurations that need to be modified, and identify the data that is classified.
Developers: implement the framework or systems in a secure way, making sure default configurations are modified and secured with restrictive access.
DevOps: create dashboards and set up alerts from centralized logs to detect anomalies or issues immediately.
Testers: create test cases and check for security flaws, including security configurations, access controls and storage of sensitive information.
Incident Response Team (IRT): have playbooks ready for each kind of incident and how to react to each of them quickly.