Exploring the OWASP Top 10: Part 5

One of the top ten security risks identified by OWASP is security misconfiguration, which is explained in their 2021 report https://owasp.org/Top10/A05_2021-Security_Misconfiguration/.

An application might be vulnerable if it is missing appropriate security hardening across any part of the application stack or has improperly configured permissions on cloud services, if it has unnecessary features enabled or installed, if default accounts and their passwords are enabled and unchanged, if error handling reveals stack traces or other overly informative error messages to users, or if an upgraded system does not have the latest security features enabled or properly configured. Using out-of-date software can also lead to this risk.

This opens the door to a few possible attacks. First, the application server may ship with sample applications that were never removed from the production server. If these have known security flaws, attackers could use them to compromise the server. Suppose one of these applications is the admin console and the default accounts weren’t changed. In that case, an attacker could log in with the default credentials and immediately gain administrator privileges. This picture gives a brief demonstration of an attacker gaining access to a system by using unchanged default values:

CrowdStrike provides more examples of security misconfiguration and what dangers they could lead to: https://www.crowdstrike.com/cybersecurity-101/security-misconfiguration/#:~:text=Security%20misconfiguration%20is%20any%20error%20or%20vulnerability%20present,breach%20and%20attackers%20gaining%20unauthorized%20access%20to%20data.

If directory listing is not disabled on the server, an attacker can simply list its directories, find and download the compiled Java classes, and later decompile and reverse engineer them to view the code. This makes it easy for the attacker to find access control flaws and other vulnerabilities in the application. Veracode has more information about possible attacks caused by security misconfiguration: https://info.veracode.com/rs/790-ZKW-291/images/security-misconfiguration-prevention-guide-en.pdf.

To minimize this vulnerability, secure installation processes should be implemented, including a repeatable hardening process that makes it fast and easy to deploy another environment that is appropriately locked down. This process should be automated to minimize the effort required to set up a new secure environment. Using a minimal platform without any unnecessary features, components, documentation, or samples also helps to reduce the risk of security misconfiguration. Regularly reviewing and updating configurations in line with all security notes, updates, and patches, as part of the patch management process, is also good practice to make sure everything is properly configured and up to date. An automated process that verifies the effectiveness of the configurations and settings in all environments helps developers ensure that their security configuration works in every environment they need to use. This picture lists some of the top areas where people make security configuration mistakes:
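As an added example (not code from the original post or from OWASP), the following script shows two of the checks such an automated verification could run: a configuration audit for the misconfigurations named above (directory listing, debug mode, leftover sample applications, unchanged default credentials) and the leaky versus hardened way of handling an unexpected exception. The configuration keys, application names and the default-credential list are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed sample deployment description, as a hardening script might read it.
SAMPLE_CONFIG = {
    "directory_listing": True,
    "debug": True,
    "installed_apps": ["shop", "examples", "manager"],
    "accounts": {"admin": "admin", "alice": "Xk9#vT2!pQ8m"},
}

# Constructed lists: sample apps that should never stay on a production
# server, and factory-default username/password pairs that must be changed.
SAMPLE_APPS = {"examples", "docs", "manager"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("root", "")}


def audit_config(config):
    """Return a list of misconfiguration findings; an empty list means the
    checks passed. Meant to run against every environment, not just prod."""
    findings = []
    if config.get("directory_listing", False):
        findings.append("directory listing is enabled")
    if config.get("debug", False):
        findings.append("debug mode is enabled (stack traces may reach users)")
    for app in config.get("installed_apps", []):
        if app in SAMPLE_APPS:
            findings.append(f"sample application '{app}' is installed")
    for user, password in config.get("accounts", {}).items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{user}' still uses its default password")
    return findings


def handle_error_leaky(exc):
    """The misconfigured behaviour: the full traceback is sent to the client."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, detail


def handle_error_hardened(exc):
    """Log the traceback server-side under a reference id and return only a
    generic message, so the client learns nothing about the stack."""
    ref = uuid.uuid4().hex
    log.error("unhandled error ref=%s", ref, exc_info=exc)
    return 500, f"Something went wrong. Reference: {ref}"


# Constructed: the same deployment after hardening; audit_config() returns [].
HARDENED_CONFIG = {
    "directory_listing": False,
    "debug": False,
    "installed_apps": ["shop"],
    "accounts": {"admin": "Xk9#vT2!pQ8m-rotated"},
}
```

The reference id lets support staff find the full trace in the server log without ever exposing it to the user.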

Exploring the OWASP Top 10: Part 4

One of the top ten security risks identified by OWASP is broken access control, according to their report https://owasp.org/Top10/A01_2021-Broken_Access_Control/. Access control enforces a policy so that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user’s limits. This picture gives a brief explanation of how an attacker gains access:

Red Hat gives some good information about access control and explains three different types in their article: https://www.bing.com/search?q=broken+access+control&cvid=59f8de25013e483a9898f791fe6e051a&gs_lcrp=EgZjaHJvbWUqBAgAEAAyBAgAEAAyBAgBEAAyBAgCEAAyBAgDEAAyBAgEEAAyBAgFEAAyBAgGEAAyBAgHEAAyBAgIEADSAQgzMDExajBqNKgCALACAA&FORM=ANAB01&PC=LCTS

Common access control vulnerabilities include failing to apply least privilege or deny by default, so that access which should only be granted for specific capabilities, roles, or users is available to anyone. Another common issue is that access control checks can be bypassed by modifying the internal application state or the HTML page. Allowing users to view or edit someone else’s account is another flaw that can lead to attacks. Elevation of privilege is a common method attackers use to gain more permissions on a system; it takes the form of acting as a user without being logged in or acting as an admin when logged in as a user. Another failure is allowing force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

Access control is only effective in trusted server-side code or a server-less API, where the attacker cannot modify the access control check or its metadata. There are multiple ways to avoid these issues. Except for public resources, deny by default when granting permissions. Implement access control mechanisms once and re-use them throughout the application. Ensure that model access controls enforce record ownership rather than accepting that the user can create, read, update, or delete any record. Applications should disable web server directory listing and ensure file metadata and backup files are not present within web roots. Be sure to log access control failures and alert admins when appropriate. Session identifiers should be invalidated on the server after logout. Veracode explains some other ways to prevent broken access control: https://info.veracode.com/rs/790-ZKW-291/images/broken-access-control-prevention-guide-en.pdf.
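The following is an added example (not code from the original post or from OWASP) of the server-side pattern described here: one deny-by-default authorization function reused by every handler, record ownership enforced on each lookup, and every denial logged with user context. The `User` roles, the in-memory `INVOICES` store and the policy (admins may read, update and delete any record; owners may read and update their own) are constructed for illustration.

```python
import logging
from dataclasses import dataclass

access_log = logging.getLogger("access")


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed in-memory store; owner_id says which user owns each invoice.
INVOICES = {
    101: {"owner_id": 1, "total": 42.0},
    102: {"owner_id": 2, "total": 99.5},
}


class AccessDenied(Exception):
    pass


def authorize(user, action, record):
    """Single policy decision point reused by every handler.

    Deny by default: only the explicitly allowed combinations return.
    Every denial is logged with user context so repeated probing can be
    alerted on. Policy (constructed): admins may read/update/delete any
    record; owners may read/update their own; nobody else gets anything.
    """
    if user is None:
        access_log.warning("denied anonymous action=%s", action)
        raise AccessDenied("authentication required")
    if user.role == "admin" and action in {"read", "update", "delete"}:
        return
    if record is not None and record["owner_id"] == user.id and action in {"read", "update"}:
        return
    access_log.warning("denied user=%s role=%s action=%s", user.id, user.role, action)
    raise AccessDenied("not permitted")


def get_invoice_insecure(user, invoice_id):
    """The broken version: being logged in is enough to read any invoice,
    so a user who changes the id in the request sees someone else's record."""
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    """Hardened: ownership is checked before the record is returned. A
    missing id is also denied for non-admins, so ids cannot be enumerated."""
    record = INVOICES.get(invoice_id)
    authorize(user, "read", record)
    return record


def delete_invoice(user, invoice_id):
    """Delete is admin-only under the constructed policy; same check path."""
    record = INVOICES.get(invoice_id)
    authorize(user, "delete", record)
    return INVOICES.pop(invoice_id, None)


def is_denied(handler, *args):
    """Helper for tests and demos: True when the handler refuses the call."""
    try:
        handler(*args)
    except AccessDenied:
        return True
    return False
```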

Exploring the OWASP Top 10: Part 3

One of the top ten security risks identified by OWASP is security logging and monitoring failures, according to their report https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/. This category covers the controls needed to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response allow attackers to keep access to systems and accounts for an extended time, maximizing the damage they can cause.

This occurs when auditable events, such as logins, failed logins, and high-value transactions, are not logged; when warnings and errors generate inadequate or unclear log messages; when application and API logs are not monitored for suspicious activity; when logs are only stored locally; when appropriate alerting thresholds and response escalation processes are not in place or not effective; or when the application cannot detect, escalate, or alert on active attacks in real time or near real time.

Veracode gives a good explanation about how to identify these issues: https://info.veracode.com/rs/790-ZKW-291/images/security-logging-and-monitoring-prevention-guide-en.pdf.

To combat these risks, developers should implement the following controls, depending on the risk level of the application. Ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts. Ensure that logs are generated in a format that log management solutions can easily consume. Ensure log data is encoded correctly to prevent injection or attacks on the logging or monitoring systems. Make sure that high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. Most importantly, developers should establish or adopt an incident response and recovery plan. TechTarget gives some more advice on best practices for log monitoring: https://www.bing.com/search?q=why+is+logging+and+monitoring+important&cvid=f7efcaf241b84f79b044fc7ed42b982e&gs_lcrp=EgZjaHJvbWUqBAgAEAAyBAgAEAAyBAgBEAAyBAgCEAAyBAgDEAAyBAgEEAAyBAgFEAAyBAgGEAAyBAgHEAAyBAgIEADSAQg1NTg2ajBqOagCALACAA&FORM=ANAB01&PC=LCTS.
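As an added example (not code from the original post or from OWASP), the block below puts three of these controls into working form: encoding of user-controlled fields so a crafted username cannot forge extra log lines, structured JSON entries that carry the user context an analyst needs, and an append-only audit trail in which each entry commits to the previous one's hash so edits or deletions are detected. The field names, the sample events and the IP addresses (from the 203.0.113.0/24 documentation range) are constructed.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # hash value that the first audit entry chains from


def sanitize(value, max_len=200):
    """Neutralise CR, LF and other non-printable characters so a user-supplied
    string cannot forge extra log lines or inject terminal escapes, and cap
    the length so one field cannot flood the log."""
    text = str(value)[:max_len]
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)


def log_event(event, user, source_ip, ts=None, **fields):
    """Return one JSON log line carrying the user context monitoring needs."""
    record = {"ts": time.time() if ts is None else ts, "event": event,
              "user": sanitize(user), "ip": sanitize(source_ip)}
    record.update({key: sanitize(val) for key, val in fields.items()})
    return json.dumps(record, sort_keys=True)


class AuditTrail:
    """Append-only trail where each entry commits to the previous hash, so
    editing or deleting an earlier entry is detectable on verification.
    The latest hash should be copied somewhere the application cannot
    write, otherwise an attacker with write access could rebuild the chain."""

    def __init__(self):
        self.entries = []

    def append(self, line):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        self.entries.append({"prev": prev, "line": line, "hash": digest})
        return digest

    def verify(self):
        """Return the index of the first tampered entry, or -1 when intact."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            expected = hashlib.sha256((prev + entry["line"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return index
            prev = entry["hash"]
        return -1
```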

Exploring the OWASP Top 10: Part 2

One of the top ten security risks identified by OWASP is identification and authentication failures, which they discuss in this report: https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/. This is a big risk because it allows unapproved individuals to gain access to people’s accounts and systems and, as a result, sometimes to elevated permissions or private information.

Confirming the user’s identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords; permits brute force or other automated attacks; permits default, weak, or well-known passwords; uses weak or ineffective credential recovery processes; stores passwords in plain text, encrypted, or weakly hashed form; neglects to use multi-factor authentication; does not correctly invalidate session IDs; or exposes the session identifier in the URL.

These vulnerabilities make way for multiple different attacks. Credential stuffing, which makes use of a list of known credentials, is a common one. If an application does not implement automated-threat or credential-stuffing protection, such as limiting or delaying the number of login attempts someone can make, credential stuffing is an easy way for an attacker to gain access to someone’s account or system. Another big issue arises with public or shared computers. If session timeouts aren’t set properly and someone forgets to log out when they finish, the next person to use the machine has access to their account. Cyolo goes into a lot more detail about the different attacks that can result from this: https://cyolo.io/blog/identification-and-authentication-failures-and-how-to-prevent-them/.

There are a few things one can do to combat this. Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential attacks. Applications can implement weak-password checks and require a certain number of characters and digits in passwords. Application developers can also ensure that registration, credential recovery, and API pathways are hardened against account enumeration attacks. Failed login attempts can be limited or increasingly delayed. To avoid incorrectly invalidating or exposing a session ID, applications can use a server-side, built-in session manager that generates a new random session ID with high entropy after login. Veracode says a lot more about how to prevent these risks in their guide: https://info.veracode.com/rs/790-ZKW-291/images/identification-authentication-failure-prevention-guide-en.pdf.
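The following added example (not code from the original post or from OWASP) implements three of the measures just listed in one small login service: a weak-password check at registration, an increasing delay after repeated failures, and a server-side session store that issues a fresh high-entropy session ID on every successful login. The `COMMON_PASSWORDS` list, the backoff thresholds and the injectable `clock` (so the delay can be tested without sleeping) are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed: a few entries standing in for a large list of known-bad passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_is_weak(pw):
    """Reject short passwords, letters-only or digits-only passwords, and
    known-bad passwords (compared case-insensitively)."""
    return (len(pw) < 12 or pw.isalpha() or pw.isdigit()
            or pw.lower() in COMMON_PASSWORDS)


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so throttling can be tested
        self.users = {}         # username -> (salt, digest)
        self.failures = {}      # username -> (failure count, not_before time)
        self.sessions = {}      # session id -> username (server-side store)

    def register(self, username, pw):
        if password_is_weak(pw):
            raise ValueError("password rejected by policy")
        self.users[username] = hash_password(pw)

    @staticmethod
    def _delay_for(count):
        """No delay for the first two failures, then 2**count seconds,
        capped at five minutes (constructed thresholds)."""
        return min(2 ** count, 300) if count >= 3 else 0

    def login(self, username, pw, old_session=None):
        """Return a new session id, or None if the attempt fails or is throttled."""
        count, not_before = self.failures.get(username, (0, 0.0))
        if self.clock() < not_before:
            return None  # throttled: not even a correct password gets through
        stored = self.users.get(username)
        # Hash against a dummy salt for unknown users so timing stays uniform.
        salt, digest = stored if stored else (b"\0" * 16, b"\0" * 32)
        ok = stored is not None and hmac.compare_digest(hash_password(pw, salt)[1], digest)
        if not ok:
            count += 1
            self.failures[username] = (count, self.clock() + self._delay_for(count))
            return None
        self.failures.pop(username, None)
        if old_session:
            self.sessions.pop(old_session, None)  # discard any pre-login id
        sid = secrets.token_urlsafe(32)            # 256 bits of entropy
        self.sessions[sid] = username
        return sid

    def logout(self, sid):
        """Invalidate on the server, not just by clearing the client cookie."""
        self.sessions.pop(sid, None)
```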

Exploring the OWASP Top 10

One of the top ten security risks identified by OWASP is vulnerable and outdated components, which they discuss in this report: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/. Applications increasingly use pre-existing components rather than being coded completely from scratch. Web applications often need fast turnaround, and with the growing quantity of open-source components available, it is no surprise that developers make use of them. In fact, an estimated 96% of applications use at least some open-source components, and on average more than half of an application’s codebase consists of open-source code, according to https://www.immuniweb.com/blog/OWASP-vulnerable-and-outdated-components.html. The result can be new websites and applications with deeply embedded vulnerabilities that are unknown to the application operator. Once those vulnerabilities are discovered and publicized, applications that use the vulnerable component may be found and exploited.

Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. Such flaws may be accidental, such as a coding error, or intentional, such as a backdoor in a component. There are automated tools to help attackers find unpatched or misconfigured systems.

This is a risk if you do not know the versions of all the components you use, if your software is vulnerable or out of date, if you do not regularly scan for vulnerabilities and read updated information about the components you use, if you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion, or if developers do not test the compatibility of updated, upgraded, or patched libraries. You can find more possible risks, as well as prevention methods, in this guide: https://info.veracode.com/rs/790-ZKW-291/images/vulnerable-and-outdated-components-prevention-guide-en.pdf.

There should also be a process in place to remove unused dependencies and unnecessary features, components, or files. Continuously inventory the versions of both client-side and server-side components and their dependencies, only obtain components from official sources over secure links, and monitor for libraries and components that are not maintained or do not publish security patches for older versions, because they may be insecure. This image gives a briefer, easier-to-understand explanation of vulnerable components:
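As an added example (not code from the original post or from OWASP) of the "know the versions of all the components you use" step, the script below parses a pinned manifest, flags entries whose version cannot be inventoried, and compares the pinned versions against an advisory list using numeric version comparison (a plain string comparison would wrongly rank 4.0.2 above 4.0.10). The manifest, the package names and the `ADV-PLACEHOLDER-*` advisory ids are constructed and do not refer to real packages or advisories.

```python
import re

# Constructed requirements.txt-style manifest, as a build pipeline might see it.
MANIFEST = """\
# web stack
webframework==2.3.1
templating>=1.0      # unpinned: the installed version cannot be inventoried
jsonlib==4.0.2
imagetool==0.9.8
"""

# Constructed advisory feed: a package is affected if installed < fixed_in.
ADVISORIES = [
    {"package": "webframework", "fixed_in": "2.3.4", "id": "ADV-PLACEHOLDER-1"},
    {"package": "imagetool", "fixed_in": "0.9.8", "id": "ADV-PLACEHOLDER-2"},
    {"package": "jsonlib", "fixed_in": "4.0.10", "id": "ADV-PLACEHOLDER-3"},
]


def parse_version(version):
    """'4.0.10' -> (4, 0, 10); tuples of ints compare the way versions should."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_manifest(text):
    """Return ({name: version} for '==' pins, [names] of unpinned entries)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)$", line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(re.split(r"[<>=!~\s]", line, maxsplit=1)[0].lower())
    return pinned, unpinned


def check_inventory(manifest_text, advisories):
    """Return findings: unpinned packages first, then pinned packages whose
    version is below the fixed version named in an advisory."""
    pinned, unpinned = parse_manifest(manifest_text)
    findings = [f"{name}: version not pinned, cannot be inventoried" for name in unpinned]
    for adv in advisories:
        installed = pinned.get(adv["package"].lower())
        if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append(f"{adv['package']} {installed} < {adv['fixed_in']} ({adv['id']})")
    return findings
```

Running the check in CI against the real manifest and a real advisory feed turns "inventory the versions" into a gate that fails the build rather than a manual review.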

Blog Post 8

Dear Blog,

Today I read a very informative article about adding visuals to a report. I often forget to consider adding visuals to my writing, and when I do, I am often not sure how to add them. This article gave me a lot of good advice that I would like to share with you.

The first piece of advice was to label, number, and title my graphics. This one is something I often forget to do, but it is common practice to make sure your graphics make sense. This picture gives a visual example of how to label a graphic in APA format:

I found a picture that also describes how to properly label and place information on a line graph so it is clear and easy to read:

Their next piece of advice is to place the graphic in the right spot. I often struggle to decide where to put a specific graphic, but good placement is definitely important to make sure it is relevant to the current topic. It is also important to keep the overall layout looking clean and easy to navigate.

The next piece of advice was to explain each graphic. This is actually something I do very often. I think explaining the relevance of your graphics is important for them to have any actual meaning. We are also told to explain where each graphic comes from unless we make it ourselves. This one is important because if you do not explain where it originates from, it could be considered plagiarism. Explaining the source could also inform readers about any potential bias or misinformation the graphic could have. This article explains more about how to properly cite your graphics:

https://mytext.cnm.edu/lesson/chapter-7-integrate-visuals-and-apply-design-principles/#:~:text=Here%20are%20a%20few%20tips%20to%20keep%20in,graphics%20in%20nearby%20text%20preceding%20the%20graphic.%20

We are also told to make our graphics stand out. I often do not look too hard at graphics myself unless they seem interesting to me. If your graphic has important information that you want your reader to see, it is important to make sure they read it by piquing their interest enough for them to pay attention to it. This article talks a little more about considering your audience and their interest:

https://pressbooks.pub/coccoer/chapter/creating-and-integrating-graphics/#:~:text=Keep%20the%20following%20in%20mind%20as%20you%20consider,graphics%20fit%20within%20normal%20margins.%20…%20More%20items

The last advice I was given is to make my graphics easy to find. Sometimes it is easy to miss graphics when they are hidden away on the side of the page or in the bottom corner. I often put my graphics right below the paragraph that explains them, so the reader sees them right after they read the context behind the graphic. This last article gives several more tips about how to use graphics and which ones to use depending on the information: https://pressbooks.bccampus.ca/communicating/chapter/chapter-31/

Blog Post 7

Dear Blog,

Today I read a very interesting article about how people read content online. It piqued my interest, and I thought a blog post would be the perfect spot to talk about it since you are all (probably) reading this online.

They first talk about how people have a habit of skimming through writing while reading it online. I personally have a bad habit of doing this. I found this article about how to prevent your readers from skimming so much: https://irisreading.com/how-to-speed-read-without-skimming/.

The article also talks about the appearance of our writing. They say the appearance of our entries should be just as interesting as our writing. I definitely agree with this point. When I open an article and I dislike the font or the page layout, I often won’t even bother to read the first sentence. This article talks about how to edit the appearance of your writing or website to make it more pleasing: https://www.bing.com/search?q=how+to+make+your+online+writing+appearance+better&cvid=3110f56c8f0b46f3898a809bdefaa4af&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCDgzODBqMGo0qAIAsAIA&FORM=ANAB01&PC=LCTS. I also found a good example of a website I would immediately close because of the layout:

Another piece of advice they gave us was to make our big points first. This way, readers read the important parts first. It gains their interest in your writing and also gets the point across before they stop reading, in case they only make it halfway through the article.

The article also advises to talk to the reader by addressing them as “you” or “we.” This forms a connection between your writing and the reader. This article lists a few more ways to connect with readers through your writing: https://thewritepractice.com/connect-with-readers/.

It is also recommended to use clear word choices that would be understandable to almost everyone. This makes your writing much more understandable. This part stood out to me because I often find myself trying to use more complex words in my writing. While it may sound smarter, it can also make your writing difficult to understand for the average person. Here are a few examples of complex words that can be replaced with simpler words:

The next advice is to keep paragraphs short and focused, and even add in a one-sentence paragraph every so often. The article also reminds us to use bullet points, headings, links, and bold words when needed. This is a good reminder because I often forget to add anything other than normal text to my writing. I am going to try to incorporate this advice in my future blog posts, and I hope to better hold your attention while doing so.

Blog Post 6

Dear Blog,

Today I read an insightful article that offered some good advice on how to recover from making mistakes in a job interview. I am what I would call a social klutz. With internship interviews and career fairs looming in my near future, I have been stressing because I have no doubt that I will have at least a few verbal slip-ups or weird fidgety habits that I forget to hide. I found a few articles that have given me advice on how to avoid making mistakes, such as this one from Job-Hunt: https://www.job-hunt.org/avoid-interview-mistakes/. Beth Herring talks about several ways to recover from and make up for a mistake.

The first piece of advice she gives is to apologize. I believe this is the most important way to recover, because it shows self-awareness and a willingness to recognize one’s mistakes. People tend to be very forgiving when offered a sincere apology. Her second piece of advice is not to dwell on it. This can apply to a mistake in any area of life, because dwelling on a mistake can lead to making many more. Her third piece of advice is to think on your feet and come up with an excuse for your mistake that makes you look better. For example, if you forget a list of references or your resume, you could tell them you wanted to wait until you knew more about what qualifications and experience they are looking for. Her last piece of advice is to fix the mistake when you realize you are making it. She explains that fixing the mistake immediately is better than feeling bad about it once the interview is over.

If the mistake is big enough to warrant one, the article also advises us to include an apology in a thank-you email or even a handwritten note. I found a good template for one of these messages:

I believe I would use a handwritten note. This article talks about the merits of both a handwritten note and an email: https://www.terrastaffinggroup.com/resources/blog/post-interview-thank-you-email-or-handwritten-thank-you-note/#:~:text=Sending%20both%20an%20email%20and%20a%20handwritten%20note,back%20to%20the%20forefront%20a%20few%20days%20later. They also give some examples where both would be acceptable. I think a handwritten note makes you more memorable and shows you put effort and care into it, as opposed to copy-pasting the same email to all of your interviewers. This last article gives some advice on what you should and should not do in a handwritten thank-you letter to your interviewer: https://www.indeed.com/career-advice/interviewing/handwritten-thank-you-notes-after-interview.

Blog Post 5

Dear Blog,

Today I read a post from Dr. Heather Holleman, the author of “Writing with Flair.” She talks about 5 different methods that can be used to make writing more interesting to read. The first method she introduces is choosing verbs with flair. She explains that verbs such as am, is, and are don’t actually describe a specific action and can make writing duller. Using more interesting verbs helps readers understand and visualize what the writer is trying to convey.

Her second piece of advice is to take advantage of the big five punctuation marks: the semicolon, colon, dash, parentheses, and comma. She explains the use of each one and advises us to use them when appropriate to add more variety to our writing. Using these punctuation marks can help writers convey their tone and can also make writing look less monotonous and boring. I found an article that talks about even more punctuation marks you can incorporate into your writing: https://www.thesaurus.com/e/grammar/what-are-the-major-punctuation-marks/

The third method is to vary the length of our sentences. I definitely agree with using this method, because writing can sound repetitive when all the sentence lengths are the same. The fourth method stated is to use some clever word play. I am always a fan of a good play on words. It can add humor to your writing and keep the reader interested. This article lists three ways to incorporate wordplay into your writing: https://www.bing.com/search?q=incorporate+clever+play+on+words+into+your+writing&cvid=ed0a3aa4662f4ebba6a176250c450597&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCDcxMTRqMGo0qAIAsAIA&FORM=ANAB01&PC=LCTS.

The last method is to engage the audience. This one should go without saying: a reader who is not interested most likely will not continue reading. These methods should all add up to keeping the audience engaged, because that is one of the most important ways to get your audience to actually pay attention to your point. This last article gives a lot more detail on how to keep an audience engaged with your writing: https://hoist.digital/content/blog/10-effective-tips-to-reach-your-audience.

(no title)

Dear Blog,

Today I read Jack Dorsey’s letter to his employees in which he announces he will be laying off over 330 employees. At the beginning of the letter, Mr. Dorsey states that he will “give it to us straight.” He then proceeds to give ‘it’ to us in a maze of vague explanations of plans to better the company and promises to reimburse these 330 employees with a “generous” exit package of about 20% of his annual salary. For those wondering, this works out to about one day of pay for every five employees that are now out of work.

I have no issue with companies deciding to lay off workers. I understand that sometimes it is necessary to let people go, so Jack Dorsey is not in the wrong on that front. However, I am ticked off that I was expecting a straight explanation from his announcement, and instead was given a page and a half of explanations and excuses that I am sure nobody cares about. I understand the need to soften the blow by coating the bad news with a dozen layers of good news, but if I were one of the employees losing their job, that letter would have made me feel much worse. If he really wanted to show respect to the employees that were being laid off, he wouldn’t have spent 70 percent of his letter describing what a great future he has planned and the other 30 percent explaining how generous he’s going to be to those employees.

I would prefer he just announce that they were being laid off, explain how he will reimburse them, and end the letter there. This article I found goes more in depth about why people shouldn’t use this method: https://www.reliableplant.com/Read/24506/Sweet-talk-sugar-coated. Too many people in positions of power fail at delivering bad news because they try to disguise it as part of a bigger set of good news instead of just allowing it to be bad news. It makes it a lot harder to actually accept good news when it comes, because we become so used to good news being paired with bad news and vice versa. This article talks about how sugar-coating bad news can actually cause people to receive it worse than if it had been delivered bluntly, and explains how sugar-coating bad news can make someone seem condescending and manipulative: https://psychologycorner.com/why-sugar-coated-communication-is-bad-for-you-and-for-everyone-else/. I think CEOs and other leaders need to start actually giving it to us straight instead of trying to give us big clusters of positivity to distract us from the main point.