Application Security Risks
RESPOND TO THESE DISCUSSION POSTS BASED ON THE TOPIC “Choose one of the OWASP Top 10 Web Application Security Risks and recommend a mitigation for the vulnerability.”
1. Aby Iy D). XSS
One of the top 10 web vulnerabilities is Cross-Site Scripting (XSS). This vulnerability happens when a web application sends information that is not trusted to a web browser that has not been validated properly. The issue allows an attacker to hijack a user’s session or redirect to sites coded with malicious activity (OWASP, 2015). Ways to mitigate/prevent XSS are to deny all and never insert untrusted data except in allowed locations (OWASP, 2015). With proper coding it can be blocked so that untrusted data is not allowed in certain portions of a web browser’s page. The same goes with escaping data for untrusted data, by using the proper codes to not allow various characters on a browser. Encoding all command characters helps prevent this as well.
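The escaping described in the post above, as an added example that is not part of the original post: untrusted data is placed only in three allowed slots of a page, each with the encoder for that context. The function names, the page template and the sample input are hypothetical and constructed for illustration.

```python
import html
import json


def encode_html(value: str) -> str:
    """Encoder for HTML body text and quoted attribute values."""
    # Escapes & < > " ' so the value cannot open a tag or close the attribute.
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encoder for a string literal inside an inline <script> block."""
    # json.dumps quotes the value and escapes quotes, backslashes and newlines.
    # The HTML parser sees the script body first, so <, > and & are also
    # written as \uXXXX escapes to stop "</script>" inside the value from
    # ending the block early.
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_profile(display_name: str) -> str:
    """Insert untrusted data only in the allowed slots, encoded per context."""
    return (
        "<p>Hello, " + encode_html(display_name) + "</p>\n"
        '<input name="display" value="' + encode_html(display_name) + '">\n'
        "<script>var displayName = " + encode_js_string(display_name)
        + ";</script>"
    )


# Constructed sample input that tries to break out of an attribute value.
UNTRUSTED = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_profile(UNTRUSTED))
```
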
2. Dvd BCHR). Vulnerability Mitigation (Security Misconfiguration)
Vulnerabilities come in many shapes and sizes, and while this list is a little old, many of the threats still hold true. An extremely common and also equally as dangerous vulnerability is the misconfiguration of security devices. It is incredibly easy to use a vulnerability scanner on a network to look for open ports, and a lack of a hardened operating system, or in ordinary terms, an OS that has unnecessary processes running and ports open. Proper security base-lining should involve identifying the state of the organization's security and from there a plan of attack should be developed. Misconfiguration can be as simple as out-of-date software, which should be addressed in a patch management policy, or poor error handling which can lead to giving attackers dangerous information about the type of back end database (Security Misconfiguration, 2013). Input validation can prevent XSS, SQL Injection, Buffer Overflow attacks, etc. and can lead to more involved documentation which upholds strong security configurations.
A sound security policy, coupled with change management, periodic vulnerability assessments (with documented follow-up actions), user rights audits, and patch management policies should mitigate most security misconfiguration & similar issues.
3. Jme Cn). SQL Injection
SQL injection attacks can occur when code is not escaped properly, making it possible for a malicious user to enter a certain input that acts as a SQL Query. This can result in unauthorized access to a whole database of information, the alteration of that data, and the subsequent compromise of the entire network (Rubens, 2010).
To avoid these types of attacks, there are numerous preemptive steps one can take. First of all, dynamic SQL should be avoided and adequate code should be utilized to meet coding standards. Lazy coding is unsecure coding. Not only this, but a layered, defense-in-depth approach should be taken by having a strong web application firewall with good rules in place, updates and security patches should regularly be downloaded and installed, strong passwords should be utilized, and privileges should be set based upon a need-to-know basis. That is, access should be granted based upon who needs to access what to adequately perform their duties, with no more access granted than what is necessary. Not only this, but if a certain aspect of a database is not necessary, it is best to do away with it to reduce attack surface and ensure there is one less vulnerability.
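The advice in the post above to avoid dynamic SQL, as an added example that is not part of the original post: the same lookup written with string concatenation and with a bound parameter, plus an allow-list for a sort column, which cannot be bound as a parameter. The table, function names and inputs are hypothetical and constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def find_user_dynamic(conn, name):
    """Dynamic SQL, the pattern to avoid: input becomes part of the query text."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, name):
    """Parameterized query: input is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, sort_by):
    """Identifiers cannot be bound, so accept only names from a fixed list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(
        "SELECT name, role FROM users ORDER BY " + sort_by
    ).fetchall()


# Constructed input that changes the WHERE clause when concatenated.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic:      ", find_user_dynamic(db, CRAFTED))
    print("parameterized:", find_user_parameterized(db, CRAFTED))
```
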
PLEASE READ THIS. IT IS VERY IMPORTANT
Allow your discussion posts to be detailed and capable of sharing knowledge, ideas and points. You must discuss the topic using your own words first. Using your own words indicates you understand the topic of discussion. Secondly, you must cite your sources in-text. This is necessary to justify your points. Sources from several sources showed good research abilities. Lastly, you must provide references at the bottom of your post. A discussion post without justification with sources does not show proper research abilities. A terse and not detailed discussion represents a post that would not provide enough sharing of knowledge or proper understanding of the topic. DO NOT just copy and paste a sentence from online with citation at the end as your own discussion. I have not asked for definitions, I asked for discussions and will not buy this. You must show understanding of the discussion topic by using your own words to describe the topic and then justify that with sources.
Use www.citationmachine.net to format references into the APA style if necessary. Extremely important. In-text citations are very essential and highly needed as well.
Use double spacing, 12-point Times New Roman font, and one-inch margins. Sources should be cited according to APA citation method (citation should be relevant and current). Page-length requirements: 2 PARAGRAPHS FOR EACH PROMPT ANSWER. Make sure you cite if you take a piece of someone’s work, very important and your reference should relate to your writing (don’t cite a reference because it relates to the course and not this very paper) at least 2 current and relevant academic references. No heavy paraphrasing of others’ work.