The table below is a high-level view of the common application vulnerability categories, the problems that arise when each is not designed for, and the controls that mitigate them.
| Vulnerability Category | Potential Problem Due to Bad Design | Controls |
|---|---|---|
| Input Validation | Attacks performed by embedding malicious strings in query strings, form fields, cookies, and HTTP headers. These include command execution, cross-site scripting (XSS), SQL injection, and buffer overflow attacks. | WAF, input validation and verification (allowlists, parameterized queries) |
| Authentication | Identity spoofing, password cracking, elevation of privileges, and unauthorized access. | WAF, session management, password policy, two-factor authentication, identity management (IDM) |
| Authorization | Access to confidential or restricted data, tampering, and execution of unauthorized operations. | Session management, access controls, IDM |
| Configuration Management | Unauthorized access to administration interfaces, ability to update configuration data, and unauthorized access to user accounts and account profiles. | Path management, access filtering, IDM, privileged identity management (PIM), session management |
| Sensitive Data | Confidential information disclosure and data tampering. | Encryption, hashing controls |
| Session Management | Capture of session identifiers resulting in session hijacking and identity spoofing. | IDM, session management |
| Cryptography | Access to confidential data or account credentials, or both. | Encryption, hashing controls, database access controls |
| Parameter Manipulation | Path traversal attacks, command execution, and bypass of access control mechanisms, among others, leading to information disclosure, elevation of privileges, and denial of service. | WAF, input validation, parameter validation, header validation |
| Auditing and Logging | Failure to spot the signs of intrusion, inability to prove a user's actions, and difficulties in problem diagnosis. | Detailed logging, syslog server, SIEM, alerting, reporting |
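To make the Input Validation row concrete, here is an added example (not code from the original post) showing a lookup that concatenates untrusted input into SQL, beside the same lookup hardened with the two controls the table names: an allowlist validation step and a parameterized query. The in-memory SQLite database, its rows, and the username format rule are constructed for the example and are assumptions, not part of the page.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is pasted into the query string: SQL injection.

    A username of  x' OR '1'='1  turns the WHERE clause into a tautology
    and returns every row in the table.
    """
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so a quote in the input is data, never syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist for the username format (an assumed policy for this example):
# lowercase letter first, then 2..31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username):
    """Return True only if the whole string matches the allowlist."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Defense in depth: reject malformed input at the boundary, and still
    use a parameterized query for anything that passes validation."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))    # both rows leak
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened:", exc)                            # rejected before the query
```

The parameterized query alone stops the injection; the validation step additionally rejects input that should never reach the database, which is the layered approach the Controls column describes (WAF at the edge, validation at the application boundary, safe query construction at the data layer).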