Summarize each slide deck into 1 page each. Does not require any references or research.
Code Security – 1 page
Cloud Security – 1 page
Code Security – Issues and Best Practices
Outline
Intro to Code Security
Need for Code Security
Code Security Fundamentals
Code Security Issues
OWASP Top 10 – A4:2017– XML External Entities (XXE)
OWASP Top 10 – A8:2017– Insecure Deserialization
OWASP Top 10 – A9:2017– Using Components with Known Vulnerabilities
Attacks against Code Security Mechanisms
Code Security Best Practices
Intro to Code Security
Intro to Code Security
What is Code?
Code refers to instructions issued to a computer that tell it which actions to perform and in what order
Code is made of strings of typed letters, numbers, and figures, which constitute a language complete with spelling rules and syntax
Code is used to do all sorts of activities including:
Building websites
Flying airplanes
Running NASA satellites
Making cars/cellphones/TVs/gaming consoles, etc. work
Source: Indeed.com – How to Write Code in 6 Steps? –
https://www.indeed.com/career-advice/career-development/how-to-write-code
Intro to Code Security (contd.)
Code Types
Markup Languages – Use start tags (<>) and end tags (</>) to represent different components
Examples:
HTML – Is the code that describes the structure and content of a web application
XML – Is code that is designed to store and transport data in both human– and machine–readable format
SAML – Is a framework for describing and exchanging security information between online business partners
Intro to Code Security (contd.)
Code Types (continued)
Scripting Languages – Used to write small programs that are interpreted at run time (by a browser, a web server module or a stand-alone interpreter) rather than compiled ahead of time
Examples (client-side):
JavaScript – Is a cross-platform scripting language that can be embedded within web pages to create interactive documents
AJAX – Is a collection of technologies (JavaScript, XMLHttpRequest, XML/JSON) that lets a page exchange data with the server asynchronously, so parts of a page can be updated without a full reload
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Intro to Code Security (contd.)
Code Types (continued)
Scripting Languages – Can also run on the server side
Examples (server-side):
CGI – Is a standard interface through which a web server runs external programs to generate dynamic content, e.g. to make web sites interact with databases and other applications
SSI – Is a limited scripting language (directives embedded in HTML) supported by most web servers
ASP – Is used to create dynamic and interactive web applications for servers that serve “.asp” web pages; its successor, ASP.NET, runs on the .NET framework
PHP – Is used to create dynamic web pages that extract data from a database and present it on a web page
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Intro to Code Security (contd.)
Code Types (continued)
Programming Languages – Used to code the business logic behind the web applications
Examples:
Java – Is a cross-platform, memory-safe programming language that compiles to bytecode for the JVM; open-source implementations are freely available
C# – Is an object-oriented programming language created by Microsoft that runs on the .NET framework
Python – Is an interpreted programming language widely used for web applications, data processing and scientific computing
Ruby – Is an open-source programming language with a focus on simplicity and productivity
Intro to Code Security (contd.)
Code market share (chart not reproduced):
Source: Programming Languages Market Share Report – Datanyze –
https://www.datanyze.com/market-share/programming-languages–67/
Intro to Code Security (contd.)
Secure Coding Concepts – Professor Messer
Source: Professor Messer – Secure Coding Concepts – CompTIA Security+ SY0-401: 4.1 –
https://www.youtube.com/watch?v=N-tQtS5uQoo
Intro to Code Security (contd.)
Code security refers to “a set of technologies and best practices for making software as secure and stable as possible. It encompasses everything from encryption, certificates, and federated identity to recommendations for moving sensitive data, accessing a file system, and managing memory” (Red Hat, 2020)
As per Apple (2016), code security involves writing software that:
Is resistant to attack by malicious or mischievous people or programs
Stops an attacker from accessing and taking control of a server or a user’s computer resulting in denial of service, compromise of secrets, or damage to the systems of thousands of users
Protects a user’s data from theft or corruption
Is secure regardless of whether it is a small script or a commercial application
Need for Code Security
Need for Code Security
As per OWASP (2010):
It is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach
Securing critical software resources is more important than ever as the focus of attackers has steadily moved toward the application layer
Failure to code securely can compromise:
The software and its associated information
The operating systems of the associated servers
The backend database
Other applications in a shared environment
Need for Code Security (contd.)
As per Veracode (2020):
Code security analysis is a must for competitive enterprises
Most current threats are directed at the application layer
It is critical to search code for vulnerabilities such as backdoors and malicious code before attackers discover and exploit them using a variety of attacks
Such code-targeted attacks on the enterprise can have severe consequences:
Reduce productivity
Tie up valuable organizational resources
Damage brand reputation
Cut into profits
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, web applications written in the most common languages have at least one vulnerability (chart not reproduced):
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, flaw intensity vs. flaw prevalence (chart not reproduced):
Need for Code Security (contd.)
As per the Veracode (2019) State of Software Security Report, flaw debt types by language (chart not reproduced):
Need for Code Security (contd.)
Poor code security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)
Code Security Fundamentals
Code Security Fundamentals
Secure Coding Standards – SEI | CMU | CERT
Source: SEI | CMU | CERT – Secure Coding Standards –
https://www.youtube.com/watch?v=WYKSivnp3gA
Code Security Fundamentals (contd.)
Code security (by code type):
Markup language security
HTML security
XML security
SAML security
Scripting language (client-side) security
JavaScript security (in Firefox)
AJAX security
Code Security Fundamentals (contd.)
Code security (by code type):
Scripting language (server-side) security
CGI security
SSI security
ASP security
PHP security
Programming language security
Java security
C++ security
Python security
Ruby security
Code Security Issues
Code Security Issues
Specific code security issues include the following:
Vulnerabilities in C amounted to roughly 50% of all reported vulnerabilities
The most common CWEs across most programming languages are Cross-Site Scripting (XSS), Input Validation, Permissions/Privileges/Access Control, and Information Leak/Disclosure
A significant rise was seen in reported vulnerabilities, driven by the use of automated tools and the growth of bug bounty programs
While there was a spike in the number of reported security vulnerabilities in the past couple of years, the number of high-severity vulnerabilities decreased in most languages
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
Code Security Issues (contd.)
Total reported vulnerabilities per language (chart not reproduced)
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
Code Security Issues (contd.)
Top 3 vulnerabilities per language (chart not reproduced)
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
Code Security Issues (contd.)
OWASP Top 10–A4:2017 – XML External Entities (XXE)
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
Code Security Issues (contd.)
OWASP Top 10–A8:2017 – Insecure Deserialization
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Code Security Issues (contd.)
OWASP Top 10–A9:2017 – Using Components with Known Vulnerabilities
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –
https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –
https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
Code Security Attacks
Code Security Attacks
Most common code security attacks:
Attack Type | Description |
Billion Laughs Attack / XML Bomb | A block of XML that is both well-formed and valid according to the rules of an XML schema but which crashes or hangs a program when that program attempts to parse it (Microsoft, 2015); nested entity definitions expand exponentially and exhaust the parser's memory |
Buffer Overflow | An attack that writes past the end of a buffer so that adjacent memory of the process (other variables, saved return addresses, heap metadata) is overwritten; the result ranges from a crash to attacker-controlled execution |
Code Injection | An attack which consists of injecting code that is then interpreted/executed by the application |
Code Security Attacks (contd.)
Most common code security attacks (continued):
Attack Type | Description |
JSON Injection | Untrusted input is placed into a JSON document without escaping, so the attacker can add or alter fields; a simple server-side variant in PHP grants admin privileges to a regular user by injecting a role attribute |
SSI Injection | Server Side Include directives are injected into pages the web server processes, letting the attacker execute arbitrary commands on the server or include files into the served HTML |
XXE Attack | A crafted XML document declares an external entity that the parser resolves, bypassing the application's own input checks; the attacker can read locally stored files, reach internal services, or cause denial of service |
Code Security Attacks (contd.)
What is an XXE Attack – Hacksplaining
Source: Hacksplaining – What is an XXE Attack? –
https://www.youtube.com/watch?v=hIHrGuG3r5w
Code Security Best Practices
Code Security Best Practices
Best practices for code security include:
Establishing coding standards and conventions
Select languages with awareness of the security weaknesses they inherit (e.g. manual memory management in C/C++)
Use built-in security features
Use loosely coupled frameworks / libraries / components
Enforce standards
Using safe functions / APIs only
Provide guidance to developers on what functions / APIs to avoid
Use appropriate tools to assist in identifying and reviewing the usage of dangerous functions
Use the latest versions of compilers / interpreters / runtime environments
Source: SAFEcode.org – Fundamental Practices for Secure Software Development –
Code Security Best Practices (contd.)
Best practices for code security include (continued):
Using code analysis tools to find security issues early
Use tools to analyze code to identify deviation from requirements
Use tools that plug in directly into the IDE
Use secure code review to identify logical errors in the source code
Handling data safely / handling errors gracefully
Use input validation techniques to begin with
Enforce data segregation to prevent data from becoming application logic
Use encoding so that data is interpreted in the context in which it is used
Use data binding which prevents data from being interpreted as control logic
Use sanitization techniques to remove, replace, or encode unwanted characters
Source: SAFEcode.org – Fundamental Practices for Secure Software Development –
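The data-handling practices listed above (validation first, data binding, context-aware encoding) in working code. This is an added example, not code from the slides or from SAFECode; it uses only the Python standard library (sqlite3 and html), and the user table and the two attack strings are constructed for the demo.

```python
"""Data binding and output encoding: keeping untrusted data from being read as code.

Added example (not from the slides or SAFECode). Standard library only.
The users table, INJECTION and XSS strings are constructed for the demo.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", 1),
        ("bob", "bob@example.test", 0),
    ])
    return db


def find_user_concat(db: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so it can change
    the query's structure (classic string-built query)."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def find_user_bound(db: sqlite3.Connection, name: str) -> list:
    """Data binding: the driver sends the value separately from the query,
    so whatever the string contains it is only ever compared as data."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> str:
    """Input validation first: allowlist what a username may look like."""
    if not (1 <= len(name) <= 32 and name.isascii() and name.isalnum()):
        raise ValueError(f"invalid username: {name!r}")
    return name


def is_valid_username(name: str) -> bool:
    try:
        validate_username(name)
        return True
    except ValueError:
        return False


def render_greeting(name: str) -> str:
    """Output encoding for the HTML text context: the browser must render
    the characters, not interpret them as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed attack inputs.
INJECTION = "x' OR '1'='1"
XSS = "<img src=x onerror=alert(1)>"


def demo() -> dict:
    db = make_db()
    return {
        "concat_rows": len(find_user_concat(db, INJECTION)),  # 2: every user leaks
        "bound_rows": len(find_user_bound(db, INJECTION)),    # 0: literal match only
        "bound_exact": find_user_bound(db, "bob"),
        "validated": is_valid_username(INJECTION),            # False: rejected up front
        "escaped": render_greeting(XSS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Validation rejects the injection string before it reaches the database; binding makes the query safe even for values that must legitimately contain quotes; escaping is applied at output time for the specific context (HTML text here; a URL or JavaScript context needs its own encoder).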
Code Security Best Practices (contd.)
Best practices for code security include the following:
Take Security Requirements and Risk Information into Account During Software Design
Review the Software Design to Verify Compliance with Security Requirements and Risk Information
Verify Third-Party Software Complies with Security Requirements
Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality
Create Source Code Adhering to Secure Coding Practices
Source: NIST – Cybersecurity White Paper –
Code Security Best Practices (contd.)
Best practices for code security include the following:
Configure the Compilation and Build Processes to Improve Executable Security
Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
Configure the Software to Have Secure Settings by Default
Source: NIST – Cybersecurity White Paper –
Code Security Best Practices (contd.)
Use the following code security best practices to protect against XML External Entities (XXE):
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
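The XXE and billion-laughs issues listed under Code Security Issues, and the protection this slide refers to, shown in working code. This is an added example, not code from the slides or from OWASP; it uses only the Python standard library, and the three XML documents are constructed for the demo (the bomb is cut to three levels so the trusting parser can expand it without exhausting memory).

```python
"""Refusing DTDs before untrusted XML is parsed.

Added example (not from the slides or OWASP). Standard library only.
BENIGN, XXE and LAUGHS are constructed payloads.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to use DTD features."""


def parse_trusting(xml_text: str) -> ET.Element:
    """Default behaviour: internal entities are expanded, which is what
    XML bombs rely on (and what XXE relies on for external entities)."""
    return ET.fromstring(xml_text)


def parse_untrusted(xml_text: str) -> ET.Element:
    """Hardened: reject any <!DOCTYPE ...>, so no entity, internal or
    external, can be declared. This is the rule OWASP's XXE guidance gives
    (disallow DOCTYPE declarations) and what the defusedxml package enforces."""
    scanner = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected (system id: {sysid!r})")

    def reject_entity(name, *_):
        raise UnsafeXMLError(f"entity declaration {name!r} rejected")

    scanner.StartDoctypeDeclHandler = reject_doctype
    scanner.EntityDeclHandler = reject_entity      # second line of defence
    scanner.Parse(xml_text, True)                  # a handler exception propagates here
    return ET.fromstring(xml_text)                 # only DTD-free input gets this far


BENIGN = "<order><item>widget</item></order>"

# XXE: a resolving parser would inline the file's contents into <item>.
XXE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<order><item>&xxe;</item></order>"
)

# XML bomb: each level references the previous one ten times (10^3 here;
# the real attack nests about ten levels for 10^9 expansions).
LAUGHS = (
    '<?xml version="1.0"?>'
    "<!DOCTYPE lolz ["
    '<!ENTITY lol "lol">'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
    "]><lolz>&lol3;</lolz>"
)


def expanded_length(xml_text: str) -> int:
    """Characters a trusting parser materialises from the document's root text."""
    return len(parse_trusting(xml_text).text or "")


def is_rejected(xml_text: str) -> bool:
    try:
        parse_untrusted(xml_text)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print("bomb: input bytes", len(LAUGHS), "-> expanded chars", expanded_length(LAUGHS))
    print("benign accepted:", not is_rejected(BENIGN))
    print("xxe rejected:", is_rejected(XXE), "| bomb rejected:", is_rejected(LAUGHS))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" internal entities: the amplification in the bomb comes entirely from internal entities, and the file read in the XXE case from an external one, so a parser that accepts neither has no entity to expand.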
Code Security Best Practices (contd.)
Use the following code security best practices to protect against insecure deserialization:
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html
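Insecure deserialization and the three mitigations OWASP's A8 guidance points at (type constraints, integrity checks, data-only formats), shown with Python's pickle. This is an added example, not code from the slides or from OWASP; it uses only the standard library. The Gadget class is a constructed stand-in for an attacker's payload (it calls os.getcwd where a real one would call os.system), and KEY is a placeholder for a server-side secret.

```python
"""Insecure deserialization with pickle, and three mitigations.

Added example (not from the slides or OWASP). Standard library only.
Gadget, MALICIOUS, LEGIT and KEY are constructed for the demo.
"""
import hashlib
import hmac
import io
import json
import os
import pickle


class Gadget:
    """pickle serialises this as 'call os.getcwd()': callable and arguments
    are attacker-chosen, so pickle.loads() is an arbitrary function call."""
    def __reduce__(self):
        return (os.getcwd, ())


MALICIOUS = pickle.dumps(Gadget())                               # attacker's blob
LEGIT = pickle.dumps({"user": "alice", "roles": ["viewer"]})     # honest session blob


def load_trusting(blob: bytes):
    """Vulnerable (A8:2017): deserialises whatever it is handed."""
    return pickle.loads(blob)


# Mitigation 1: type constraints. Refusing every global lookup means only
# primitive containers can be rebuilt, so no attacker-chosen callable is ever
# resolved. Add an explicit (module, name) allowlist here only if a specific
# class is genuinely needed.
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Mitigation 2: integrity check before deserialising. Assumption: KEY stays
# server-side; anyone holding it can forge blobs, so this only protects data
# that round-trips through untrusted hands (e.g. a signed session cookie).
KEY = b"placeholder-key-use-32-random-bytes"


def sign(blob: bytes) -> bytes:
    return hmac.new(KEY, blob, hashlib.sha256).digest() + blob


def load_signed(signed: bytes):
    tag, blob = signed[:32], signed[32:]
    expected = hmac.new(KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: refusing to deserialise")
    return load_restricted(blob)        # still restrict types: defence in depth


# Mitigation 3: a data-only format, validated for shape after loading.
def load_json_session(text: str) -> dict:
    data = json.loads(text)
    if not (isinstance(data, dict) and isinstance(data.get("user"), str)
            and isinstance(data.get("roles"), list)):
        raise ValueError("unexpected session shape")
    return data


def demo() -> dict:
    out = {"trusting_ran_code": load_trusting(MALICIOUS) == os.getcwd()}
    try:
        load_restricted(MALICIOUS)
        out["restricted_blocked"] = False
    except pickle.UnpicklingError:
        out["restricted_blocked"] = True
    try:
        load_signed(b"\x00" * 32 + LEGIT)   # forged tag
        out["forged_blocked"] = False
    except ValueError:
        out["forged_blocked"] = True
    out["legit_ok"] = load_signed(sign(LEGIT)) == {"user": "alice", "roles": ["viewer"]}
    return out


if __name__ == "__main__":
    print(demo())
```

The signature check alone is not enough: it proves who produced the blob, not that the blob is harmless, which is why load_signed still goes through the restricted unpickler. Where the data is plain records, the JSON path removes the deserialization gadget problem entirely.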
Code Security Best Practices (contd.)
Use the following code security best practices to protect against using components with known vulnerabilities:
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –
https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html
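The core of the check OWASP's A9 guidance asks for (inventory your components and compare their versions against known advisories), shown as a small audit over a pinned requirements file. This is an added example, not code from the slides or from OWASP, and not how any real scanner is implemented; the advisory records, package names and advisory ids are placeholders constructed for the demo (not real vulnerabilities or CVEs). Tools such as pip-audit, OWASP Dependency-Check and npm audit run the same loop against real databases.

```python
"""Auditing pinned dependencies against an advisory list.

Added example (not from the slides or OWASP). Standard library only.
ADVISORIES and REQUIREMENTS are constructed; the package names and ids are
placeholders, not real vulnerabilities. Versions are compared as integer
tuples, which is enough for the simple X.Y.Z pins used here.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    package: str
    first_affected: str   # inclusive
    fixed_in: str         # exclusive: this version and later are clean
    advisory_id: str


ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-0001"),
    Advisory("examplelib", "2.0.0", "2.0.7", "EXAMPLE-ADV-0002"),
    Advisory("demoparser", "0.1.0", "0.9.0", "EXAMPLE-ADV-0003"),
]

REQUIREMENTS = """\
# constructed requirements.txt: comments and blank lines are allowed
examplelib==1.3.9
demoparser==0.9.0
otherpkg==3.2.1
looselypinned>=1.0   # a range, not a pin: the deployed version is unknown
"""

_PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$")


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str):
    """Return (pinned: {name: version}, unauditable: [raw requirement lines])."""
    pinned, unauditable = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN.match(line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unauditable.append(line)
    return pinned, unauditable


def is_affected(version: str, adv: Advisory) -> bool:
    """first_affected <= version < fixed_in."""
    v = version_key(version)
    return version_key(adv.first_affected) <= v < version_key(adv.fixed_in)


def audit(text: str):
    """Findings as (package, pinned version, advisory id, fixed_in) plus the
    requirements that could not be audited because they are not pinned."""
    pinned, unauditable = parse_requirements(text)
    findings = [
        (name, version, adv.advisory_id, adv.fixed_in)
        for name, version in pinned.items()
        for adv in ADVISORIES
        if adv.package == name and is_affected(version, adv)
    ]
    return findings, unauditable


if __name__ == "__main__":
    findings, unauditable = audit(REQUIREMENTS)
    for name, version, adv_id, fixed in findings:
        print(f"{name}=={version}: {adv_id}, upgrade to >= {fixed}")
    for line in unauditable:
        print(f"cannot audit unpinned requirement: {line}")
```

Two details matter in practice: the fixed_in bound is exclusive (demoparser 0.9.0 is clean, 0.8.x is not), and an unpinned requirement is reported rather than silently skipped, because a range tells you nothing about what is actually deployed; pin versions (or use a lock file) so the inventory is real.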
Recap
Code security issues are among the OWASP Top 10 list of web application security risks
This is due to weaknesses in coding technologies such as markup languages, scripting languages (client- and server-side), programming languages, etc.
Attackers exploit these weaknesses using attacks such as billion laughs, buffer overflow, code/SSI/JSON injection, XXE attacks, etc.
Best practices to protect code include establishing coding standards, protecting data, performing input validation/error handling/logging, ensuring proper memory management, using code analysis tools to do secure code review, etc.
Thank you!!!
Cloud Security – Issues and Best Practices
Outline
Intro to Cloud Security
Need for Cloud Security
Cloud Security Fundamentals
Cloud Security Issues
OWASP Top 10 – A6:2017– Security Misconfiguration
OWASP Cloud-Native Application Security Top 10
Attacks against Cloud Security Mechanisms
Cloud Security Best Practices
Intro to Cloud Security
Intro to Cloud Security
What is the cloud?
According to Microsoft (2022) the cloud refers to “a vast network of remote servers around the globe which are hooked together and meant to operate as a single ecosystem”
Cloud servers are designed to:
Store and manage data
Run applications
Deliver content/service such as streaming videos, web mail, office productivity software, social media to any Internet-connected device
According to NSA (2018), cloud browsers can be used to completely separate the web browser from the user’s O/S by hosting the browser in a remote cloud environment
Intro to Cloud Security (contd.)
What is the cloud? – PowerCert Animated Videos
Source: PowerCert Animated Videos – Cloud Computing Explained –
https://www.youtube.com/watch?v=_a6us8kaq0g/
Intro to Cloud Security (contd.)
Cloud deployment methods
Public cloud – shares resources and offers services over the public Internet
Private cloud – does not share resources and offers services over a private internal network, typically hosted in an on-premises datacenter
Hybrid cloud – shares resources between public and private clouds depending on their purpose
Community cloud – shares resources only between specific organizations such as government institutions
Source: Microsoft.com – What is the Cloud? –
https://azure.microsoft.com/en-us/overview/what-is-the-cloud/
Intro to Cloud Security (contd.)
Cloud service models (SP – Service Provider, C – Customer; the split shown is the standard one for each model, with the customer accountable for its data throughout):
Cloud Service Model | Hardware | Operating System | Applications | Data | Examples |
SaaS | SP | SP | SP | C | Amazon SaaS Factory, Office 365, Google Kubernetes Engine |
PaaS | SP | SP | C | C | Elastic Beanstalk, Azure App Service, Google Cloud Run |
IaaS | SP | C | C | C | Amazon EC2, Azure IaaS, Google Compute Engine |
Intro to Cloud Security (contd.)
Cloud market share (chart not reproduced):
Source: 64 Significant Cloud Computing Statistics for 2022 – FinancesOnline –