Secure Computing OWASP

2014-10-16 01:28:07

OWASP secure computing

  1. what is the OWASP Top Ten?
    the 10 most critical web application security risks at the time of release
  2. threat agents
    where are these attacks going to come from?
  3. attack vector
    how easy is it to perform the attack?
  4. weakness prevalence
    how common is the weakness?
  5. weakness detectability
    how easy is it to detect the weakness?
  6. technical impact
    how severe will the attack be on the infrastructure?
  7. business impact
    what will be the varied costs to the business if a successful attack takes place?
  8. 3 primary defence approaches
    • input validation - never trust the user
    • attack surface reduction - don't provide functionality that users don't need
    • classification and prioritization of threats
  9. 2 types of input validation
    • blacklist validation - define the input that should not come from a user, then block it
    • whitelist validation - define the input that should come from a user, then allow only that
  10. STRIDE
    • spoofing
    • tampering
    • repudiation
    • information disclosure
    • denial of service
    • elevation of privilege
  11. FIRST
    • Forum of Incident Response and Security Teams
    • ranks vulnerabilities on a scale of 1 to 10, ten being the highest
  12. similarities between XSS and CSRF
    • attack the victim's browser instead of the server
    • take advantage of vulnerabilities to circumvent the SOP
  13. XSS
    • A3
    • Cross-site scripting
    • allows attackers to execute scripts in the victim's browser.
    • occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping
  14. CSRF
    • A8
    • cross-site request forgery
    • forces the user's browser to send a forged HTTP request to a vulnerable web app.
    • the forged request includes the user's cookies and any other automatically sent authentication information
  15. skills
    how technically skilled is this group of threat agents?
  16. motive
    how motivated is this group of threat agents?
  17. opportunity
    what resources and opportunity are required for this group of threat agents?
  18. awareness
    how well known is this vulnerability to this group of threat agents?
  19. intrusion detection
    how likely is it that an exploit is detected?