From the course: CCSP Cert Prep: 4 Cloud Application Security
Common cloud vulnerabilities
- [Instructor] Web security vulnerabilities are among the trickiest problems tackled by cybersecurity professionals. The Open Web Application Security Project, OWASP, maintains a list of the top 10 web security vulnerabilities that cybersecurity experts need to understand and defend against to maintain secure web services. The current version of the OWASP top 10 was developed in 2021. According to OWASP, the top 10 web application security issues are broken access controls, cryptographic failures, injection vulnerabilities, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery. Let's take a little deeper look at each one of these issues in this video, and then we'll use individual videos to dive into even more detail on some of the more complicated web application security challenges. Broken access control occurs when developers fail to check on the backend whether a user is authorized to access a particular function of an application. Users with knowledge of the application may send requests directly to the server, bypassing the security controls built into the user interface. This category also includes insecure direct object references. These occur when a developer exposes some details of how an underlying application functions and then doesn't perform proper security checks to prevent unauthorized use of the application. For example, imagine a website URL like this one, that has a user's account number embedded in the request. An attacker might try to simply change that account number to access a different account. If the web application doesn't check to make sure that the user is authorized to access each account, an attacker may gain unauthorized access.
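The insecure direct object reference just described, shown as an added example that is not part of the course transcript: a simulated account endpoint that takes the account number from the URL. The account data, the `Forbidden` exception and the handler names are constructed for illustration. The vulnerable handler returns whatever account number the request names; the fixed handler lets the server-side session identity decide, and answers "missing" and "not yours" identically so the response does not confirm which account numbers exist.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which authenticated user owns which account number.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 980},
}


class Forbidden(Exception):
    """Raised when the session user may not access the requested object (hypothetical)."""


def get_account_insecure(session_user: str, account_id: str) -> dict:
    """Vulnerable: trusts the account number taken from the URL and never checks ownership.

    Any logged-in user who edits ?id= in the request gets another customer's record.
    """
    return ACCOUNTS[account_id]


def get_account_secure(session_user: str, account_id: str) -> dict:
    """Fixed: the backend verifies that the session user owns the requested account."""
    account = ACCOUNTS.get(account_id)
    # Same outcome for "does not exist" and "belongs to someone else", so the
    # response cannot be used to enumerate valid account numbers.
    if account is None or account["owner"] != session_user:
        raise Forbidden("account not accessible")
    return account


def handle_request(session_user: str, url: str, handler) -> tuple:
    """Minimal dispatcher: reads ?id= from a URL such as /account?id=1002 and
    returns an HTTP-like (status, body) pair using the supplied handler."""
    query = parse_qs(urlparse(url).query)
    account_id = query.get("id", [""])[0]
    try:
        return 200, handler(session_user, account_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
    except KeyError:
        return 404, {"error": "not found"}


if __name__ == "__main__":
    # Bob's session, but the request names Alice's account number.
    print(handle_request("bob", "/account?id=1001", get_account_insecure))  # leaks Alice's record
    print(handle_request("bob", "/account?id=1001", get_account_secure))    # (403, ...)
    print(handle_request("bob", "/account?id=1002", get_account_secure))    # Bob's own record
```

The check belongs in the backend handler, not in the user interface: the transcript's point is that a client can send the request directly, so hiding the link or disabling a button in the UI does nothing for a user who knows the URL shape.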
Cryptographic failures occur when an insecure web application accidentally exposes sensitive information to eavesdroppers because of poorly configured cryptography. This may be as simple as accidentally placing a customer file on a publicly accessible portion of a website without encryption or it may occur when web server administrators fail to implement the HTTPS protocol to encrypt information that's sent over the internet. Injection flaws occur when an attacker is able to insert code into a request that's sent to a website, and then trick that website into passing the code along to a backend server, where it's executed. The most common example of this is the SQL injection attack against databases, which we'll cover in another video. Insecure design traces security issues back to the initial creation of code. It includes issues that arise when an organization does not properly identify and satisfy security requirements, when it conducts insufficient threat modeling, and when it fails to follow security best practices. Organizations can combat these vulnerabilities by using secure design patterns and following security reference architectures. Security misconfigurations occur because web applications depend upon a large number of complex systems, including web servers, application servers, database servers, firewalls, routers and other components. Each of these components has its own security settings, and an error anywhere in those settings could jeopardize the security of the entire system. Web developers must be very cautious about the components that they use to build their applications, as many components have known vulnerabilities. If a web application is built using a vulnerable component, attackers could exploit that component to attack the application itself. Administrators must be sure to monitor their environment regularly and apply security patches to components as soon as they become available.
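The injection flaw mentioned above, as an added example that is not part of the course transcript: the same customer lookup written two ways against a constructed in-memory SQLite table. In the vulnerable version the request value is pasted into the SQL text, so a value containing quote characters changes the query the database executes; in the fixed version the value is passed as a bound parameter and can only ever be compared as data. The table, rows and function names are assumptions made for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: three customer rows in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("alice@example.com", "gold"), ("bob@example.com", "basic"), ("carol@example.com", "gold")],
    )
    return conn


def find_by_email_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the request value becomes part of the SQL statement itself.

    A value such as  x' OR '1'='1  turns the WHERE clause into a condition
    that is true for every row, so the whole table is returned.
    """
    sql = f"SELECT email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_by_email_safe(conn: sqlite3.Connection, email: str) -> list:
    """Fixed: the value is bound as a parameter, so the database engine treats it
    as a literal string to compare against, never as SQL syntax."""
    return conn.execute(
        "SELECT email, plan FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"
    print(find_by_email_vulnerable(db, "bob@example.com"))  # one row, as expected
    print(find_by_email_vulnerable(db, crafted))            # every row: the query was rewritten
    print(find_by_email_safe(db, crafted))                  # [] : no customer has that email
```

The fix is not input filtering but keeping the boundary between code and data intact: the SQL text is fixed at development time and every request-supplied value travels separately as a parameter. The same principle applies to any backend interpreter the web tier passes request data to, not only SQL.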
Identification and authentication failures occur when websites require that users authenticate, but then have flaws in the mechanisms that provide that authentication. I talk about how attackers might exploit this using an attack called session hijacking in a video later in this course. Software and data integrity failures include issues that arise when an organization doesn't perform appropriate verification checks in its software pipeline. This can lead to corrupted or malicious updates to software and operating systems, insecure code injected into a development pipeline and other critical failures. Security logging and monitoring failures occur when applications don't create detailed log records that contain information crucial to security investigations and troubleshooting efforts. Server-side request forgery, or SSRF attacks, occur when an attacker is able to trick a web server into retrieving a URL that hasn't been validated. I'll discuss this attack more in the request forgeries video later in this course. OWASP isn't the only organization that provides secure coding best practices. The SANS Institute provides a similar list of common programming errors that they call the top 25 most dangerous software errors. Another website that you might want to visit is the Center for Internet Security. They offer the cybersecurity community system design recommendations, as well as a comprehensive series of security benchmarks that describe the secure configuration of a wide variety of operating systems, applications and programming environments.
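The SSRF defence the transcript alludes to, "a URL that hasn't been validated", as an added example that is not part of the course: a validation function a server would run before fetching a user-supplied URL. It enforces an https-only scheme, an allowlist of hostnames, the expected port, no embedded credentials, and finally checks that the hostname resolves only to globally routable addresses, so a name that points at a loopback, private or link-local address is rejected. The allowlist hosts, the resolver hook and the function names are assumptions; the resolver is injectable so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def resolve_dns(host: str) -> list:
    """Default resolver: all A/AAAA addresses for host via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def only_public_addresses(host: str, resolve) -> bool:
    """True only if host resolves and every address is globally routable
    (rejects loopback, RFC 1918 private, link-local and similar ranges)."""
    try:
        addrs = resolve(host)
    except OSError:
        return False
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def validate_fetch_url(url: str, resolve=resolve_dns) -> tuple:
    """Return (ok, reason) for a URL the server has been asked to retrieve."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if parts.port not in (None, 443):
        return False, "unexpected port"
    if not only_public_addresses(host.lower(), resolve):
        return False, "host resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver answers so the demonstration needs no network.
    fake_dns = {
        "images.example.com": ["93.184.216.34"],  # constructed public address
        "cdn.example.com": ["10.0.0.5"],          # allowlisted name, but points inside the network
    }
    lookup = lambda h: fake_dns.get(h, [])
    print(validate_fetch_url("https://images.example.com/logo.png", resolve=lookup))
    print(validate_fetch_url("https://cdn.example.com/logo.png", resolve=lookup))
    print(validate_fetch_url("http://images.example.com/logo.png", resolve=lookup))
```

One caveat a practitioner would want: a resolution check done before the fetch and a second resolution done by the HTTP client at connect time can disagree, so in production the address that passed validation should be the one the connection is actually opened to, and redirects from the fetched resource should be re-validated with the same function rather than followed automatically.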
Contents
- Common cloud vulnerabilities (5m 36s)
- Application security (4m 13s)
- Preventing SQL injection (4m 25s)
- Understanding cross-site scripting (3m 17s)
- Request forgery (4m 8s)
- Directory traversal (3m 6s)
- Overflow attacks (3m 21s)
- Cookies and attachments (4m 25s)
- Session hijacking (4m 8s)
- Code execution attacks (2m 43s)
- Privilege escalation (1m 56s)