Please Note:
The support ticket system is for technical questions and post-sale issues.
If you have pre-sale questions please use our chat feature or email information@mile2.com.
Discuss at least one of the top 10 OWASP security principles and why it is a critical control.
One of the OWASP Top 10 is security logging and monitoring failures. I found an updated article at OWASP.org that appears to have the most up-to-date information. These failures can occur in situations where logins are not properly recorded, alarms are not triggered during penetration testing, and applications are unable to detect attacks in real time. OWASP's recommendations to correct these failures include the ability to log logins and access controls, having a recovery plan in the event of attacks, making sure data is properly coded, and having traceable trails for transactions.
Monitoring logins is incredibly important because we don't want just anyone to have access to our data. We need to ensure that whoever is attempting to access data has the proper permissions and a need to know. When this fails, attackers can gain access to our data and use it for malicious purposes.
-Jacob
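As an added example (not part of Jacob's post or any OWASP code), here is what "properly recording logins" buys a defender: an application that emits one structured record per login attempt can feed a simple detector that flags a burst of failures from one source and a later success from that same source. The log lines are constructed, and the threshold and window are assumed tuning values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per login attempt, the kind of
# record an application that *does* log authentication events would emit.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:01Z", "event": "login", "user": "alice", "src": "203.0.113.7", "ok": false}
{"ts": "2024-05-01T10:00:04Z", "event": "login", "user": "alice", "src": "203.0.113.7", "ok": false}
{"ts": "2024-05-01T10:00:09Z", "event": "login", "user": "bob", "src": "203.0.113.7", "ok": false}
{"ts": "2024-05-01T10:00:15Z", "event": "login", "user": "carol", "src": "203.0.113.7", "ok": false}
{"ts": "2024-05-01T10:00:20Z", "event": "login", "user": "dave", "src": "203.0.113.7", "ok": false}
{"ts": "2024-05-01T10:00:25Z", "event": "login", "user": "dave", "src": "203.0.113.7", "ok": true}
{"ts": "2024-05-01T10:03:00Z", "event": "login", "user": "erin", "src": "198.51.100.2", "ok": false}
{"ts": "2024-05-01T10:03:30Z", "event": "login", "user": "erin", "src": "198.51.100.2", "ok": true}
"""

def parse_events(text):
    """Parse JSON-lines login records and convert the timestamp field."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logins inside a sliding window
    (threshold and window are assumed tuning values). A success from an
    already-flagged source is reported as a possibly compromised account."""
    failures = defaultdict(list)
    alerts, compromised = {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login":
            continue
        src = ev["src"]
        if not ev["ok"]:
            # Keep only failures that are still inside the window
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            failures[src].append(ev["ts"])
            if len(failures[src]) >= threshold and src not in alerts:
                alerts[src] = ev["ts"].isoformat()
        elif src in alerts:
            compromised.add((src, ev["user"]))
    return alerts, compromised

def analyze(text=SAMPLE_LOG):
    return find_bruteforce(parse_events(text))

if __name__ == "__main__":
    print(analyze())
```

Without the per-attempt records (user, source, outcome, timestamp) none of this is possible, which is exactly the gap the "logging and monitoring failures" category describes.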
Hello Jacob, I thought that our OWASP principles were very similar. I almost actually picked yours. I think authentication and logins are vital to a corporation's safety. I also viewed the OWASP website, which gave a lot of vital information. Did you look at any of the new technology that may be available to secure login credentials?
Latoya,
It has been a while since I looked at the most up-to-date technology regarding login credentials. In my experience, the best methods that I have personally used were the CAC (Common Access Card) that I used while on active duty, and SSO that I use currently. I like my current organization's single sign-on method because we have regularly changing passwords that require us to make a new password each time. Both methods have been good due to nobody being able to log in to any of my information without my CAC card, and those who don't have my exact password are unable to access any of my data for my SSO.
-Jacob
One of the top 10 OWASP security principles is identification and authentication failures. Identification and authentication failures are number seven on the OWASP list. Identification and authentication are imperative to an organization's security. If a corporation does not have a secure authentication process, it leaves the company's data susceptible to attack from hackers. Some of the vulnerable areas that have been noticed in identification and authentication are missing multifactor authentication and the reuse of user IDs and passwords. There are many ways to prevent authentication or identification vulnerabilities. Listed by owasp.org are multiple ways to prevent identification or authentication hacking. One of the ways is to align password length, complexity, and rotation policies with the National Institute of Standards and Technology (NIST); by doing this it makes the password harder to identify and periodically reminds you to update the password. Another is to not ship or deploy with any default credentials, particularly for admin users. It's never good to use default credentials, and this is because they typically have easy-to-guess passwords or usernames, making it vulnerable to attacks. Another is to ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes. There are more options for preventing authentication failures. I thought those were some of the most effective and commonly used methods.
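As an added example (not from Latoya's post or from OWASP's own code), here is the "same messages for all outcomes" recommendation applied to a password-reset request: a leaky handler whose response reveals whether an address is registered, beside a hardened one that returns an identical response either way and stores only a hash of the token. The user store, function names and the `send_mail` callback are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store; the only registered address is alice's.
USERS = {"alice@example.com": {"reset_token_hash": None}}

# Leaky version: status and message differ depending on whether the
# address is registered, so the endpoint itself confirms valid accounts.
def request_reset_leaky(email):
    if email not in USERS:
        return {"status": 404, "msg": "No account with that email"}
    USERS[email]["reset_token_hash"] = hashlib.sha256(
        secrets.token_urlsafe(32).encode()).hexdigest()
    return {"status": 200, "msg": "Reset email sent"}

# Hardened version: the same status and message for every outcome.
# Only the side effect (the email) depends on whether the account exists,
# and the token is generated either way so the work done is similar.
GENERIC = {"status": 200,
           "msg": "If that address is registered, a reset link has been sent."}

def request_reset_uniform(email, send_mail):
    token = secrets.token_urlsafe(32)
    user = USERS.get(email)
    if user is not None:
        # Store only a hash; a leaked database then does not yield usable tokens.
        user["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
        send_mail(email, token)
    return dict(GENERIC)

def verify_reset_token(email, token):
    """Constant-time comparison of the presented token against the stored hash."""
    user = USERS.get(email)
    if user is None or user["reset_token_hash"] is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, user["reset_token_hash"])

def distinguishable(handler, *args):
    """True if the handler responds differently for a registered vs unknown address."""
    return handler("alice@example.com", *args) != handler("nobody@example.com", *args)
```

The `distinguishable` check is the property a reviewer would test for on registration, login and recovery endpoints: if any of them answers differently for known and unknown accounts, the message (or status code) is the leak.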
Hi Latoya, your discussion post was very informative, and I can say that while reading your post I learned new information on the OWASP principle. I like that you used identification and authentication failures; it was informative, and you also included a lot of good information here.
Hello Latoya,
After reading your discussion post I thought it was well researched and thought through. I liked how you brought up NIST, or the National Institute of Standards and Technology, as a way to prevent authentication or identification vulnerabilities. NIST is still very new to me, so I'm glad I was able to learn more about it through your discussion post.
One of the top ten OWASP security principles is broken access control, because it is what lets hackers gain access to your important information. This can also allow hackers to take over your information and allow it to become vulnerable to them, which can lead to financial loss in the business. This is a critical control because it is easy to prevent these things if you take the correct precautions.
One of the top ten OWASP security principles is broken authentication. Broken authentication is crucial to control because attackers can detect it manually and exploit it using brute-force and dictionary attacks. If an attacker finds the weaknesses in this broken authentication, then they can take control over an admin or multiple other accounts, which then allows them to infiltrate the network or system. To prevent this type of attack from happening, companies are starting to require two-factor authentication, which requires the user to use something they know, have, or are to access the account. This method of authentication is becoming more and more popular because, even though people are warned about these attackers, many still use simple passwords that hackers can easily figure out and use to gain access to that person's account and possibly more. By implementing two-factor authentication, people are forced to use something physical, whether biometric or some type of ID card or physical token.
I always think that there could be more than 10. Can you think of the 11th one that could be added to this?