OCU C)SP D Week 02 Lesson 04 Discussion
This topic has 25 replies, 12 voices, and was last updated 3 weeks, 2 days ago by Trae Johnson.
March 28, 2022 at 11:28 am #65902
Jessica Jagerson (Keymaster)
Discuss at least one of the top 10 OWASP security principles and why it is a critical control.
October 7, 2025 at 7:58 pm #109344
Kanthony (Participant)
Welcome to Week 2. Below is this week’s Devotion and Schedule! Please email me with any questions. Have a great week. I’m praying for each of you. ~Kim Anthony
. . . ye might have life through his name.
—John 20:31
“Is life worth living?” To scores of people life has ceased to be worth living. To all of you I have good news. God did not create you to be a defeated, discouraged, frustrated, wandering soul, seeking in vain for peace of heart and peace of mind. He has bigger plans for you. He has a larger orb and a greater life for you. The answer to your problem, however great, is as near as your Bible, as simple as first-grade arithmetic, and as real as your heartbeat. Upon the authority of God’s Word, I tell you that Christ is the answer to every baffling perplexity which plagues mankind. In Him is found the cure for care, a balm for bereavement, a healing for our hurts, and a sufficiency for our insufficiency.
This is from Billy Graham’s devotions! I love his thoughts on everyday issues. He left behind great words as he now enjoys eternity. https://billygraham.org/devotion/life-worth-living/
Week Two
Preparation:
Read Chapters 4 and 5 in your E-book.
Watch Chapter 4 and 5 videos.
Discuss:
Week Two Devotional
Week Two Discussion Questions
Submit your initial post to discussion forums by Day Four of the week, midnight (Eastern Time). See the discussion forum rubric in your syllabus as to requirements for posting, including replies to fellow students.
As to the devotional, the initial post is due by Day 7. Replies to fellow students encouraged but not required.
Submit:
Chapter 4 end of chapter exam
Chapter 5 end of chapter exam
October 8, 2025 at 3:44 pm #109368
Carlos Martes (Participant)
One of the Top 10 OWASP security principles is broken authentication and session management. This principle focuses on protecting user accounts and sessions from being hijacked or misused. If authentication processes are weak, like using default passwords, not enforcing strong password policies, or even allowing sessions to stay active too long, attackers can easily gain authorized access. Once inside, they can steal data, impersonate users, or damage systems. Implementing proper controls such as multifactor authentication, secure password storage (using hashing and salting), and automatic session timeouts is critical to prevent this. It’s also important to avoid exposing sensitive information in URLs or logs. This principle is vital because authentication is often the first line of defense in any system. If it fails, all other protections can become useless. Ensuring strong and secure authentication helps maintain the confidentiality, integrity and trust of both users and the organization.
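The "hashing and salting" control mentioned in the post, shown as an added example that is not part of the original discussion. It stores a per-user random salt next to a memory-hard scrypt hash, verifies in constant time, and treats a malformed record as a failed login. The work-factor values, the record format and the tiny in-memory user store are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor settings for hashlib.scrypt. These are illustrative values chosen for
# this example, not settings taken from the post; raise n where the hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Memory-hard key derivation: slow for an attacker guessing offline, cheap per login."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot be reused against all of them.
    The salt is not secret; it is stored next to the hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return "scrypt$" + salt.hex() + "$" + _derive(password, salt).hex()


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # malformed or unknown scheme: deny rather than guess
    try:
        salt = bytes.fromhex(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False
    # compare_digest does not stop at the first differing byte, so the comparison
    # time does not reveal how much of the hash matched.
    return hmac.compare_digest(_derive(password, salt), expected)


# Constructed user store for the demo: the plaintext password is never kept.
USERS = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    # Verify against a dummy record when the user is unknown so that the response
    # time does not reveal which usernames exist.
    record = USERS.get(username, hash_password("", b"\x00" * SALT_BYTES))
    return verify_password(password, record) and username in USERS


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong"))                         # False
    print(USERS["alice"][:40] + "...")                     # the stored record, not the password
```

The record carries its own scheme name so the verifier can refuse anything it does not recognise, and the work factor can be raised later by re-hashing on the next successful login.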
October 13, 2025 at 8:40 am #109457
Derrick Adams (Participant)
Carlos,
Great summary of broken authentication and session management, you hit the key fixes (MFA, hashing/salting, timeouts, and not exposing secrets in URLs). I agree that if auth fails, everything else can crumble.
Quick question: if a team has limited time and budget, which single control would you roll out first for the biggest impact, and why?
October 10, 2025 at 9:13 am #109396
Mjulius513 (Participant)
One important OWASP security principle is “Separation of Duties.” This means that important tasks should be divided among different people so that no one person has full control. For example, the person who makes a payment should not be the same person who approves it. By splitting up duties, it becomes much harder for someone to make a mistake or do something wrong without others noticing.
This principle is very important because it helps stop fraud, abuse, and accidents. If one person had all the power, they could easily misuse it or make a serious error. When work is shared, each person can check and confirm the other’s actions, which improves safety and honesty. It also helps keep people accountable for what they do. In simple terms, Separation of Duties keeps systems and data safe by making sure no single person can control every step of an important process.
October 12, 2025 at 9:02 pm #109449
Addison West (Participant)
Hi there,
I really like how you explained the idea of “Separation of Duties.” You made it easy to understand and showed why it’s such an important security principle. I agree that splitting tasks between different people helps prevent mistakes and keeps everything more honest. Your example about payments was a great way to show how this works in real life; it makes sense that no one person should be able to approve and send money on their own. I also like how you pointed out that this principle builds accountability. When people share responsibilities and double-check each other’s work, it creates a safer and more trustworthy system. You did a great job showing how this simple idea can make a big difference in keeping data and systems secure.
October 21, 2025 at 4:39 pm #109832
Trae Johnson (Participant)
I would only add that this concept is not just critical in fraud and error prevention but also adds overall organizational security and compliance. By allocating duties, organizations impose internal checks and balances that make malicious activity difficult and increase the likelihood of detecting errors early. Also, this principle supports auditing and monitoring procedures because it outlines clearly defined accountability for each activity in a workflow. In other words, Separation of Duties protects both the system and users because it ensures that trust is distributed and verified rather than bestowed in one individual.
October 10, 2025 at 10:38 am #109398
Derrick Adams (Participant)
Broken Access Control happens when an app fails to enforce “who can do what.” Attackers can change a URL, swap an ID in a request, or replay a method to view or edit another user’s data. In worse cases, they can act as an admin without proper rights. The impact is high because it lets someone read, change, or delete sensitive records with very little effort.
This control is critical because access checks must occur on every request. A single missed check creates a direct path to data exposure or account takeover. Strong defenses include deny-by-default rules, server-side authorization for each action, and mapping roles to least-privilege permissions. Avoid trusting anything from the client (IDs, roles, or UI state), centralize access checks in middleware, log decisions, and add automated tests for IDOR and method-bypass cases. Done right, access control limits the blast radius of any account and protects the whole system.
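The defenses listed in the post (deny by default, server-side check on every request, roles mapped to least-privilege permissions, client-supplied roles ignored, decisions logged) in one small front controller, as an added example that is not part of the original discussion. The role table, record store, and request shape are constructed for the illustration; the `handle` method is the single place every request passes through, so an IDOR attempt and a method-bypass attempt are both refused by the same check.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed data for the example. Roles map to the smallest permission set that
# lets them do their job (least privilege); "own" permissions also require ownership.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user": {"record:read:own", "record:update:own"},
    "support": {"record:read:any"},
    "admin": {"record:read:any", "record:update:any", "record:delete:any"},
}

# Constructed record store: record id -> owner.
RECORDS: Dict[int, str] = {101: "alice", 102: "bob"}

# Only these methods map to an action; anything else is denied (method bypass).
METHOD_ACTION = {"GET": "read", "PUT": "update", "DELETE": "delete"}


@dataclass
class Principal:
    """Who is calling, established server-side from the session, never from the request."""
    user_id: str
    role: str


@dataclass
class Request:
    method: str
    record_id: int
    # Whatever the client claims about itself is carried along but never consulted.
    claimed_role: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, request: Request) -> Decision:
    """Deny-by-default check: allowed only if a rule explicitly permits the action."""
    action = METHOD_ACTION.get(request.method)
    if action is None:
        return Decision(False, "unsupported method")
    owner = RECORDS.get(request.record_id)
    if owner is None:
        return Decision(False, "no such record")
    perms = ROLE_PERMISSIONS.get(principal.role, set())
    if f"record:{action}:any" in perms:
        return Decision(True, f"{principal.role} may {action} any record")
    if f"record:{action}:own" in perms and owner == principal.user_id:
        return Decision(True, f"owner may {action} own record")
    return Decision(False, f"{principal.role} may not {action} record owned by {owner}")


class App:
    """Minimal front controller: the access check runs in one place for every request."""

    def __init__(self) -> None:
        self.audit: List[str] = []  # every decision is logged, allowed or not

    def handle(self, principal: Principal, request: Request) -> Tuple[int, str]:
        decision = authorize(principal, request)
        self.audit.append(
            f"{principal.user_id} {request.method} /records/{request.record_id} "
            f"-> {'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})"
        )
        if not decision.allowed:
            # Same status for "missing" and "not yours", so probing ids reveals nothing.
            return 403, "forbidden"
        return 200, f"{request.method} on record {request.record_id} ok"


if __name__ == "__main__":
    app = App()
    alice = Principal("alice", "user")
    print(app.handle(alice, Request("GET", 101)))                          # own record: allowed
    print(app.handle(alice, Request("GET", 102)))                          # someone else's id: denied
    print(app.handle(alice, Request("DELETE", 101, claimed_role="admin")))  # claimed role ignored
    print(app.handle(Principal("root", "admin"), Request("DELETE", 101)))   # real admin: allowed
    print("\n".join(app.audit))
```

The test cases below are the kind of automated IDOR and method-bypass checks the post recommends: they would fail loudly if someone later added a route that skipped `authorize`.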
October 13, 2025 at 2:20 pm #109599
Willy Vazquez (Participant)
You give a good explanation as to why this is such a critical control. It is scary how much a malicious person could do if given access to sensitive information. Being able to not just read or see people’s information, but to also be able to edit it, is very dangerous and could lead to many problems. You gave a good amount of examples of preventative measures one should take so stuff like this does not happen.
October 10, 2025 at 12:30 pm #109407
Caleb Kiser (Participant)
One of the most important OWASP security principles is Defense in Depth. Basically, it means not putting all your trust in one security measure but using multiple layers of protection to keep systems safe. Think of it like locking your front door, setting an alarm, and having a security camera. It’s much harder for someone to break in. This principle matters because no single defense is perfect. If a hacker gets past one layer, the others are still there to stop them or at least slow them down. In a real-world example, even if a firewall fails, encryption and access controls can still protect sensitive data. Defense in Depth also pushes companies to stay alert, keep systems updated, and watch for new threats. It’s a smart and proactive way to handle security and helps keep information secure, available, and reliable in a world full of cyber risks.
October 10, 2025 at 4:32 pm #109414
Carlos Martes (Participant)
Good explanation Caleb,
Defense in depth means using several layers of protection instead of relying on one. Like locking your doors, setting an alarm, and having cameras, it makes it difficult for hackers to gain access in the general aspect. Even if one layer fails, others like encryption or access control keep data safe and systems secure.
October 10, 2025 at 6:00 pm #109419
Trae Johnson (Participant)
Among the top 10 OWASP security principles that are significant controls is “Least Privilege.” This control avoids users, systems, and programs from having more than they need in order to perform their tasks. Limiting privileges reduces the likelihood of unauthorized access, accidental usage, and exploitation by attackers. For instance, if an attacker takes over a low-level user account, the impact will be low because the account is not an admin account. If there is no such principle governing, one vulnerability might expose a whole system. Least privilege usage also imposes responsibility and enhances overall security posture. Least privilege is a key control that not only safeguards against internal and external attacks but also helps comply with data protection law.
October 13, 2025 at 8:37 am #109456
Derrick Adams (Participant)
Trae,
Great explanation of Least Privilege. I like how you showed the “blast radius” stays small if a low-level account is compromised and how it also supports compliance. Your example really makes the benefit easy to visualize. Nice job!
October 10, 2025 at 11:47 pm #109421
Addison West (Participant)
One of the top 10 OWASP security principles is called “Fail Securely.” This means that when a system or website has an error or something goes wrong, it should still stay safe and protect important information. Even if something breaks, the system should not let hackers in or show private details about how it works. This is very important because many security problems happen when errors give away too much information. For example, if a website shows a long error message to a user, it might tell them details about the server or database that a hacker could use to attack the system. Instead, websites should show a simple message like “Something went wrong” and keep the real error details hidden for the system administrator to see later. Failing securely also means that if a system crashes, it should deny access instead of letting anyone in by mistake. This helps protect sensitive information and keeps people’s data safe. Overall, “Fail Securely” is a very important OWASP rule because no system is perfect; mistakes and errors will always happen. What matters is that the system is designed to handle those errors safely so that hackers cannot use them to cause bigger problems.
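Both halves of the post's "Fail Securely" rule side by side, as an added example that is not part of the original discussion: an authorization check that fails open during a backend outage next to one that fails closed, and a handler that echoes the raw exception to the client next to one that returns "Something went wrong" plus a reference id while the full detail goes to the server log. The policy-store lookup, the report loader and the error messages they raise are constructed for the illustration.

```python
import logging
import uuid
from typing import Dict, Tuple

log = logging.getLogger("app")


class PolicyStoreError(Exception):
    """Constructed failure: the authorization backend could not be reached."""


def lookup_permission(user: str, resource: str) -> bool:
    # Constructed stand-in for a policy lookup; 'flaky-report' simulates an outage.
    if resource == "flaky-report":
        raise PolicyStoreError("policy store at 10.0.0.5:5432 unreachable")  # constructed text
    return user == "owner"


def authorize_open_on_failure(user: str, resource: str) -> bool:
    """The failure mode the post warns about: an error during the check lets the caller through."""
    try:
        return lookup_permission(user, resource)
    except PolicyStoreError:
        return True  # "backend is down, let them in": fails open


def authorize_closed_on_failure(user: str, resource: str) -> bool:
    """Fail securely: any error during the check is treated as 'no'."""
    try:
        return lookup_permission(user, resource)
    except Exception:
        log.exception("authorization check failed for user=%s resource=%s", user, resource)
        return False


def load_report(resource: str) -> str:
    # Constructed stand-in for a handler that can raise an internal error.
    if resource == "broken-report":
        raise RuntimeError("connection to db-primary.internal failed: password rejected")  # constructed text
    return f"contents of {resource}"


def handle_verbose(user: str, resource: str) -> Tuple[int, Dict[str, str]]:
    """Leaky handler: the raw exception text is echoed to the client."""
    if not authorize_open_on_failure(user, resource):
        return 403, {"error": "forbidden"}
    try:
        return 200, {"data": load_report(resource)}
    except Exception as exc:
        return 500, {"error": str(exc)}


def handle_secure(user: str, resource: str) -> Tuple[int, Dict[str, str]]:
    """Safe handler: generic message to the client, full detail to the server log."""
    ref = uuid.uuid4().hex[:12]  # lets an administrator find the log entry later
    if not authorize_closed_on_failure(user, resource):
        return 403, {"error": "forbidden", "ref": ref}
    try:
        return 200, {"data": load_report(resource)}
    except Exception:
        log.exception("unhandled error ref=%s user=%s resource=%s", ref, user, resource)
        return 500, {"error": "Something went wrong", "ref": ref}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_verbose("guest", "flaky-report"))   # outage lets the guest in: fails open
    print(handle_secure("guest", "flaky-report"))    # outage denies: fails closed
    print(handle_verbose("owner", "broken-report"))  # echoes the internal error text
    print(handle_secure("owner", "broken-report"))   # generic message plus reference id
```

The reference id is the piece that makes the generic message workable in practice: the user can quote it to support, and the administrator can find the full stack trace in the log without any of it having crossed the wire.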
October 12, 2025 at 11:37 pm #109452
Trae Johnson (Participant)
That is a good definition of the “Fail Securely” principle. I agree that the way an error is processed by a system can be the difference between staying secure and leaking sensitive data. Your example of a detailed error message is just correct—revealing technical details gives attackers exactly what they need to mount an attack. Designing systems to deny access and protect data in case of failure keeps even unwanted issues from generating security intrusions. It’s a simple but efficient principle that reiterates the importance of anticipating failure in all secure system design.
October 11, 2025 at 6:05 pm #109430
Misty Stewart (Participant)
One of the top OWASP security principles is Identification and Authentication Failures. Strong authentication and good session management are very important for keeping web applications safe. They help make sure that only the right people can access private information and features, and that users stay protected while using the app. Authentication is how users prove who they are. If this process is weak, like using easy passwords, not blocking accounts after too many failed logins, or having unsafe ways to reset passwords, attackers can break in by guessing passwords, using stolen login details, or tricking users. To prevent these problems, organizations should use multi-factor authentication, which asks for two or more types of proof, making it much harder for attackers to get in. They should also require strong passwords and block accounts for a while after several failed login attempts to stop people from guessing passwords.
After a user logs in, session management keeps their account secure. If session management is weak, attackers can steal session tokens and pretend to be users. To stop this, it’s important to use tokens that are random and hard to guess, send them only over secure connections, make sessions expire after some time or inactivity, and cancel tokens right after logout or password changes. Protecting against cross-site scripting is also important, because attackers can use malicious code to steal session tokens.
Security should cover everything users do, not just log in. This means protecting password resets, account recovery, and any actions that change what users can do or see. Organizations should make sure password resets require strong proof and don’t reveal private information, use role-based access control so users only get access to what they need, and keep logs to spot suspicious activity.
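The session-management and lockout controls the post lists, as an added example that is not part of the original discussion: random tokens from the OS CSPRNG, an absolute lifetime plus an inactivity timeout, revocation on logout and revocation of every session on a password change, cookie flags that keep the token off non-TLS connections and away from page scripts, and a lockout after repeated failed logins. The time limits and failure threshold are illustrative values chosen here, and the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Illustrative limits chosen for this example, not values from the post.
SESSION_MAX_AGE = 8 * 3600     # absolute lifetime, regardless of activity
SESSION_IDLE_LIMIT = 15 * 60   # expire after this much inactivity
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side sessions keyed by an unguessable token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG; never derived from user id or time.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None; expired tokens are dropped."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session.created_at > SESSION_MAX_AGE
                or now - session.last_seen > SESSION_IDLE_LIMIT):
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user_id

    def revoke(self, token: str) -> None:
        """Logout: the token stops working now, not when the cookie happens to expire."""
        self._sessions.pop(token, None)

    def revoke_all_for(self, user_id: str) -> int:
        """Password change or account recovery: every existing session for the user ends."""
        stale = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def session_cookie(token: str) -> str:
    # Secure: only sent over HTTPS. HttpOnly: not readable by page scripts, so a
    # cross-site scripting bug cannot simply read the token. SameSite limits cross-site sends.
    return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


class LoginThrottle:
    """Temporarily block a username after repeated failures to slow password guessing."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user_id: str) -> bool:
        return self._clock() < self._locked_until.get(user_id, 0.0)

    def record_failure(self, user_id: str) -> None:
        now = self._clock()
        recent = [t for t in self._failures.get(user_id, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self._failures[user_id] = recent
        if len(recent) >= MAX_FAILED_LOGINS:
            self._locked_until[user_id] = now + LOCKOUT_SECONDS

    def record_success(self, user_id: str) -> None:
        self._failures.pop(user_id, None)
        self._locked_until.pop(user_id, None)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(session_cookie(token))
    print(store.resolve(token))       # alice
    store.revoke(token)
    print(store.resolve(token))       # None
```

Keeping the session record on the server means the token itself carries no information; an attacker who somehow obtains it still loses it at logout, at the idle limit, or when the account's password changes.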
October 12, 2025 at 5:27 pm #109437
Teisha Nolen (Participant)
Great post, Misty! You are absolutely right; authentication and session management are foundational to security. I especially agree that multi-factor authentication and strong password policies are non-negotiable. I have seen firsthand in my career how easy it is to become a target without layered controls. Security isn’t just about login – it’s about protecting every action users take.
October 13, 2025 at 10:39 am #109461
Addison West (Participant)
Hi Misty,
I really like how you explained the OWASP principle about Identification and Authentication Failures. You did a great job showing why strong authentication and good session management are so important for keeping systems safe. I agree that weak passwords and poor login controls can make it easy for attackers to break in, which is why using multi-factor authentication is such a smart idea. It is great that you also mentioned account lockouts after several failed attempts because that is a simple but powerful way to stop password guessing.
October 12, 2025 at 5:21 pm #109436
Teisha Nolen (Participant)
Although all the OWASP security principles are important, the one that stands out to me is Defense in Depth. It’s the idea that no single control is enough. Instead, we need multiple, overlapping layers of protection—firewalls, authentication, encryption, monitoring, and user education—all working together. This principle is critical as threats continue to evolve. If one layer fails or is bypassed, others are still in place to catch the breach. Each layer plays a role in reducing risk.
At my workplace, we implement several lines of defense. One practice that’s always fascinated me is our partnership with a team of ethical hackers who regularly test our systems for vulnerabilities. We also conduct ongoing employee training to help staff recognize how easily we could become access points if we’re not careful.
Defense in Depth isn’t just a best practice—it’s resilience in action. It reflects a mindset that anticipates failure and builds with redundancy, which is exactly what secure systems need to thrive.
October 12, 2025 at 8:41 pm #109445
Mjulius513 (Participant)
I agree with your point about defense in depth. Implementing multiple layers of security is a smart strategy, as no system is perfect. I appreciate that your workplace employs ethical hackers and invests in employee training. This demonstrates how teamwork and awareness contribute to keeping systems secure, even as threats continue to evolve.
October 13, 2025 at 7:00 pm #109604
Misty Stewart (Participant)
Hi Teisha,
You make a strong case for Defense in Depth as an important OWASP principle, especially with how quickly threats can change. The idea of using several layers of protection, like technology, processes, and people, shows that relying on just one method isn’t enough. Your company’s use of ethical hackers is a smart way to stay ahead of problems by finding and fixing weaknesses before they’re used against you. When combined with regular staff training, it helps build a culture where everyone plays a part in keeping systems secure.
October 13, 2025 at 11:02 pm #109611
Isabelle Tubbs (Participant)
Hi, Teisha. I agree that Defense in Depth is an important concept with security, and I like that you described it as a mindset. There are many benefits to using certain security measures or protocols, but there is not going to be one perfect solution for securing a system. Rather, using a combination can help protect a system from different types of attacks. Great work on your post.
October 13, 2025 at 2:13 pm #109598
Willy Vazquez (Participant)
One of the OWASP security principles is Cryptographic Failures. This is critical to protect sensitive data when at rest and in transit. Information such as passwords, credit card numbers, health records, personal information, and business secrets all require more protection, and failure to apply the necessary protection may lead to these crucial pieces of information being seen. There are a number of ways to prevent this data being stolen, such as not storing sensitive data for longer than needed, because data that is not stored cannot be stolen. Another step that you can take is simply encrypting the data when at rest and when in transit; this way the data does not appear in clear text, making it harder to steal the information. Automatic decryption when retrieving information or data can also lead to problems and a possible attack that would leave the sensitive information in clear text.
October 13, 2025 at 2:21 pm #109600
Caleb Kiser (Participant)
Hi Willy,
I enjoyed reading your post. You did a great job explaining cryptographic failures and why they matter. I like how you emphasized protecting data both at rest and in transit. Your point about not storing unnecessary data and avoiding automatic decryption was solid, since those small mistakes can easily expose sensitive information to attackers.
October 13, 2025 at 10:59 pm #109609
Isabelle Tubbs (Participant)
Hi, Willy. After reading your post, I definitely see how important preventing cryptographic failure is. This relates to the OWASP security principle of sensitive data exposure. Creating controls for the encryption and storage of data can help prevent cryptographic failure and thus the leaking of sensitive data. Nice work on your discussion post.
October 13, 2025 at 10:48 pm #109608
Isabelle Tubbs (Participant)
One main OWASP security principle is broken authentication. Authentication can be vulnerable when the design of the authentication is flawed, or it could be that the way it was used or configured was flawed. Whatever the reason may be, authentication in this state allows attackers to use automated tools to eventually hack in. To threaten an entire system, the attacker may need to only get access to a certain number of accounts or to the administrative account.
Once the attacker gets into the system, this actually leads to a second OWASP principle: sensitive data exposure. A hacked system that has valuable information can affect not only the platform but also its users and their information. As a result, taking measures to prevent these types of attacks is important for securing the whole system. Ensuring trusted authentication design and configuration, as well as using strong authentication like multi-factor authentication, can help maintain more security on a system.