The theme of this module is top 10 security risks. What are our security priorities? Well, in data security, despite all the talk about how compliance is not the same as security, that was still a high priority with respect to how we considered data security. Compliance with laws and standards was a major driver of what we did. In application security, the attack surface is so large that we really don't have an easy set of standards to follow. Instead, we'll focus on the highest-priority risks. How do we figure out those highest-priority risks? Well, there are a lot of vendors and think tanks who love to print lists of what the top 10 are. Sometimes it's marketing, sometimes it's wild guesses, sometimes it's stuff they've been talking about in conversation. Whatever the reason is, that's what they're choosing. But that's not necessarily an analytical way of coming up with what's the biggest threat or risk. MITRE puts together what we call the Common Weakness Enumeration and in particular the Top 25 CWEs. MITRE, being a government-funded research center, is a bit more inclined to want to be objective about those measures. OWASP, which is the Open Wasp... I'm sorry, it's the Open Web Application Security Project, also has top 10 lists of risks. Now, in particular, the top 10 web application risks were first written up starting in 2003. The way they do it is they would have developers report the incidents of various risks, and then they would rate the most common ones highest. Over the years they've merged some and added others. For our purposes, a web application is pretty much the same threatened environment as a Cloud application, although in our case we'll focus on the server side. Now, we talked about the Common Vulnerabilities and Exposures. We've talked about the National Vulnerability Database. They are very specific: they identify a particular flaw in a particular application that has a security implication.
The Common Weakness Enumeration, the CWE, is a bit more general. A CVE will refer to a common weakness, but a common weakness will probably apply to numerous CVEs. It's more general. OWASP is more general yet, because the point of OWASP is to provide more general guidance to web developers. It often refers to one or more CWEs as examples, though not always. OWASP has actually produced a number of top 10s at this point. Here's a list of them. Not all of these are really that actively maintained. The one at the bottom, the API top 10, is actually more Cloud application related, in that APIs are essentially the building block of modern web applications, even if you're talking in a mobile environment. Here's our Cloud top 10 list. This is very similar to the web application list, but you don't have to memorize them right this minute. We'll be going over them in detail. Where does this list of top 10 come from? We started out with the web application Top 10, but Number 4 in the web application top 10 is actually a parsing problem that I think merges very nicely with Number 8. For my list of top 10, I picked Number 4 from the API top 10, which is resources and rate limiting, and used that as the Number 4 in our list. I don't know if that makes sense, but it's just to point out, for full disclosure, that this isn't their top 10 list; this is a slight modification. Now, we'll look at the risks individually. We'll start with injection. Now, we've looked at injection before: user text combined to construct some command (OS, SQL backend, something) that then is interpreted as a different command within the context of that other piece of software, a very common error that strikes terror in most Cloud developers. Now, we've looked at this before; here is the classic example again of entering a password and then using the injection attack in order to trick the password validation into thinking that you've actually found the right match for the password. Here's a much more recent example.
2020, here's the CVE for it. A zero-day found in the Postgres database implementation used in the Sophos XG Firewall. It was used then in attacks that were called Asnarok. Essentially those attacks would insert Trojans, sniff firewall information and distribute ransomware. SQL Injection is still alive and well and probably will be for quite a while. That was Number 1. As I said, we've talked a lot about the risks of injection over the past few courses. Now, for Numbers 2-10, we'll go ahead and provide a similar presentation or a similar summary of what the risk is, how it arises, its setting and examples of the attacks, typically recent ones. The 4th course, the one following this, will actually examine defenses for those. These top 10 are the rest of this module, but not the rest of the course. The last three parts of the course are going to talk about, as I said before, authentication, a little bit about RESTful architecture, or a bit more about sessions and about cross-site scripting risks.
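The classic password-validation example described in the lecture, as an added illustration that is not part of the original transcript or course material: a login check that pastes user text straight into the SQL (the injection defect) beside a parameterized version that treats the same text as data only. The user table, the user `alice`, and the password are constructed for the demo; the `login_vulnerable` and `login_safe` names are the example's own, and the SHA-256 hashing is a stand-in for the slow, salted password hashing a real service would use.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # Demo stand-in only: a real service uses a slow, salted KDF (argon2/bcrypt/scrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory user table with one demo account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # DEFECT (the injection pattern the lecture describes): the username is spliced
    # into the command text, so quotes and comment markers in it change the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, _hash(password))
    )
    count = conn.execute(query).fetchone()[0]
    return count == 1


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: the driver binds the username as a parameter, so it can only ever
    # be compared as a value, never parsed as SQL. The hash comparison is
    # constant-time so the check does not leak timing information either.
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = make_db()
    # A username carrying a quote and a comment marker: the vulnerable query is
    # rewritten so the password clause is commented out; the safe query simply
    # finds no such user.
    crafted = "alice' --"
    print("vulnerable, real password :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, crafted input :", login_vulnerable(db, crafted, "anything"))
    print("safe, real password       :", login_safe(db, "alice", "correct horse"))
    print("safe, crafted input       :", login_safe(db, crafted, "anything"))
```

Running it prints `True` for the vulnerable function on both the real password and the crafted username, and `True`/`False` for the safe function, which is the whole lesson: the fix is not to filter the quote characters but to stop building commands out of user text in the first place.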