Following are top 5 security attack related questions that you could ask while analyzing the each requirement in hand, the answers to which could help you put better design in relation with security:
- Security threats analysis related with data entering into/coming out of the system:
- How could an attacker inject SQL commands? (OWASP SQL Injection). Solution: Use parameterized SQL queries rather than building SQL statements dynamically using string concatenation
- How could an attacker perform a cross-site scripting attack? (OWASP Cross-Site Scripting – XSS). Solution: Use OWASP ESAPI to sanitize user input against scripts such as Javascript that could lead to XSS attacks. This is more about doing input data validation as soon as data lands on to server.
- Are there any sensitive data being dealt as part of the requirement? If yes, where and how does your application store sensitive data? And, when and where is sensitive data passed across the network? (OWASP Sensitive Data Exposure). Solution: Design to encrypt sensitive data while storing in the database. Also, plan to use SSL protocol for moving data over the network. This secures data at rest and in transit.
- How could an attacker gain useful exception details which reveals information related with server, file paths, components and other configuration related information? (OWASP Security Misconfiguration) Solution: Design to have default error pages which can be displayed instead of raw exception messages (stacktraces). Alternatively, design to respond with exception message rather than the full exception stacktrace.
- Security threats related with Repudiation
- Are the transactions important enough, such that repudiation attempts of which can lead to financial loss or any other kind of critical impact to business? Solution: Plan to store the data related to transactions such that it can be used for audit purpose.
- Security threats from vulnerabilities found in components/libraries
- As part of requirements implementation, one or more third-party libraries can be used. Thus, it is important to make sure that those third-party libraries do not have any known vulnerabilities. This is because the hackers can exploit those known vulnerabilities to attack the system. (OWASP Using component with known vulnerabilities)
- Security threats in relation with function level access control
- Are there any functions getting implemented as part of requirements, which needs an access control mechanism to only allow access to users with particular role? (OWASP Functiona level access control) Solution: Design to perform access control checks for functions having limited access.
I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
Latest posts by Ajitesh Kumar (see all)
- Agentic Reasoning Design Patterns in AI: Examples - October 18, 2024
- LLMs for Adaptive Learning & Personalized Education - October 8, 2024
- Sparse Mixture of Experts (MoE) Models: Examples - October 6, 2024
I found it very helpful. However the differences are not too understandable for me