Categories: Application Security

Top 7 Security Attack Questions While Analyzing Every Requirement

Following are top 5 security attack related questions that you could ask while analyzing the each requirement in hand, the answers to which could help you put better design in relation with security:

  • Security threats analysis related with data entering into/coming out of the system:
    1. How could an attacker inject SQL commands? (OWASP SQL Injection). Solution: Use parameterized SQL queries rather than building SQL statements dynamically using string concatenation
    2. How could an attacker perform a cross-site scripting attack? (OWASP Cross-Site Scripting – XSS). Solution: Use OWASP ESAPI to sanitize user input against scripts such as Javascript that could lead to XSS attacks.  This is more about doing input data validation as soon as data lands on to server.
    3. Are there any sensitive data being dealt as part of the requirement? If yes, where and how does your application store sensitive data? And, when and where is sensitive data passed across the network? (OWASP Sensitive Data Exposure). Solution: Design to encrypt sensitive data while storing in the database. Also, plan to use SSL protocol for moving data over the network. This secures data at rest and in transit.
    4. How could an attacker gain useful exception details which reveals information related with server, file paths, components and other configuration related information? (OWASP Security Misconfiguration) Solution: Design to have default error pages which can be displayed instead of raw exception messages (stacktraces). Alternatively, design to respond with exception message rather than the full exception stacktrace.
  • Security threats related with Repudiation
    1. Are the transactions important enough, such that repudiation attempts of which can lead to financial loss or any other kind of critical impact to business? Solution: Plan to store the data related to transactions such that it can be used for audit purpose.
  • Security threats from vulnerabilities found in components/libraries
    1. As part of requirements implementation, one or more third-party libraries can be used. Thus, it is important to make sure that those third-party libraries do not have any known vulnerabilities. This is because the hackers can exploit those known vulnerabilities to attack the system. (OWASP Using component with known vulnerabilities)
  • Security threats in relation with function level access control
    1. Are there any functions getting implemented as part of requirements, which needs an access control mechanism to only allow access to users with particular role? (OWASP Functiona level access control) Solution: Design to perform access control checks for functions having limited access.

 

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.

Share
Published by
Ajitesh Kumar

Recent Posts

Agentic Reasoning Design Patterns in AI: Examples

In recent years, artificial intelligence (AI) has evolved to include more sophisticated and capable agents,…

3 weeks ago

LLMs for Adaptive Learning & Personalized Education

Adaptive learning helps in tailoring learning experiences to fit the unique needs of each student.…

4 weeks ago

Sparse Mixture of Experts (MoE) Models: Examples

With the increasing demand for more powerful machine learning (ML) systems that can handle diverse…

1 month ago

Anxiety Disorder Detection & Machine Learning Techniques

Anxiety is a common mental health condition that affects millions of people around the world.…

1 month ago

Confounder Features & Machine Learning Models: Examples

In machine learning, confounder features or variables can significantly affect the accuracy and validity of…

1 month ago

Credit Card Fraud Detection & Machine Learning

Last updated: 26 Sept, 2024 Credit card fraud detection is a major concern for credit…

1 month ago