Hello and welcome back. We're going to talk about the OWASP Top 10 Proactive Controls and the OWASP Top 10 vulnerabilities. First, we'll do an overview of the OWASP Top 10 Proactive Controls. This is a document that the OWASP group has created as a starting point for developing secure software, with a focus on defensive mechanisms and controls. Then we'll talk about the OWASP Top 10 Project, which is a list of the top 10 vulnerabilities for a particular year and helps identify the most serious security risks for web applications. I'd like to note that the contents of this presentation are based on the OWASP Top 10, which is published under the Creative Commons Attribution-ShareAlike 3.0 License. After this lesson, you will be able to locate and examine existing best practices for web application security. Great, so let's get started. The next proactive control is control six, implement digital identity. This means setting up a proper authentication system, and it means understanding the different levels of authentication. A good place to read about that is NIST SP 800-63B, which defines Authenticator Assurance Levels. Effectively, there are three authentication levels in this document. The first level is for securing data of low sensitivity; there you can get away with a password-only authentication mechanism. At level two, for slightly more sensitive data, you want to use multi-factor authentication, for example setting up Duo 2FA for your web application. At the highest level, for the most sensitive data, where a compromise could lead to loss of life or some other very critical issue, you want to use cryptographic authentication with hardware crypto modules. This control addresses the issues of broken authentication and session management.
This is a topic that we will get into further in a later module. The next control is control seven, enforce access controls. This means managing the privilege to use a set of resources that a system provides. Note that access control is not the same as authentication. Authentication answers the question: who is accessing the system? Are you really the person you say you are? Authorization answers the question: now that we know you as an authenticated entity, what are you allowed to access? Various access control design methods exist, for example discretionary access control, mandatory access control, role-based access control, and attribute-based access control. In general, with this proactive control you want to keep in mind the principle of least privilege: allow only just enough access and privilege to resources for what a particular user type is permitted to do. You don't want to give more than what is required for the entity or person to perform their job. This proactive control addresses issues with broken access controls. The next control is control eight, protect data everywhere. To start protecting data everywhere, you need to be able to classify the kinds of data that you have. Once you classify your data by how sensitive each kind is, you can create strategies for protecting each kind. In general, we want to encrypt sensitive data in transit, meaning data going from one process to another, and also encrypt data at rest. We also want to keep application secrets secret: things like private keys to repositories, API keys, and so on. You can do this by using, for example, a secrets vault like HashiCorp Vault. This proactive control, protecting data everywhere, addresses the issue of sensitive data exposure.
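To make the authentication-versus-authorization split and least privilege concrete, here is an added example (not from the lecture) of a deny-by-default, role-based authorization check in Python; the role names, permission strings and sample users are constructed for illustration.

```python
# Added example (not from the lecture): deny-by-default role-based access
# control, kept separate from authentication. Role names, permission strings
# and the sample principals are constructed for illustration.
from dataclasses import dataclass, field

# Least privilege: each role holds only the permissions its job requires.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "report:delete", "user:manage"},
}


@dataclass(frozen=True)
class Principal:
    """Result of authentication: who the caller is and which roles they hold."""
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


def is_authorized(principal, action, resource_owner=None):
    """Authorization: may this already-authenticated principal perform `action`?

    Deny by default: only an explicit grant returns True. A principal without
    the management permission may only act on records they own, which applies
    least privilege at the object level as well as the role level.
    """
    if principal is None:  # unauthenticated callers never get implicit access
        return False
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    if action not in granted:
        return False
    if resource_owner is not None and "user:manage" not in granted:
        return principal.user_id == resource_owner
    return True


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"editor"}))
    print(is_authorized(alice, "report:write", resource_owner="alice"))  # True
    print(is_authorized(alice, "report:delete"))  # False: editor has no delete
    print(is_authorized(alice, "report:read", resource_owner="bob"))  # False
```

Authentication produced the `Principal`; every later request still goes through `is_authorized`, so a valid login on its own grants nothing.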
The next proactive control is control nine, implement security logging and monitoring. The idea here is to follow a common logging format and to log just enough information for it to be useful in a particular scenario. At a minimum, log the timestamp, the user ID, and the resulting outcome, but do not log any private or confidential data. Also make sure that the timestamps you are logging are consistent across your systems; make sure, for example, that all of your hosts are using UTC timestamps. Next, set up your logging so that logs are forwarded to a central service. This prevents problems with log integrity and with loss of log data. This proactive control, security logging and monitoring, addresses the needs you or your team would have during intrusion detection analysis and security investigations. It also addresses the needs your team would have for regulatory compliance. Last but not least, we're going to talk about C10, the proactive control of handling all errors and exceptions. In general, what you want here is to make sure that the error messages displayed to users don't leak any sensitive data. We also want to log exceptions in enough detail that analysts on your team, or QA for example, can understand the particular issue behind the exception you have logged. This proactive control, handling errors and exceptions, addresses information leakage issues and potential denial of service issues. Now that we've talked about the OWASP Top 10 Proactive Controls, I'm going to talk about the OWASP Top 10 Project. Remember how, when we looked at the OWASP Top 10 Proactive Controls, it was a set of defensive controls and recommendations to perform in order to address certain vulnerabilities, or vulnerabilities and weaknesses in general.
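Controls nine and ten fit together in code: the same logging routine that records a UTC timestamp, user ID and outcome while redacting confidential fields is what the error handler writes to, while the user only sees a generic message and a correlation ID. Here is an added example (not from the lecture) of both; the field names, sensitive-key list and sample request are constructed for illustration.

```python
# Added example (not from the lecture): security event logging with UTC
# timestamps and redaction, plus an error boundary that logs the full
# exception but returns only a generic message and a correlation id.
# Field names, SENSITIVE_KEYS and the sample payloads are constructed.
import json
import logging
import traceback
import uuid
from datetime import datetime, timezone

log = logging.getLogger("security")
logging.basicConfig(level=logging.INFO, format="%(message)s")

# Keys that must never be written to the log, whatever the event.
SENSITIVE_KEYS = {"password", "token", "api_key", "card_number", "ssn"}


def security_event(action, user_id, outcome, **details):
    """Emit one record in a fixed JSON shape: UTC timestamp, user, outcome."""
    redacted = {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
                for k, v in details.items()}
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "action": action,
        "user_id": user_id,
        "outcome": outcome,
        **redacted,
    }
    log.info(json.dumps(record, sort_keys=True))  # a handler would forward this centrally
    return record


def handle_request(user_id, payload, operation):
    """Run `operation`; on failure log details internally, answer generically."""
    try:
        result = operation(payload)
        security_event("request", user_id, "success", **payload)
        return {"status": "ok", "result": result}
    except Exception as exc:  # boundary handler: catch everything, leak nothing
        ref = uuid.uuid4().hex[:12]  # correlation id ties user report to log line
        security_event("request", user_id, "error", ref=ref,
                       exc_type=type(exc).__name__,
                       stack=traceback.format_exc(), **payload)
        # The user-facing response carries no stack trace, path or query text.
        return {"status": "error", "message": "Request failed", "ref": ref}
```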
What the OWASP Top 10 Project gives us is a set of security weaknesses that the security community has seen and wants to raise awareness of. This set of top 10 vulnerabilities maps back to our Top 10 Proactive Controls. The OWASP Top 10 Project also gives recommendations for fixing these 10 security weaknesses, which is additional guidance for improving our application security. Now, with that said, there are 10 OWASP Top 10 Application Security Risks. For 2017 in particular, the top three are injection, broken authentication, and sensitive data exposure. These top three are going to be the main focus of our future lessons. I want to point out that I've included Cross-Site Scripting in our topic on injection vulnerabilities for this particular course, for two reasons. The first reason is that Cross-Site Scripting is a type of injection vulnerability, as mentioned on the OWASP Project website. The second reason is that we are focusing on the top three vulnerabilities from the 2017 OWASP Top 10 Application Security Risks list, and Cross-Site Scripting is number seven in 2017. However, Cross-Site Scripting has been consistently in the top three since 2014, so from 2014 to 2016. It's good to be aware of Cross-Site Scripting even though it's not listed in the top three for 2017. To wrap up, we've now covered the general information contained in the OWASP Top 10 Proactive Controls. The OWASP Top 10 Proactive Controls is a document that you can look up online on the OWASP group's website. The same goes for the OWASP Top 10 Project, which is a set of security weaknesses; that is also a document you can look up online on the OWASP website. The OWASP Top 10 Proactive Controls is a good starting point of controls and recommendations for improving the security of our software.
We also introduced the general security weaknesses that we will be covering in the next several modules.