Welcome back. In this module, we talked about three different kinds of injection issues: SQL injection, cross-site scripting injection and command injection. We also discussed, in the first module, the OWASP proactive controls. Now we're going to talk about the OWASP proactive controls as they relate to mitigating these injection issues. After this lesson, you will be able to review the OWASP proactive controls related to mitigating injection issues.

The first proactive control that we want to keep in mind is to define our security requirements. This is fundamental to addressing many kinds of vulnerabilities, and injection issues are a good example. If we have a solid definition of our security requirements, we can home in on the parts of the application that require special attention, such as where we should be encoding and escaping untrusted user input.

The next OWASP proactive control that I want to highlight in light of these injection issues is leveraging security frameworks and libraries. We want to use security encoding libraries to process our input data so that we can prevent, for example, cross-site scripting. In addition, we want to remember to use a positive prevention model.

Next, we want to set up database access that is secure. This means setting up your database with secure configurations, because databases don't come secure by default right out of the box. We also want to set up secure authentication and secure communication between the database and the server-side application. More specifically, we want to query that database securely. This means not trusting queries that have user input in them. Furthermore, we want to use prepared statements with parameterization when performing our queries. This is so that we can prevent SQL injection vulnerabilities.
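To make the prepared-statement point concrete, here is an added example (written for this page, not code from the course) that puts a string-concatenated query next to its parameterized form. It uses Python's built-in sqlite3 module with an in-memory database; the users table, the sample rows and the attacker payload are all constructed for the illustration.

```python
"""Added example: SQL injection via string building versus a prepared
statement with a bound parameter. Not code from the course; the table,
rows and payload below are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: untrusted input is concatenated into the query text.

    The database cannot tell where the data ends and the SQL begins, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause and matches every
    row instead of one user.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: prepared statement with a bound parameter.

    The SQL text is fixed at development time; the driver ships the value
    separately, so it is only ever compared as data and cannot become
    SQL syntax, whatever characters it contains.
    """
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed attacker input
    print("unsafe:", lookup_unsafe(db, payload))  # every row comes back
    print("safe:  ", lookup_safe(db, payload))    # no user has that name
    print("legit: ", lookup_safe(db, "alice"))
```

The hardened version is not merely escaping quotes; the query structure and the data travel separately, which is why parameterization is the primary defense and escaping is only a fallback for the rare places (table or column names, ORDER BY direction) that cannot be parameterized.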
The next control that I want to mention is to encode and escape data. This is our defensive technique for preventing injection attacks. The next proactive control that I want to mention is to validate all of our user data inputs. We want to make sure that only properly formatted data can be processed further. Keep in mind that validating input data has to be used together with additional defenses like query parameterization and escaping.

The last OWASP proactive control that I want to mention related to mitigating injection issues is to implement security logging and monitoring. Security logging is especially important when we want to collect information for intrusion detection, specifically when we'd like to know whether unusual input data has been entered by attackers trying to take advantage of an injection vulnerability, especially one that we may not have even realized we have in our application. This information can be used to get a larger picture when dealing with intrusion detection and incident analysis.

So, to summarize the mitigations that we have mentioned in Module 2: for SQL injection, we want to use prepared statements with parameterization. For cross-site scripting injection, we want to keep in mind OWASP's positive prevention model, where the prevention model is to only allow modifiable data in specific document object model locations. We also want to use security encoding libraries. For command injection, we want to avoid placing user-controlled data into commands that will eventually be processed by a shell. But if you cannot avoid that, use whitelisting and validation of user input data to ensure that there are no improper strings, for example, no shell control-flow characters like pipe and ampersand. And that's it for now. Thanks for listening.
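The remaining two mitigations from the summary above, output encoding for cross-site scripting and keeping user data out of a shell for command injection, are shown together in this added example (written for this page, not code from the course). The greeting page fragment, the host-check command, the hostname allow-list pattern and the logger name are assumptions made for the illustration, and all inputs are constructed. The rejection path also emits a security log line, tying in the logging control discussed above.

```python
"""Added example (not code from the course): HTML output encoding for
cross-site scripting, and allow-listing plus a shell-free argv for
command injection. The page fragment, ping command, hostname pattern
and logger name are assumptions; inputs are constructed."""
import html
import logging
import re
import subprocess

log = logging.getLogger("security")  # assumed logger name


# --- Cross-site scripting: encode untrusted data for the HTML text context ---

def render_greeting_unsafe(name: str) -> str:
    """VULNERABLE: raw input is interpolated into HTML, so any markup in
    the input becomes part of the page's DOM and script can execute."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """HARDENED: encode the characters that carry meaning in an HTML text
    node (& < > " ') so the value can only ever be rendered as text.
    html.escape is the standard-library encoder; a templating engine's
    auto-escaping does the same job in real applications."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


# --- Command injection: strict allow-list, then an argv list with no shell ---

# Assumed hostname allow-list: letters, digits, dots and hyphens only. This
# excludes every shell metacharacter (; | & $ ` quotes, whitespace) by
# construction, rather than trying to blacklist them one by one.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_ping_command_unsafe(host: str) -> str:
    """VULNERABLE: this string is destined for a shell (shell=True), so an
    input like 'example.com; cat /etc/passwd' runs the second command."""
    return "ping -c 1 " + host


def build_ping_command_safe(host: str) -> list:
    """HARDENED: validate against the allow-list, log and refuse anything
    else, then return an argv list for subprocess.run(..., shell=False).
    Each element is exactly one argument; no shell ever parses the value,
    so metacharacters inside it have no meaning."""
    if not HOSTNAME_RE.fullmatch(host):
        # Security logging: record the rejected input for intrusion analysis.
        log.warning("rejected host argument in ping check: %r", host)
        raise ValueError("host contains characters outside the allow-list")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell (shell defaults to False)."""
    return subprocess.run(
        build_ping_command_safe(host), capture_output=True, text=True
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    xss = "<script>alert(1)</script>"  # constructed attacker input
    print(render_greeting_unsafe(xss))
    print(render_greeting_safe(xss))

    bad_host = "example.com; cat /etc/passwd"  # constructed attacker input
    print(build_ping_command_unsafe(bad_host))  # would run both commands under a shell
    try:
        build_ping_command_safe(bad_host)
    except ValueError as exc:
        print("rejected:", exc)
    print(build_ping_command_safe("example.com"))
```

Two design points worth noting: the encoder is chosen for the HTML text context specifically (an attribute, URL or JavaScript context needs a different encoder, which is what the positive prevention model is about), and the command defense does not rely on the allow-list alone; even a value that passes the pattern is handed to the process as a single argv element, so there is no shell left to inject into.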