Hi, everyone. Welcome back to the course. So in the last video, we talked about who I am as your instructor. Again, my name is Ken Underhill, and I'll be teaching this course. We also talked about the course structure overall and some of our objectives, one of which was understanding the differences between the OWASP Top 10 2013 list and the 2017 list.
So in this video, we're gonna actually talk about those differences.
So a quick pre-assessment question here: Jennifer works as a cyber security engineer, and she's been tasked with presenting an overview of the OWASP Top 10 2017 to the vice president of technology.
She knows that which of the following is not on the 2017 OWASP Top 10 list?
So which one of those is it?
If you guessed answer B, cross-site request forgery, that one is no longer on the list; it was removed. We'll talk about that in this particular video. And then, of course, injection, XXE and cross-site scripting: we've already talked about those being on the list, and we'll talk about those as well.
So our learning objectives for this particular video: we're going to talk about what OWASP is and have a better understanding of that. And then, as I mentioned, we'll list out the 2017 OWASP Top 10. And then we'll talk about the differences between the two.
So what is OWASP? What's it all about? Is it actually a type of beer or something like that? No, it stands for the Open Web Application Security Project. The OWASP Foundation was founded in the early 2000s, and the whole premise, the whole goal here, is to improve web application security. So it's basically fostering a community of security professionals, regular individuals, organizations, companies, that all come together to try to make web applications more secure. It's been very successful, and that's why OWASP keeps coming out with the Top 10 list to help organizations stay more secure. And, of course, you'll always have some company that doesn't want to follow along with things and do things the right way. But overall, at least here in the United States, most organizations try to keep the best practices in place.
So, the OWASP Top 10 for 2017. And again, these are just the modules that we're covering in this course, but this is the specific listing from OWASP. So we've got A1, which is Injection; A2, Broken Authentication; A3, Sensitive Data Exposure; A4, XML External Entities, or, as I mentioned before, commonly called XXE;
A5, Broken Access Control; A6, Security Misconfiguration; A7 is our Cross-Site Scripting, or XSS, which is how you'll commonly see it listed; A8 is Insecure Deserialization, and we'll talk about what that actually means;
A9, Using Components with Known Vulnerabilities; and then finally, Insufficient Logging and Monitoring as A10. So what are the differences? Well, what has changed between 2013 and 2017? Besides the fact that I got four years older in that time period, we've had some different changes.
So what OWASP did is they basically
retired, as I mentioned before, the cross-site request forgery one. So that was removed, basically because a lot of frameworks used nowadays include defenses against that particular attack. And so now it's not really found a lot; I think the number from OWASP was around 5% or so, that they were finding it in about 5% of applications. So again, not something
extremely relevant. Still a risk, right, but not extremely relevant in the grand scheme of things.
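The "defenses built into frameworks" mentioned above are, in most cases, a synchronizer token: the server embeds a per-session secret in its own forms and rejects any state-changing request that does not echo it back. The following is an added illustration, not code from this course or from OWASP; the in-memory session store, the handler name and the transfer form are all made up for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> per-session CSRF token.
# A real framework keeps this in its server-side session storage.
_SESSIONS: Dict[str, str] = {}


def start_session() -> str:
    """Create a session and attach a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    _SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own forms (hidden field) for this session."""
    return _SESSIONS[session_id]


def is_valid_csrf(session_id: str, submitted_token: Optional[str]) -> bool:
    """Synchronizer-token check, run on every state-changing request.

    A forged cross-site request carries the victim's session cookie, but a
    third-party page cannot read the token out of the server's form, so the
    token is missing or wrong and the request is rejected.
    """
    expected = _SESSIONS.get(session_id)
    if expected is None or not submitted_token:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted_token)


def handle_transfer(session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical state-changing handler guarded by the CSRF check."""
    if not is_valid_csrf(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form.get('amount', '0')}"


if __name__ == "__main__":
    sid = start_session()
    legit = {"amount": "10", "csrf_token": csrf_token_for(sid)}
    forged = {"amount": "10"}  # a form served from another origin has no token
    print(handle_transfer(sid, legit))
    print(handle_transfer(sid, forged))
```

The token is tied to the session rather than global, so a token issued to one session is useless against another, and `hmac.compare_digest` is used instead of `==` so that timing differences do not reveal how many leading bytes of a guess were right.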
Also, they merged the previous A4 from 2013 and A7 from 2013. So they merged Insecure Direct Object References as well as Missing Function Level Access Control; they merged both of those into Broken Access Control, or A5.
And then they also removed Unvalidated Redirects and Forwards, which back in 2013 was A10. And again, that was another one, like cross-site request forgery, that was found in a very minuscule amount, so basically about 8% or so of applications.
So it was still somewhat relevant, but it was slightly edged out by XXE, which has been added in.
So, as I mentioned, XXE has been added in, or XML External Entities. So that's A4, a new category here for 2017. Also A8, Insecure Deserialization, was added, as well as A10, Insufficient Logging and Monitoring. Again, that's something that we want to make sure we address with organizations,
insufficient logging and monitoring, because you can log stuff all day long,
but if you're not monitoring, if you don't have alerts in place, it's kind of irrelevant to even do that, right? Now, we'll talk about all that when we get to those individual modules.
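To make the "logging without monitoring" point concrete, here is an added example (not from the course or from OWASP) of the smallest useful monitoring step: read authentication log lines and raise an alert when one source address produces a burst of failed logins. The log lines are constructed for the example, the syslog-like format, the threshold of 5 failures and the one-minute window are assumptions, and a real deployment would feed the alerts into whatever the team actually watches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log lines (not from any real system), syslog-like format.
SAMPLE_LOG = """\
2017-11-20T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2017-11-20T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2017-11-20T10:00:04 sshd[102]: Accepted password for alice from 198.51.100.2
2017-11-20T10:00:05 sshd[101]: Failed password for root from 203.0.113.7
2017-11-20T10:00:06 sshd[101]: Failed password for root from 203.0.113.7
2017-11-20T10:00:08 sshd[101]: Failed password for admin from 203.0.113.7
2017-11-20T10:03:00 sshd[103]: Failed password for bob from 198.51.100.2
2017-11-20T10:09:00 sshd[104]: Failed password for bob from 198.51.100.2
"""

# Assumed line layout: "<iso timestamp> <process>: Failed password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failures(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Pull (timestamp, user, source ip) out of every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Alert when one source IP produces `threshold` failures inside `window`.

    Sliding window per IP: only timestamps within `window` of the newest event
    are kept, so the count reflects a burst rather than an all-time total.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    alerted = set()
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)  # one alert per source, not one per extra failure
            alerts.append(f"ALERT {ts.isoformat()} {ip}: {len(q)} failed logins in {window}")
    return alerts


def run(log_text: str = SAMPLE_LOG) -> List[str]:
    """Parse the log and return the alerts a monitor would raise."""
    return detect_bruteforce(parse_failures(log_text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample above, 203.0.113.7 trips the alert on its fifth failure within the minute, while 198.51.100.2 (two failures six minutes apart) stays quiet. The same log lines exist either way; the alert is what turns them into something a person will act on.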
So just one quick post-assessment question here, hopefully to test your knowledge, if you were paying attention: where does injection fall on the OWASP Top 10 from 2017?
If you guessed answer C, number one, you are correct. So again, A1, as is what they call it, or number one; that's the top one on the particular list for the Top 10 of 2017. Again, injection attacks are very, very common, especially SQL injection attacks. You'll see those a lot.
If you look around, if you're in cyber security at all, or if you're even just looking at the media, you'll see every so often
they'll come out with a story about how some attacker used a SQL injection attack to cause chaos.
So in this video, we just talked about the differences between the OWASP 2013 Top 10 list and the 2017 Top 10 list.
In the next video, we're going to jump into Module 2, which is going to be talking all about our injection vulnerabilities and attacks.