as we're moving through is we're learning more about cloud applications. I'm a big believer in the fact that you don't have to know everything right, but Jack know where to find everything and have a look for it. So what we have here is just a listing of some vulnerability databases. And resource is
Web application security project. Oh, lost the top 10. That is an invaluable resource. So awas puts out a lot of information on Web applications security particularly. But every few years they publish a top 10 list. We're gonna look at those in a few minutes,
but there are also other resource is out there. The CVI database, which is common vulnerability on exposures.
C w Any weakness in new Marais Shin Common weaknesses. Enumeration, Listing of vulnerabilities.
There's a national vulnerability database. Us, sir. You know they're a Brazilian. Resource is out there, right? So the bottom line is part of due diligence is for me
as part of the Cloud service his team is I have to be aware I have to be knowledgeable off the potential weaknesses and the threats don't have to know it all I have to be willing to learn after be willing to research. I have to be willing to dig. Let's take a look at a wasp.
All right. Oh, Wasps. So we said, Oh, waas was the open Web applications security project. And as I mentioned, they produce every couple years a top 10. Now, what will be focusing on is the one for 2017 again on the exam.
Don't expect what's number five on awas 2017 top 10. But I gotta tell you, you might see some test prep software out there. That actually does ask you,
you know, one of those questions
not on the exam. OK, that's just that's to detail. That's to memorization of 1/3 party Reese, or of another resource. Don't worry about that. But what I would be aware of is what a great resource of WASP is. It's certainly fair game to ask you about a wasp.
And then I would also have an idea about what some of these particular security issues are.
Okay, so, essentially, uh, what we've got is what we just see here.
I'm gonna try that again. Let's do that again. Shall we erase that I'm gonna do that gracefully.
Okay, so let's take a look at a wasp. So what? We said open Web Application Security Project. And we said that AWAS produces a top 10 list of most common vulnerabilities that are out there for Web applications. So their nonprofit organization,
it's a broad consensus on what the most common flaws are in security exploits the ideas. Let's raise awareness. The idea is, let's promote knowledge across the board toe all web application designers and administrators so that we can grow is a whole. Now I want to stress to you
on the C. C s P exam you're not going to see Hey, what's the third most
ah, common exploit. You might actually see a question like that on test prep here and there.
That is not the material. That's not what this test is about. Not about memorizing this list in that list. Another list. But it is relevant for the test and for life that you understand the purpose of a wasp,
understand the top 10 list, and then there are a couple of flaws on here or exports rather that you need to know about
not in relation to being on the Wasps top 10 list, but is being a real concern with Love application Security, right? So, for instance, the very first
on our list we have code injection will definitely want to talk about code injection, broken authentication, ideas, sensitive Dad exposure. So across these slides, I've just very quickly referenced the one through 10 list.
But what I've also gone is I've broken them out more. Across the next 10 slides. I've referenced the codes in more depth or a reference, the exploits and more death. Again,
they're not important test of Lee speaking in relation to what a WASP says. But just the fact that hey, you're an application developer. These are the things that you have got to mitigate. So the greatest threat to Web applications today is code injection,
and they might call it sequel injection. They might say XML injection. L dap injection code injection is code injection,
and the idea their meaning is that I am trying to input code malicious code into a form. You know, many times when we're working with Web applications, we need input from our users, right in her user name and password.
Well, if I don't provide input validation. If I'm not limiting what you can input into those fields, you can put anything in, and we're all familiar with the idea of garbage in garbage out. If you put garbage into my database, it will have an impact on the vacuum results.
Some types of inputs can actually damage my back in database.
You do not have to be a sequel expert, but when you think about a command like drop tables and the impact that would have a database, that's probably not good, right? So certainly a concern when you're so show you something really quick.