Part 4 Defenses


Time: 9 hours 31 minutes
Difficulty: Intermediate
Video Description

This lesson covers mitigations, countermeasures and defenses. There are several issues in the Porous Defenses category, and each has its own mitigation techniques. This unit discusses the mitigations for the following issues (SANS Top 25 rank in brackets):
[5] CWE-306: Missing Authentication for Critical Function
[10] CWE-807: Reliance on Untrusted Inputs in a Security Decision
[11] CWE-250: Execution with Unnecessary Privileges
[15] CWE-863: Incorrect Authorization
[17] CWE-732: Incorrect Permission Assignment for Critical Resource

Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course.
00:08
My name is anywhere in. This is the SANS Top 25 category Porous Defenses: mitigations, countermeasures and defenses.
00:18
Now, the defenses overview.
00:20
Because we have so many different issues in this category, I'm going to address the mitigation techniques separately. Ranking of five: CWE-306, Missing Authentication for Critical Resource.
00:37
So in the example that we saw previously, we never want to leave any kind of default password settings or blank values for passwords for any of our accounts that we use in our application code.
00:55
Also, we want to make sure that we read any secure settings in the documentation if we have to be using any backend-as-a-service cloud providers;
01:06
these cloud providers should provide ways to more securely handle
01:14
the keys and default settings that come with the operations whenever we have to synchronize with those back-end systems.
01:26
And, of course, we want to ensure that we do not have any passwords that are hard-coded into our application code. The next issue area is ranked 10: CWE-807, Reliance on Untrusted Inputs in a Security Decision. Now, the mitigations for this issue
01:45
are pretty clear.
01:46
Do not rely on any client-side values such as the Last-Modified header or any include values for making any decisions until these values have been vetted on the server side first. Also, do not rely on any JavaScript validation,
02:06
because we know that these checks can be easily bypassed.
02:10
Now, if you are checking the HTTP request's Referer,
02:15
make sure that you validate that Referer through some sort of whitelist. Use input validation on your server side
02:24
before you then act upon that information. Now, continuing with the same issue area, I did go into HTTP response splitting, and I explained what that is. Also, you'll be having a lab with this.
02:43
What you should do in regard to this to prevent HTTP response splitting attacks
02:50
is to make sure that all input values from the client side are vetted against a whitelist,
02:58
and this would include checks for carriage returns, line feeds, etcetera.
03:06
Going hand in hand with that mitigation, you want to always perform your output encoding for all HTTP responses,
03:15
and if you are unfamiliar or have forgotten what this is, please refer back to Module 3 for the cross-site scripting mitigations.
03:25
Now, in regard to the issue ranked 11: CWE-250, Execution with Unnecessary Privileges.
03:35
We know that here we want to employ the principle of least privilege.
03:39
This is to ensure that the execution of any scripts or programs is performed by a role that's powerful enough to perform that job, but no more.
03:53
The two examples that I gave in the explanations video included files that are uploaded by the user and the batch process user account. So make sure that you have accounts that are lower in privilege
04:11
and really only have enough grants to perform the duty or the task that's necessary.
04:17
Now, regarding the issue ranked 15: CWE-863, Incorrect Authorization.
04:25
We want to make sure that we perform all of our authorization checks on the server side
04:30
and not rely on any data that may be set on the client side without verifying that first,
04:39
and realize that this includes cases where you have some sort of workflow or a subsequent screen showing based on a previous action. So just make sure that you're actually validating those actions on your server side and not on the client side.
04:58
Ranking 17: CWE-732, Incorrect Permission Assignment for Critical Resource. Here you want to explicitly set default permissions to be the most restrictive setting possible.
05:13
Now, you can do this a lot of times at the program's startup by passing in arguments to your program.
05:19
It could also be done, for example, in the instance of a file system
05:25
where the system administrator can lock down that system so that it's already set up to be secure. So if either of these are a viable choice, this is what I would recommend.
05:39
Either of these makes reliance upon programmers remembering to
05:45
have the correct permission assignment
05:47
less, so you would be relying less on programmers to remember and just be able to use a more locked-down environment from the get-go.