Security Fundamentals

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:01
Hey, everyone, welcome back to the core. So in the last video we talked about why a p I security is important again. We went over a couple of examples in the real world of things like the Facebook AP issues and other security issues. Aziz Well, assay USPS and this video, where to go over some basic
00:17
security concepts. We're just going to talk about a couple of those. We're gonna talk about the CIA tree odd
00:22
in relation to a P eyes as well as Triple A in relation to a P ice.
00:27
So let's talk about the CIA CIA triaged first. Now, if you're not familiar with this, it has nothing to do with the actual three letter agency. But the CIA. Triage is confidentiality, integrity and availability of your data.
00:40
So with confidentiality,
00:42
it just basically means the right data is going to the right users. Right? So basically, we want to think through who has access to the data or who should have access to the data. And then what data is important to them, like what data they do they actually need access to
00:55
for integrity. We want to make sure that we're actually getting good data from our trusted sources, we will make sure it's actually good data.
01:02
And then when we think about in the concept of a P eyes, we need to also think through.
01:07
Is this data actually trustworthy to begin with, right. So have we validated that the data is from a trusted source, and then with that, as part of that, while the data is being transmitted or at rest, we need to make sure that data secured so it can't be altered in it because we don't want the integrity
01:26
ultra of that data.
01:27
And then finally the availability, right?
01:30
Uh, we're just making sure that the right people can access the right data at the right time. So
01:34
when we're thinking through,
01:37
see a tree, odd is faras ap eyes.
01:40
We want to think through some questions. So things like can the business actually trusted stated to be valid
01:47
because we needed to be accessible for making critical decisions. So if it's not,
01:51
and if it's not good data and we make decisions that's gonna affect the organization
01:56
now, a downside of the CIA triage traditionally is that it just focuses on the data. So some of the things you want to think through our can. The application your building handle? Ah, hire a volume of traffic than that it might be used to or designed for. So as you're building that out, you want to think through Well, what happens if Scenario X occurs
02:15
right? You also want to think through okay, Have we found any bugs as we're ah going through and debugging this software? And if so, how could those bugs impact later down the line and also thinking through for our organization or kind of security best practices,
02:31
our industry best practices, water, our security requirements? What kinds of things are we making sure that we do? Or that we have to be mindful of as we're going through and analyzing while we're building the software?
02:44
And then we've got a Triple A so traditionally Triple A's the authentication authorization and then you'll see it listed as accounting Or sometimes auditing slash accounting depends on the source you're looking at.
02:54
But when we're talking about a P eyes,
02:58
we're kind of focused on a couple of major areas. So number one being authorization number two being the authentication. So the authorization is actually a part of the OSS top 10 for a P I security. It's the 1st 1 listed. It's called Broken Object Level Authorization.
03:16
So we'll talk about that a little more in depth when we get to the law section of this course
03:21
Now with the authentication part
03:24
the way. And if you're not familiar again, I'm assuming this is the census is a fundamental course. I'm assuming that some people may not have any development back around watching this. So basically a P I keys are are used often times and checked against user profile to basically ensure that the call that these Air profile is making or the request
03:44
that is making is actually authorized for that user
03:46
and many a P. I also used what I mentioned earlier rate limiting right, and that limits the number of calls that a specific I p address or quote unquote user kid making a specific time period.
04:00
One issue, though, is that
04:03
because of that rate limiting and because of a P, as in general, a P S could be taxing on your authentication infrastructure because number one have to verify like, hey, this person or this user or this entity, you know, are the authorized to view this stuff, so they have to verify that you are on because of that authorization process A
04:24
and also applying, like rate limiting
04:26
it can become very taxing on the application. So you really need to think through when you're designing your software
04:34
and looking at the A P I. C. Also, you need to think through what is the impact of all of these extra calls on the capacity? Right. So an example is the Pokemon go game
04:46
that many people, I think people still play it. But a few years back remember that some people were having trouble logging into it,
04:53
um,
04:54
directly through the APP and other people that reason, like their Google log in tow access said they didn't have any trouble. Um, and I believe the reason for that if I, if I recall correctly, was because the way people were accessing it, the application had to authenticate them directly. Right? So I had to go through that entire cycle of who are you? Let me make sure you're
05:14
you should be accessing this.
05:15
And it was really taxing the a p I. Whereas the people going through their Google account right? That was operating through Google's authentication to that authenticate to the APP. So that was the issue with that. And that's why we want to be mindful of these things as were
05:30
working on our software. We have to be mindful of AP eyes and what is actually gonna happen if these various scenarios transpire.
05:40
So just a quick quiz question. Which feature of Triple A? Did I mention that's in the number one spot for the OAS FBI Security Top 10 Again We'll talk a little bit more about the US top 10 list in just a little bit
05:51
are. So If you guessed
05:54
a one which is broken object level authorization, you're correct. So authorization on that list of question answers was the correct response
06:02
in this video. We just talked about the CIA triage in its relation to AP eyes. We also talked about Triple A and its relation to a P I. So again, the CIA triage stands for a confidentiality. So again, the right data going to the right users integrity, which is just making sure that we are getting that data from trusted sources. And
06:20
that is not being manipulated in transit or at rest
06:24
and then availability, which is just making sure that the right people can access the right data at the right time. And then we also talked about the Triple A, which again traditionally speaking, stands for authentication authorization, and sometimes you'll see it as auditing slash accounting. But normally it's seen as just a county,
06:41
and then we can also tie in AP authentication in there as part of the authentication part of Triple A.
Up Next
Introduction to the OWASP API Security Top 10

The Introduction to the OWASP API Security Top 10 course will teach students why API security is needed. Students will get a brief refresher on the CIA triad and AAA, then move into learning about the OWASP Top 10 from an API security perspective.

Instructed By