Exposeowasppptx

Uploaded by Radhwan Khateeb

A4 – Insecure Design

Insecure design, a new category for 2021, focuses on design flaws and the need for robust security controls from the start. It is distinct from insecure implementation, and highlights the importance of threat modeling, secure design patterns, and reference architectures to mitigate vulnerabilities early in development. A lack of business risk profiling can lead to insecure design, underscoring the critical need for proactive security measures.
A2 – Cryptographic Failures

A2 – Description

• The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., the EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as the PCI Data Security Standard (PCI DSS).

Prevention Methods:

• Perform application data classification (sensitive / non-sensitive)
• Do not store sensitive data unnecessarily; discard it as soon as possible (for PCI DSS, use compliant tokenization or truncation)
• Enforce HTTPS across the board
• Use trusted libraries for cryptography (Google Tink, etc.)
• Encrypt all sensitive data at rest
• Do not automatically decrypt your data
• Use strong cipher suites, algorithms, protocols and keys
• Make certain key management is in place
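A worked example of the "encrypt at rest", "trusted library", "strong cipher" and "decrypt only on demand" points above, added here and not part of the original slides: Go's standard-library AES-256-GCM seals one sensitive record field, binding the record id as associated data so a ciphertext cannot be silently moved between records. The key, the record ids and the sample card number are constructed placeholders; in production the key comes from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key => AES-256; fetch it from a KMS/HSM
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // GCM authenticates, so tampering is detected on Open
}

// SealField encrypts one sensitive field at rest as nonce || ciphertext || tag;
// recordID is bound as associated data so a value copied to another record fails to open.
func SealField(key []byte, recordID, plaintext string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)), nil
}

// OpenField decrypts only on demand; wrong key, wrong record or altered bytes all fail.
func OpenField(key []byte, recordID string, sealed []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", fmt.Errorf("sealed value too short")
	}
	pt, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], []byte(recordID))
	return string(pt), err
}
func main() {
	key := make([]byte, 32) // constructed demo key only
	rand.Read(key)
	sealed, _ := SealField(key, "order-42", "4111 1111 1111 1111") // constructed sample PAN
	_, err := OpenField(key, "order-43", sealed)
	fmt.Println("decrypt under another record id fails:", err != nil)
}
```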
Examples of attacks

How can an attacker exploit system design flaws?
A4 – How to prevent design flaws

• Use secure design patterns and reference architectures
• Prioritize threat modeling from the start
• A lack of business risk profiling can lead to these flaws
• Compile use-cases and misuse-cases for every tier of the app
