Cyber Security Process

The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.

1. Injection

2. Broken Authentication

3. XXE: XML External entities

4. Sensitive data exposure

5. Security Misconfiguration

6. In-Secure deserialization

7. Broken Access control

8. Cross-site scripting

9. Insufficient Logging and monitoring

10. Using components with known vulnerabilities

1. Mission Critical Assets

2. Data Security

3. Application Security

4. End point Security

5. Network Security

6. Perimeter Security

7. Human Layer

1. Destruction (Data/Infrastructure)

2. Disturb service availability

3. Data exploits

4. Money stealing 

1. Fixation : It’s an attack that hacker can steal your session ID and use it in executing http requests 

2. XSS : Cross site scripting

3. CSRF: Cross-Site Request forgery is an attack where a malicious site sends a request to a vulnerable site where the user is currently logged in. 

4. Hijacking : To steal something from the client or the server 

5. Brute-Force: Attacker trying many passwords or passphrases with the hope of eventually guessing correctly. Can be resolved by delaying the repetitive trials and block the incoming IPs from IIS 

6. Tampering: Means attacker trails for changing the parameters values in order to do something 

7. Sniffing : It’s the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. With a simple packet sniffer, an attacker can easily read all plaintext traffic. Also, attackers can crack packets encrypted by lightweight hashing algorithms and can decipher the payload that you considered to be safe. The sniffing of packets requires a packet sniffer in the path of the server/client communication. SSL is the key countermeasure. The attacker place packet-sniffing tool on the network to monitor the traffic.

1. SonarQube

2. Invicti

3. Acunetix

The core zero-trust principle is: "Never Trust, Always Verify."

In order to implement this principle, We should apply the following practices:

1. Integrate SAST tools at the pipeline, like SonarCloud

2. Automated Security Testing  (OWASP ZAP, Burp Suite )

3. WAF as the umbrella for your solution, which detects the following:

• XSS

• Rate limiting

• Anomaly detection

• Injections

• Block malicious payloads

4. Strong Authentication (OAuth 2.0, OpenID Connect, JWT) 

5. Enable CORS restrictions

6. Configure and implement CSRF tokens 

7. MFA: Multi-factor authentication, authentication at first login

8. Implement Role-Based Access Control (RBAC) to prevent access to improper services

9. Encrypt payload

10. Use secret keys

11. Auto-Rotate secret keys

12. Use a secret key for each channel

13. Never expose secret key in the front-end layer

14. Obfuscation of frontend

15. Add HSTS and XSS headers at the frontend

16. Add HSTS and XSS headers at the backend

17. Continuous authentication on core activities:

• Payment

• Asset transfer

18. Encrypt traffic

• SSL

• TLS 1.2 or higher

19. Prevent data crawling

20. Infrastructure security

21. API versioning deprecation model for old APIs