GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-26 22:34:06 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

vault backup: 2022-08-18 13:34:21

Browse Source
This commit is contained in:
Jet Hughes 2022-08-18 13:34:21 +12:00
parent f55801c7dd
commit b91c88de6e
1 changed files with 55 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
content/notes/8-application-security-1.md
View File

@ -65,7 +65,6 @@ SANS - (SysAdmin, Audit, Network, Security) Institute. A research and education
MITRE - A not-for-profit research organisation that works with the US government. MITRE - A not-for-profit research organisation that works with the US government.
## Top 25 errors ## Top 25 errors
1. Out-of-bounds Write ** 1. Out-of-bounds Write **
2. Cross-site Scripting (XSS) ** 2. Cross-site Scripting (XSS) **
3. Out-of-bounds Read ** 3. Out-of-bounds Read **
@ -96,14 +95,58 @@ MITRE - A not-for-profit research organisation that works with the US government
**. covered in this lecture **. covered in this lecture
*. Covered in other lectures *. Covered in other lectures
1 ## OWASP top 10 errors
Injection 2 1. Injection
Broken Authentication 3 2. Broken Authentication
Sensitive Data Exposure 4 3. Sensitive Data Exposure
XML External Entities (XXE) 5 4. XML External Entities (XXE)
Broken Access Control 6 5. Broken Access Control
Security Misconfiguration 7 6. Security Misconfiguration
Cross-Site Scripting (XSS) 8 7. Cross-Site Scripting (XSS)
Insecure Deserialization 9 8. Insecure Deserialization
Using Components with Known Vulnerabilities 10 9. Using Components with Known Vulnerabilities 1
Insufficient Logging & Monitoring 0. Insufficient Logging & Monitoring
# Software development is not a core competency
- A core competency is an area that an organisation has extensive skill and experience in.
- Usually something that contributes directly to the organisations revenue stream, and that they consider to be a competitive advantage.
- Unless the organisation is actually a software development business (or similar) then they probably lack the necessary skills and experience to manage a development project.
- Often massively underestimating the costs and complexity.
- Ideally they will contract the development to a reputable software development company.
- Too often this is not the case.
# Layers of abstraction
1. Transistors
2. Logic gates
3. Arithmetic circuits
4. Arithmetic logic units (ALU)
5. Instruction set architectures (ISA)
6. Machine code
7. Compilers
8. Programming languages
9. OS kernels and drivers
10. System APIs
11. Programming language APIs
12. Library APIs
13. Application APIs
14. Applications
It is very likely that there are security flaws in lower layers before we even start writing code
# Deficiencies in programming languages
some of these flaws are due to issue with programming languages. e.g.,
- buffer overflow (1, 3, 17)
- use after free (7)
Ideally the compiler or runtime should be able to detect these and throw an error. Some languages, like C and C++ dont. This is why some experts reccomend that they shuold no longer be used for systems and server programming
# Injection flaws
## SQL injection
- a user provides malicious data which gets executed due to poorly constructed code.
- fix by using prepared statements(java) or equivalent
- use input sanitation libraries
## command injection
## cross site scripting