Cyber threats have become more sophisticated. Hence, it is a good idea to utilize the expertise of public cloud providers to better manage assets against security threats. Cloud security is a collection of proactive measures to protect your cloud assets from internal and external threats. In this Refcard, we will walk through common cloud security challenges, continuous security for cloud infrastructure, and advanced strategies for securing cloud workloads.
Source de l’article sur DZONE
Articles
Vulnerabilities produce enormous reputational and financial risks. As a result, many companies are fascinated by security and desire to build a secure development life cycle (SSDLC). So, today we’re going to discuss SAST — one of the SSDLC components.
SAST (static application security testing) searches for security defects in application source code. SAST examines the code for potential vulnerabilities — possible SQL injections, XSS, SSRF, data encryption issues, etc. These vulnerabilities are included in OWASP Top 10, CWE Top 25, and other lists.
Chatbots Are Here To Stay
Security Risks, Threats, and Vulnerabilities
The words risk, threat, and vulnerability are often confused or used interchangeably when reading about computer security, so let’s first clarify the terminology:
-
Vulnerability refers to a weakness in your software (or hardware, or in your processes, or anything related). In other words, it’s a way hackers could find their way into and exploit your systems.
-
A threat exploits a vulnerability and can cause loss, damage, or destruction of an asset – threats exploit vulnerabilities.
-
Risk refers to the potential for lost, damaged, or destroyed assets – threats + vulnerability = risk!
Vulnerability 1: XSS – Cross-Site Scripting
A typical implementation of a chatbot user interface:
- There is a chat window with an input box.
- Everything the user enters in the input box is mirrored in the chat window.
- Chatbot response is shown in the chat window.
The XSS vulnerability is in the second step — when entering text including malicious Javascript code, the XSS attack is fulfilled when the web browser is running the injected code:
<script>alert(document.cookie)</script>
Possible Attack Vector
For exploiting an XSS vulnerability the attacker has to trick the victim to send malicious input text. It can be done through one of the following ways:
In this post, you will learn how to execute penetration tests with OWASP Zed Attack Proxy (ZAP). ZAP is a free web app scanner which can be used for security testing purposes.
1. Introduction
When you are developing an application, security must be addressed. It cannot be ignored anymore nowadays. Security must be taken into account starting from initial development and not thinking about it when you want to deploy to production for the first time. Often you will notice that adding security to your application at a later stage in development, will take a lot of time. It is better to take security into account from the beginning, this will save you from some painful headaches. You probably have some security experts inside of your company, so let them participate from the start when a new application needs to be developed. Nevertheless, you will also need to verify whether your developed application is secure. Penetration tests can help you with that. OWASP Zed Attack Proxy (ZAP) is a tool which can help you execute penetration tests for your application. In this post, you will learn how to setup ZAP and execute tests with the desktop client of ZAP. You will also need a preferably vulnerable application. For this purposes, Webgoat of OWASP will be used. In case you do not know what Webgoat is, you can read a previous post first. It might be a little bit outdated because Webgoat has been improved since then, but it will give you a good impression of what Webgoat is. It is advised to disconnect from the internet when using Webgoat because it may expose your machine to attacks.
This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and more. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10.
Vulnerability: HashiCorp Vault
Felix Wilhelm from Google’s Project Zero has written a very detailed write-up on an authentication bypass he found in the Amazon Web Services (AWS) and Google Cloud Platform (GCP) integration of HashiCorp Vault. As a central storage of credentials, Vault makes an attractive target for attackers, and therefore a vulnerability in it is also very bad news. Looking for the silver linings, this attack was definitely quite advanced, and thus not easily exploitable.