Reply needed 1
Input validation ensures that a website has the correct data and no harmful changes have been made. In other words, it prevents improperly formed data from entering a system. According to Whitehatsec, input validation is “the proper testing of any input supplied by a user or application. Input validation prevents improperly formed data from entering an information system.” Input validation should be performed on any external data. The most common areas of vulnerability are from data, query strings and cookies. Failing to do proper input inspection can lead to vulnerabilities like attacks and compromised systems.
Input validation minimizes 3 major attacks, which are input validation attacks, cross-site scripting attacks and SQL injection attacks. SQL injections are the most common type of web application attacks. They consist of injecting malicious SQL code into a database to get a response and gain unauthorized access to data. Input validation minimizes this threat by detecting any malicious code coming from an external source. Input validation is only one method of protection against SQL injection attacks. It should be used in addition to other security methods like firewalls, regular system testing and access privileges.
References
Input Validation. (n.d.). Retrieved October 14, 2020, from https://www.whitehatsec.com/glossary/content/input-validation
Vonnegut, S. (2018, September 03). 3 Ways to Prevent XSS: Checkmarx Application Security. Retrieved October 14, 2020, from https://www.checkmarx.com/2017/10/09/3-ways-prevent-xss/
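The first reply says input validation should be used alongside other protections against SQL injection. The following Python example is added here to show what that layering looks like in code; it is not from the post or its sources. It builds an in-memory SQLite table of constructed sample users and contrasts a query assembled from raw input with a query that first checks the input against an allow-list pattern and then passes it as a bound parameter. The table layout, sample rows and username pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; not data from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Allow-list for a username: a lowercase letter, then 2-31 letters, digits or underscores.
# Assumed format for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(value):
    """Input validation step: accept only strings that match the allow-list pattern."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_email_unsafe(conn, username):
    """Builds the SQL text from raw input, so the input can change the query's meaning."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_param_only(conn, username):
    """Parameter binding alone: the driver sends the input as data, never as SQL text."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_email_safe(conn, username):
    """Defense in depth: reject malformed input first, then bind the parameter."""
    if not is_valid_username(username):
        raise ValueError("rejected: username does not match the allowed format")
    return lookup_email_param_only(conn, username)


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # constructed malformed input
    print("unsafe   :", lookup_email_unsafe(db, crafted))      # every row comes back
    print("bound    :", lookup_email_param_only(db, crafted))  # [] - treated as a literal name
    print("validated:", is_valid_username(crafted))            # False - never reaches the DB
```

Binding the parameter is what actually keeps the input out of the SQL grammar; the allow-list check in front of it enforces the data format the application expects, which is the "improperly formed data" point the reply makes, and it gives you a clean place to log and reject bad input before it touches the database.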
Reply 2 Needed:

Practicing secure coding techniques is one of the most significant contributing factors that help produce software with fewer vulnerabilities. There are a number of coding standards available for developers to apply to their methodology depending upon which programming language they are using; however, many of these standards are lacking the depth of focus on security matters. According to Robert Seacord from the Software Engineering Institute, many of the available coding standards pertain to style issues, like PEP 8 for Python, instead of practices that would help reduce vulnerabilities (2014). Seacord continues by highlighting a difference in what is provided by CERT, stating, “CERT secure coding standards focus on identifying unsafe, unreliable, and insecure coding practices, such as those that resulted in the Heartbleed vulnerability” (2014). This is an important difference between style guides, where the primary concern is promoting readability between programmers and, as a secondary benefit, potentially helping avoid errors, and secure coding guides, which solely focus on avoiding introducing errors and vulnerabilities into the code.
One coding practice of particular importance when designing software and systems is access control. Access control finds itself not only on the OWASP secure coding checklist, but it is also among the Top 10 Secure Coding Practices provided by the Software Engineering Institute at Carnegie Mellon University. While some might not refer to it plainly as access control, it is nevertheless defined similarly across various coding guidelines and best practices. Deferring to OWASP first, access control (or authorization) is the process by which resources are allocated accordingly based on permission levels associated with user identities (n.d.). This is typically determined through defined enforcement policies used to determine the level of action one can take on specific resources. One of the most common examples is the capabilities a user can take on a file. If one were to check the permission capabilities in the command line of Linux, they would likely see output indicating read, write, execute, create, and delete, or some combination thereof. Additionally, OWASP points out the following: “However, there are other operations that could be considered ‘meta-operations’ that are often overlooked — particularly reading and writing file attributes, setting file ownership, and establishing access control policy to any of these operations” (n.d.). Access control comes down to establishing ways to govern how subjects are allowed to interact with objects. The subjects do not necessarily have to be users; they can also be devices or software processes themselves. What is important when attempting to practice sound coding techniques to reduce vulnerabilities is to identify who or what should have access to a resource and the level of access they should be granted.
Furthermore, when implementing access control within the code the common standard used across the industry is the Principle of Least Privilege. According to the number 6 secure coding practice provided by SEI, “Every process should execute with the least set of privileges necessary to complete the job. Any elevated permission should only be accessed for the least amount of time required to complete the privileged task” (Seacord, 2018). The goal of this principle is to reduce the likelihood of an attacker being able to exploit a vulnerability with elevated privileges on a system. Elevated privileges are often seen as a primary first step for an attacker to be able to proceed with accomplishing their ultimate objective, such as data exfiltration. To address problems like this, access control can be used under a few different models:
• Discretionary Access Control – access is based on identity and need-to-know privilege; can be passed on to other subjects.
• Mandatory Access Control – access is based on the sensitivity level of the resources; security settings and access are restricted from being passed to other subjects.
• Role-based Access Control (RBAC) – access is determined by the role or group a subject falls into based on the organizational mapping.
• Attribute-based Access Control (ABAC) – access is based on information attributes associated with the requesting subject, the resource requested, or the context of the request actions (OWASP, n.d.).

Outside of the model being used, access control from a software development context needs to align with stakeholder requirements. The ongoing problem is that security is often an afterthought or not natively included in the specific programming language being used.
Lastly, digging deeper into some of the vulnerabilities access control mechanisms help solve, limiting web applications from running code outside the scope of what should be running in an environment is a major benefit. OWASP highlights that Java and .NET are notorious for running with permissions allowing elevated trust levels to run any code (n.d.). Access control mechanisms can be used specifically with code access security in mind to limit risk when untrusted code is introduced. Additionally, access control checks can help prevent instances of spoofing and identify abnormalities in systems access, such as long session times. Overall, the primary focus of access control is preventing instances of privilege escalation. Broken access control within the software can increase the likelihood of an attacker either horizontally or vertically elevating privileges. The impact of such a scenario, as provided by Packet Labs: “An adversary can steal information accessed by users of the application, manipulate data by performing actions that various user roles can perform within the application, and in certain circumstances compromise the web server” (n.d.). This can allow an attacker to escalate their attack further depending upon their goal. It is no wonder that access control is such an important secure coding technique and is presented as 5th on the 2017 OWASP Top 10 rankings.
References
OWASP Foundation, Inc. (n.d.). Access Control. https://owasp.org/www-community/Access_Control.
OWASP Foundation, Inc. (2010, November). OWASP secure coding practices quick reference guide. https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf.
Packet Labs. (n.d.). Broken access control: Hidden Exposure for Sensitive Data. https://www.packetlabs.net/broken-access-control/.
Seacord, R. (2014, May 5). Secure coding to prevent vulnerabilities. Software Engineering Institute, Carnegie Mellon University. https://insights.sei.cmu.edu/sei_blog/2014/05/secure-coding-to-prevent-vulnerabilities.html.
Seacord, R. (2018). Top 10 secure coding practices. Software Engineering Institute, Carnegie Mellon University. https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices.
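The second reply lists the DAC, MAC, RBAC and ABAC models, notes that "meta-operations" such as setting ownership or policy are easily overlooked, and frames broken access control as the path to horizontal or vertical privilege escalation. The Python example below is added to show how those ideas combine in a single deny-by-default authorization check; it is not code from the post, from OWASP or from SEI. The role table, the clearance/sensitivity attributes, the owner-maintained ACL and the rule that meta-operations require ownership are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]   # RBAC: which roles the subject holds
    clearance: int          # ABAC/MAC-style attribute compared against resource sensitivity


@dataclass
class Resource:
    resource_id: str
    owner: str              # DAC: the owner may pass grants on to other subjects
    sensitivity: int
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user_id -> operations granted


# Assumed role-to-operation table for this example (RBAC). Nothing here is
# permitted unless a role lists it, which is the deny-by-default posture.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write", "set_acl"},
    "admin": {"read", "write", "delete", "set_acl", "set_owner"},
}

# Operations on the access policy itself (the "meta-operations" the reply mentions).
META_OPERATIONS = {"set_owner", "set_acl"}


def authorize(subject: Subject, resource: Resource, operation: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; any miss denies."""
    # 1. RBAC: the operation must appear in at least one of the subject's roles.
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    if operation not in permitted:
        return False, "role does not permit operation"
    # 2. Attribute rule: sensitivity may never exceed clearance, even for admins.
    if resource.sensitivity > subject.clearance:
        return False, "resource sensitivity exceeds subject clearance"
    is_owner = resource.owner == subject.user_id
    # 3. Meta-operations can only be performed by the owner; grants cannot delegate them.
    if operation in META_OPERATIONS:
        return (True, "owner meta-operation") if is_owner else (False, "meta-operation requires ownership")
    # 4. DAC: otherwise the subject needs ownership or an explicit grant on this resource.
    if is_owner or operation in resource.acl.get(subject.user_id, set()):
        return True, "owner or explicit grant"
    return False, "no grant for subject on this resource"


def grant(resource: Resource, granter: Subject, grantee_id: str, operations: Set[str]) -> None:
    """DAC delegation: only a subject authorized for set_acl (the owner) may add grants."""
    allowed, reason = authorize(granter, resource, "set_acl")
    if not allowed:
        raise PermissionError(reason)
    resource.acl.setdefault(grantee_id, set()).update(operations)


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"editor"}), clearance=2)
    bob = Subject("bob", frozenset({"editor"}), clearance=1)
    doc = Resource("doc1", owner="alice", sensitivity=1)
    print(authorize(bob, doc, "write"))   # denied: same role, different user
    grant(doc, alice, "bob", {"read"})
    print(authorize(bob, doc, "read"))    # allowed after the owner's grant
    print(authorize(bob, doc, "set_acl")) # denied: meta-operation, not the owner
```

Two checks in the block map directly to the escalation cases in the reply: the ownership/ACL rule stops a user of the same role from reaching another user's resource (horizontal), and keeping the clearance rule ahead of any role privilege means an "admin" role alone does not unlock higher-sensitivity data (vertical).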
Reply 3 Needed

The OWASP Secure Coding Quick Reference Guide (2010) lists “cryptographic practices” on its checklist. Security-minded developers want to ensure their applications are keeping data secure while in transit to prevent unauthorized disclosure of information. Software developers need to design applications to decrypt data before processing it, re-encrypt the data before storing it, and flush any remnants of data from memory when finished (Gibson, 2017). Failure to properly encrypt data can leave it open to malicious actors to harvest. This can lead to sensitive data being stolen and personally identifiable information (PII) being leaked.
Certificates and code signing can also fall into proper “cryptographic practices” for secure coding practices. Certificates are commonly used for authenticating users and servers during Internet use, but they can also be used to validate software code (Gibson, 2017). Developers may purchase a certificate and associate it with the application in a process known as “code signing” (Gibson, 2017). Code signing provides a digital signature while the certificate proves a hash of the code (Gibson, 2017). The hash proves no modification has taken place. If any malware changes the code, the user will be alerted and can safely stop using the application.
References:
Gibson, D. (2017). CompTIA Security+: Get certified get ahead: SY0-501 study guide. Virginia Beach, VA: YCDA, LLC.
OWASP secure coding practices quick reference guide. (2010, November). Retrieved from https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
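The third reply describes code signing as a hash of the code plus a signature over it, checked before the code is trusted. The Python example below is added to show that verify-before-load flow; it is not from the post or from Gibson. Because the standard library has no public-key signature primitive, an HMAC under a shared key stands in for the certificate-backed signature here (a real signing scheme would use the publisher's private key and the certificate's public key); the artifact bytes, the manifest layout and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Hash of the artifact; this is the value the signature actually covers."""
    return hashlib.sha256(data).hexdigest()


def _manifest_payload(signer: str, digest: str) -> bytes:
    # Canonical encoding so signer and verifier sign exactly the same bytes.
    return json.dumps({"signer": signer, "sha256": digest}, sort_keys=True).encode()


def sign_artifact(artifact: bytes, signing_key: bytes, signer: str) -> dict:
    """Publisher side: hash the code, then sign (signer, hash). HMAC stands in for a
    certificate-backed signature in this example."""
    digest = sha256_hex(artifact)
    sig = hmac.new(signing_key, _manifest_payload(signer, digest), hashlib.sha256).hexdigest()
    return {"signer": signer, "sha256": digest, "sig": sig}


def verify_artifact(artifact: bytes, manifest: dict, verify_key: bytes) -> bool:
    """Consumer side: check the signature over the manifest, then check that the
    artifact still hashes to the signed value. Both comparisons are constant-time."""
    expected_sig = hmac.new(
        verify_key, _manifest_payload(manifest["signer"], manifest["sha256"]), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return False  # manifest was not produced by the key we trust
    return hmac.compare_digest(sha256_hex(artifact), manifest["sha256"])


def load_if_trusted(artifact: bytes, manifest: dict, verify_key: bytes) -> bytes:
    """Gate used by the consumer: refuse to use code that fails verification."""
    if not verify_artifact(artifact, manifest, verify_key):
        raise ValueError("artifact failed signature/hash verification; refusing to load")
    return artifact


if __name__ == "__main__":
    KEY = b"constructed-demo-key"            # constructed; not a real signing key
    code = b"print('hello world')\n"         # constructed artifact
    manifest = sign_artifact(code, KEY, "Example Publisher")
    print("original verifies:", verify_artifact(code, manifest, KEY))
    tampered = code + b"import os\n"
    print("modified verifies:", verify_artifact(tampered, manifest, KEY))
```

The order of the two checks matters: the signature is verified first so that an attacker who edits both the code and the hash in the manifest is still caught, which is why the hash on its own, without a signature tied to a trusted key, is not enough.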
RUBRIC
Quality-of-response levels: No response / Poor (unsatisfactory) / Satisfactory / Good / Excellent

Content (worth a maximum of 50% of the total points)
• Zero points: Student failed to submit the final paper.
• 20 points out of 50: The essay illustrates poor understanding of the relevant material by failing to address or incorrectly addressing the relevant content; failing to identify or inaccurately explaining/defining key concepts/ideas; ignoring or incorrectly explaining key points/claims and the reasoning behind them; and/or incorrectly or inappropriately using terminology; and elements of the response are lacking.
• 30 points out of 50: The essay illustrates a rudimentary understanding of the relevant material by mentioning but not fully explaining the relevant content; identifying some of the key concepts/ideas though failing to fully or accurately explain many of them; using terminology, though sometimes inaccurately or inappropriately; and/or incorporating some key claims/points but failing to explain the reasoning behind them or doing so inaccurately. Elements of the required response may also be lacking.
• 40 points out of 50: The essay illustrates solid understanding of the relevant material by correctly addressing most of the relevant content; identifying and explaining most of the key concepts/ideas; using correct terminology; explaining the reasoning behind most of the key points/claims; and/or where necessary or useful, substantiating some points with accurate examples. The answer is complete.
• 50 points: The essay illustrates exemplary understanding of the relevant material by thoroughly and correctly addressing the relevant content; identifying and explaining all of the key concepts/ideas; using correct terminology; explaining the reasoning behind key points/claims; and substantiating, as necessary/useful, points with several accurate and illuminating examples. No aspects of the required answer are missing.

Use of Sources (worth a maximum of 20% of the total points)
• Zero points: Student failed to include citations and/or references, or the student failed to submit a final paper.
• 5 out of 20 points: Sources are seldom cited to support statements and/or the format of citations is not recognizable as APA 6th Edition format. There are major errors in the formation of the references and citations, and/or there is a major reliance on highly questionable sources. The student fails to provide an adequate synthesis of research collected for the paper.
• 10 out of 20 points: References to scholarly sources are occasionally given; many statements seem unsubstantiated. Frequent errors in APA 6th Edition format leave the reader confused about the source of the information. There are significant errors in the formation of the references and citations, and/or there is a significant use of highly questionable sources.
• 15 out of 20 points: Credible scholarly sources are used effectively to support claims and are, for the most part, clear and fairly represented. APA 6th Edition is used with only a few minor errors. There are minor errors in references and/or citations, and/or there is some use of questionable sources.
• 20 points: Credible scholarly sources are used to give compelling evidence to support claims and are clearly and fairly represented. APA 6th Edition format is used accurately and consistently. The student uses above the maximum required references in the development of the assignment.

Grammar (worth a maximum of 20% of the total points)
• Zero points: Student failed to submit the final paper.
• 5 points out of 20: The paper does not communicate ideas/points clearly due to inappropriate use of terminology and vague language; thoughts and sentences are disjointed or incomprehensible; organization is lacking; and/or there are numerous grammatical, spelling and punctuation errors.
• 10 points out of 20: The paper is often unclear and difficult to follow due to some inappropriate terminology and/or vague language; ideas may be fragmented, wandering and/or repetitive; poor organization; and/or some grammatical, spelling and punctuation errors.
• 15 points out of 20: The paper is mostly clear as a result of appropriate use of terminology and minimal vagueness; no tangents and no repetition; fairly good organization; almost perfect grammar, spelling, punctuation, and word usage.
• 20 points: The paper is clear, concise, and a pleasure to read as a result of appropriate and precise use of terminology; total coherence of thoughts and presentation and logical organization; and the essay is error free.

Structure of the Paper (worth 10% of the total points)
• Zero points: Student failed to submit the final paper.
• 3 points out of 10: Student needs to develop better formatting skills. The paper omits significant structural elements required for an APA 6th edition paper. Formatting of the paper has major flaws. The paper does not conform to APA 6th edition requirements whatsoever.
• 5 points out of 10: Appearance of the final paper demonstrates the student’s limited ability to format the paper. There are significant errors in formatting and/or the total omission of major components of an APA 6th edition paper. These can include the omission of the cover page, abstract, and page numbers. Additionally, the paper has major formatting issues with spacing or paragraph formation. Font size might not conform to size requirements. The student also writes a paper that is significantly too long or too short.
• 7 points out of 10: The research paper presents an above-average use of formatting skills. The paper has slight errors. These can include small errors or omissions with the cover page, abstract, page numbers, and headers. There could also be slight formatting issues with the document spacing or the font. Additionally, the paper might slightly exceed or undershoot the specific number of required written pages for the assignment.
• 10 points: Student provides a high-caliber, formatted paper. This includes an APA 6th edition cover page, abstract, page numbers, headers, and is double spaced in 12-point Times Roman font. Additionally, the paper conforms to the specific number of required written pages and neither goes over nor under the specified length of the paper.