Top 10 OWASP application security best recommendations

There are many bugs, flaws, vulnerabilities and more when it comes to cyber security challenges and philosophies.

Below are the OWASP top 10:

1> Injection:

– Injection flaws include SQL, OS, and LDAP injection

– Injections occur when untrusted data is sent to an interpreter as part of a command or query

– The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization

2> Broken Authentication and Session Management:

– Application functions related to authentication and session management are often not implemented correctly, allowing an attacker to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities

3> Cross-Site Scripting (XSS):

– XSS flaws occur when an application takes untrusted data and sends it to a web browser without proper validation or escaping

– XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites

4> Insecure Direct Object Reference:

– A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key

– Without an access control check or other protection, attackers can manipulate these references to access unauthorized data

5> Security Misconfiguration:

– Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform

– Secure settings should be defined, implemented, and maintained, as defaults are often insecure

– Software should be kept up to date

6> Sensitive Data Exposure:

– Some web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Think PII and more.

– Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes

– Sensitive data deserves extra protection such as encryption at rest or in transit

– Special precautions should be taken when sensitive data is exchanged with the browser

7> Missing Function Level Access Control:

– Most web applications verify function-level access rights before making that functionality visible in the UI

– Applications need to perform the same access control checks on the server when each function is accessed

– If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization

8> Cross-Site Request Forgery (CSRF):

– A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application

– This allows the attacker to force the victim’s browser to generate requests that the vulnerable application thinks are legitimate requests from the victim

9> Using Components with Known Vulnerabilities

– Components, such as libraries, frameworks and other software modules, almost always run with full privileges

– If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover

– Application components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts

10> Unvalidated Redirects and Forwards

– Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages

– Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages
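The list above describes each flaw in prose. The Python module below is an added example, not code from OWASP or from the original post, showing the vulnerable form next to the hardened form for five of the items: injection (A1), XSS (A3), insecure direct object reference (A4), CSRF (A8) and unvalidated redirects (A10). Everything in it is constructed for the example: the in-memory users table, the invoice records, the session secret and the allow-listed host app.example.test are assumptions, not values from the post.

```python
import hashlib
import hmac
import html
import sqlite3
from urllib.parse import urlparse


# A1 Injection. Constructed in-memory table; nothing here talks to a real server.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_vulnerable(db, name):
    # Untrusted input is pasted into the query text, so the interpreter cannot
    # tell data from command: quotes inside `name` change the meaning of the SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, name):
    # Parameterised query: the driver binds `name` as a value, never as SQL text.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# A3 XSS. Escaping on output neutralises markup in untrusted data before it
# reaches the browser; the vulnerable version sends it through unchanged.
def render_greeting_vulnerable(name):
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# A4 Insecure Direct Object Reference. The invoice id is a direct reference to a
# database key; the fix is an ownership check on every access, not hiding the id.
INVOICES = {  # constructed sample data
    101: {"owner": "alice", "total": 120},
    102: {"owner": "bob", "total": 45},
}


def get_invoice(current_user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    # Same answer (None -> HTTP 404) whether the record is missing or belongs to
    # someone else, so the caller cannot enumerate other users' ids.
    if invoice is None or invoice["owner"] != current_user:
        return None
    return invoice


# A8 CSRF. A per-session token derived from a server-side secret; forms carry it
# and the server compares it in constant time before acting on a state change.
def make_csrf_token(secret: bytes, session_id: str) -> str:
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(secret: bytes, session_id: str, submitted: str) -> bool:
    return hmac.compare_digest(make_csrf_token(secret, session_id), submitted)


# A10 Unvalidated Redirects. Only same-site relative paths or absolute https URLs
# to an explicit allow-list of hosts are accepted; anything else falls back to "/".
ALLOWED_HOSTS = {"app.example.test"}  # assumption: the application's own host


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    if "\\" in next_url:  # browsers treat "/\" like "//", so reject backslashes outright
        return default
    parts = urlparse(next_url)
    if parts.scheme == "" and parts.netloc == "" and next_url.startswith("/"):
        return next_url  # relative path; "//host/x" has a netloc and is rejected here
    if parts.scheme == "https" and parts.netloc in ALLOWED_HOSTS:
        return next_url
    return default
```

Each pair is deliberately minimal so the difference is the only thing that changes: the query text, the escaping call, the ownership check, the token comparison, the destination allow-list.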

Bluetooth is bad.

Bluetooth makes life easier. It’s the IOT connectivity easy button. It made it quick and easy to connect your iPhone or Android, smart earbuds, smart speakers, car radios, smart lightbulbs, smart fridges and even smart toaster ovens. But Bluetooth and Bluetooth Low Energy are very problematic for reasons more serious than pairing issues.

Bluetooth has been proven time and time again to be a security and privacy nightmare. Security professionals and hackers think of it as a bad word. Or awesome tech if they are capitalizing on the vulnerabilities.

The Def Con hacker conference, in Las Vegas, just finished up, and one of the recommendations given to attendees was to make sure Bluetooth is disabled on their phones. Yes, the advice given for this conference is: don’t turn on Bluetooth, or turn it off.

Think about that the next time you want to leave Bluetooth enabled.

Is this all just more clickbait fake news fear mongering, like Elon Musk loving to hear himself speak about the end of the world? Not exactly.

This isn’t nuking Mars, or an asteroid destroying Earth, or AI robots turning into Skynet scare tactics. Bluetooth is really poorly designed and built when it comes to security.

It’s been shown at various conferences and events, in blog posts and in YouTube videos that hackers and security professionals can use Bluetooth to identify vulnerable medical devices and digital speakers, and to hack into your now always-connected car. Hackers, or bored tech-savvy thirteen year olds, could take control of these devices and force them to play dangerous sounds, mess with heartbeat monitoring devices, turn a car off or lead it astray. The nation state or ransomware bad guy hackers are one thing, but some script kiddie just learning isn’t even out to really harm anybody. Except they accidentally would in some of these instances.

Earlier this year researchers announced a flaw that could allow hackers to both intercept and alter data sent over Bluetooth. Talk about data security and privacy concerns. An attacker is able to listen in on, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired.

There are other stories and media reports where many stores like Walmart or Target or a grocery store now use Bluetooth beacons to track the location of individual shoppers down to the inch. That information is collected, analyzed and often sold or given to advertisers, who then use it to build data profiles on unwitting people just trying to buy some shampoo or socks or a bottle of water.

Many people keep Bluetooth enabled all the time. It makes life easier to pair and connect. Who wants to go to their phone settings or home security settings, enable Bluetooth and then pair it with the other device every time they want to use their headphones or get into a car? But by having Bluetooth always on and always connected, you open yourself up to these potential hacks, abuses, and privacy violations.

What’s the solution to fix these Bluetooth vulnerabilities and challenges?

Well, that’s simple. You just have to turn Bluetooth off. Use it when you must; disable it or turn it off the rest of the time. Problem solved. It’s not exactly comforting, but it is what it is for now.

Why the Internet of Life Saving Things (IoLST) is the future

Another day and another internet of everything talk or article or conversation. Yet helping save lives and cleaning up the environment and improving our communities is not only key for a better tomorrow, but any tomorrow.

What is this Internet of Life Saving Things (IoLST) anyway?

It falls under the umbrella of the Internet of Things, also known as IOT, but geared toward solutions for the public safety and first responders sector.

IoLST is all about helping save lives and improving communities through digital transformative processes and automation. It may include emerging technologies like blockchain, AI, IOT, LoRaWAN, software defined radio, quantum computing, digital twins, augmented and virtual reality, smart sensors and devices, the cloud, mesh networking, as well as 3D printing. But it’s not just about technology and normal city government and business processes.

It’s all about the people and their communities. Digital transformation doesn’t work without the people. And the Internet of Life Saving Things helps save lives and improve communities by making sure the first responders, healthcare professionals, and city and community officials can protect the people and their property. The technology aspect helps make their jobs a little less chaotic and more efficient.

It’s enabling communities to be better prepared for natural and man-made disasters as well as normal everyday occurrences.

IoLST and smarter communities are all about living and breathing the ideals and philosophies of a better, healthier, and safer today and tomorrow. Every neighborhood can be a safer, cleaner and self-sufficient thriving community.

IoLST products and solutions could improve police officers’ ability to gather evidence and solve crimes. IoLST solutions can help accelerate the response of EMS personnel to motor vehicle collisions.

The digital transformation aspect helps protect firefighters from harm, or even alert healthcare professionals to dangerous changes to the vital signs of their patients recovering from an emergency while at home. 

IoLST products and solutions expand upon normal tech, IOT tech and everyday city-wide daily processes. Smarter connected street lamps and traffic lights. CCTV, tiny cameras, wearables like Fitbits and Apple Watches, and drones all help transform a community.

Going even further, Deep Edge IoLST products, solutions and applications may use mesh networking, 5G, as well as small, processing- and power-constrained edge devices that are deeply embedded in assets: they will monitor a police officer’s heartbeat, track a city’s automobile and foot traffic, and help paramedics measure vital signs.

Sensors and actuators can detect a vehicle collision at a busy intersection and automatically propose detours.

The Internet of Life Saving Things is here. It’s coming. It’s Tomorrow already today.

Skills gap for blockchain, AI, & IOT

“Most of the IOT | AI | blockchain | digital transformation projects fail”

Years ago, when I was doing data warehousing and business intelligence, you heard this failure story. You heard about Excel spread-marts. You heard about most master data management projects failing. Then it became big data, Hadoop and data lakes that didn’t work out. Now you hear it for blockchain and IOT and AI and RPA and digital transformation projects.

It comes down to people, processes and technology. And understanding what works and what doesn’t work. And having executive sponsors buy in to these transformations. But we also need to have a real, honest assessment of your organization’s strengths, weaknesses, challenges, plans and goals.

People hated IT and IT operations for years because nobody understood what they did and everything took so long. AWS and the cloud made things simple: point and click and ignore IT. Ignore security, or how most of these things work, or what they really cost too.

And hey, here comes agile and scrum and Kanban, and be gone with legacy waterfall minders. But many companies introduced some faux agile methodology or never bought into it at all. It just sounded better to have developers do 2 week sprints.

Blockchain, AI, IoT and digital transformation projects have many other challenges on top of the normal IT and emerging tech challenges. A global study found the majority (56%) of unsuccessful digital transformation and IOT projects were considered a failure within a few months. That’s a few months.

Can you determine real success rates in a month or two?

Especially when trying to transform a business or introduce edge IOT smart computing that helps change the way a business does things? Probably not.

But pilots and POCs need to disrupt something in a couple of two week sprints or it’s deemed useless. Oh and business requirements, who really cares about them. Just disrupt something. Or stop us from being disrupted.

Why the rush, and how to fix it?

Well, a major challenge has always been finding the right people with the right skills at the right cost to implement some emerging tech. That’s no different for these digital transformation projects.

Good people cost too much. Offshore the work to people and firms who are cheaper, who claim they have all the experts in everything, yet somehow try to implement AI using Java Enterprise Edition. And then deliver a rules engine with no artificial intelligence. So you hire another cheap offshore firm. They use Python and AWS. But they don’t care about your business or data, and the AI results stink. And it’s useless. Try again. That process is not going to be successful.

Security and data privacy are huge concerns now. Especially with vulnerable IOT devices. Costs are always a factor. But hiring the right employees or contractors to implement a successful digital transformation project is a huge challenge.

Train up people? Outsource more? Get the right business leaders to participate and buy in. These days you can’t just throw it all to “IT” and then blame them when half these processes don’t work while business leaders just punt.

At Pagarba we know many government organizations, hospitals, manufacturers and businesses are serious about digital transformation with blockchain, AI, IoT and the cloud.

We get things done. And done right.

What do you need security APIs for?

This, that and the other thing: what are security APIs really good for?

For one, detecting and cleaning malware and viruses. Many malware API services are useful for detecting types of malicious files and code injections in web applications.

Get notifications and alerts quickly when a new application is infected with some 3rd party illegal code.

The second use of security APIs is being able to explore your attack surface.

Certain security APIs allow you to explore and audit DNS records, IP addresses and domain names.

This, in turn, enables you to find abnormal changes to your DNS infrastructure and possibly prevent harmful activities such as domain hijacking. Other possibilities include finding stale DNS records, reviewing SSL certificate information, etc.
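To make the DNS auditing use case concrete, here is an added Python example. It is not code from any security API vendor or from Pagarba; it runs the three checks named above (abnormal record changes, stale records, certificate expiry) over constructed snapshots held in plain dictionaries, which stand in for what a security API would return. All names, addresses, dates and the "resolvable targets" set are constructed for the example.

```python
from datetime import date

# Constructed DNS snapshots: (record name, record type) -> set of values.
# BASELINE is what you recorded last audit; CURRENT is what the API returns now.
BASELINE = {
    ("example.test", "NS"): {"ns1.example.test", "ns2.example.test"},
    ("example.test", "MX"): {"10 mail.example.test"},
    ("www.example.test", "A"): {"203.0.113.10"},
    ("old-blog.example.test", "CNAME"): {"blog.hosting-provider.test"},
}
CURRENT = {
    ("example.test", "NS"): {"ns1.example.test", "ns9.unknown-host.test"},
    ("example.test", "MX"): {"10 mail.example.test"},
    ("www.example.test", "A"): {"203.0.113.10"},
    ("old-blog.example.test", "CNAME"): {"blog.hosting-provider.test"},
}

# Changes to delegation or mail routing are the classic hijacking indicators,
# so they are rated higher than a changed A record.
HIGH_RISK_TYPES = {"NS", "MX", "SOA"}


def diff_dns(baseline, current):
    """Return one finding per record set whose values changed between snapshots."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name, rtype = key
        before = baseline.get(key, set())
        after = current.get(key, set())
        if before == after:
            continue
        findings.append({
            "name": name,
            "type": rtype,
            "severity": "high" if rtype in HIGH_RISK_TYPES else "medium",
            "added": sorted(after - before),
            "removed": sorted(before - after),
        })
    return findings


# Constructed: hostnames that still resolve according to the API. A CNAME whose
# target is not in this set is a dangling ("stale") record.
RESOLVABLE = {"ns1.example.test", "ns2.example.test", "mail.example.test"}


def stale_cnames(records, resolvable):
    """Names whose CNAME target no longer resolves."""
    return sorted(
        name
        for (name, rtype), values in records.items()
        if rtype == "CNAME" and any(target not in resolvable for target in values)
    )


# Constructed certificate inventory: host -> notAfter date.
CERTS = {
    "www.example.test": date(2024, 2, 1),
    "api.example.test": date(2025, 6, 1),
}


def expiring_certs(certs, today, within_days=30):
    """Hosts whose certificate expires within `within_days` of `today`."""
    return sorted(host for host, not_after in certs.items()
                  if (not_after - today).days <= within_days)


if __name__ == "__main__":
    for finding in diff_dns(BASELINE, CURRENT):
        print(finding)
    print("stale:", stale_cnames(CURRENT, RESOLVABLE))
    print("expiring:", expiring_certs(CERTS, date(2024, 1, 15)))
```

In practice BASELINE is stored from the previous run and CURRENT is filled from the API response, so the diff is the alert: an unexpected NS value showing up, as in the constructed snapshot, is exactly the signal you want before a hijack is complete, and the dangling CNAME is the stale record the post mentions.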

Third on our list is being able to explore the reputation of a website.

This type of security API is useful for detecting phishing domains or discovering pages that are related to uncommon downloads, infected networks, etc.

Fourth on our list is fraud investigations.

If you work for a public or private security agency, security APIs will enable you to research various fraudulent activities and help track down the culprits behind them. Integrate some text analytics, NLP and machine learning functions to help find and discover outliers.

Fifth is monitoring your brand and reputation.

Plenty of big time and smaller influencers care about this. Small, medium and large commercial enterprises worry about brand reputation in various ways, especially with social media outbursts by employees, founders and executives, fake news and deepfake videos. So monitoring and keeping an inventory of your brand’s reputation is paramount.

In an era where everyone wants to be a thought leader, life coach or Instagram influencer, is someone using your name illegally? Better to find and report illegal usage of any brand name or trademark registered by you or your company within seconds rather than a week later.

Sixth can be something like finding and researching copyright violations.

Quick search and analysis of 3rd party websites that are using your copyrighted materials is helpful. This may mean locating the IP addresses, Internet archives, domain names and historical web hosting records to find the real people behind these illegal operations.

We all know the seventh use case: bug bounty programs and rewards have been a popular thing in crypto and blockchain. Developers and hackers participate in these bug bounty programs to show their skills and possibly earn money or a job with their knowledge and skills. Security APIs are the perfect tool for these white hat hackers seeking valuable reconnaissance information about the targets they are authorized to test. Even capture the flag style events can be fun and interesting.

So there you go: security APIs and what they can be used for. Pagarba does IOT and hospital security audits, medical device and IOT penetration testing, as well as facility security risk assessments.