Published by Elijah Cornelius Norris. Modified over 9 years ago.
1
Mr. Justin “JET” Turner
CSCI 3000 – Fall 2015
CRN 6710 – Section A – TR 9:30-10:45
CRN 10570 – Section B – TR 5:30-6:45
2
OWASP Top 10 – Data Exposure
Sensitive Data Exposure
- Stored in clear text (especially in backups)
- Transmitted in clear text (including internally)
- Old/weak algorithms
3
OWASP Top 10 – Access Control
Missing Function Level Access Control
- The UI contains links to functions the user is not authorized to use
- Authentication checks are missing
- The server relies only on information provided by the client for its checks
4
OWASP Top 10 – CSRF
Cross-Site Request Forgery
- State-changing functions are the focus of this kind of attack
- The attacker sends a forged page request, with known, predictable variables, that makes the application do something the user did not intend
- Think of someone logged into their bank in one tab while browsing the internet in another: they click a malicious link, and it causes funds to be transferred out of their bank account
5
OWASP Top 10 – Vulnerabilities
Using Components with Known Vulnerabilities
- Generally speaking, keeping your software up to date prevents this
- Sometimes a security patch is released, but it is not specific about which versions of the software it applies to, and you may not realize you need it
- This is especially difficult with open source software that does not maintain a clear, readable list of patches and the versions they should be applied to
6
OWASP Top 10 – Redirects
Unvalidated Redirects and Forwards
- If your code performs a redirect, hard code where the redirect will go
- If you must decide the destination based on user input, properly validate the information provided
- If the user can pass in the page they want to be redirected to, maintain a whitelist of allowed pages to redirect to
7
OWASP Top 10
- Many of the top 10 vulnerabilities are fairly bad on their own, but significantly worse when combined with others
- A series of these issues in your application can cause major problems over time, as attackers discover them
8
Security Implications
Vulnerabilities in your system can have several different consequences:
- System outage (due to data destruction, etc.)
- User issues with using the system
- Damage to the reputation of the parent company
- System vandalism (injected advertisements for competitors, etc.)
- Theft of data (sensitive or otherwise)
- Loss of revenue
9
Lab 8 – Web Security
- Create two (2) web pages
- Page 1 should contain an example of a form vulnerable to SQL Injection
- Page 2 should contain the exact same form with the vulnerability prevented
- Include the links to both pages and an example of what to enter to see a safe SQL Injection
- Ensure that I can see how the SQL Injection succeeds/fails
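The two form handlers the lab asks for, side by side, as an added example that is not part of the slides: the Page 1 handler builds the SQL text by string concatenation, the Page 2 handler uses a parameterized query. The user table, the sqlite3 in-memory database, the account names and the test input are all constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Page 1 style: the form fields are pasted into the SQL text, so any
    quotes or keywords the user types become part of the query itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Page 2 style: a parameterized query. The driver sends the values
    separately from the SQL text, so input is always treated as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both handlers on a normal login, on the classic tautology input
    the lab demo uses, and on a legitimate name containing an apostrophe."""
    conn = make_db()
    inj = "' OR '1'='1"  # constructed input for the lab demonstration
    results = {
        "vuln_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, inj, inj),  # logs in as alice
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, inj, inj),        # no match
        "safe_apostrophe": login_safe(conn, "o'brien", "hunter2"),
    }
    try:
        # The concatenated query breaks on an ordinary apostrophe: a quick
        # way to spot this bug during testing, even before any injection.
        login_vulnerable(conn, "o'brien", "hunter2")
        results["vuln_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "sql error"
    return results
```

The vulnerable handler returns a user for the tautology input, so the login "succeeds" without a valid password; the parameterized handler returns nothing for the same input and still handles the apostrophe in a real name.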
10
Next Week
Thu Nov 19 – Lab/Term Project working day
Reminders:
- Lab 8 – Web Security is due on Dec 3rd
- Term Project is due on Dec 10th
- If you want partial credit for any assignments, the last day they will be accepted is Dec 3rd at midnight; D2L will lock out submissions at that time