Have you heard of OWASP Top 10 but aren’t familiar with it?
Or maybe you knew the 2017 list but not the updated list from 2021?
Let’s talk about it! 🧵 ⬇️
What is the OWASP Top 10?
It outlines the most pertinent risks to web application security. The most recent list was released in 2021. 7 of the 10 entries from the 2017 list were kept (though moved around in the rankings), and 3 new risks were added.
This graphic shows how the 2017 Top 10 and the 2021 Top 10 compare.
You’ll notice that some have been reworded to keep the naming consistent: each is named after the problem at hand.
Some were also renamed to better define what’s being pinpointed.
#1 Broken Access Control
Giving access and permissions to users who shouldn’t have them.
This can happen through things like lack of least-privilege implementation, metadata misconfigurations, CORS misconfigurations, and tampering with API requests to reach resources the caller shouldn’t have access to.
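Added example (not from this thread): the most common shape of broken access control is an endpoint that looks up an object by id and never asks whether the caller may see it. Below, a hypothetical document store with constructed users and roles shows the unchecked lookup beside a deny-by-default version that allows only the owner or an admin, and returns the same error for "denied" and "missing" so it doesn’t leak which ids exist.

```python
# Added example, not code from the thread: object-level authorization, deny by default.
# The User type, roles and DOCUMENTS store are constructed for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: document id -> (owner, body)
DOCUMENTS = {
    1: ("alice", "alice's notes"),
    2: ("bob", "bob's notes"),
}


def get_document_insecure(user, doc_id):
    """Broken access control: any authenticated caller can read any document by id."""
    owner, body = DOCUMENTS[doc_id]
    return body  # `user` and `owner` are never compared


def get_document(user, doc_id):
    """Hardened version: deny unless the caller is the owner or an admin."""
    # Same error for "does not exist" and "not yours", so ids can't be enumerated.
    if doc_id not in DOCUMENTS:
        raise PermissionError("not found")
    owner, body = DOCUMENTS[doc_id]
    if user.role == "admin" or user.name == owner:
        return body
    raise PermissionError("not found")


def can_read(user, doc_id):
    """Boolean convenience wrapper around the hardened check."""
    try:
        get_document(user, doc_id)
        return True
    except PermissionError:
        return False
```

The check lives next to the data access rather than in the route handler, so every code path that reads a document goes through it.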
#2 Cryptographic Failures
Encryption can fail in many ways: keys that aren’t created and shared securely, outdated and insecure protocols (FTP, SMTP), encryption that isn’t enforced, and incomplete trust chains.
Data should be properly protected both at rest and in transit.
#3 Injection
Attackers can take advantage of systems that accept input without validating it.
When an attacker can get your system to accept unexpected, malicious input, memory can be overwritten and the system may be given instructions it was never authorized to run.
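Added example (not from this thread): the textbook case of injection is SQL built by string formatting. Using an in-memory SQLite database with constructed rows, the vulnerable lookup is shown beside the parameterized one; a value containing a quote changes the structure of the first query but is treated purely as data by the second.

```python
# Added example, not code from the thread: SQL injection, vulnerable vs parameterized.
# The users table and its rows are constructed for this illustration.
import sqlite3


def make_db():
    """Fresh in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Input is pasted into the SQL text, so quotes in `name` become part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Placeholder binding: the driver sends `name` as a value, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on the same input so the difference is visible side by side."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, name),
        "safe": find_user_safe(conn, name),
    }
```

Input validation still matters (length, character set), but the fix that actually removes the vulnerability class is keeping data out of the query text, which is what the placeholder does.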
#4 Insecure Design
I like to think of this one as failing to implement the buzzwords: segmentation, pushing security left, zero trust.
How are you maintaining authentication throughout your system and preventing malicious actions from moving through it unchecked?
#5 Security Misconfiguration
This includes things like improper permission configurations, unnecessary access left enabled, default credential use, exposing error messages to users, and out-of-date software.
Every piece of a system needs to be configured and implemented properly.
#6 Vulnerable and Outdated Components
You need to know your assets. Every part of your system needs to be kept up to date, and it’s important to be aware of CVEs released for the hardware and software you use. Components must be configured properly and tested to ensure system compatibility.
#7 Identification and Authentication Failures
This is when user identification and authorization fail due to things like credential stuffing, brute forcing weak and predictable passwords, exposed (unencrypted or weakly hashed) passwords, lack of MFA, and reused session identifiers.
#8 Software and Data Integrity Failures
This is when software or pipelines are compromised through untrusted code and data. Using external sources (e.g. libraries) or updates without validating their integrity, and failing to protect stored data, will give attackers access to information and/or code execution.
#9 Security Logging and Monitoring Failures
Logs aren’t kept, don’t raise alerts when they should, or don’t provide actionable information: a failure to detect abnormal or suspicious activity because the logs are vague or non-existent, and/or a failure to respond to the information that is there.
#10 Server-Side Request Forgery (SSRF)
When a web app fetches remote resources without validating the destination, an attacker can forge requests from the server and reach destinations they shouldn’t be able to.
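Added example (not from this thread): the usual SSRF fix is to validate the destination before the server fetches anything. The allowlisted hosts and the rejected ranges below are constructed; the validator requires an allowed scheme, rejects credentials in the URL (which make "host@host" look like the allowed host), rejects IP literals in loopback/private/link-local space, and then checks the hostname against the allowlist.

```python
# Added example, not code from the thread: validating a user-supplied fetch URL.
# ALLOWED_HOSTS and ALLOWED_SCHEMES are constructed for this illustration.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # constructed allowlist
ALLOWED_SCHEMES = {"https"}


def _is_internal_ip_literal(host):
    """True if `host` is an IP literal in loopback, private, link-local or reserved space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_reserved or ip.is_multicast
    )


def validate_fetch_url(url):
    """Return `url` if the server may fetch it, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if _is_internal_ip_literal(host):
        raise ValueError("internal address")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    if parts.port not in (None, 443):  # .port raises ValueError on a bad port
        raise ValueError("port not allowed")
    return url


def is_fetch_allowed(url):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False
```

This check does not resolve hostnames, so an allowlisted name that later resolves to an internal address is not caught here; a production fetcher should also resolve the name and apply the same IP checks to the address it actually connects to, and refuse to follow redirects without re-validating.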
And that’s the OWASP Top 10! While it’s focused on web applications, most of the entries are relevant to all types of systems, and the list is a useful resource for keeping up with common attack vectors.
If you’d be interested in me writing a more comprehensive blog post about this, let me know! We could get into mitigations and more extensive explanations.