The document discusses cybersecurity risks and provides advice on how to protect against threats. It notes that 5 out of 6 advanced attacks target large companies, while 60% target small and medium businesses. The STRIDE model is described as a framework for categorizing different types of threats. Input validation, authentication, authorization, and applying defense in depth are recommended strategies. The document emphasizes that no software is 100% secure and the goal should be to minimize vulnerabilities and reduce the chances of successful attacks.
5. The hackers' language..
We have a valuable “asset” (a resource of value, such as the data in a database or on the file system, or a system resource) that we want to protect.
… That asset has a weak point (a vulnerability)
… that raises a “threat”
… that a “malicious” user can penetrate, hack, attack, exploit or compromise through this vulnerability
… and harm (cause bad things, like retrieving or damaging) that asset.
… We need countermeasures
… to counter or address this threat
… and mitigate this risk.
6. What do these people want from us?!!! The STRIDE Model
• Ask Microsoft: what motivates attackers to commit such malicious acts?...
• STRIDE Model
• Spoofing: using a false identity (credentials, IP, …)
• Tampering: unauthorized modification of data
• Repudiation: denying having done something (as the proverb goes: he kills the victim and then walks in the funeral procession)
• Information disclosure: revealing information that should stay private
• Denial of Service: blocking the service
• Elevation of privilege: widening one's own permissions
7. The things people very often get wrong when securing them... Threat categories
1. Input validation: How do you know that the input your application receives is
valid and safe?
2. Authentication: Who are you?
3. Authorization: What can you do?
4. Configuration management: How does your application manage its settings?
5. Sensitive data: How does your application handle any data that must be protected,
either in memory, over the network or in persistent stores?
6. Session management: A session refers to a series of related interactions
between a user and your Web application.
7. Cryptography: Cryptography refers to how your application enforces
confidentiality (privacy) and integrity (tamper-proofing: the data cannot be forged).
8. Parameter manipulation: query string parameters, form fields, cookies, HTTP
headers
9. Exception management: When your application fails, do you return friendly
error information to end users? Do you pass valuable exception information
back to the caller?
10. Auditing and logging: Who did what and when?
12. Don't believe everything anyone tells you: Input Validation
• Input is evil, unless proven otherwise
• Do not trust input including form fields, cookies, query strings, HTTP headers
• Do not rely on client-side validation
• Constrain, reject and sanitize input
• Validate for type, length, format and range
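Putting the slide's rules into code, as an added example that is not part of the original deck: a server-side allow-list validator that constrains which parameters are accepted at all, then checks length, format (allow-list regex), type and range, and rejects rather than repairs anything that fails, whether the value arrived as a form field, query string, cookie or header. The rule names, the sample request and the reason strings are constructed for illustration.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    max_len: int                            # length check runs first, on the raw string
    pattern: str                            # allow-list regex; the whole value must match
    convert: Callable[[str], object] = str  # type: str stays str, int parses the digits
    lo: Optional[int] = None                # inclusive range for numeric values
    hi: Optional[int] = None

# Hypothetical allow-list for one request; anything not named here is rejected.
RULES: Dict[str, Rule] = {
    "user_id": Rule(10, r"[0-9]+", int, 1, 999999),
    "username": Rule(32, r"[A-Za-z0-9_]+"),
    "sid": Rule(64, r"[a-f0-9]{32}"),
    "page": Rule(4, r"[0-9]+", int, 1, 500),
}

def validate(params: Dict[str, str],
             rules: Dict[str, Rule] = RULES) -> Tuple[Dict[str, object], List[str]]:
    """Server-side check of every parameter, whatever channel it arrived on.
    Returns (accepted, rejected); a failing value is rejected, never repaired."""
    accepted: Dict[str, object] = {}
    rejected: List[str] = []
    for name, raw in params.items():
        rule = rules.get(name)
        if rule is None:                              # constrain: unknown parameter
            rejected.append(f"{name}: not an expected parameter")
        elif len(raw) > rule.max_len:                 # length
            rejected.append(f"{name}: length {len(raw)} exceeds {rule.max_len}")
        elif not re.fullmatch(rule.pattern, raw):     # format
            rejected.append(f"{name}: does not match {rule.pattern!r}")
        else:
            value = rule.convert(raw)                 # type: pattern guarantees it parses
            if rule.lo is not None and not rule.lo <= value <= rule.hi:   # range
                rejected.append(f"{name}: {value} outside [{rule.lo}, {rule.hi}]")
            else:
                accepted[name] = value
    return accepted, rejected

# Constructed request merging form fields, query string, cookies and headers;
# where a value came from earns it no trust, so the same rules apply to all of them.
SAMPLE_REQUEST: Dict[str, str] = {
    "user_id": "forty-two",                       # query string: wrong format and type
    "username": "alice_01",                       # form field
    "sid": "0123456789abcdef0123456789abcdef",    # cookie
    "page": "9999",                               # query string: well-formed, out of range
    "x-role": "admin",                            # header: not in the allow-list
}
```

Calling `validate(SAMPLE_REQUEST)` accepts only `username` and `sid` and returns one reason per rejected parameter, which is what the application should log rather than echo back to the client.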
22. The 10 most important vulnerabilities: OWASP Top 10
1. Injection: any data that is passed to a parser/interpreter is susceptible to this
threat: SQL, LDAP, XML, …
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS): inject script into a web page
   1. The most popular security flaw
4. Insecure Direct Object References: ability to access protected resources by using their id
in the URL without authorization
5. Security Misconfiguration: insecure default settings, unused services,
over-privileged accounts, …
6. Sensitive Data Exposure: no or weak encryption
7. Missing Function Level Access Control: anonymous users could access private
functions that aren’t protected by simply changing the URL
8. Cross-Site Request Forgery (CSRF): use hijacked cookies to send forged
requests to the application
9. Using Components with Known Vulnerabilities: obsolete Adobe Flash version?
10. Unvalidated Redirects and Forwards: Attacker links to unvalidated redirect and
tricks victims into clicking it. Victims are more likely to click on it, since the
link is to a valid site. Attacker targets unsafe forward to bypass security checks.