Minimize the Attack Surface Area
What is the security principle that aims to reduce the number of ways an attacker can potentially exploit a system or application?
1. Broken Access Control
What occurs when an application does not properly enforce restrictions on what authenticated users can do, allowing unauthorized actions?
6. Vulnerable and Outdated Components
What are software libraries or frameworks with known security vulnerabilities that are included in an application?
Input Validation
What ensures that all user-supplied data is checked and sanitized before being processed by the application to prevent malicious inputs?
Authentication and Password Management
What ensures that only authorized users can access sensitive areas of an application?
Principle of Least Privilege
What is the principle that users, processes, and systems should be granted the minimum level of access or permissions necessary to perform their legitimate tasks or functions, and no more?
2. Cryptographic Failures
What are weaknesses in the cryptographic mechanisms used to protect sensitive data, leading to exposure or unauthorized access?
7. Identification and Authentication Failures
What occurs when an application does not adequately verify the identity of users, allowing unauthorized access?
Access Control
What is ensuring access control mechanisms restrict user permissions to only those necessary for their role within the application?
Secure Cryptographic Practices
What is protecting sensitive data through encryption and secure key management?
Separation of Duties
What is the security principle that ensures tasks or functions are divided among multiple people or systems to prevent any single entity from having complete control over the entire process?
3. Injection
What occurs when untrusted data is sent to an interpreter as part of a command or query, leading to unintended command execution?
8. Software and Data Integrity Failures
What occurs when software updates, critical data, or the code are not protected against unauthorized modification?
Error Handling and Logging
What mechanisms help identify and mitigate issues without revealing sensitive information?
Secure Configuration
What helps prevent vulnerabilities due to misconfigured software or systems?
Defense in Depth
What is a security strategy that employs multiple layers of defense to protect systems and data, so that if one layer fails, others will still provide protection?
4. Insecure Design
What is a lack of security considerations in the design of an application, leading to inherent vulnerabilities?
9. Security Logging and Monitoring Failures
What occurs when applications fail to log security-related events adequately or monitor for anomalies, leading to undetected breaches?
Validate the origin of requests
What prevents unauthorized actions from being executed on behalf of authenticated users?
Secure Testing and Code Review
What helps identify vulnerabilities and ensure compliance with secure coding practices?
Open Design
What is a security principle that asserts that the security of a system should not rely on the secrecy of its design or implementation?
5. Security Misconfiguration
What are improper settings or configurations in an application or server that expose it to potential vulnerabilities?
10. Server-Side Request Forgery (SSRF)
What allows an attacker to send crafted requests from the server to internal or external resources?
Monitoring and Response
What helps detect and mitigate security incidents in real time?
Secure API Development
What protects against vulnerabilities that could expose sensitive data or allow unauthorized access?