Category: Java security
-
What is the difference between Encoding, Encryption and Hashing?
1. Overview The terms encryption and encoding are often mistakenly used interchangeably, and hashing is sometimes misrepresented as a form of encryption. These misconceptions can lead to significant errors in implementing security measures. To address this, let’s delve into a high-level overview of these concepts and clarify their distinct purposes and differences. Understanding the differences…
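The three transforms side by side, as an added example (not code from the original post): Base64 encoding is undone by anyone, encryption is undone only with the key, and a hash cannot be undone at all. The one-time pad stands in for the cipher so that the block needs only the standard library; the message, key and password are constructed inputs.

```python
import base64
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample message used throughout the demonstration.
MESSAGE = b"account=alice;balance=100"


def encode(data: bytes) -> str:
    """Encoding (Base64): a public, keyless transform. Anyone can undo it, so it
    gives no confidentiality; its job is representation and transport only."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def encrypt_otp(data: bytes, key: bytes) -> bytes:
    """Encryption shown with a one-time pad: XOR with a uniformly random key of
    the same length. Reversible only by a holder of the key, and the key must
    never be reused. Chosen so the example runs on the standard library alone;
    production code uses an AEAD such as AES-GCM from a vetted library."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, key))


decrypt_otp = encrypt_otp  # XOR is its own inverse


def digest(data: bytes) -> str:
    """Hashing (SHA-256): one-way and deterministic with fixed-length output.
    There is no key and nothing to reverse; it is not a form of encryption."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: bytes, salt: Optional[bytes] = None) -> tuple:
    """Password storage is a hashing problem, not an encryption problem: a
    salted, deliberately slow hash (PBKDF2-HMAC-SHA256) is stored, never the
    password itself. Returns (salt, derived_key)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 600_000)


def demo() -> dict:
    """Run the three transforms on MESSAGE and report what each one allows."""
    key = os.urandom(len(MESSAGE))
    ciphertext = encrypt_otp(MESSAGE, key)
    wrong_key = os.urandom(len(MESSAGE))
    return {
        "encoding_reversible_without_secret": decode(encode(MESSAGE)) == MESSAGE,
        "encryption_reversible_with_key": decrypt_otp(ciphertext, key) == MESSAGE,
        "encryption_reversible_with_wrong_key": decrypt_otp(ciphertext, wrong_key) == MESSAGE,
        "hash_deterministic": digest(MESSAGE) == digest(MESSAGE),
        "hash_fixed_length": len(digest(MESSAGE)) == len(digest(b"x")),
        "hash_changes_on_one_byte": digest(MESSAGE) != digest(MESSAGE[:-1] + b"1"),
    }
```

The point of `demo()` is the middle row: a Base64 "secret" is recoverable by anyone who sees it, a ciphertext is recoverable only by the key holder, and a hash is recoverable by nobody, which is exactly why hashes, not encrypted values, are what a password store should hold.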
-
A10:2021 – Server-Side Request Forgery
1. Overview Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker induces a server to make requests on the attacker's behalf to other servers, internal networks, or external systems that the attacker could not reach directly. It occurs when an application fetches a resource from a user-supplied URL without properly validating or sanitizing that input. 2. Description SSRF flaws occur whenever a web…
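The vulnerable pattern beside a hardened URL check, as an added example that is not part of the original post. The allowlist `ALLOWED_HOSTS` and the `FAKE_DNS` table are constructed so the check can be exercised offline; `cdn.example.com` is deliberately made to resolve to an internal address to show why the resolved IP, not just the hostname, must be inspected.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts this feature is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],      # an allowlisted name pointing inside
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> list:
    """Real resolver for use outside the demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fetch_vulnerable(url: str) -> bytes:
    """The pattern the text describes: user input goes straight to the HTTP
    client. 'http://169.254.169.254/latest/meta-data/' or 'file:///etc/passwd'
    would be fetched exactly as requested."""
    return urllib.request.urlopen(url).read()


def is_public(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolver=system_resolver) -> tuple:
    """Return (allowed, reason). Checks scheme, embedded credentials, port and
    the host allowlist, then verifies every address the host resolves to is
    public, so an allowlisted name cannot be pointed at internal services."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "name resolution failed"
    if not addresses:
        return False, "name did not resolve"
    for address in addresses:
        if not is_public(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"
```

Two caveats for real deployments: the HTTP client must connect to the address that was validated (otherwise a second lookup can return a different, internal address, the DNS rebinding case), and it must re-run the check on every redirect rather than following them automatically.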
-
A09:2021 – Security Logging and Monitoring Failures
1. Overview Security Logging and Monitoring Failures occur when applications and systems do not log security-relevant events or fail to monitor them effectively. This weakness can delay or prevent the detection of attacks, allowing attackers to exploit vulnerabilities, steal sensitive data, or disrupt systems without being noticed. 2. Description This category is to help detect,…
-
A08:2021 – Software and Data Integrity Failures
1. Overview Software and Data Integrity Failures occur when applications fail to verify the integrity of software updates, critical data, or code libraries. This category highlights vulnerabilities introduced by using untrusted sources or insufficient mechanisms to ensure that data or software has not been tampered with. Such failures can lead to supply chain attacks, data…
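Two integrity checks the category calls for, as an added example rather than code from the original post: verifying a downloaded artifact against a digest pinned at release time, and protecting serialized data with an HMAC so that tampering is detected before the data is parsed. The artifact bytes and the key are constructed for the demonstration; in practice the pinned digest comes from a lockfile or the publisher's signed release manifest, not from the same server as the file.

```python
import base64
import hashlib
import hmac
import json

# Constructed "release artifact" standing in for a downloaded installer or
# dependency.
ARTIFACT = b"#!/bin/sh\necho deploying build 42\n"


def pin_artifact(data: bytes) -> str:
    """What the publisher records at release time."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """What the consumer must do before executing or installing the download.
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256)


def _serialize(payload: dict) -> bytes:
    # Canonical form so the same payload always yields the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payload(key: bytes, payload: dict) -> str:
    """Integrity-protect serialized data (a session blob, a queued job) with
    an HMAC before handing it to an untrusted party."""
    body = _serialize(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_payload(key: bytes, token: str):
    """Return the payload only if the tag matches; None on any tampering.
    The body is not parsed until after the MAC check succeeds."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def tamper(token: str, field: str, value) -> str:
    """Simulate an attacker editing the body (e.g. role=user -> admin) while
    keeping the original tag."""
    body_b64, tag_b64 = token.split(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body_b64))
    payload[field] = value
    return base64.urlsafe_b64encode(_serialize(payload)).decode() + "." + tag_b64
```

The same shape applies to signed packages and signed commits: the digest or tag is computed by the trusted party, the consumer recomputes it over exactly the bytes it received, and nothing is executed or deserialized until the comparison passes.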
-
A05:2021 – Security Misconfiguration
1. Overview Security Misconfiguration refers to improperly configured systems, services, or applications that leave systems vulnerable to attacks. It is one of the most common and often overlooked vulnerabilities in application security. Misconfigurations can occur at any layer of the application stack, including network, web server, database, API, or application frameworks. These errors are typically…
-
A04:2021 – Insecure Design
1. Overview A new category for 2021 focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. As a community we need to move beyond “shift-left” in the coding space to pre-code activities that are critical for the principles of Secure…
-
A03:2021 – Injection
1. Overview Injection vulnerabilities occur when an attacker sends malicious input into an application, causing it to execute unintended commands or access unauthorized data. This type of vulnerability is one of the most severe and prevalent in web applications and other software systems. Injection attacks exploit the application’s failure to properly validate or sanitize user…
-
A01:2021 – Broken Access Control
1. What is access control? Access control is a security mechanism that regulates and restricts who or what can view, access, or modify resources in a system or application. Its primary purpose is to ensure that only authorized users or entities have access to specific resources, while unauthorized access is prevented. Access control is a…
-
OWASP – An Introduction
1. What is OWASP? OWASP stands for Open Web Application Security Project. The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. OWASP provides free and open resources. It is led by…
-
What is a PEM file?
1. Introduction Privacy-Enhanced Mail (PEM) is a widely used file format for storing and transmitting cryptographic keys, certificates, and related data. It originated from a set of 1993 IETF standards aimed at defining “privacy-enhanced mail” for secure email communication. While the original privacy-enhanced mail protocol is largely obsolete, the PEM file format has become a…
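A minimal PEM reader and writer, as an added example (not code from the original post): it locates `-----BEGIN label-----` / `-----END label-----` blocks, ignores text outside them as RFC 7468 allows, rejects mismatched labels or bad Base64, and wraps output at 64 characters. `SAMPLE_PEM` is constructed with known payloads so the parser can be checked offline; real key and certificate files differ only in label and payload.

```python
import base64
import re
import textwrap

# Constructed PEM text with known payloads ("hello world" and bytes 0..9).
SAMPLE_PEM = """\
Some explanatory text before the first block is ignored by parsers.
-----BEGIN TEST DATA-----
aGVsbG8gd29ybGQ=
-----END TEST DATA-----
-----BEGIN X509 CRL-----
AAECAwQFBgcICQ==
-----END X509 CRL-----
"""

BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def parse_pem(text: str) -> list:
    """Return (label, payload) pairs for every block in the text. A block whose
    END label differs from its BEGIN label, or whose body is not valid Base64,
    raises instead of being silently skipped."""
    blocks = []
    for match in BLOCK_RE.finditer(text):
        begin_label, body, end_label = match.groups()
        if begin_label != end_label:
            raise ValueError(f"label mismatch: BEGIN {begin_label} / END {end_label}")
        stripped = "".join(body.split())          # drop line breaks and spaces
        try:
            payload = base64.b64decode(stripped, validate=True)
        except ValueError as exc:
            raise ValueError(f"invalid Base64 in {begin_label} block") from exc
        blocks.append((begin_label, payload))
    return blocks


def to_pem(label: str, payload: bytes) -> str:
    """Encode binary (typically DER) as a PEM block with 64-character lines."""
    body = base64.b64encode(payload).decode("ascii")
    lines = textwrap.wrap(body, 64) if body else []
    return "\n".join([f"-----BEGIN {label}-----", *lines,
                      f"-----END {label}-----"]) + "\n"


def looks_like_der(payload: bytes) -> bool:
    """Keys and certificates are DER SEQUENCEs, so the first byte is 0x30.
    A cheap sanity check before handing the bytes to a real ASN.1 parser."""
    return len(payload) > 0 and payload[0] == 0x30
```

Because PEM is only Base64 around DER, the payload of a `PRIVATE KEY` block is as sensitive as the raw key: the encoding adds no protection, and file permissions or an encrypted container are what actually guard it.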