2021 OWASP Top Ten: Insecure Design

Insecure Design: Understanding Security Risk #4

Introduction to Insecure Design

  • John Wagner introduces the topic of insecure design as the fourth security risk in the 2021 OWASP Top 10 list, emphasizing its focus on design and architectural flaws.
  • The concept of "shift left" in security is discussed, highlighting the need to address security concerns even before coding begins.

Characteristics of Insecure Design

  • Insecure design differs from insecure implementation: a secure design can still lead to vulnerabilities if it is implemented incorrectly, and those are implementation defects with their own root cause and fix.
  • An insecure design cannot be rectified by a perfect implementation, because the control needed to stop a given attack was never specified; there is nothing for the implementation to get right, so the flaw must be addressed at the design stage.

Practical Example: Movie Ticket Application

  • Wagner presents a scenario involving a movie theater's online ticket purchasing system, illustrating how an attacker could exploit an insecure design.
  • He explains how an attacker could reserve many seats without ever paying, because the application logic lets unpaid reservations pile up; the inventory is exhausted and legitimate customers are blocked from purchasing tickets.

Analogy: House Design Flaw

  • A house analogy is used to explain insecure design; having a locked front door is ineffective if there’s an open entryway elsewhere.
  • This analogy reinforces the idea that controls bolted on elsewhere cannot compensate for a foundational design flaw; the open entry has to be closed in the design itself.

Importance of Secure Development Practices

  • Secure software development requires a secure development life cycle and continuous evaluation of threats throughout the project.

Understanding Secure Design in Applications

Importance of Threat Modeling

  • Effective threat modeling is crucial for ensuring that all critical flows within an application are resistant to potential threats. It plays a significant role in secure design.
  • When discussing secure design, it’s essential to compile both use cases and misuse cases for every tier of the application to identify vulnerabilities.

Use Cases vs. Misuse Cases

  • Testing should not only confirm that the application functions correctly (e.g., selling tickets online) but also cover misuse scenarios in which an attacker deliberately abuses the same flows.
  • An example of a misuse case: an attacker repeatedly makes group bookings sized just below the attendee threshold at which a deposit is required, holding seats without paying. The misuse case is what reveals that the threshold check alone is not an adequate control, which is why both kinds of case belong in the test strategy.
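
The ticket-reservation scenario and the deposit-threshold misuse case described above, as an added example that is not code from the video, from OWASP or from F5: a toy booking service written once with the flawed design and once with the controls a threat model would have demanded. The 15-attendee deposit threshold, the 10-minute hold lifetime and all seat counts are constructed assumptions; the `misuse_case_split_bookings` and `use_case_family_purchase` helpers are the two kinds of test case the text asks for.

```python
"""Toy ticket-booking service: an insecure design beside a secure one.
Added example, not code from the video or from OWASP. The deposit
threshold, hold lifetime and seat counts are constructed assumptions."""
from dataclasses import dataclass

DEPOSIT_THRESHOLD = 15   # assumed rule: a booking of 15+ attendees needs a deposit


@dataclass
class Hold:
    user: str
    seats: int
    created: float       # caller-supplied clock value in seconds
    paid: bool = False


class InsecureBookingService:
    """Design flaw: the deposit rule is checked per request only, unpaid holds
    never expire, and nothing bounds the seats one user may hold. A perfect
    implementation of this design still leaves the misuse case open."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.holds: list[Hold] = []

    def held(self) -> int:
        return sum(h.seats for h in self.holds)

    def book(self, user: str, seats: int, now: float) -> str:
        if seats >= DEPOSIT_THRESHOLD:
            return "deposit_required"
        if self.held() + seats > self.capacity:
            return "sold_out"
        self.holds.append(Hold(user, seats, now))
        return "held"


class SecureBookingService(InsecureBookingService):
    """Controls decided at design time: the deposit rule applies to a user's
    cumulative unpaid seats, and unpaid holds expire after HOLD_TTL seconds."""

    HOLD_TTL = 600       # assumed: unpaid holds are released after 10 minutes

    def _expire(self, now: float) -> None:
        self.holds = [h for h in self.holds
                      if h.paid or now - h.created < self.HOLD_TTL]

    def book(self, user: str, seats: int, now: float) -> str:
        self._expire(now)
        unpaid = sum(h.seats for h in self.holds
                     if h.user == user and not h.paid)
        if unpaid + seats >= DEPOSIT_THRESHOLD:
            return "deposit_required"
        if self.held() + seats > self.capacity:
            return "sold_out"
        self.holds.append(Hold(user, seats, now))
        return "held"

    def pay(self, user: str) -> None:
        """Paid holds are real sales: they neither expire nor count as unpaid."""
        for h in self.holds:
            if h.user == user:
                h.paid = True


def misuse_case_split_bookings(service, attacker: str = "attacker",
                               rounds: int = 50) -> int:
    """Misuse case: book just under the deposit threshold, over and over,
    never paying. Returns how many seats the attacker ends up holding."""
    for i in range(rounds):
        service.book(attacker, DEPOSIT_THRESHOLD - 1, now=float(i))
    return sum(h.seats for h in service.holds if h.user == attacker)


def use_case_family_purchase(service, now: float = 60.0) -> str:
    """Use case: a legitimate customer tries to buy four seats."""
    return service.book("family", 4, now=now)


if __name__ == "__main__":
    for cls in (InsecureBookingService, SecureBookingService):
        svc = cls(capacity=100)
        taken = misuse_case_split_bookings(svc)
        print(f"{cls.__name__}: attacker holds {taken} seats, "
              f"family purchase -> {use_case_family_purchase(svc)}")
```

Against a 100-seat showing the insecure service lets the attacker hold 98 seats with seven requests of 14 and the family is told the show is sold out; the secure service stops the attacker at 14 held seats and the family purchase succeeds. Note that the secure service is not "more careful code": it enforces rules (cumulative unpaid limit, hold expiry) that were absent from the insecure design's specification, which is the distinction the text draws between design flaws and implementation defects.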

Insecure Design in the OWASP Top 10

  • The discussion emphasizes that insecure design is one of the top security risks identified in the 2021 OWASP Top 10 list (it is the fourth entry, A04:2021), underscoring its significance in modern applications.
Video description

Insecure design is a broad category representing different weaknesses, expressed as "missing or ineffective control design." Insecure design is not the source for all other Top 10 risk categories. There is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason: they have different root causes and remediation. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation as, by definition, the needed security controls were never created to defend against specific attacks.

#OWASPTOP10 Video 5 / 11

DevCentral is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems together.

  • DevCentral: https://community.f5.com
  • YouTube: https://youtube.com/devcentral
  • LinkedIn: https://www.linkedin.com/showcase/f5-devcentral/
  • Twitter: https://twitter.com/devcentral

Community Evangelists:

  • Jason Rahm: https://www.linkedin.com/in/jrahm/ | https://twitter.com/jasonrahm
  • Buu Lam: https://www.linkedin.com/in/buulam/ | https://twitter.com/buulam
  • Aubrey King: https://www.linkedin.com/in/aubreyking | https://twitter.com/aubreykingf5