@@ -230,36 +230,98 @@ CodeIgniter provisions
230230A04:2021 Insecure Design
231231************************
232232
233- @TODO
233+ Insecure design is a broad category representing different weaknesses, expressed
234+ as “missing or ineffective control design.” Insecure design is not the source for
235+ all other Top 10 risk categories. There is a difference between insecure design
236+ and insecure implementation. We differentiate between design flaws and implementation
237+ defects for a reason, they have different root causes and remediation.
238+
239+ A secure design can still have implementation defects leading to vulnerabilities
240+ that may be exploited. An insecure design cannot be fixed by a perfect implementation
241+ as by definition, needed security controls were never created to defend against
242+ specific attacks. One of the factors that contribute to insecure design is the
243+ lack of business risk profiling inherent in the software or system being developed,
244+ and thus the failure to determine what level of security design is required.
234245
235246OWASP recommendations
236247=====================
237248
238- - @TODO
249+ - Establish and use a secure development lifecycle with AppSec professionals to
250+ help evaluate and design security and privacy-related controls
251+ - Establish and use a library of secure design patterns or paved road ready to
252+ use components
253+ - Use threat modeling for critical authentication, access control, business logic,
254+ and key flows
255+ - Integrate security language and controls into user stories
256+ - Integrate plausibility checks at each tier of your application (from frontend
257+ to backend)
258+ - Write unit and integration tests to validate that all critical flows are resistant
259+ to the threat model. Compile use-cases and misuse-cases for each tier of your
260+ application.
261+ - Segregate tier layers on the system and network layers depending on the exposure
262+ and protection needs
263+ - Segregate tenants robustly by design throughout all tiers
264+ - Limit resource consumption by user or service
239265
240266CodeIgniter provisions
241267======================
242268
243- - @TODO
269+ - :doc: `PHPUnit testing <../testing/overview >`
270+ - :doc: `../libraries/throttler ` for rate limit
271+ - An official authentication and authorization framework :ref: `CodeIgniter Shield <shield >`
244272
245273**********************************
246274A05:2021 Security Misconfiguration
247275**********************************
248276
249- Improper configuration of an application architecture can lead to mistakes
250- that might compromise the security of the whole architecture.
277+ The application might be vulnerable if the application is:
278+
279+ - Missing appropriate security hardening across any part of the application stack
280+ or improperly configured permissions on cloud services.
281+ - Unnecessary features are enabled or installed (e.g., unnecessary ports, services,
282+ pages, accounts, or privileges).
283+ - Default accounts and their passwords are still enabled and unchanged.
284+ - Error handling reveals stack traces or other overly informative error messages
285+ to users.
286+ - For upgraded systems, the latest security features are disabled or not configured
287+ securely.
288+ - The security settings in the application servers, application frameworks (e.g.,
289+ Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.
290+ - The server does not send security headers or directives, or they are not set to
291+ secure values.
292+ - The software is out of date or vulnerable (see A06:2021-Vulnerable and Outdated
293+ Components).
294+
295+ Without a concerted, repeatable application security configuration process,
296+ systems are at a higher risk.
251297
252298OWASP recommendations
253299=====================
254300
255- - Presentation: harden web and application servers; use HTTP strict transport security
256- - Controller: harden web and application servers; protect your XML stack
257- - Model: harden database servers
301+ Secure installation processes should be implemented, including:
302+
303+ - A repeatable hardening process makes it fast and easy to deploy another environment
304+ that is appropriately locked down. Development, QA, and production environments
305+ should all be configured identically, with different credentials used in each
306+ environment. This process should be automated to minimize the effort required
307+ to set up a new secure environment.
308+ - A minimal platform without any unnecessary features, components, documentation,
309+ and samples. Remove or do not install unused features and frameworks.
310+ - A task to review and update the configurations appropriate to all security notes,
311+ updates, and patches as part of the patch management process (see A06:2021-Vulnerable
312+ and Outdated Components). Review cloud storage permissions (e.g., S3 bucket permissions).
313+ - A segmented application architecture provides effective and secure separation
314+ between components or tenants, with segmentation, containerization, or cloud
315+ security groups (ACLs).
316+ - Sending security directives to clients, e.g., Security Headers.
317+ - An automated process to verify the effectiveness of the configurations and
318+ settings in all environments.
258319
259320CodeIgniter provisions
260321======================
261322
262- - Sanity checks during bootstrap
323+ - :ref: `Production mode <environment-constant >` by default
324+ - :ref: `secureheaders ` filter
263325
264326*******************************************
265327A06:2021 Vulnerable and Outdated Components
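Review bot: the Sphinx roles added at lines 269-271 and 323-324 will not resolve as written, because each has a space between the role name and the opening backtick (`:doc: `PHPUnit testing <../testing/overview >``) and a stray space before the closing `>` inside the target; reStructuredText requires the backtick to follow the role immediately and the target to be unbroken, so these render as literal text instead of links. Suggested forms: `:doc:`PHPUnit testing <../testing/overview>``, `:doc:`../libraries/throttler``, `:ref:`CodeIgniter Shield <shield>``, `:ref:`Production mode <environment-constant>`` and `:ref:`secureheaders``. Separately, the A05 "CodeIgniter provisions" list drops the former "Sanity checks during bootstrap" bullet without a replacement; if the bootstrap checks still exist, consider keeping that entry alongside the production-mode and secureheaders items rather than removing it.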