Security Assessment


Assessment (Score: 20%)

OWASP

OWASP: Web Security 2021

Web

The OWASP Web Security 2021 Top 10 (2025 Coming Soon!!!) is a list of the most critical security risks to web applications.





To cover the most critical and prevalent security risks specific to the development and deployment of web applications.

OWASP Top Ten | OWASP Foundation

  1. Injection: Use parameterized queries, stored procedures, and input validation to prevent injection attacks.
  2. Broken Authentication: Implement multi-factor authentication, secure password storage, and session management.
  3. Sensitive Data Exposure: Encrypt sensitive data at rest and in transit, and use secure protocols.
  4. XML External Entities (XXE): Disable XML external entity processing and use less complex data formats like JSON.
  5. Broken Access Control: Enforce access control mechanisms, deny by default, and minimize CORS usage.
  6. Security Misconfiguration: Implement a repeatable hardening process and use automated tools to verify configurations.
  7. Cross-Site Scripting (XSS): Sanitize and validate all inputs, and use content security policies.
  8. Insecure Deserialization: Avoid deserialization of untrusted data and use integrity checks.
  9. Using Components with Known Vulnerabilities: Regularly update and patch components, and use software composition analysis tools.
  10. Insufficient Logging & Monitoring: Implement comprehensive logging and monitoring, and establish incident response procedures.


efacb457-8f91-4223-ab01-2ce1c9fdbb8c

Impacts
Impact Description Impact
Customer Customers sensitive information, such as personal details, financial data, and login credentials, can be exposed, leading to identity theft and financial fraud. Moderate
Legal Consequences Customers may face legal issues if their data is misused or if they are involved in fraudulent activities due to security vulnerabilities in the site. Moderate
Reputational Customers may associate the application and the organization with poor security practices, damaging the brand's reputation. Major
Financial Loss Customers may suffer financial losses due to fraudulent transactions or unauthorized access to their accounts. Moderate
Operational Security breaches can lead to service outages or disruptions, affecting customers' ability to use the application and access its features. Major

Risks
Risk Description Type Overall Risk
1 A01: Broken Access Control - improper enforcement of access controls can allow attackers to gain unauthorized access to resources and perform actions they shouldn't be able to. Threat Medium
Link
2 A02: Cryptographic Failures - weak or improperly implemented cryptographic mechanisms can lead to unauthorized access and data breaches. Threat Medium
Link
3 A03: Injection - attackers can exploit vulnerabilities in input handling to inject malicious code, such as SQL, NoSQL, OS commands, or LDAP queries. Threat Medium
Link
4 A04: Insecure Design - applications lacking secure design principles can have inherent security weaknesses that attackers can exploit. Threat Major
Link
5 A05: Security Misconfiguration - improper configuration of security settings can leave applications vulnerable to attacks. This can lead to unauthorized access, data breaches, and exposure of sensitive information. Threat Critical
Link
6 A06: Vulnerable and Outdated Components - outdated or unpatched components, such as libraries, frameworks, and other software modules, can have known vulnerabilities that attackers can exploit. Threat Medium
Link
7 A07: Identification and Authentication Failures - weaknesses in identification and authentication mechanisms can allow attackers to compromise passwords, keys, or session tokens, leading to unauthorized access. Threat Medium
Link
8 A08: Software and Data Integrity Failures - vulnerabilities in software updates, critical data, and CI/CD pipelines can be exploited by attackers to introduce malicious code or compromise data integrity. Threat Low
Link
9 A09: Security Logging and Monitoring Failures - inadequate logging and monitoring can prevent the detection of security breaches and other malicious activities. Threat Medium
Link
10 A10: Server-Side Request Forgery (SSRF) - attackers can exploit SSRF vulnerabilities to make unauthorized requests from the server, potentially accessing internal systems, sensitive data, and services. Threat Medium
Link

Severe
Major 5
Moderate 23710 1
Minor 8 69 4
Insignificant
Impact / Likelihood Rare (0 - 5%) Unlikely (5% - 15%) Possible (15% - 40%) Likely (40% - 90%) Certain (>90%)

Threats
Threat: Enterprise Internal External 3rd Party Technological Physical
Credential Access - The adversary is trying to steal account names and passwords.
Defense Evasion - The adversary is trying to avoid being detected.
Discovery - The adversary is trying to figure out your environment.
Execution - The adversary is trying to run malicious code.
Impact - The adversary is trying to manipulate, interrupt, or destroy your systems and data.
Reconnaissance - The adversary is trying to gather information they can use to plan future operations.
Resource Development - The adversary is trying to establish resources they can use to support operations.

Controls
Control Coverage: 0%
No Control Reference(s) XE found.
Control

:




None

No Threat(s) found.

No Control(s) found.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙