Exploring the Latest Threats in IT & Mitigating OWASP's Top 10 Vulnerabilities

You work for a company called Anglia DevSecOps Solutions. They have contacted you to research the latest threats in IT and are specifically interested in the OWASP Top 10 vulnerabilities.

Your job is to test for and document THREE of the following vulnerabilities:

  • A1 Injection
  • A2 Broken Authentication
  • A3 Sensitive Data Exposure
  • A4 XML External Entities (XXE)
  • A5 Broken Access Control
  • A6 Security Misconfiguration
  • A7 Cross-Site Scripting (XSS)
  • A8 Insecure Deserialization
  • A9 Using Components with Known Vulnerabilities
  • A10 Insufficient Logging & Monitoring

Explain the Vulnerabilities and Mitigation

Explain to the business executives why these vulnerabilities matter, including the potential risk to the business. You should link these vulnerabilities to the OWASP Top 10 2017. You are expected to provide real-world examples for each vulnerability discussed, together with code that has issues, which the student then corrects or for which the student suggests better alternatives. The report is specifically for higher-ups in the business and needs to be readable by a layman (non-technical person). Please explain things in this technical report carefully.

You should explain how you have tested for each vulnerability, and how you exploited each vulnerability. You should also explain why the vulnerability exists, and what is needed to mitigate it. Provide fully annotated example code to support your mitigation argument. The report should outline your test environment, such as an annotated network diagram, and justify the tools selected for testing.

The report should include the following sections. Failure to follow the headings (as a minimum) will result in a loss of marks.

  • OWASP Vulnerability One
      o Vulnerability
      o Mitigation

  • OWASP Vulnerability Two
      o Vulnerability
      o Mitigation

  • OWASP Vulnerability Three
      o Vulnerability
      o Mitigation

All your work should be supported with full in-text Harvard referencing. Please create sub-headings under these so your work is easier to read for an executive or layman (legal term for a person without professional or specialized knowledge in a particular subject area).

Marking Scheme

Explain the first vulnerability of choice in the OWASP Top 10.

(For example: pick an OWASP Top 10 vulnerability, then explain why it exists, how it works and what code it affects.) Good marks will be awarded for correct identification of code that has been explained and annotated correctly, as well as referenced using Harvard referencing.

Using real-world code that you have researched or developed, mitigate the issue selected.

(For example, link to the code from the first part of this question.) Show your test environment, fix the code and show that the threats have been mitigated correctly. The code must also be annotated and referenced using Harvard referencing.

Explain the second vulnerability of choice in the OWASP Top 10.

(For example: pick an OWASP Top 10 vulnerability, then explain why it exists, how it works and what code it affects.) Good marks will be awarded for correct identification of code that has been explained and annotated correctly, as well as referenced using Harvard referencing.

Using real-world code that you have researched or developed, mitigate the issue selected.

(For example, link to the code from the first part of this question.) Show your test environment, fix the code and show that the threats have been mitigated correctly. The code must also be annotated and referenced using Harvard referencing.

Explain the third vulnerability of choice in the OWASP Top 10.

(For example: pick an OWASP Top 10 vulnerability, then explain why it exists, how it works and what code it affects.) Good marks will be awarded for correct identification of code that has been explained and annotated correctly, as well as referenced using Harvard referencing.

Using real-world code that you have researched or developed, mitigate the issue selected.

(For example, link to the code from the first part of this question.) Show your test environment, fix the code and show that the threats have been mitigated correctly. The code must also be annotated and referenced using Harvard referencing.

Report presentation: the report must be in a technical format, written ONLY in the 3rd PERSON, with headings, sub-headings and diagrams/tables/code labelled correctly. The work must be written in English and be spelling and grammar checked before submission. This report must be written so that a layman (non-technical person) can understand it; if they cannot, lower marks will be awarded. The work also needs to follow the headings above as a minimum, which students can add to.
