# What you'll learn

After watching this video, you will be able to: 
* Describe identification and authentication failures and prevention.
* Identify software and data integrity failures and how to prevent them.
* Recognize security logging and monitoring failures and prevention steps.
* Discuss server-side request forgeries (SSRF) and prevention.

# Identification and authentication failures

![image.png](attachment:17081388-8a2f-4701-955b-eff7f2468002.png)

* Identification and authentication failures occur when your app allows credential stuffing, brute force, and other automated attacks.
* Credential stuffing occurs when an attacker has a list of legitimate usernames and passwords.
* The attacker employs automation to try those username and password pairs against your app.
* Failures also occur when your app reveals session identifier (ID) information in URLs.
* Anyone with your session ID can impersonate you by tricking the website into believing that it’s really you, on your own computer.
* This gives attackers full access to the account you were previously logged into.
* A session is created when you log in with a username and password.
* Session timeouts automatically log you off after a period of inactivity but are often overlooked during application development.
* If your app doesn’t provide this feature, logged-in users stepping away from their computers invite unauthorized access and the risk of a data breach.

# Failure prevention

![image.png](attachment:245a546d-57a8-499f-87eb-35449c5a6704.png)

* To prevent identification and authentication failures, start with the software supply chain.
* The software supply chain includes everything that touches your application or plays a part in its development throughout its lifecycle.
* Software supply chain security tools scan your application components to ensure they are free from known vulnerabilities.
* Performing regular checks and reviews on configuration changes reduces the risk of your software pipeline being attacked.
* Avoid transmitting unencrypted sensitive data to untrusted sources.
* You can use digital signatures or other types of integrity checks to ensure data security and prevent tampering.
* Use multifactor authentication to prevent credential stuffing, brute force, and other automated attacks, and avoid deploying your application with default credentials enabled.
* Implement a server-side session manager to generate new, random session IDs and ensure that the session identifiers don’t appear in URLs.
* Store session IDs securely and make sure they’re invalidated on logout and after idle and absolute timeouts.
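As an added example (not code from the video), here is a minimal server-side session manager in Python that applies the session points from this section and the previous one: IDs come from the OS CSPRNG, are meant to travel only in a cookie, and are invalidated on logout and after idle and absolute timeouts. The timeout values and the `SessionManager` API are assumptions, and the caller passes in the current time (`time.time()` in a real app) so the expiry logic can be exercised deterministically.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # seconds without activity before a session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600  # seconds after login after which it dies regardless of activity


@dataclass
class Session:
    user: str
    created: float    # login time, starts the absolute clock
    last_seen: float  # last request time, starts the idle clock


class SessionManager:
    """Server-side session store; the client holds only an opaque ID in a cookie, never in a URL."""

    def __init__(self, idle: float = IDLE_TIMEOUT, absolute: float = ABSOLUTE_TIMEOUT):
        self._sessions: dict[str, Session] = {}
        self.idle = idle
        self.absolute = absolute

    def login(self, user: str, now: float) -> str:
        # fresh 256-bit ID from the OS CSPRNG on every login, so an ID that existed
        # before authentication (or leaked from a URL) never becomes a live session
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str, now: float):
        """Return the user for a live session, or None; expired sessions are removed on sight."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            self.logout(sid)
            return None
        s.last_seen = now  # activity resets the idle clock but never the absolute one
        return s.user

    def logout(self, sid: str) -> None:
        # invalidate server-side; clearing the cookie alone would leave the session usable
        self._sessions.pop(sid, None)
```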

# Software and data integrity failures

![image.png](attachment:a6b353ae-615e-4750-a3ae-deb3ac25e2a9.png)

* Software and data integrity failures are caused by code and infrastructure that don’t protect against integrity violations.
* Components relied upon by applications could introduce vulnerabilities if they come from untrusted sources.
* Many of today’s apps with automatic update capabilities download and install their updates to a previously trusted application without sufficient integrity verification.
* It’s possible that attackers could upload malicious updates to an insecure CI/CD pipeline for distribution and apply them to all installations.
* This could lead to data breaches or other types of attacks.

# Failure prevention

![image.png](attachment:fde6a444-eda3-4def-ab84-641c9bf23287.png)

* You can prevent software and data integrity failures by segregating your CI/CD pipeline.
* Make sure it’s properly configured, and access control is accurate and complete.
* This helps to ensure the integrity of your code as it moves through the build and deploy process.
* Use a software supply chain security tool to scan your app’s components for known vulnerabilities.
* Don’t send any unsigned, unencrypted, or serialized data to untrusted clients without some type of digital signature or integrity check.
* Using digital signatures and other types of integrity checks helps verify that data or code came from a legitimate source and wasn’t tampered with.
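To show the integrity check the last two points describe, here is an added Python example (not the course’s code) of a publisher-side manifest and the client-side verification an updater would run before applying downloaded components. It uses HMAC-SHA256 with a shared key as the integrity tag; a real update channel would use a public-key signature so only the verifying key ships with the client, and the key, file names and contents below are constructed.

```python
import hashlib
import hmac
import json

# Constructed example key; a real channel uses a publisher signing key that never ships to clients
PUBLISHER_KEY = b"example-integrity-key-not-for-production"


def build_manifest(files: dict, key: bytes) -> dict:
    """Publisher side: hash each component and tag the hash list with HMAC-SHA256."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()  # canonical bytes to tag
    return {"files": digests, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_update(manifest: dict, files: dict, key: bytes) -> tuple:
    """Client side: apply the update only if the tag and every file hash check out."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # check the tag first, so a tampered hash list is rejected before any file is trusted
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag mismatch: altered or not from the publisher"
    if set(files) != set(manifest["files"]):
        return False, "file set differs from manifest"  # added or missing components
    for name, data in files.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), manifest["files"][name]):
            return False, f"hash mismatch for {name}"
    return True, "ok"
```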

# Security logging and monitoring failures

![image.png](attachment:97485078-ff7f-4faf-bea0-5f93c8fd9248.png)

* Logging and monitoring are critical for detecting and responding to breaches.
* Inadequate logging and monitoring can mask serious issues.
* Logs with missing, weak, or confusing entries impair the troubleshooting process.
* Apps that don’t log auditable events such as intrusion attempts, logins, and failed logins do more harm than good.
* It’s essential to capture these details in the log in the event of a breach or other cyberattack.
* Logs overwritten too quickly negatively impact delayed forensic analysis.
* If a breach occurred months ago and your logs are overwritten too quickly, you may never find out when or how it happened, or whether it happened again.
* The lack of a monitoring system keeps everyone in the dark about what’s going on in their infrastructure.
* A sound monitoring system detects and alerts on issues, trends, and other problems.
* Without solid security logging and monitoring in place, attackers can remain in your org for a long time without anyone realizing it until it’s too late.

# Failure prevention

![image.png](attachment:40e9fcff-89c1-4227-a9ad-cf6744b582ad.png)

* You can prevent logging and monitoring failures by ensuring that your application is logging the correct information in the proper format – at the right time.
* Centralize all logging and make regular backups of raw log files, or better yet, stream your logs to a log collector like Logstash that stores them in a database like Elasticsearch, so they can be visualized with a tool like Kibana and kept for long periods. Most cloud-native systems like Kubernetes allow you to do this quite easily.
* The format matters if you plan to use log analysis tools.
* Include auditable events such as logins, access control, and server-side input validation.
* Provide sufficient context for identifying suspicious or malicious accounts and make sure the data resides in the logs long enough for delayed forensic analysis.
* Implement a sound monitoring system with thresholds, dashboards, and alerting, so any suspicious activities can be detected and responded to quickly.
* Audit your logs periodically to look for evidence of tampering or logfile manipulation attempts by attackers.
* You may have to scrub through a lot of log entries.
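As an added illustration of the threshold-and-alert monitoring described above (not code from the video), the following Python reads constructed JSON-lines login events of the kind a collector such as Logstash would ingest and raises one alert per source that produces too many failed logins inside a sliding window, reporting how many distinct accounts were tried. The field names, threshold and window are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events, one JSON object per line (the structured form a collector ingests)
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "event": "login_failed", "user": "alice", "src": "203.0.113.7"}
{"ts": "2024-05-01T10:00:05Z", "event": "login_failed", "user": "bob", "src": "203.0.113.7"}
{"ts": "2024-05-01T10:00:09Z", "event": "login_failed", "user": "carol", "src": "203.0.113.7"}
{"ts": "2024-05-01T10:00:12Z", "event": "login_ok", "user": "dave", "src": "198.51.100.4"}
{"ts": "2024-05-01T10:00:15Z", "event": "login_failed", "user": "dave", "src": "203.0.113.7"}
{"ts": "2024-05-01T10:00:20Z", "event": "login_failed", "user": "erin", "src": "203.0.113.7"}
{"ts": "2024-05-01T10:15:00Z", "event": "login_failed", "user": "alice", "src": "198.51.100.4"}
"""

THRESHOLD = 5        # failed logins from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds raise an alert (assumed policy)


def parse(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_credential_stuffing(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of login_failed per source; one alert per source per burst."""
    recent = defaultdict(deque)  # src -> (ts, user) of failures still inside the window
    alerted = set()              # sources already reported, so a burst is alerted once
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        if rec["event"] != "login_failed":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({
                "src": rec["src"],
                "failures": len(q),
                # many distinct accounts from one source is the credential-stuffing pattern
                "distinct_users": len({u for _, u in q}),
                "at": rec["ts"].isoformat(),
            })
    return alerts
```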

# Server-side request forgery (SSRF)

![image.png](attachment:4914846f-ddb9-4a0e-8c47-9566d89af3b9.png)

Server-side request forgery (SSRF) allows external attackers to create or control malicious requests to other internal systems.

Here’s how it works: 
* A hacker tries to gain direct access to an internal server and a firewall blocks the connection attempt.
* The hacker is lucky and discovers a web server that’s vulnerable to an SSRF attack and exploits it.
* SSRF attacks do this by abusing the trust relationship between internal systems.
* SSRF attacks also bypass firewalls, VPNs, and Access Control Lists (ACLs).
* Now, the affected server becomes an instrument for further attacks and probes.

Attackers can use the affected server to:
* Scan for open ports on local or external networks, 
* access local files, 
* discover other IP addresses, and 
* obtain remote code execution (or RCE).

SSRF attacks are dangerous. They allow attackers to enter and manipulate internal systems that were never meant to be accessed externally.

# Types of server-side request forgeries

![image.png](attachment:958352bb-0b00-4732-b63b-4aa228ba6085.png)

Let’s look at server-side request forgeries.

There are three types of SSRF.

* **Basic (or Blind) SSRF**: In this case, the attacker provides a URL to the affected server, but the data from the URL is never returned to the attacker.
* **Semi-blind SSRF**: In this case, the attacker provides a URL to the affected server, but only some data is exposed to the attacker that could potentially give them more information to use.
* **Non-blind SSRF**: 
    * These are the most dangerous.
    * In this case, data from any Uniform Resource Identifier (or URI) will be returned to the attacker by an internal service.

# Preventing SSRF attacks

![image.png](attachment:b16314c8-67f6-4f08-9404-17534be57f74.png)

You can prevent SSRF attacks by using some or all of the following controls: 
* Sanitize and validate all input data provided by clients.
* Create a whitelist for enforcing permitted URLs, ports, and destinations.
* Configure web servers to disallow HTTP redirects.
* Don’t allow your applications to send raw responses to clients without validation.
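The controls in this list, as an added Python example that is not part of the original material: an allowlist check a server runs on a client-supplied URL before fetching it. The allowed hosts and ports are constructed; the function rejects non-HTTPS schemes, embedded credentials, literal IP addresses, unknown hosts and unlisted ports, and the caller is expected to fetch without following redirects, as the list above recommends.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this app may fetch from, with their permitted ports
ALLOWED_HOSTS = {"api.example.com": {443}, "images.example.com": {443, 8443}}
ALLOWED_SCHEMES = {"https"}


def validate_outbound_url(url: str) -> tuple:
    """Return (ok, reason) for a client-supplied URL before the server fetches it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        # user:pass@host forms make the real host easy to misread; refuse them outright
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not a literal address, fall through to the hostname allowlist
    else:
        # literal addresses are never on the allowlist; this covers loopback,
        # link-local and private ranges without needing a separate denylist
        return False, f"literal IP address not allowed: {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    try:
        port = parts.port or 443  # default HTTPS port when none is given
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_HOSTS[host]:
        return False, f"port {port} not allowed for {host}"
    return True, "ok"
```

Because the allowlist is by hostname, no DNS lookup is needed here; an app that must reach arbitrary hosts would additionally resolve the name and check the resulting address at connect time.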

# Summary

![image.png](attachment:77ce0681-419d-460f-b086-f434a34fe092.png)

In this video, you learned: 
* You can make your app and infrastructure more secure by closing security vulnerabilities, building better logs, and adding visibility with a quality monitoring and alerting system.
* Implementing integrity checks and digital signatures prevents tampering.
* Software updates, data, and components from untrusted sources can be tampered with if integrity checks are missing.
* Input data should always be sanitized and validated.
* Unsigned, unencrypted, or serialized data should never be sent to untrusted clients.
* Configuring your web server correctly to disallow certain functions can reduce server-side request forgeries.