DevSecOps

Correct-Auth-KrishnaG-CEO

Ensuring Trust Through Correct Authorisation: A Comprehensive Examination of CWE-863

by

CWE-863: Incorrect Authorisation occurs when an application fails to enforce correct authorisation measures, allowing unauthorised users or processes to access resources, perform operations, or retrieve data that should be off-limits. It is sometimes conflated with authentication flaws, but the essence of CWE-863 lies in improper or missing checks that would otherwise confirm if a user has the necessary permissions to perform a specific action.
From a technical standpoint, one might imagine an application employing robust identity verification (authentication) only to overlook critical checks about what a user is allowed to do once logged in (authorisation). This oversight can be the gateway to data leaks, privilege escalation, or even sabotage of core business processes.

Unrestricted-Resource-KrishnaG-CEO

OWASP Top 10 API Security Risks – 2023: API4:2023 – Unrestricted Resource Consumption

by

Unrestricted resource consumption occurs when an API allows users or clients to request resources without proper limits or controls. Every API request consumes a certain amount of resources such as CPU cycles, memory, network bandwidth, storage, and other external services (e.g. email, SMS, or biometric validation). If these resources are not regulated, an attacker can exploit the API to consume disproportionate resources, leading to a range of undesirable consequences including:
Denial of Service (DoS): An attacker may cause the API to become unresponsive by overwhelming it with an excessive number of requests, or by requesting resources that are computationally expensive, leading to system crashes or slowdowns.
Inflated Operational Costs: APIs that involve third-party services, such as SMS or email delivery, may incur costs for each request. Without proper restrictions, malicious actors can generate high volumes of such requests, leading to unexpected cost overruns.
Data Loss or Degradation: APIs that allow unregulated access to large amounts of data or storage can be abused, resulting in slow system performance, data corruption, or loss.

WP-DB-Injection-KrishnaG-CEO

WordPress db Injection: A Comprehensive Guide for Pen Testers and C-Suite

by

WordPress, which began as a simple blogging platform in 2003, has evolved into one of the most widely used content management systems (CMS) globally. Currently powering over 40% of websites, WordPress has become synonymous with digital publishing—ranging from small personal blogs to large-scale enterprise solutions. For many C-level executives, WordPress represents an agile, cost-effective solution to rapidly establish and manage an online presence.
However, with extensive adoption comes amplified risk. The same features that make WordPress easy to use—such as its vibrant plugin ecosystem and open-source nature—can also create ripe opportunities for attackers to exploit vulnerabilities. WordPress database injection, often referred to more broadly as SQL injection (SQLi), stands out as a critical concern. Attackers who successfully execute a database injection can gain unauthorised access to sensitive data, manipulate website content, or even pivot to other parts of the organisation’s network.
WordPress relies on a MySQL (or MariaDB) database to store content, user data, plugin settings, and other critical information. An SQL injection attack leverages insecure code or configurations to inject malicious SQL queries into the database, allowing attackers to read, modify, or even delete data, and in some extreme cases, compromise the server itself.

Insecure-Deserialisation-KrishnaG-CEO

Insecure Deserialisation: An Essential Guide for C-Suite

by

Insecure deserialisation refers to a scenario where an application deserialises data without validating its integrity or origin. This process, if compromised, can allow attackers to inject code, manipulate data, or trigger unintended operations within an application. For example, if an attacker injects crafted data into the deserialisation process, they could potentially gain control over the application server, extract sensitive information, or cause service disruptions.

Mobile-App-Sec-KrishnaG-CEO

Mobile AppSec: A Survival Guide for MSMEs

by

In today’s digital age, security is not just a compliance requirement; it’s a competitive advantage. MSMEs that prioritise mobile security are better positioned to thrive and succeed in the long term.