Difference between revisions of "OWASP Top10:2021"
Line 5: | Line 5: | ||
* '''Stricter GET/POST Handling''': To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods. | * '''Stricter GET/POST Handling''': To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods. | ||
* '''Enhanced Security Framework''': ZK 10.0.0 integrates three advanced security checks into our CI/CD process: | * '''Enhanced Security Framework''': ZK 10.0.0 integrates three advanced security checks into our CI/CD process: | ||
− | + | ** '''Synk Scanning''': This tool analyzes both source code and third-party dependencies for vulnerabilities. | |
− | + | ** '''CodeQL PR Scanning''': It assesses pull requests for Java, JavaScript, and TypeScript to find security flaws before they are merged. | |
− | + | ** '''SonarCube''': It scans the source code comprehensively to identify bugs, vulnerabilities, and security risks. | |
* '''Enable InaccessibleWidgetBlockService by Default''': In ZK 10.0.0, the InaccessibleWidgetBlockService, which blocks requests from inaccessible widgets, is enabled by default. This feature enhances security by preventing interactions with UI components that should not be accessible, such as disabled or hidden components. | * '''Enable InaccessibleWidgetBlockService by Default''': In ZK 10.0.0, the InaccessibleWidgetBlockService, which blocks requests from inaccessible widgets, is enabled by default. This feature enhances security by preventing interactions with UI components that should not be accessible, such as disabled or hidden components. | ||
Line 14: | Line 14: | ||
== A10:2021 - Server-Side Request Forgery (SSRF) == | == A10:2021 - Server-Side Request Forgery (SSRF) == | ||
− | ZK Framework | + | While ZK Framework itself does not provide specific mechanisms for making server-side requests, it is essential for developers using ZK to be vigilant about SSRF risks. The responsibility to prevent SSRF lies with application developers who must ensure safe handling of URLs and external resources. They should employ strict input validation, use allowlisting for accessible internal systems, and be cautious with the exposure of HTTP endpoints. Ensuring that all server-side requests, particularly those calling Java APIs directly, are secure against SSRF attacks is crucial for maintaining application security. |
Revision as of 12:20, 13 May 2024
OWASP Top 10 Security Concerns 2021
A04:2021 - Insecure Design
ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats:
- Stricter GET/POST Handling: To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods.
- Enhanced Security Framework: ZK 10.0.0 integrates three advanced security checks into our CI/CD process:
- Synk Scanning: This tool analyzes both source code and third-party dependencies for vulnerabilities.
- CodeQL PR Scanning: It assesses pull requests for Java, JavaScript, and TypeScript to find security flaws before they are merged.
- SonarCube: It scans the source code comprehensively to identify bugs, vulnerabilities, and security risks.
- Enable InaccessibleWidgetBlockService by Default: In ZK 10.0.0, the InaccessibleWidgetBlockService, which blocks requests from inaccessible widgets, is enabled by default. This feature enhances security by preventing interactions with UI components that should not be accessible, such as disabled or hidden components.
A08:2021 - Software and Data Integrity Failures
While the ZK Framework itself does not manage software and data integrity directly, it is recommended that applications leveraging ZK implement appropriate controls. This includes the use of secure build pipelines, artifact verification, and runtime protection mechanisms to ensure data integrity throughout the application lifecycle.
A10:2021 - Server-Side Request Forgery (SSRF)
While ZK Framework itself does not provide specific mechanisms for making server-side requests, it is essential for developers using ZK to be vigilant about SSRF risks. The responsibility to prevent SSRF lies with application developers who must ensure safe handling of URLs and external resources. They should employ strict input validation, use allowlisting for accessible internal systems, and be cautious with the exposure of HTTP endpoints. Ensuring that all server-side requests, particularly those calling Java APIs directly, are secure against SSRF attacks is crucial for maintaining application security.