CompTIA Pentest+ Certification For Dummies. Glen E. Clarke
put your organization at risk. The OWASP Foundation has other projects as well, including its OWASP Mobile Security Testing Guide. Following are the URLs for each of these projects:
OWASP Top 10: https://owasp.org/www-project-top-ten
OWASP Mobile Security Testing Guide: https://owasp.org/projects/mstg/2021/07/29/MSTG-Release.html
OWASP Top 10 (2017)
Following is a summary of the 2017 version of the OWASP Top 10 Web Application Security Risks that you should be familiar with for the PenTest+ exam:
A1:2017-Injection: The number one flaw found in web applications is injection flaws. Injection flaws occur when data is input into an application but the input is not sanitized or validated by the developer of the application.
A2:2017-Broken Authentication: The second most common flaw in web applications is flaws in authentication or session management. These may allow attackers to access passwords, keys, or session tokens.
A3:2017-Sensitive Data Exposure: The third most common flaw in web applications is sensitive data exposure flaws that involve web applications or APIs not protecting sensitive data within the application. This could be financial data, healthcare data, or Personally Identifiable Information (PII) data. This could be due to a lack of encryption at rest and in transit, or other missing access control methods.
A4:2017-XML External Entities (XXE): Poorly configured XML processors can use external entities to disclose internal files or internal file shares, and possibly perform remote code execution or denial of service (DoS) attacks.
A5:2017-Broken Access Control: Many web applications do not enforce restrictions on what an authenticated user can do within the application. An attacker that exploits this flaw can gain access to sensitive information or perform undesired actions.
A6:2017-Security Misconfiguration: Applications should have their default settings altered and their security configuration settings reviewed, as security misconfiguration is a common flaw in web applications.
A7:2017-Cross-Site Scripting (XSS): XSS flaws occur when an application processes and displays untrusted data in a web application without validating the information. XSS flaws enable attackers to execute malicious code in a victim’s browser and possibly hijack the session.
A8:2017-Insecure Deserialization: Insecure deserialization flaws may result in an attacker being able to perform remote code execution, replay attacks, injection attacks, and privilege escalation attacks.
A9:2017-Using Components with Known Vulnerabilities: Components are libraries of code that an application may use. Your application may be following secure coding best practices, but once you call a third-party library, that component may have been developed in an insecure manner that exposes your application to security flaws.
A10:2017-Insufficient Logging and Monitoring: Lack of logging and monitoring means that an application or system does not have the capabilities to detect and log breaches in security. Adequate logging and monitoring should be configured within an application or system to help determine the extent of a security breach during incident response.
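The A1:2017-Injection entry above says the flaw comes from input that is not sanitized or validated before it reaches an interpreter. The following is an added example, not code from the book: it builds a constructed in-memory SQLite table and contrasts a lookup that pastes user input into the SQL text with the parameterized form of the same query. The table layout, sample rows, and function names are all assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in for a web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Injection flaw: untrusted input is spliced into the SQL text, so the
    input can change the structure of the query rather than only its data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened form: a parameterized query. The driver sends the value
    separately from the statement, so the input is always treated as a literal."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a benign value and with a value that carries a
    quote and SQL operators, and return the four result sets for comparison."""
    conn = make_db()
    benign = "alice"
    # In the vulnerable function the quote ends the string literal and the rest of
    # the value becomes part of the WHERE clause, so the query matches every row.
    tainted = "x' OR '1'='1"
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_tainted": find_user_vulnerable(conn, tainted),
        "safe_benign": find_user_safe(conn, benign),
        "safe_tainted": find_user_safe(conn, tainted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns all three rows for the tainted value, while the parameterized lookup returns nothing because no username equals that literal string. The same principle, keeping data separate from the interpreter's syntax, is the fix for the other interpreters the injection category covers (OS commands, LDAP, and the output-encoding case for XSS that the 2021 list folds into A03).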
OWASP Top 10 (2021)
The OWASP Top 10 flaws were updated in 2021. Many of the flaws were relabeled and regrouped, with a few changes to the order of the most common flaws:
A01:2021-Broken Access Control: Broken access control moved up from the fifth most common flaw in 2017 to the most common flaw in 2021.
A02:2021-Cryptographic Failures: Previously known as Sensitive Data Exposure in 2017, this common flaw was renamed Cryptographic Failures and was also moved to the second most common web application flaw in 2021.
A03:2021-Injection: Injection attacks have moved down to the third most common flaw in 2021. This flaw also encompasses the cross-site scripting (XSS) category from 2017.
A04:2021-Insecure Design: Insecure design is a new category in 2021 and covers risk-related design flaws in applications. This new category looks to improve on the use of threat modeling and secure design patterns and principles during the development of the application.
A05:2021-Security Misconfiguration: Security Misconfiguration in 2021 includes both the Security Misconfiguration and the XML External Entities (XXE) flaws from the 2017 Top 10 list.
A06:2021-Vulnerable and Outdated Components: This Top 10 category for 2021 is a relabeled version of the Using Components with Known Vulnerabilities flaw in 2017. Note that this flaw has moved up three spots in 2021!
A07:2021-Identification and Authentication Failures: This category was known as Broken Authentication in the 2017 Top 10 listing. Note that it has been renamed and also fell to the seventh position in 2021.
A08:2021-Software and Data Integrity Failures: Another new category for the 2021 Top 10 security flaws list, this flaw pertains to failures when verifying the integrity of components when applying software updates or updates to critical data. Note that Insecure Deserialization from 2017 is included in this category.
A09:2021-Security Logging and Monitoring Failures: Logging and Monitoring has moved up one position in 2021.
A10:2021-Server-Side Request Forgery: A new category for the 2021 Top 10 list is Server-Side Request Forgery. This security flaw enables attackers to invoke requests from a vulnerable web application to another system.
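The A10:2021 entry describes server-side request forgery as an attacker making the application send requests to another system. One defensive control is to validate the destination before the server issues the request. The following is an added example, not code from the book: a check that accepts only http/https URLs to an allowlisted hostname and rejects literal IP addresses, credentials in the URL, and non-public addresses. The allowlist entries and the function name are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of the external hosts this application is permitted to call.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a destination the server would fetch on a user's behalf.

    The reason string is meant to be logged, so a rejected attempt to reach an
    internal address is visible to whoever reviews the application's logs.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    # Literal IP addresses are never allowed; report private, loopback and
    # link-local targets separately because those attempts are worth alerting on.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            return False, f"non-public address: {addr}"
        return False, "literal IP addresses are not allowed; use an allowlisted hostname"
    if host.lower() not in allowed_hosts:
        return False, f"host not on allowlist: {host!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one permitted destination and several that must be refused.
    for candidate in [
        "https://api.partner.example/v1/status",
        "http://127.0.0.1:8080/admin",
        "http://10.0.0.5/internal",
        "file:///etc/passwd",
        "https://evil.example/",
        "https://user:pw@api.partner.example/",
    ]:
        print(candidate, "->", is_safe_outbound_url(candidate))
```

This check validates only the URL string. In a deployment the application should also resolve the allowlisted hostname and confirm the resolved address is public (to counter DNS records that point inside the network), and either disable HTTP redirects on the outbound request or re-run the check on every redirect target.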
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a federal agency designed to improve science, standards, and technology. Over the years, NIST has created many publications related to information security and recommendations on how to secure different types of systems. In recent years, NIST has created Special Publication (SP) documents that relate to many aspects of security, security controls, penetration testing, and cybersecurity. Following are some key special publications to be aware of:
NIST SP 800-30: This special publication provides guidance related to risk assessment.
NIST SP 800-53: This special publication provides guidance related to security and privacy controls.
NIST SP 800-39: This special publication provides guidance on risk management strategies.
There are a number of other standards and recommendations published by NIST that are designed to help organizations improve security:
NIST Cybersecurity Framework (CSF): The NIST CSF is designed to help organizations create a solid cybersecurity program. The framework is organized into five functions to help identify assets within the business and reduce the risk against those assets. The five functions are identify, protect, detect, respond, and recover.
NIST SP 800-115: In this special publication, NIST makes recommendations on the steps to take when performing information security testing and assessments.
OSSTMM, PTES, and ISSAF
The Open Source Security Testing Methodology Manual (OSSTMM) is a methodology for security testing that is maintained by the Institute for Security and Open Methodologies (ISECOM). You can download the OSSTMM document from www.isecom.org/OSSTMM.3.pdf.