OWASP Top 10 2021

La versión 2021 del Top 10 de vulnerabilidades en aplicaciones web de OWASP ha sido liberada oficialmente.

Esta lista de vulnerabilidades es una referencia clave en la industria de seguridad informática y conlleva una actualización que es importante que conozcamos quienes estamos involucrados en ella.

Particularmente una de las cosas que llama la atención es la inclusión de una categoría denominada A02: Cryptographic Failures. Esta categoría incluye los debilidades ( CWE ) asociadas a fallas criptográficas ya sea por problemas en las configuraciones o en las implementaciones de la criptografía en las aplicaciones. Entre ellas destacan:

  • Debilidad en las contraseñas.
  • Intercambio de llaves criptográficas sin autenticación.
  • Nivel de entropía insuficiente.
  • Problemas en la generación de datos pseudoaleatorios.
  • Transmisión de información sensible en claro.
  • entre muchos otros.

… seguramente estaré platicando de algunas en el transcurso de los días.

La lista actualizada de vulnerabilidades quedó de la siguiente forma:

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failures
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failures
  • A10:2021-Server-Side Request Forgery

El enlace oficial y toda la documentación la encuentran directamente en el portal de OWASP.org Top 10.

OpenSSL Cheat Sheet v1.2

OpenSSL reference by Alberto Gonzalez

A new version of the OpenSSL reference has been released.

Version 1.2

These are the changes:

  • Asymmetric encryption: Changes in how to export the public key to be consistent with the encryption command using RSA public key.
  • Asymmetric encryption: Encrypt a file using RSA public key.
  • Asymmetric encryption: Decryption of the previously encrypted file was included.
  • Symmetric encryption: Changes in the decryption of a file using another file as the key, instead of a password.
  • Digital Signatures: Signing a file using SHA-256 and RSA private key.
  • Digital Signatures: Verifying the signature previously generated using the RSA public key file.
  • Working with TLS protocol: Extract the domain certificate from an HTTPS/TLS connection.
  • Working with TLS protocol: nmap command: Display enabled cipher-suites over an HTTPS/TLS Connection.
  • Working with TLS protocol: nmap command: Display enabled cipher-suites over a TLS (HTTPS) Connection using SNI.

OpenSSL Cheat Sheet v1.1

I have released a new OpenSSL Cheat Sheet version. The version 1.1.

You can download the PDF here: https://albertx.mx/wp-content/uploads/2020/07/The-OpenSSL-Cheat-Sheet-v1.1.pdf

or access the online version, here: https://cheatography.com/albertx/cheat-sheets/openssl/

Release notes for version 1.1:

  • Inclusion of openssl command for generating random bytes specifying bytes of length for random data, in “Basics” section.
  • Added the command for displaying digital certificates information in Abstract Sintax Notation One, in “Digital Certificates” section.
  • Inclusion of command for generating a hash with its output in bytes, instead of hex encoding. This command is under “working with hashes” section.

TLS Server Certificate Management NIST Publication

Yesterday The National Institute of Standards and Technology released a new Special Publication ( SP 1800 – 16 ), guideline style, addressing security best practices and recommendations for managing almost everything around TLS and digital certificates.

This extraordinary guideline was written in collaboration with Digicert, Venafi, Thales, F5, MITRE, Symantec. All of them well known technology and security companies around the world.

The document has 4 different parts:

  1. An Executive Summary
  2. Security Risks and Recommended Best Practices
  3. Approach, Architecture and Security Characteristics
  4. How-to Guides.

This is a must for the administration of large-scale TLS server certificates, how to establish a formal TLS certificate management program and it also enumerates all elements that should be considered for inclusion in such a program.

It addresses some specific challenges like: The automatic renewal of digital certificates in production environments, working with DevOps and TLS certificates, implementing an architecture to be protected of attacks hidden in TLS connection tunnels, recommendations for key-lenght, signing algorithms, validity periods in digital certificates, recommendation for crypto-agility (a very popular topic in cryptography these days) and much more.

You can download the complete document directly from its site:

https://www.nist.gov/publications/securing-web-transactions-tls-server-certificate-management