The SQL Injection is used by malicious users to attack your application surface in legitimate manner to exploit weakness in the coding pattern especially how the application interact with the Database. The purpose of attack could be to get unauthorized access to sensitive data especially for other users and accounts. In some cases if such vulnerability exists then using attacks like Command Injections, the attacker may tak...

Cross Site Scripting (XSS) is the act of injecting malicious scripts or other HTML code into a web page that runs on the client browser and cause damage to your web site users. Mostly it works with the trusted user input (e.g. feedback comments) and when such information is rendered as part of web page HTML without validating the user provided contents thus all other users who visit this web page may become victom of XSS attack.

Threat Modeling is Risk Analysis Exercise that can be applied to not only a software product but to any asset that is valuable to your organization.

This is an iterative exercise and it may not be possible to ensure 100% coverage or do it 100% correct in first go. Ideally you should start by protecting outer trust boundry and then continue securing internal layers and sub-components of your application.

Broken Authentication and Session Management – OWASP definition

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities."

The Insecure Direct Object References represent the flaws in system design where access to sensitive data/assets is not fully protected and data objects are exposed by application with assumption that user will always follow the application rules. For example let’s take a scenario where an financial data report displayed to an user who is authorized to see his personal/organization’s financial data report but not expected to see other users/organ...

Cross-Site Request Forgery (CSRF) is a way to perform an malicious action by tricking legitimate web site users and using an valid user context to pass an malicious request to web server. Because the request is originated under a valid user context, web server failed to validate malicious intent and execute user request with full trust thus allow attacker to exploit any weakness in server side environment.

The Microsoft Security Assessment Tool (MSAT) is a risk-assessment application designed to provide information and recommendations about best practices for security within an information technology (IT) infrastructure.

UrlScan works as an ISAPI filter on Microsoft Internet Information Services (IIS) and protect IIS by restricts the malicious HTTP requests. When properly configured, UrlScan is effective at reducing the exposure of IIS to potential Internet attacks.

ModSecurity is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity out of the box, Trustwave’s SpiderLabs is providing a free certified rule set for ModSecurity 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to ...

The OWASP AntiSamy project is available in versions for Java & .Net respectively. It’s an API that helps you make sure that clients do not supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server.

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications.

Overview The Microsoft Baseline Security Analyzer (MBSA) provides a streamlined method to identify missing security updates and common security misconfigurations.
To easily assess the security state of Windows machines, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

About OWASP Top 10 Project OWASP Top 10 project was launched in 2003 to understand the top security risks & vulnerabilities associated with the Web Applications. The outcome of the project is the list of top 10 Threats & Vulnerabilities as found common across the globe. The Top 10 project is now referenced by many organizations and compliance groups including MITRE, PCI DSS, DISA and FTC. The latest version was released in 2010...

The below section enlist the common attacks applicable to most of web applications and must be considered. For a business critial application the checks & balances should be much more exaustive that can be identified with formal Threat Modeling exercise.

DREAD is a risk rating model that is used in Threat Modeling exercise.
Using DREAD Risk Rating Model along with STRIDE Model can be very helpful in understanding Threat influence and to priotize threats based on Risk Value assigned to each threat using DREAD Model.

STRIDE Model is recommended by Microsoft to analyze web application threats by allocating each threat under six different categories. STRIDE Model and Data Flow Diagrams can be used very effectively during Threat Modeling exercise.

Data Flow Diagram can be used effectively during Threat Modeling exercise. We first create high level DFDs and break further to clarify the context.

Think about Threat Modeling as the process to understand what all assets you need to protect, from whom you need to protect, how you protect, what is the implementation priority and what risk you live with if few of threats are not included in implementation scope.