Preventing Cross-site Scripting (XSS)

Recommendations:

Fix recommendations for XSS
  • Validate data at the source, for example on the server
  • Perform input validation
  • Perform output validation
  • Use Regular Expressions for validating the inputs. Should there be a requirement to use special characters, such requirements must be approved and the Regular Expressions updated to accept those special characters
  • Follow a white-list validation approach
  • Do not use a black-list validation approach
  • On error, reject all invalid inputs and clear the user input values
  • Validate all data passing between trust boundaries
  • Develop, maintain, educate on and follow Secure Coding practices
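The following is an added example (not code from the original post) showing the white-list validation, reject-and-clear and output validation rules above in a small server-side handler; the field names, patterns and sample values are constructed for illustration.

```python
import html
import re

# White-list patterns for the fields this (hypothetical) form accepts. Each pattern
# describes the only characters a field may contain; anything else is rejected, so
# a new special-character requirement means an approved change to the pattern.
FIELD_PATTERNS = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "zip_code": re.compile(r"^\d{5}$"),
}


def validate_field(name: str, value: str) -> bool:
    """White-list validation: True only if the value fully matches the field's pattern."""
    pattern = FIELD_PATTERNS.get(name)
    return pattern is not None and pattern.fullmatch(value) is not None


def validate_form(form: dict) -> dict:
    """Server-side validation of a whole request.

    On any error the whole submission is rejected and every value is cleared,
    rather than keeping the valid fields and echoing the rest back to the user.
    """
    for name, value in form.items():
        if not validate_field(name, value):
            return {"ok": False, "values": {key: "" for key in form}}
    return {"ok": True, "values": dict(form)}


def render_greeting(display_name: str) -> str:
    """Output validation: every untrusted value written into HTML is escaped, even
    after input validation passed, so markup characters render as literal text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample submissions: one valid, one carrying markup in a field.
    print(validate_form({"username": "alice_01", "zip_code": "12345"}))
    print(validate_form({"username": "alice<b>", "zip_code": "12345"}))
    print(render_greeting("O'Neil <b>"))
```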


SecureFirst Solutions Private Limited is a security centric Product-cum-Services Organization assisting its Clients to develop and maintain security applications. Our offerings are classified broadly into two categories:
1. Product: Vulnerability Management System (VMS)
2. Services: Security as a Service (SaaS)

Download our brochure at: http://securefirstsolutions.com/downloads/SecureFirstSolutions_Brochure.pdf

Learn more about our Security Offerings at: http://securefirstsolutions.com/

 

Preventing Injection Flaws

Recommendations for preventing injection flaws:

Prevention recommendations for injection flaws
  • Validate user inputs before passing them to the query
  • Use stored procedures or prepared statements. However, this alone does not safeguard against injection flaws
  • Use safe APIs that provide parameterized interfaces
  • Escape special characters before passing them to the query
  • Follow a white-list validation approach
  • Conduct server-side validation
  • If special characters are required to be passed to the query, then safely escape them using safe, customizable APIs
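As an added example (not code from the original post), the parameterized-API and white-list rules above applied with Python's built-in sqlite3 module: values are bound as parameters, and the one part of the statement that cannot be parameterized (a sort column name) is checked against a white list instead. The table and rows are constructed sample data.

```python
import sqlite3

# Identifiers such as column names cannot be bound as query parameters, so the
# caller's choice is restricted to an explicit white list rather than escaped.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample table; one name deliberately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_users(conn: sqlite3.Connection, name: str, sort_by: str = "name") -> list:
    """Parameterized lookup.

    The user-supplied name is bound via the '?' placeholder, so the driver sends
    it as data and the SQL text never changes whatever characters it contains.
    The sort column is validated against the white list before being interpolated.
    """
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    sql = "SELECT id, name, email FROM users WHERE name = ? ORDER BY " + sort_by
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # The quote in the input is handled by the driver, not by string escaping.
    print(find_users(db, "O'Brien"))
    print(find_users(db, "nobody"))
```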



Data Classification

Data: Information in its raw format or unrecognized form (such as alphabets, numbers or special characters). Example: 3210521410236547

Information: Meaningful data or processed data. Example: Debit/Credit card number is: 3210-5214-1023-6547

Data Classification: Every Organization has to segregate its data into various categories and restrict user access based on a well-documented and maintained access control process.

The following is a depiction of Data Classification: its meaning, usage, measures to be taken in case of non-compliance, and an example from each category.

Data Classification

Security as a Service

SecureFirst Solutions provides the following Security Offerings.

SecureFirst Offerings

Our Services Offering includes the Security as a Service (SaaS) model covering all the phases of Secure Software Development LifeCycle (SDLC):

Security as a Service (SaaS) in Secure SDLC
  • Requirement Gathering Phase: Security Requirement Gathering Questionnaire and Evaluation
  • Design Phase: System Design & Threat Modeling
  • Development Phase: Static Code Analysis Security Testing (SAST)
  • Testing Phase: Vulnerability Assessment & Penetration Testing (VAPT)
  • Deployment Phase: Network Penetration Testing (NPT)
  • Maintenance Phase & Post Production Deployment Phase: Continuous Monitoring and Reporting of ZERO-Day attacks, Vendor patches, Hot fixes, Third party fix recommendations; Threat Intelligence; Risk Ranking; Customized Threat Intelligence Reporting

We follow the below SaaS Methodology to cover Secure SDLC & Post Production Deployment.

Security as a Service: Methodology

Also, as part of our offering, we conduct a thorough evaluation of your Organization's security posture in line with the BSIMM7 model and provide complete guidelines during this activity.

Read more about BSIMM7

BSIMM Sample Evaluation Template

Contact us at: info@SecureFirstSolutions.com

 

Upgraded our offering from BSIMM6 to BSIMM7

We have just upgraded our offering from BSIMM6 to BSIMM7. Here are the five activity changes in BSIMM7:

  1. AM1.1 Build and maintain a top N possible attacks list became AM2.5
  2. AM1.4 Collect and publish attack stories became AM2.6
  3. AM1.6 Build an internal forum to discuss attacks became AM2.7
  4. CR1.1 Use a top N bugs list (real data preferred) became CR2.7
  5. CR2.2 Enforce coding standards became CR3.5

Below are the screenshots from our VMS Product integrated with BSIMM7. For complete evaluation of your Organization against BSIMM7, send us an email at: info@SecureFirstSolutions.com.

BSIMM7 User inputs screen
BSIMM7 Evaluation Results

BSIMM sample evaluation template available

We are glad to release a sample self-evaluation template of BSIMM-V (Building Security Into Maturity Model) on our website.

Direct link: http://www.securefirstsolutions.com/BSIMMGovernance.html

Link to BSIMM-V Sample self-evaluation template
Sample BSIMM-V self-evaluation page

Make the best use of this opportunity to record the Activities conducted at your Firm/Organization and compare how many other Firms already have each activity in place. BSIMM-V evaluated 67 firms against the four Domains 'Governance', 'Intelligence', 'SSDLC Touchpoints' and 'Deployment' and reports the number of firms that have a particular Activity in place.

This sample evaluation template is available on our website only for the 'Strategy & Metrics (SM)' Practice under the 'Governance' Domain. For a complete BSIMM6 evaluation, please email us at info@SecureFirstSolutions.com and our Executive will provide more details.