Such threats and loopholes are basically the same ones commonly used as references for VA/PT testing. For example, according to the OWASP Top 10 for web applications, they are:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
The main difference in their use is that such threats are applied against zero-day vulnerabilities, which are vulnerabilities either unknown to the organization (i.e., it does not know they should require mitigation) or known but for which a patch has not been developed yet.
Until the zero-day vulnerabilities are mitigated, hackers can exploit them to compromise information security. For such situations, the application of control 6.1.4 Contact with special interest groups, for earlier identification of zero-day vulnerabilities, is highly recommended.
These articles will provide you with a further explanation about OWASP and special interest groups:
- How to use Open Web Application Security Project (OWASP) for ISO 27001? https://advisera.com/27001academy/blog/2018/04/24/how-to-use-open-web-application-security-project-owasp-for-iso-27001/
- Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
This material will also help you regarding OWASP:
- OWASP Top Ten https://owasp.org/www-project-top-ten/
Nov 25, 2021