School of Computer Science and Artificial Intelligence, SR University

Course Code: 23CS201PC302
Course Title: SOFTWARE ENGINEERING AND SYSTEM DESIGN
L R P Cr: 2 0 2 3
Program Core
Dr. Ajit Kumar, Assistant Professor

Unit 2
1. Design Principles: Abstraction, Decomposition, Modularity, Cohesion, Coupling, Information Hiding
2. Architectural Styles: Layered, Client-Server, MVC, Microservices vs Monolith
3. Object-Oriented Design Review - UML: Class, Sequence Diagrams; SOLID Principles
4. Design Patterns: Creational - Singleton, Factory Method, Structural - Adapter
5. Behavioral - Observer, Strategy, Command
6. Secure Coding Principles and Common Vulnerabilities Overview - OWASP Top 10 awareness

Session: Secure Coding Principles and Common Vulnerabilities Overview

Slide Title: Secure Coding Principles and Common Vulnerabilities Overview

What we are going to learn today
• Understand the need for secure coding in software development
• Explore common vulnerabilities through the OWASP Top 10
• Learn core secure coding principles
• Analyze real-world examples of insecure code
• Identify best practices for secure software design

What is Secure Coding?
• Writing software resistant to vulnerabilities
• Minimizing the attack surface
• Ensuring confidentiality, integrity, and availability (CIA)

Why is Secure Coding Important?
• Increasing cyberattacks
• Real-world breaches due to insecure code (e.g., Equifax breach)
• Compliance and legal implications

Secure Coding Principles
• Validate all inputs
• Use least privilege
• Keep software components updated
• Fail securely
• Avoid security through obscurity
• Keep security simple

Software Vulnerabilities
• Buffer Overflow – Writing data beyond memory boundaries, allowing code injection.
• SQL Injection (SQLi) – Malicious SQL queries inserted into input fields to access/modify the DB.
• Cross-Site Scripting (XSS) – Injecting malicious scripts into web pages viewed by others.
• Cross-Site Request Forgery (CSRF) – Tricking a user into performing unwanted actions on a trusted site.
• Insecure Deserialization – Manipulating serialized objects to run arbitrary code.
• Command Injection – Executing OS commands via unsanitized inputs.

System / Network Vulnerabilities
• Unpatched Software – Outdated versions with known exploits.
• Weak Authentication – Default passwords, poor password policies, or no MFA.
• Privilege Escalation – Gaining higher access rights than intended.
• Open Ports / Services – Unnecessary exposed services vulnerable to attacks.
• Misconfigurations – Weak permissions, exposed admin consoles, insecure APIs.

Cryptographic Vulnerabilities
• Weak Encryption (e.g., MD5, SHA-1, outdated TLS versions).
• Hardcoded Keys / Passwords – Secrets stored in code or configs.
• Insecure Key Management – Poor handling of cryptographic material.
• Replay Attacks – Reusing valid authentication tokens/messages.

Human / Process Vulnerabilities
• Social Engineering – Phishing, pretexting, baiting users.
• Poor Security Awareness – Employees falling for scams.
• Improper Access Control – Granting unnecessary privileges.
• Insider Threats – Malicious or careless internal users.

OWASP Overview
OWASP: Open Worldwide Application Security Project
• Community-driven effort to improve software security
• Produces freely available tools, documentation, and standards
OWASP Top 10 - Overview
• List of the most critical web application security risks
• Regularly updated (latest: 2021)
• Helps teams focus on what matters most in web security

OWASP Top 10 (2021)
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable & Outdated Components
7. Identification & Authentication Failures
8. Software & Data Integrity Failures
9. Security Logging & Monitoring Failures
10. Server-Side Request Forgery (SSRF)

1. Broken Access Control
• A system where access is not granted as per user roles, i.e. anyone in the system can access any resource; the principle of least privilege is not being followed.
• Use of insecure direct object references to access someone else's account without their knowledge.
• Lack of access controls on PUT, POST, DELETE in APIs.
• Any kind of tampering with JSON web tokens to elevate privileges, like changing the role from 'user' to that of an 'admin'.
https://www.geeksforgeeks.org/ethical-
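
The checks that are missing in the cases above, as an added example that is not part of the original slides: a deny-by-default authorization function that covers every HTTP method and verifies object ownership. The `User` type, the `ACCOUNTS` data and the `ROLE_METHODS` table are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str   # taken from the server-side session, never from request data

# Constructed sample data: account id -> id of the owning user.
ACCOUNTS = {101: 1, 102: 2}

# Hypothetical policy table. A (role, method) pair that is not listed is denied,
# so PUT, POST and DELETE are covered by the same check as GET.
ROLE_METHODS = {
    "user": {"GET", "PUT"},
    "admin": {"GET", "PUT", "POST", "DELETE"},
}

def authorize(user: User, method: str, account_id: int) -> bool:
    """Return True only if this user may apply this method to this account."""
    if method not in ROLE_METHODS.get(user.role, set()):
        return False                      # unknown role or method: deny
    owner = ACCOUNTS.get(account_id)
    if owner is None:
        return False                      # unknown object: deny
    # Object-level check: a valid login alone is not enough, the caller must
    # own the referenced account (this is what stops an IDOR) or be an admin.
    return user.role == "admin" or owner == user.user_id
```
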

2. Cryptographic Failures
A company stores the passwords of its users without proper encryption. An attacker who successfully gains access to the database could easily obtain the credentials of all the users. Hashes made by simple hash functions can be cracked easily with powerful GPUs.
https://www.geeksforgeeks.org/ethical-

3. Injection
Injection vulnerabilities occur when an attacker uses a query or command to insert untrusted data into the interpreter via SQL, OS, NoSQL, or LDAP injection. The data that is injected through this attack vector makes the application do something it is not designed for.
https://www.geeksforgeeks.org/ethical-

4. Insecure Design
• A mobile banking app allows users to transfer money between accounts. However, the app's design does not require re-authentication for high-value transactions, like transferring a large sum of money. Instead, it only asks for authentication during the initial login session.
• An attacker who gains access to a user's unlocked phone can initiate a high-value transfer without needing to re-authenticate, allowing unauthorized transactions.

5. Security Misconfiguration
A company sets up a new content management system (CMS) for its corporate website. The system is installed using default settings, including the default administrator username and password (admin/admin). The team forgets to change these credentials before deploying the website to production.

6. Vulnerable and Outdated Components
A company’s web application runs on Apache Struts 2.3, a version with a known vulnerability that allows remote code execution (RCE). Despite the patch being available for months, the company fails to update the framework. An attacker scans for applications using this outdated version, exploits the vulnerability, and gains control of the server, allowing them to execute arbitrary commands, access sensitive data, and potentially pivot deeper into the network.
https://www.geeksforgeeks.org/ethical-

7. Identification and Authentication Failures
A mobile app allows users to log in using only their email address, without requiring a password or any second factor of authentication. Once an attacker identifies a valid email address, they can impersonate that user and gain full access to their account without needing to prove their identity.
https://www.geeksforgeeks.org/ethical-

8. Software and Data Integrity Failures
A company sets up automatic updates for its desktop software but does not verify the authenticity of the update source or use digital signatures. An attacker compromises the update server and pushes a malicious software update. All clients that download the update unknowingly install malware.
https://www.geeksforgeeks.org/ethical-

9. Security Logging and Monitoring Failures
An e-commerce website suffers a brute-force login attack, where an attacker makes thousands of login attempts using different username and password combinations. However, the system lacks proper logging and monitoring, so the repeated failed login attempts go unnoticed by the security team until user accounts are compromised.
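
The monitoring that is missing in this scenario, as an added example that is not part of the original slides: a sliding-window detector that raises an alert when one source IP accumulates repeated login failures. The log format, the threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical): "<UTC timestamp> <EVENT> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one source failing against six accounts in 50 seconds,
# plus an ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{s:02d}Z LOGIN_FAIL user=user{s} ip=203.0.113.5"
    for s in range(0, 60, 10)
] + [
    "2024-05-01T10:00:15Z LOGIN_FAIL user=carol ip=198.51.100.7",
    "2024-05-01T10:00:25Z LOGIN_OK user=carol ip=198.51.100.7",
]

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert each time a source IP reaches `threshold` failures within `window`."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) of its recent failures
    alerts = []
    for line in lines:            # lines of one source are assumed to be in time order
        m = LINE_RE.match(line.strip())
        if m is None or m["event"] != "LOGIN_FAIL":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) == threshold:           # fire when the threshold is reached
            alerts.append({"ip": m["ip"], "since": q[0][0], "failures": len(q),
                           "distinct_users": len({u for _, u in q})})
    return alerts
```

Counting distinct usernames per source separates one user mistyping a password from a single source trying many accounts.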

10. Server-Side Request Forgery
• A web application allows users to input a URL to fetch and display metadata (e.g., a preview of a link). The server takes the user-supplied URL and makes an HTTP request to retrieve content, without proper validation or restriction.
• The attacker tricks the server into making a request to an internal resource that would otherwise be inaccessible, leading to credential theft or internal network access.
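
The validation that the link-preview server lacks, as an added example that is not part of the original slides: accept a URL only if it uses http(s) and its host resolves exclusively to public addresses. The function names and the injectable `resolver` parameter are hypothetical; the parameter lets the check be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_fetch_target(url, resolver=resolve):
    """True only for http(s) URLs whose host resolves solely to public addresses."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addresses = resolver(parts.hostname)
        if not addresses:
            return False
        # is_global is False for loopback, private (RFC 1918), link-local and
        # other special-purpose ranges, for both IPv4 and IPv6. One internal
        # address among several is enough to reject the URL.
        return all(ipaddress.ip_address(a).is_global for a in addresses)
    except (ValueError, OSError):
        return False   # unparsable URL or failed lookup: fail securely
```

The fetch itself should connect to the address that was validated and re-check every redirect, since a name can resolve differently between the check and the request.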