3.2.c Common Security Threats

While designing a system, it's important to be aware of common vulnerabilities and plan defenses against them. You don't need to be a cybersecurity expert, but showing awareness of these threats demonstrates a mature design approach.

SQL Injection (SQLi)

• What it is: An attack where malicious SQL code is inserted into user input fields. If the application constructs its database queries by simply concatenating strings, this malicious code can get executed by the database, allowing an attacker to bypass authentication, steal data, modify data, or even gain administrative control over the database.
• Mitigation:
  • Prepared Statements (with Parameterized Queries): This is the primary defense. It separates the SQL query logic from the data. The database is told what the query structure is first, and then the user input is supplied as a parameter, ensuring it is treated only as data and never as executable code.
  • Use ORMs (Object-Relational Mappers): Modern ORMs typically use prepared statements under the hood, providing a strong layer of protection.
  • Input Validation and Sanitization: Treat all user input as untrusted.

Cross-Site Scripting (XSS)

• What it is: An attack where malicious scripts (usually JavaScript) are injected into a web page that is then viewed by other users. When another user's browser loads the page, it executes the malicious script. This can be used to steal the user's session cookies, impersonate the user, or deface the website.
• Mitigation:
  • Output Encoding: Before rendering user-generated content in a web page, encode it so the browser interprets it as literal text rather than executable code (e.g., convert < to <, > to >). Modern templating engines often do this automatically.
  • Content Security Policy (CSP): Use the Content-Security-Policy HTTP header to tell the browser which sources of content (scripts, styles, images) are trusted. This can prevent the execution of scripts from untrusted sources.

Cross-Site Request Forgery (CSRF)

• What it is: An attack that tricks an authenticated user's browser into making an unwanted, malicious request to a web application. For example, a user logs into their banking site, then visits a malicious website. A link or script on the malicious site could trigger a request to the banking site (e.g., POST /transfer?to=attacker&amount=1000) from the user's browser. Since the browser automatically includes the user's session cookies, the banking site sees it as a legitimate request.
• Mitigation:
  • Anti-CSRF Tokens: The server generates a unique, unpredictable token for the user's session and embeds it in forms as a hidden field. When the user submits the form, the server validates that the token in the request matches the one stored for the session. This proves the request originated from the legitimate site.
  • SameSite Cookie Attribute: Setting cookies with SameSite=Strict or SameSite=Lax instructs the browser not to send them on cross-site requests, which mitigates most CSRF attacks.

Denial-of-Service (DoS) / Distributed DoS (DDoS)

• What it is: An attempt to make a machine or network resource unavailable to its intended users by overwhelming it with a flood of superfluous requests or traffic. A DDoS attack uses a large number of compromised computer systems (a botnet) to launch the attack from many different locations.
• Mitigation: This requires a multi-layered approach.
  • Edge Protection: Use a CDN or a specialized cloud-based DDoS mitigation service (like Cloudflare, Akamai, AWS Shield). These services can absorb and filter malicious traffic at the network edge before it ever reaches your application servers.
  • Rate Limiting: Implement rate limiting at your API Gateway or Load Balancer to block traffic from individual sources that exceed defined thresholds.
  • Scalable Infrastructure: Design your system to scale horizontally to handle traffic spikes.

Summary for an Interview

• Acknowledge that security is a core requirement.
• For web applications, mention you would mitigate common threats like SQL Injection by using prepared statements, XSS with output encoding and CSP, and CSRF with anti-CSRF tokens.
• State that DDoS protection is best handled at the edge using a CDN or cloud provider service, supplemented by rate limiting. This demonstrates a practical, layered approach to security.