Module 16 of 16 · 📖 5 min read · ⏱ 30 min total
FI-AE 16 IT Security, OWASP Top 10 and GDPR
In this module, you will learn the essential concepts of IT security for application developers. You will understand the most common security vulnerabilities from the OWASP Top 10 and learn how to avoid them in practice. Additionally, you will acquire in-depth knowledge of secure authentication mechanisms and the GDPR-relevant obligations when processing personal data.
The focus is on practical applicability: you will receive specific implementation guidelines for securing web applications and complying with data protection requirements, particularly with regard to the principle of data minimization.
Concepts and Background
- OWASP Top 10
- The annually updated list of the ten most critical security risks for web applications. It serves as a guide for developers to identify and avoid the most common attack vectors such as Injection, Broken Authentication, and Cross-Site Scripting.
- Authentication vs. Authorization
- Authentication verifies the identity of a user (Who are you?), while authorization determines which actions an authenticated user is permitted to perform (What are you allowed to do?). Both processes are crucial for application security.
- Data Minimization
- A principle of the GDPR that states only the personal data necessary for the processing purpose may be collected and processed. Unnecessary data should not be stored.
- Principle of Least Privilege
- A security principle stating that users and systems should only receive the minimal necessary rights for their tasks. This limits potential damage in case of a security incident.
Architecture Diagram
```mermaid
flowchart LR
    A[Internet] --> B[Web Application Firewall]
    B --> C[Load Balancer]
    C --> D[Webserver 1]
    C --> E[Webserver 2]
    D --> F[Database]
    E --> F
    G[Admin Interface] --> H[Remote Admin Server]
```
Practical Steps
- Implement HTTPS for all applications with a valid TLS certificate. This protects data transmission between client and server.
- Use prepared statements for all database queries to prevent SQL injection attacks.
- Enforce secure password policies: minimum length of 12 characters, mix of uppercase/lowercase, numbers, and special characters.
- Implement Multi-Factor Authentication (MFA) for all administrative accounts and users with sensitive data access.
- Validate and sanitize all user inputs server-side to prevent Cross-Site Scripting (XSS) and other injection attacks.
- Configure CSP headers (Content Security Policy) to prevent the execution of unauthorized scripts.
- Implement secure session management with regular regeneration of session ID after login and sensitive actions.
- Appoint a Data Protection Officer and document all data processing procedures according to GDPR Article 30.
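The prepared-statement, password-policy and session-regeneration steps above, worked through in Python as an added example (not code from this module); the in-memory users table, the sample input containing a quote character and the session dictionary are all constructed for the demonstration.

```python
import re
import secrets
import sqlite3

# Constructed in-memory sample data (not from the module). A real application
# would have its own schema and store password hashes, never plaintext.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "user"), ("bob", "user"), ("root", "admin")])


def find_user_unsafe(name):
    """Vulnerable: the input is pasted into the SQL text, so a quote character
    in `name` changes the structure of the query (SQL injection)."""
    rows = _conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]


def find_user_safe(name):
    """Hardened: a prepared statement with a bound parameter. The driver passes
    `name` purely as data, so it can never alter the query itself."""
    rows = _conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


# The module's policy: at least 12 characters, uppercase, lowercase, digits
# and special characters. Each pattern must match somewhere in the password.
_POLICY = [re.compile(p) for p in
           (r".{12,}", r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def password_meets_policy(password):
    return all(p.search(password) for p in _POLICY)


def regenerate_session(session):
    """Give the session a fresh, unguessable ID while keeping its data. Call
    this after login and before sensitive actions so an ID issued before
    authentication is never carried over (session fixation defence)."""
    session["id"] = secrets.token_urlsafe(32)
    return session["id"]


if __name__ == "__main__":
    hostile = "x' OR '1'='1"         # constructed input with a quote character
    print(find_user_unsafe(hostile))  # the whole table leaks
    print(find_user_safe(hostile))    # no such user, nothing leaks
    print(password_meets_policy("correct horse battery"))  # False
```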
Common Pitfalls
Further Resources
- OWASP Top 10 Official Documentation
- Federal Commissioner for Data Protection and Freedom of Information (BfDI) - GDPR
- OWASP Authentication Cheat Sheet
- GDPR.eu - Practical Guides for GDPR Implementation
- OWASP Cheat Sheet Series - Comprehensive Security Guides
Knowledge Check
Four questions for self-assessment. The correct answer and an explanation follow each question.
What is the main difference between authentication and authorization?
- A) Authentication checks permissions, authorization verifies identity
- B) Authentication verifies identity, authorization sets permissions
- C) Authentication always occurs before authorization
- D) Authorization is only relevant for administrators
Correct Answer: B. Authentication determines who the user is, while authorization determines what the user is allowed to do. Option A confuses the terms. Option C is often the case but not a defining difference. Option D is incorrect as authorization is relevant for all user roles.
Which of the following examples most violates the principle of data minimization?
- A) Storing email addresses for customer communication
- B) Collecting birth data only for age-restricted content
- C) Collecting browsing history for personalized advertising
- D) Logging login attempts for security
Correct Answer: C. Browsing history is not required for personalized advertising and exceeds the processing purpose. Options A and B are appropriate for the stated purpose. Option D serves the security purpose and is therefore justified.
Which measure is most effective for preventing SQL injection attacks?
- A) Regular password changes for database users
- B) Using prepared statements
- C) Restricting database user permissions
- D) Implementing a Web Application Firewall
Correct Answer: B. Prepared statements separate SQL code from data, effectively preventing SQL injection. Option A protects against password theft, not injection. Option C reduces risk but does not completely prevent it. Option D can block attacks but is not direct prevention in code.
Which of the following attacks is classified as "Broken Access Control" in the OWASP Top 10 2021?
- A) Cross-Site Scripting (XSS)
- B) SQL Injection
- C) Broken Authentication
- D) Insecure Direct Object References
Correct Answer: D. Insecure Direct Object References is a form of broken access control where attackers can manipulate references to objects to access unauthorized data. Option A is a separate category. Option B is injection-based. Option C is authentication-related.
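The Insecure Direct Object Reference from the last question, shown in Python as an added example (not code from this module): a lookup that trusts the ID in the request beside one that checks, per request, whether the authenticated user is entitled to that object. Users, roles and documents are constructed sample data, and DENIED_LOG stands in for the application's security log.

```python
# Constructed sample data: which user owns which document, and user roles.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's contract"},
}
USERS = {"alice": {"role": "user"},
         "bob": {"role": "user"},
         "carol": {"role": "admin"}}
DENIED_LOG = []  # stand-in for the security log a SOC would monitor


def fetch_document_insecure(doc_id):
    """Vulnerable: whoever supplies a document ID gets the document. The ID
    taken from the URL or form is treated as proof of entitlement."""
    return DOCUMENTS[doc_id]["body"]


def fetch_document_secure(username, doc_id):
    """Hardened: the server decides for every request whether this user may
    read this object. `username` comes from the authenticated session, never
    from client-controlled input, and only owners or admins are allowed."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    role = USERS[username]["role"]
    if doc["owner"] != username and role != "admin":
        # Record the denial: many denials for sequential IDs from one account
        # are a typical signal of someone enumerating object references.
        DENIED_LOG.append(f"user={username} denied doc_id={doc_id}")
        raise PermissionError(f"{username} may not read document {doc_id}")
    return doc["body"]
```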