PingOne Platform APIs

Code injection

What PingOne does to prevent code injection

  • Strict input validation (for form inputs, query parameters, and API requests) is enforced to ensure user-provided data is checked against expected formats. By validating inputs against defined rules (such as acceptable characters, data types, and length), PingOne prevents attackers from injecting malicious code through application fields.

  • Content Security Policy (CSP) headers are used to control the resources (such as scripts, styles, and images) that the browser may load and execute. This mitigates cross-site scripting (XSS), a common form of code injection, by ensuring that only trusted, pre-approved scripts can execute and that inline scripts are blocked.

  • Parameterized queries and prepared statements are used to protect against SQL injection. These methods separate user input from the query text, so even if an attacker submits SQL syntax it is bound as plain data rather than executed, preventing unauthorized database queries. For more information, refer to Parameterized ACIs, Optimized page searches using caching, and Searching entries.

  • Regular code reviews and static analysis tools are used to detect potential injection vulnerabilities during our development process. By identifying and addressing vulnerabilities early, PingOne reduces the likelihood of code injection issues in production environments.

  • Automated dynamic application security scans are used to identify vulnerabilities, such as SQL injection and XSS, in web applications. These scans help detect injection vulnerabilities before attackers can exploit them.

  • Regular third-party penetration testing is conducted on the PingOne platform to simulate real-world attacks, including code injection attempts. These tests help ensure that the platform’s defenses are strong enough to withstand sophisticated injection attacks.
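The input validation and parameterized query points above, as one added example that is not PingOne's code: an in-memory SQLite table with constructed rows, an allowlist validator for a username field, and a string-concatenated query beside its parameterized form so the difference in behaviour on a classic tautology payload is visible. The table and column names and the username format are assumptions.

```python
"""Input validation and parameterized queries side by side.

Added example, not PingOne's own code. Uses an in-memory SQLite table with
constructed sample rows; the table, column names and the username format
are assumptions.
"""
import re
import sqlite3

# Allowlist for a username field: 3-32 characters drawn from letters, digits,
# dot, underscore or hyphen. Anything else is rejected before it nears a query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def validate_username(value):
    """True only if value has the expected type, character set and length."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def setup_db():
    """Create a throwaway database holding constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds SQL by concatenation: the input becomes part of the query text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a parameter: it can only ever be compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_defended(conn, username):
    """Validation first, then a parameterized query: malformed input is
    rejected outright and whatever passes is still bound, never concatenated."""
    if not validate_username(username):
        raise ValueError("username does not match the expected format")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))     # every row leaks
    print(lookup_parameterized(conn, payload))  # [] : the payload is just a string
    try:
        lookup_defended(conn, payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(lookup_defended(conn, "alice"))
```

Validation and parameterization are complementary: the allowlist stops the request early and keeps bad data out of logs and downstream systems, while the bound parameter is what actually makes the query immune to the payload, even for fields whose format cannot be tightly constrained.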
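The CSP point above, as an added example that is not PingOne's code: building a nonce-based policy header and a simplified model of how a browser applies the script-src directive to inline and external scripts. The page origin, the CDN host and the sample scripts are assumptions, and the allow/deny logic is a simplified model (exact origin matching only, no wildcard or hash sources), not a full CSP implementation.

```python
"""Nonce-based Content Security Policy: building the header and a simplified
model of how a browser applies its script-src directive.

Added example, not PingOne's own code. The page origin, the CDN host and
the sample scripts are constructed; the allow/deny logic is a simplified
model of browser behaviour (exact origin match, no wildcard or hash
sources), not a full CSP implementation.
"""
import secrets
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://app.example.com"  # assumed origin of the served page
ALLOWED_CDN = "https://cdn.example.com"  # assumed trusted script host


def new_nonce():
    """Fresh, unguessable nonce per response; a reused nonce is as good as none."""
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Header value: scripts may come only from the page's own origin, the named
    CDN, or inline tags carrying this nonce. Everything else is blocked."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' {ALLOWED_CDN}; "
        "object-src 'none'; base-uri 'self'"
    )


def parse_directive(policy, name):
    """Return the source list of a directive, or None if the policy lacks it."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None


def script_allowed(policy, src=None, nonce=None):
    """Decide whether a script may execute under `policy`.

    src is the absolute URL of an external script, or None for an inline
    script; nonce is the script tag's nonce attribute, if any.
    """
    sources = parse_directive(policy, "script-src")
    if sources is None:
        sources = parse_directive(policy, "default-src") or []
    if src is None:
        # Inline script: allowed with a matching nonce, or with 'unsafe-inline'
        # when no nonce source is present (a nonce source disables 'unsafe-inline').
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True
        has_nonce_source = any(s.startswith("'nonce-") for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_source
    # External script: its origin must be 'self' or an explicitly listed host.
    parts = urlsplit(src)
    origin = f"{parts.scheme}://{parts.netloc}"
    if "'self'" in sources and origin == PAGE_ORIGIN:
        return True
    return origin in sources


if __name__ == "__main__":
    nonce = new_nonce()
    policy = csp_header(nonce)
    print("Content-Security-Policy:", policy)
    # The legitimate inline bootstrap script carries the nonce: allowed.
    print(script_allowed(policy, nonce=nonce))
    # A reflected payload like <script>alert(1)</script> has no nonce: blocked.
    print(script_allowed(policy))
    # A script pulled from an attacker-controlled host: blocked.
    print(script_allowed(policy, src="https://evil.example/x.js"))
```

The practical consequence is that a reflected or stored XSS payload still lands in the page, but the browser refuses to execute it because the attacker cannot know the per-response nonce; CSP reduces the impact of an injection that the input validation and output encoding missed, it does not replace them.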

What you can do to prevent code injection for your PingOne deployment and applications

  • Implement Intrusion Detection Systems (IDS) for your applications to monitor network traffic for suspicious behavior or abnormal requests that may indicate a code injection attempt. Real-time monitoring ensures administrators are alerted to unusual activity so they can respond quickly.

  • Use secure server configurations for your applications to reduce your attack surface and limit potential vulnerabilities. For instance, disable unnecessary ports and services, and keep software updated with the latest security patches.

  • Follow the least privilege principle, ensuring that both users and applications have only the minimum permissions necessary to perform their tasks. This limits the damage that can be done if an attacker successfully executes code. For more information, refer to Roles, scopes, and permissions.
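A minimal version of the request screening an IDS performs, as an added example that is not PingOne's code and not a substitute for a production IDS: constructed Common Log Format lines are parsed, each request target is URL-decoded and matched against a small illustrative set of injection signatures, and a source IP that crosses an assumed alert threshold is flagged. The log lines, signatures and threshold are all assumptions.

```python
"""Lightweight request-log screening for injection attempts.

Added example, not PingOne's own code and not a substitute for a real IDS.
The log lines are constructed (Common Log Format), the signatures are a
small illustrative set, and the alert threshold is an assumption.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines: normal traffic plus a few injection probes.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /api/users?name=alice HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2024:13:55:40 +0000] "GET /api/users?name=bob HTTP/1.1" 200 498
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /api/users?name=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
198.51.100.7 - - [10/Oct/2024:13:56:03 +0000] "GET /api/users?name=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 0
198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024
203.0.113.22 - - [10/Oct/2024:13:57:12 +0000] "POST /api/login HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures, applied to the URL-decoded request target.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli-union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "sqli-comment": re.compile(r"(--|#|/\*)\s*$"),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "xss-event-handler": re.compile(r"\bon\w+\s*=", re.I),
}


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the names of every signature the decoded target matches."""
    # Decode twice so a single layer of double encoding does not evade the match.
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(log_text, alert_threshold=2):
    """Scan log lines; return (per-line hits, source IPs at or over the threshold)."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec["target"])
        if tags:
            hits.append((rec["ip"], rec["target"], tags))
            per_ip[rec["ip"]] += 1
    alerts = sorted(ip for ip, n in per_ip.items() if n >= alert_threshold)
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = scan(SAMPLE_LOG)
    for ip, target, tags in hits:
        print(ip, tags, target)
    print("alert on:", alerts)
```

Signature matching of this kind is noisy on its own (a legitimate comment containing the word "union" or an encoded apostrophe will fire), which is why the example aggregates per source before alerting; a real IDS adds rate and behaviour baselines, and the alert should be tied to a response procedure rather than just a dashboard.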