Mitigating OWASP Top Ten Risks in Cloud-Native Healthcare and Education Platforms: A Comparative Analysis of SQL Injection and Cross-Site Scripting Defenses

Authors

  • Sri Gantikota, Senior Software Engineer, San Diego, California 92101, USA.

DOI:

https://doi.org/10.63282/3117-5481/AIJCST-V6I1P107

Keywords:

OWASP Top Ten, SQL Injection, Cross-Site Scripting, XSS, Parameterized Queries, Contextual Output Encoding, Healthcare Software, Education Software, Cloud-Native, Application Security, Defense In Depth

Abstract

The Open Web Application Security Project Top Ten remains the most widely referenced consensus statement on web application security risks. Its 2021 revision consolidated cross-site scripting into the broader injection category, elevated broken access control to the top position, and introduced new categories for insecure design and software and data integrity failures. The categories are not abstract: they map directly to defect classes that recur across cloud-native applications regardless of domain. This paper compares mitigation patterns for two long-standing high-impact categories, SQL injection and cross-site scripting, in two regulated domains in which the author has worked: healthcare software and university research and education platforms. The two domains share the structural property that the data they handle is sensitive and regulated, but they differ in deployment topology, in user population, and in the engineering practices typical of their respective organizations. The paper documents the defenses that worked in each domain, the differences in how those defenses had to be expressed to fit the local engineering culture, and the residual risks that remained after the defenses were in place. The intent is to give practitioners a comparative reference that goes beyond restating the OWASP categories and reaches the level of operational detail at which security work actually happens.


Published

2024-01-18

Section

Articles

How to Cite

[1] S. Gantikota, “Mitigating OWASP Top Ten Risks in Cloud-Native Healthcare and Education Platforms: A Comparative Analysis of SQL Injection and Cross-Site Scripting Defenses”, AIJCST, vol. 6, no. 1, pp. 65–70, Jan. 2024, doi: 10.63282/3117-5481/AIJCST-V6I1P107.
