learn-pr/advocates/top-5-security-items-to-consider/3-inputs-and-outputs.yml
+27-27Lines changed: 27 additions & 27 deletions
@@ -5,8 +5,8 @@ metadata:
5
5
title: Inputs and Outputs
6
6
description: Inputs and Outputs
7
7
author: patridge
8
-
ms.author: adpatrid
9
-
ms.date: 05/26/2023
8
+
ms.author: robmcm
9
+
ms.date: 03/14/2025
10
10
ms.topic: unit
11
11
durationInMinutes: 10
12
12
content: |
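Review bot: the `description:` field in the unchanged context still just repeats the title ("Inputs and Outputs"); since this hunk already touches the metadata block, consider giving it a sentence that summarises the unit (input validation, parameterized queries, output encoding) so the page has a meaningful summary. Also, the `ms.author` change and the `ms.date` bump are the only substantive edits here and should be mentioned in the commit description as an ownership hand-off rather than left implicit.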
@@ -15,44 +15,44 @@ quiz:
15
15
title: Check your knowledge
16
16
questions:
17
17
18
-
- content: 'Which of the following data sources need to be validated?'
18
+
- content: "Which of the following data sources need to be validated?"
19
19
choices:
20
-
- content: 'Data from a 3rd party API'
20
+
- content: "Data from a third-party API"
21
21
isCorrect: false
22
-
explanation: 'This is just one of many sources that needs to be validated.'
23
-
- content: 'Data from the URL parameter'
22
+
explanation: "This is just one of many sources that needs to be validated."
23
+
- content: "Data from the URL parameter"
24
24
isCorrect: false
25
-
explanation: 'This is just one of many sources that needs to be validated'
26
-
- content: 'Data collected from the user via an input field'
25
+
explanation: "This is just one of many sources that needs to be validated."
26
+
- content: "Data collected from the user via an input field"
27
27
isCorrect: false
28
-
explanation: 'This is just one of many sources that needs to be validated.'
29
-
- content: 'All of the above'
28
+
explanation: "This is just one of many sources that needs to be validated."
29
+
- content: "All of the above"
30
30
isCorrect: true
31
-
explanation: 'All these sources of data need to be validated. Never trust any data that could have been modified.'
31
+
explanation: "All these sources of data need to be validated. Never trust any data that could have been modified."
32
32
33
-
- content: 'Parameterized queries (stored procedures in SQL) are a secure way to talk to the database because:'
33
+
- content: "Parameterized queries (stored procedures in SQL) are a secure way to talk to the database because:"
34
34
choices:
35
-
- content: 'They're more organized than inline database commands, and therefore less confusing for users.'
35
+
- content: "They're more organized than inline database commands, and therefore less confusing for users."
36
36
isCorrect: false
37
-
explanation: 'Organization of the code is not the reason that parameterized queries are more secure than inline SQL.'
38
-
- content: 'There's a clear outline of the script in the stored procedure, ensuring better visibility.'
37
+
explanation: "Organization of the code isn't the reason that parameterized queries are more secure than inline SQL."
38
+
- content: "There's a clear outline of the script in the stored procedure, ensuring better visibility."
39
39
isCorrect: false
40
-
explanation: 'Clear outline of the script is not the reason that parameterized queries are more secure than inline SQL.'
41
-
- content: 'Parameterized queries substitute variables before running queries, meaning it avoids the opportunity for code to be submitted in place of a variable.'
40
+
explanation: "Clear outline of the script isn't the reason that parameterized queries are more secure than inline SQL."
41
+
- content: "Parameterized queries substitute variables before running queries, meaning it avoids the opportunity for code to be submitted in place of a variable."
42
42
isCorrect: true
43
-
explanation: 'Parameter fields used in parameterized queries are treated as data, not code, protecting against injection vulnerabilities. For more information on how to implement parameterized queries please see the [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html).'
43
+
explanation: "Parameter fields used in parameterized queries are treated as data, not code, protecting against injection vulnerabilities. For more information on how to implement parameterized queries please see the [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)."
44
44
45
-
- content: 'Which of the following data needs to be output encoded?'
45
+
- content: "Which of the following data needs to be output encoded?"
46
46
choices:
47
-
- content: 'Data saved to the database'
47
+
- content: "Data saved to the database"
48
48
isCorrect: false
49
-
explanation: 'Although data saved to the database needs to be validated to ensure the data is good, we don't need to encode it for output.'
50
-
- content: 'Data to be output to the screen'
49
+
explanation: "Although data saved to the database needs to be validated to ensure the data is good, we don't need to encode it for output."
50
+
- content: "Data to be output to the screen"
51
51
isCorrect: true
52
-
explanation: 'Data sent to the screen needs to be output encoded to ensure it's never interpreted as code.'
53
-
- content: 'Data sent to a 3rd party API'
52
+
explanation: "Data sent to the screen needs to be output encoded to ensure it's never interpreted as code."
53
+
- content: "Data sent to a third-party API"
54
54
isCorrect: false
55
-
explanation: 'Although data sent to a 3rd party API needs to be validated to ensure the data is good, we don't need to encode it for output.'
56
-
- content: 'Data in the URL parameters'
55
+
explanation: "Although data sent to a third-party API needs to be validated to ensure the data is good, we don't need to encode it for output."
56
+
- content: "Data in the URL parameters"
57
57
isCorrect: false
58
-
explanation: 'Although data from URL Parameters needs to be validated before it's used in our application, we don't need to encode it for output.'
58
+
explanation: "Although data from URL Parameters needs to be validated before it's used in our application, we don't need to encode it for output."
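Review bot: the second question, "Parameterized queries (stored procedures in SQL) are a secure way to talk to the database because:", equates parameterized queries with stored procedures, but a stored procedure that builds dynamic SQL from its arguments is still injectable; since the hunk already rewords this line, consider dropping the parenthetical or changing it to something like "(for example, prepared statements, or stored procedures that don't concatenate their inputs)". The explanation for the correct answer, "treated as data, not code", is the accurate statement and could be echoed in the question. Separately, the switch from single to double quotes is more than a style change: as shown, several of the old single-quoted scalars, such as `'They're more organized ...'` and `'There's a clear outline ...'`, contain unescaped apostrophes, which terminate a YAML single-quoted scalar early, so this is worth calling out as a parse fix rather than a cosmetic edit.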
learn-pr/advocates/top-5-security-items-to-consider/includes/2-azure-security-center.md
+10-10Lines changed: 10 additions & 10 deletions
@@ -15,9 +15,9 @@ Defender for Cloud is part of the [Center for Internet Security](https://www.cis
15
15
16
16
## Activating Microsoft Defender for Cloud
17
17
18
-
Microsoft Defender for Cloud provides unified security management and advanced threat protection for hybrid cloud workloads and is offered in several plans. The Foundational Cloud Security Posture Management (CSPM) plan, which is free and activated by default provides security policies, assessments, and recommendations. The Defender CSPM plan provides a robust set of features, including threat intelligence. There are also plans for Servers, App Service, and more.
18
+
Microsoft Defender for Cloud provides unified security management and advanced threat protection for hybrid cloud workloads, and is offered in several plans. The Foundational Cloud Security Posture Management (CSPM) plan, which is free and activated by default provides security policies, assessments, and recommendations. The Defender CSPM plan provides a robust set of features, including threat intelligence. There are also plans for Servers, App Service, and more.
19
19
20
-
Given the benefits of Defender for Cloud, the security team at your company has decided that it will be turned on for all subscriptions at your office. You got an email this morning to turn it on for your applications, so let's look at how to do that.
20
+
Given the benefits of Defender for Cloud, your company's security team has decided to turn it on for all subscriptions at your office. You got an email this morning to turn it on for your applications, so let's look at how to do that.
21
21
22
22
> [!IMPORTANT]
23
23
> Microsoft Defender for Cloud is not supported in the free Azure sandbox. You can perform these steps in your own subscription, or just follow along to understand how to activate Defender for Cloud.
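Review bot: the first rewritten paragraph still reads "which is free and activated by default provides security policies"; the parenthetical clause needs a closing comma ("which is free and activated by default, provides ...") since the hunk is already editing that sentence. The same paragraph says the Foundational CSPM plan is "activated by default" while the later "Turning off" section walks through toggling the Defender CSPM plan off; it would help readers to state here that the free plan stays on when the paid plan is disabled, so the two sections don't appear to contradict each other.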
@@ -26,7 +26,7 @@ Given the benefits of Defender for Cloud, the security team at your company has
26
26
27
27

28
28
29
-
1. If you've never opened Defender for Cloud, the pane will start on the **Getting started** entry which might ask you to upgrade your subscription. Ignore that for now; select **Skip** at the bottom of the page, then select **Overview**.
29
+
1. If you've never opened Defender for Cloud, the pane starts on the **Getting started** entry, which might ask you to upgrade your subscription. Ignore that for now; select **Skip** at the bottom of the page, then select **Overview**.
30
30
- This will display the "big security picture" across all the elements available in your subscription.
31
31
- This has a ton of great information you can explore.
32
32
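Review bot: the edit moves the step to present tense ("the pane starts on"), but the two sub-bullets left as context still say "This will display the 'big security picture'" and "This has a ton of great information"; for consistency with the rest of the hunk, change them to present tense and replace "a ton of" with plain wording such as "a lot of".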
@@ -36,7 +36,7 @@ Given the benefits of Defender for Cloud, the security team at your company has
36
36
37
37
### Foundational CSPM vs. Defender CSPM pricing tier
38
38
39
-
While you can use a free Azure subscription tier with Defender for Cloud, it's limited to assessments and recommendations of Azure resources only. To really leverage Defender for Cloud, you will need to upgrade to a Defender CSPM subscription as shown previously. You can upgrade your subscription through the **Upgrade** button on the **Getting Started** pane in the Defender for Cloud menu, which will walk you through changing your subscription level. The pricing and features may change based on the region, you can get a full overview on the [pricing page](https://azure.microsoft.com/pricing/details/security-center/).
39
+
Although you can use a free Azure subscription tier with Defender for Cloud, it's limited to assessments and recommendations of Azure resources only. To really leverage Defender for Cloud, you'll need to upgrade to a Defender CSPM subscription as shown previously. You can upgrade your subscription through the **Upgrade** button on the **Getting Started** pane in the Defender for Cloud menu, which will walk you through changing your subscription level. The pricing and features might change based on the region; you can get a full overview on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
40
40
41
41
> [!NOTE]
42
42
> To upgrade a subscription to the Defender CSPM tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin.
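Review bot: the link change from `pricing/details/security-center/` to `pricing/details/defender-for-cloud/` is the one functional fix in this hunk and should be called out in the commit description as a link correction, not buried among the wording tweaks. The rewritten sentence "it's limited to assessments and recommendations of Azure resources only" is still slightly ambiguous; "it's limited to assessments and recommendations for Azure resources" reads more clearly, and "To really leverage" could simply be "To get the most from".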
@@ -46,22 +46,22 @@ While you can use a free Azure subscription tier with Defender for Cloud, it's l
46
46
47
47
## Turning off Microsoft Defender for Cloud
48
48
49
-
For production systems, you definitely want to keep Microsoft Defender for Cloud turned on so it can monitor all your resources for threats. However, if you're just playing with Defender for Cloud and turned it on, you will likely want to disable it to ensure you're not charged. Let's do that now.
49
+
For production systems, you definitely want to keep Microsoft Defender for Cloud turned on so it can monitor all your resources for threats. However, if you're just playing with Defender for Cloud and turned it on, you'll likely want to disable it to ensure you're not charged. Let's do that now.
50
50
51
51
1. Open the [Azure portal](https://portal.azure.com?azure-portal=true) and select **Microsoft Defender for Cloud** from the left-hand menu. If you don't see it there, you can select **All services** and find **Microsoft Defender for Cloud** in the security section as shown in the following image:
52
52
53
53

54
54
55
-
1. Select **Environment settings**from the left-hand menu.
55
+
1. Select **Environment settings**under **Management** in the left-hand menu.
56
56
57
-
1. Next, select the ellipses next to the subscription for which you want to downgrade, then select **Edit settings**.
57
+
1. Next, select the ellipses next to the subscription you want to downgrade, then select **Edit settings**.
58
58
59
59
1. A new page will appear that looks like the image below. Toggle the **Defender CSPM** plan to **Off**.
60
60
61
61

62
62
63
-
1.Press the **Save** button at the top of the screen.
63
+
1.Select the **Save** button at the top of the screen.
64
64
65
-
You have now downgraded your subscription to the free tier of Microsoft Defender for Cloud.
65
+
You've now downgraded your subscription to the free tier of Microsoft Defender for Cloud.
66
66
67
-
Congratulations, you have taken your first (and most important) step to securing your application, data and network!
67
+
Congratulations, you've taken your first (and most important) step to securing your application, data and network!
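Review bot: two markdown defects survive the rewrite in this hunk: `**Environment settings**under **Management**` is missing the space after the closing `**`, and `1.Select the **Save** button` is missing the space after `1.`, so that line won't render as a numbered list item. Both should be `**Environment settings** under **Management**` and `1. Select the **Save** button`. Also consider adding a short sentence after "You've now downgraded your subscription" saying that the Foundational CSPM assessments remain active, since the earlier section describes that plan as free and on by default.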