Technology is advancing constantly. Every new day brings new developments in this vibrant and turbulent tech industry. To keep up and build successfully, an unbiased, genuine and easy-to-access source of information is needed. OWASP aims to educate developers, designers and business owners about the most common application security vulnerabilities, which are often overlooked.
On average, about 30,000 websites are hacked every day, and in reality the majority of these sites are legitimate small businesses that are unwittingly distributing malicious code for cybercriminals, WebARX reports.
Web applications have become an important aspect of every business, offering user-friendly interfaces, quick access to business resources and seamless services to remote users. These sites are built to give potential customers a hassle-free experience on the web. Unfortunately, that same convenience is abused, and critical business data is exposed to security risks.
No information on the web is safe enough to be left without proper security measures. In today's race towards success, cutting-edge technologies are deployed while security is compromised, and web application security is often overlooked. Hiscox reported that 'Nearly half of all small businesses suffered a cyber-attack in 2018'. Ensuring the highest security standards should be a key highlight of every web application.
OWASP – AppSec Guide
The Open Web Application Security Project (OWASP) is an international non-profit organization that has created a platform to improve web application security standards. The organization defines its mission as 'to make software security visible so that individuals and organizations are able to make informed decisions'. It strives to provide impartial and practical information about web development and security to individuals, corporations, government agencies and other organizations worldwide.
OWASP has also created the Application Security Verification Standard (ASVS), a free and open standard that provides an established framework of security requirements together with several levels of verification, which developers and testers can use to measure and improve the security of their applications. These projects stress the importance of security and the standardised methods that need to be implemented. OWASP also publishes its Top 10 list; the 2017 edition was compiled from data contributed by more than 40 firms that specialise in application security and from an industry survey completed by more than 500 individuals.
OWASP Top 10
The OWASP Top 10 is regarded as a powerful awareness document, published to instil security practices. To build a highly secure application, security testing must be included in the software development life cycle, and the application must be carefully designed to handle critical business data and information. If the security phase is skipped, the resulting gaps can be misused by attackers to gain access to the information the application holds, with lasting impact. The importance of AppSec may be clearly understood, but implementation still lags: according to the SANS Institute's 2016 State of Application Security report, 97 per cent of respondents said they had an AppSec program in place, yet only 26 per cent described their program as advanced.
OWASP lists ten categories of highly critical security risks and recommends that developers incorporate them into their processes in order to minimise or mitigate those risks.
Below are the risk categories reported in the OWASP Top 10 2017 report (the list also keeps Cross-Site Request Forgery, which appeared in the 2013 edition and was dropped in 2017):
- Injection – Injection flaws occur when untrusted input is sent to an interpreter as part of a command or query. The interpreter executes the attacker's data as code, and the attacker can read or modify data without authorization.
- Broken Authentication – Broken authentication involves capturing or bypassing the authentication methods an application uses. Attackers compromise passwords, keys or session tokens to assume the identity of the real user and act with the same rights over the account.
- Sensitive Data Exposure – Applications that do not adequately protect sensitive data such as financial, healthcare or credential data are often targeted. Attackers steal or modify weakly protected data, in transit or at rest, to commit credit card fraud, identity theft or other crimes, so such data needs extra protection such as encryption.
- Broken Access Control – Restrictions on what authenticated users are allowed to do are often not enforced. Attackers exploit these flaws to bypass authorization, access other users' sensitive data, modify data or perform actions as privileged users or administrators.
- Cross-Site Scripting (XSS) – XSS occurs when an application includes untrusted input in a web page without proper validation or output encoding. This allows attackers to execute JavaScript in the victim's browser, which can hijack user sessions, deface sites or redirect the user to malicious sites.
- XML External Entity (XXE) – XXE occurs when an attacker submits XML that references an external entity and a weakly configured XML parser processes it. The parser resolves the entity, which can disclose local files, let the attacker probe internal systems or cause denial of service.
- Security Misconfiguration – Good security requires a secure configuration to be defined, implemented and maintained for the application, frameworks, application server, web server, database and platform, because the defaults are often insecure.
- Cross-Site Request Forgery (CSRF) – In a CSRF attack, the attacker tricks the victim's browser into sending a forged HTTP request, including the victim's session cookie and any other automatically supplied authentication information, to a vulnerable application, which treats the request as legitimate. CSRF was in the 2013 Top 10 and was dropped from the 2017 edition, but it still needs to be defended against.
- Using Components with Known Vulnerabilities – Applications are built from many components. Developers use open-source libraries and container images that are not at the latest patched version, leaving a security hole that attackers can exploit through the component's known vulnerabilities to compromise the application and its data.
- Insecure Deserialization – Serialization turns an object into a byte stream or text that can be transmitted and stored; the receiving system recreates the object by deserialization. Attackers send crafted serialized objects that, when deserialized, run malicious code or tamper with application logic. These attacks are often difficult to detect.
- Insufficient Logging & Monitoring – Logging and monitoring are usually present in applications, but they are often not capable of detecting data breaches or other malicious activity. The average time to detect a breach is around 200 days, which gives attackers ample time to remove their traces.
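The Injection item above is the one most easily shown in code. The following is an added example, not code from the original article or from OWASP: a login check against an in-memory SQLite database with constructed sample users, first written with string concatenation and then with a parameterized query. The `alice' --` payload comments out the password check in the vulnerable version and is treated as a literal username by the hardened one. (Plaintext passwords are used only to keep the injection visible; a real application stores password hashes.)

```python
import sqlite3

# Constructed sample data for the demo (not real accounts).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so SQLite cannot
    distinguish the attacker's data from the query itself."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """The query text is fixed; inputs travel as bound parameters and are
    never interpreted as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# 'alice' -- closes the string literal and turns the rest of the WHERE
# clause into an SQL comment, so the password is never checked.
PAYLOAD_USERNAME = "alice' --"


def demo():
    """Run both versions against the same payload and a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD_USERNAME, "wrong"),
        "hardened_bypass": login_hardened(conn, PAYLOAD_USERNAME, "wrong"),
        "hardened_legit": login_hardened(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it shows `vulnerable_bypass` returning `alice` with a wrong password, while the hardened version returns nothing for the payload and still authenticates the real credentials.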
All these application security vulnerabilities are interconnected in one way or another; one vulnerability often leads to another and causes massive damage. It is important to understand the application security landscape and to place security phases within the SDLC itself.
Cyber-attacks succeed more often than you think; protect your application from these threats. Bulwark CyberX aims to secure and protect your information, applications and reputation.
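The Insecure Deserialization item above describes attackers sending objects that run code when loaded. As an added example (not from the original article or from OWASP), the block below builds a Python `pickle` payload whose `__reduce__` hook calls a function on load, shows that `pickle.loads` runs it, and then shows a restricted `Unpickler` that refuses to resolve any global, so the same payload is rejected while plain data still loads. The `side_effect` function and the `Malicious` class are constructed stand-ins for what a real payload would call (for example a shell command).

```python
import io
import pickle

# Records side effects so the demo can observe what ran (constructed for the demo).
EXECUTED = []


def side_effect(tag):
    """Stand-in for an attacker's chosen callable (e.g. os.system)."""
    EXECUTED.append(tag)
    return tag


class Malicious:
    """pickle honours __reduce__: on load it CALLS side_effect("pwned")."""

    def __reduce__(self):
        return (side_effect, ("pwned",))


def build_payload():
    """Serialize the hostile object exactly as an attacker would send it."""
    return pickle.dumps(Malicious())


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any module-level object. Only primitive types and
    containers (str, int, list, dict, ...) survive, because those use
    dedicated opcodes and never go through find_class."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    payload = build_payload()

    EXECUTED.clear()
    unsafe_result = pickle.loads(payload)  # insecure: runs side_effect
    ran_unsafe = list(EXECUTED)

    EXECUTED.clear()
    try:
        safe_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    ran_safe = list(EXECUTED)

    # Benign data (constructed) still round-trips through the restricted loader.
    benign = safe_loads(pickle.dumps({"user": "alice", "roles": ["reader"]}))

    return {
        "unsafe_result": unsafe_result,
        "ran_unsafe": ran_unsafe,
        "blocked": blocked,
        "ran_safe": ran_safe,
        "benign": benign,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The safer design choice, where the data allows it, is not to accept native serialization formats from untrusted sources at all and to use a data-only format such as JSON instead; the restricted unpickler is the fallback when pickle cannot be removed.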