As 2017 draws to a close, I find myself reflecting on the major application security risks of today. Unsurprisingly, my thoughts turn to the OWASP Top 10, which has become the de facto standard reference for web application security. In the information security industry it is well known that once a web application or service goes live, it is likely to be automatically probed for security flaws, and perhaps compromised, within hours.
This year, the OWASP Top 10 was revamped to reflect changes in web development technology and in the threat landscape since the previous 2013 edition.
Whether you develop, maintain, or own a web application or website, the top 10 security risks you should be aware of and mitigate are:
- Injection: Flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
- Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.
- Sensitive Data Exposure: Sensitive data may be compromised without extra protection, such as encryption at rest and in transit, and requires special precautions when exchanged with the browser.
- XML External Entities: Many older or poorly configured XML parsers evaluate external entity references within XML documents, which can lead to remote code execution, denial of service, and other problems.
- Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced.
- Security Misconfiguration: This very common issue is usually a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
- Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping.
- Insecure Deserialization: Deserializing untrusted data can often lead to remote execution of malicious code, and even where it does not, it can enable replay, injection, and privilege escalation attacks.
- Using Components with Known Vulnerabilities: If your software uses any component – including 3rd party or open source – that has security flaws, it could make your entire application and server vulnerable.
- Insufficient Logging & Monitoring: Combined with missing or ineffective incident response, this allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
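The first item on the list, Injection, is the easiest to demonstrate concretely. The following is an added example, not code from the original post or from OWASP: it builds a constructed in-memory SQLite table with one user, then compares a login check that splices untrusted input into the query text against one that uses a parameterised query. The two attack payloads (a quote-based tautology in the password field and a comment-based bypass in the username field) are constructed for the example; the table and user names are assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database for the example: one user, one password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Injection flaw: untrusted input becomes part of the SQL text, so the
    # database engine cannot distinguish the attacker's quotes, operators
    # and comment markers from the query the developer wrote.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the SQL text is fixed and the values travel
    # separately, so a quote in the input is just a character in a string.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed attack payloads.
# Tautology in the password field: ... AND password = '' OR '1'='1'
PASSWORD_TAUTOLOGY = "' OR '1'='1"
# Comment-based bypass in the username field: the "--" discards the rest
# of the WHERE clause, including the password check.
USERNAME_COMMENT = "nobody' OR 1=1 --"


def demo() -> dict:
    """Run both login checks against valid credentials and both payloads."""
    conn = build_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_password_tautology": login_vulnerable(conn, "alice", PASSWORD_TAUTOLOGY),
        "vuln_username_comment": login_vulnerable(conn, USERNAME_COMMENT, "whatever"),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_password_tautology": login_safe(conn, "alice", PASSWORD_TAUTOLOGY),
        "safe_username_comment": login_safe(conn, USERNAME_COMMENT, "whatever"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

Both payloads log the attacker in through the string-built query and are rejected by the parameterised one. One caveat worth remembering: placeholders only cover values. Table and column names, ORDER BY targets and similar identifiers cannot be bound as parameters, so if those come from the user they must be checked against a fixed allow-list before being placed in the query text.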
The list and descriptions above are only the tip of the iceberg. The full OWASP Top 10 2017 document covers each risk in depth, including how to check whether you are vulnerable and suggested mitigations.
If you enjoyed this post, you can subscribe to receive my weekly newsletter via email.