Followers

Tuesday, 5 March 2019

What Is OWASP

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10. 
The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks. 
Top 10 web application threats to know 
  1. Injection: Injection flaws such as SQL, NoSQL, OS, and LDAP injections can attack any source of data and involve attackers sending malicious data to a recipient. This is a very prevalent threat in legacy code and can result in data loss, corruption, access compromise, and complete host takeover. Using a safe database API, a database abstraction layer, or a parameterized database interface helps reduce the risk of injection threats. 
  1. Broken Authentication: Incorrectly implemented session management or authentication gives attackers the ability to steal passwords, tokens, or impersonate user identities. This is widespread due to poorly implemented identity and access controls. Implementing multi-factor authentication and implementing weak-password checks is a great start to preventing this problem. However, don’t fall into the trap of enforcing composition rules on passwords (such as requiring uppercase, lowercase, numeric and special characters), as these have been to weaken rather than strengthen security. 
  1. Sensitive Data Exposure:  When web applications and APIs aren’t properly protected, financial, healthcare, or other personally identifiable information (PII) data can be stolen or modified and then used for fraud, identity theft, or other criminal activities. Proper controls, encryption, removal of unnecessary data, and strong authentication can help to prevent exposure.  
  1. External Entities (XXE): Attackers can exploit vulnerable XML processors if they include malicious content in an XML document or exploit vulnerabilities. External entities can disclose internal files or be used to execute internal port scanning, remote code execution, and DDoS attacks. It is difficult to identify and eliminate XXE vulnerabilities, but a few easy improvements are patching all XML processors, ensuring comprehensive validation of XML input according to a schema, and limiting XML input where possible. 
  1. Broken Access Control: This happens when policies on what users can access are loosely enforced. This results in attackers exploiting flaws to access data and functionality they are not authorized to access, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, and changing access rights. It is suggested to use access control that is enforced in trusted server-side code, or even better, an external API gateway. 
  1. Security Misconfiguration: Misconfigurations are the most common threat to organizations. This results from insecure or incomplete default configurations, open cloud storage, and verbose error messages. It is essential to securely configure and patch all operating systems, frameworks, libraries, and applications, and to follow best practices suggested by each hardware or software vendor to harden their systems. 
  1. Cross-Site Scripting (XSS): These flaws occur when an application includes untrusted data in a web page. With XSS flaws, attackers can execute scripts in the victim’s browser, which can result in hijacked user sessions, defaced websites, or redirecting the user to a malicious site. In order to prevent XSS, you must separate untrusted data from active browser content, for example by using libraries that automatically escape user input. 
  1. Insecure Deserialization: Insecure deserialization often leads to remote code execution scenarios. Even if remote code execution doesn’t happen, these flaws can be used to perform replay, injection, and privilege escalation attacks. One way to prevent this is not to accept serialized objects from untrusted sources.  
  1. Using Components with Known Vulnerabilities: Components include operating systems, web servers, web frameworks, encryption libraries, or other software modules. Applications and APIs using components with known vulnerabilities will undermine application protection measures and enable several types of attacks. A strong patch management measure largely prevents this problem. 
  1. Insufficient Logging and Monitoring: Insufficient logging and monitoring can allow attackers to spread unchecked within an organization, maintain persistence, and extract or destroy data. This results in attackers having access for weeks, sometimes months. Using an effective monitoring and incident alerting solution can close the gap and spot attackers much quicker. 
Keep in mind that these top 10 threats are just the most common of thousands of vulnerabilities that cyber criminals can exploit. Many people overlook web applications when they plan their security, or they falsely assume web applications are protected by their network firewall. In fact, the web application threat vector is one of the most successfully exploited because of these misunderstandings.  
The best way to defend this threat vector is with a Barracuda web application firewall (WAF) that is purpose-built to secure your web applications. These firewalls provide several types of Layer 7 security, including DDoS protection, server cloaking, web scraping protection, data loss prevention, web-based identity and access management, and more.  Including a web application firewall in an organization’s security strategy and technology stack will ensure protection from these top threats and the many other threats specifically targeting your applications. 

No comments:

Post a Comment

Softech Middle East FZC Announces Partnership with SolarWinds

Softech Middle East FZC to offer SolarWinds comprehensive IT management and monitoring solutions to partners and customers in Pakistan Sof...