Application security risks are pervasive and can pose a direct threat to business availability. Although it is not a standalone security requirement, its increasing risk to cause denial of service attacks makes it a highly important one. Applications are the primary tools that allow people to communicate, access, process and transform information. How can businesses reduce security risks around these applications? There are three front-line approaches: Better training, more rigorous testing, and more stringent policies and procedures.
- Developers must be trained in and employ secure coding practices.
- Professional security testers must test the applications before deployment.
- Policies and procedures must be in place to prohibit the deployment of applications with vulnerabilities.
While these techniques can offer a first layer of protection, time-to-market pressures often interfere with such approaches being followed. Too often the “It won’t happen to me” mentality remains in place until a breach occurs that exposes known vulnerabilities.
Exploring application vulnerability
The world works using Web-based applications and Web-based software. Because of the proliferation of Web-based apps, vulnerabilities are the new attack vector. An attack of a Web-based application may yield information that should not be available, browser spying, identify theft, theft of service or content, damage to corporate image or the application itself and the dreaded Denial of Service.
Why are Web applications vulnerable? Due to the very nature of HTTP, which is clear text, attackers find it very easy to modify the parameters and execute functionality that was not intended to be executed as a function of the application.
There are known vulnerabilities that simple programming practices can reduce. However, I have been surprised to meet professional programmers who have never heard of them – their organizations have not provided the necessary information and guidance for awareness. Fortunately, even if the organization is not fully aware of its vulnerabilities, the average developer can make a huge difference to avoid the top 10 vulnerabilities of web applications. While these application coding flaws are not all of the potential security coding flaws that could occur, these are the ones that are the most serious for most organizations. If the methods for reducing or eliminating these Top Ten are exercised when coding and testing applications, the security of an application can be increased substantially. Referencing the Open Web Application Security Project (OWASP) is a great start to reducing risk.
A risk management program is essential for managing vulnerabilities. OWASP is reaching out to developers and organizations to help them better manage Web application risk. The following are the Top Ten OWASP security risks briefly explained:
1: Injection – This attack involves the exploiter breaking out of a data context and switching into a code context by using special coding characters.
2: Cross-Site Scripting (XSS) – This attack is a form of injection, with the browser being used to bury the attack.
3: Broken Authentication and Session Management – This attack involves the exploiter stealing or assuming the identity of the unprotected authentication credentials of a user.
4: Insecure Direct Object References – A risk of being exposed can occur when there is a reference to an objects in a URL (an object such as a file, directory, database record or key) or form parameter because an exploiter could change these direct object references and attempt to access a different, unauthorized file, database record or key.
5: Cross-Site Request Forgery (CSRF) – is where the user’s browser is tricked into logging into a site with someone else’s credentials.
6: Security Misconfiguration – Misconfigurations of the application server as well as the database and database platform underlying the application can be exploited, especially when implemented with the known default settings. The exploits can be extremely varied due to the many configurations that could be misconfigured.
7: Insecure Cryptographic Storage – Exploiters may take or change data that is unprotected such credit card information, Social Security Numbers or authentication credentials if there is no strong encryption or hashing utilized.
8: Failure to Restrict URL Access – Applications that do not have access control checks each time a page is accessed may allow attackers to forge URLs to access pages that are thought to be hidden.
9: Insufficient Transport Layer Protection – When applications do not authenticate, encrypt or protect the confidentiality and integrity of sensitive network traffic by proper use of certificates the traffic may be intercepted by an untrusted party.
10: Unvalidated Redirects and Forwards - This allows attackers to redirect the user to a site they did not intend to go to and perhaps ask for personal information by tricking the user into thinking they are at a valid, familiar, trusted site.
There is a plethora of information available describing each of these risks, how to avoid them, and how to review code and test for them. While each of these Top Ten risks can be addressed through proactive training and testing, along company security policies that address them, you can find many vital next steps to take to keep your business safe now by checking out the OWASP web site.
You can read more about these exploits, download the testing guide, get developer cheat sheets or find out where to attend a meeting among other advantages. One of my favorite OWASP references is the Cross-Site Scripting explanation because while there are a large number of XSS attack vectors, the following of a few rules can defend against the majority of them greatly!