Top 10 Application Security Risks

Every couple of years the Open Web Application Security Project (OWASP) releases a report on the 10 most common threats to web sites and web-based applications. These threats typically emerge because programmers and systems managers are not aware of them.

This paper gives some insight to the latest OWASP Top 10 reported threats and explains how to test for and defend against them.

How the threats emerge
Many people don’t like doing the same thing over and over again. Coders seek efficiency by reusing code snippets from past projects. This practice is understandable: why reinvent the wheel every time you require the same function? Unfortunately, speed of development and the need to make the result look good are put ahead of security. Often security is considered only during the final stage of development, if at all. An insecure code snippet used in one place presents a minimal risk, but used over and over it becomes a ripe target for attackers.

Another way these threats emerge is through R&D, which in this case means ROB & DUPLICATE. Here the coder finds code online that performs the function needed and simply copies it into the new code base. Along with that function, any security weaknesses inherent in the code are inherited too.

System administration provides a third avenue for threats to emerge. Fresh out-of-the-box operating system installations and application deployments are not secure. The National Institute of Standards and Technology (NIST) provides good resources for hardening (the process of turning off unneeded and risky services) nearly any aspect of the IT environment. These are well thought-out instruction manuals for IT administration. Hardening your servers and their applications can limit the number of threats.

How to test for threats
From the Top 10, I’ll walk through three and provide quick and easy ways to determine whether your code base is susceptible to them.

The most common attack on web sites and applications is injection, SQL injection being a favorite of the malicious, followed by Cross-Site Scripting (XSS) and insecure direct access. Testing for these vulnerabilities is simple to do manually. Testing tools such as the Tamper Data plug-in for Firefox can and should be used to evaluate your web-based applications.

SQL injection – Find form fields on your site (the search field is a good candidate) and enter the line below. If the results returned include the field name, you know you have an issue.
    x' AND fieldName IS NULL; --

XSS – In the search field, copy and paste the line below. If you get an alert pop-up, it is time to review your security position.
    >%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>

Direct Access – Here you are testing to ensure that system files are not accessible. In the example below, check whether you can retrieve the password file on your UNIX-based system. This assumes a download script named “download.php” exists.
    http://www.mysite.com/download.php?filename=/etc/passwd
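As an added example (not code from the original article), the three probes above are fed to minimal Python handlers: an unsafe concatenated query beside its parameterized form, an output-encoded echo of the search term, and a confined file-download resolver. The products table and the download directory are constructed for the demonstration.

```python
# Added example, not from the original article: the article's three probe
# strings run against minimal hardened handlers, next to the unsafe SQL
# concatenation that leaks the field name. The products table and the
# download directory are constructed here for the demonstration.
import html
import os
import sqlite3
from urllib.parse import unquote

# The article's three test strings (the XSS one decoded from its URL-encoded form).
SQLI_PROBE = "x' AND fieldName IS NULL; --"
XSS_PROBE = unquote(">%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>")
TRAVERSAL_PROBE = "/etc/passwd"

def make_db():
    """Constructed in-memory products table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("widget",), ("gadget",)])
    return conn

def search_unsafe(conn, term):
    """String concatenation: the probe is parsed as SQL. Returns (ok, detail);
    the database error names the unknown column, the leak the article says to look for."""
    try:
        sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
        return True, [r[0] for r in conn.execute(sql).fetchall()]
    except sqlite3.Error as exc:
        return False, str(exc)

def search_safe(conn, term):
    """Parameterized query: the probe is bound as a literal and matches nothing."""
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ?",
                        ("%" + term + "%",)).fetchall()
    return [r[0] for r in rows]

def echo_search_term(term):
    """Output encoding: the reflected term can no longer carry live markup."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"

def resolve_download(base_dir, filename):
    """Canonicalize, then confine: returns the path to serve, or None when the
    name resolves outside base_dir (absolute like /etc/passwd, or via ../ segments)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    return target if os.path.commonpath([base, target]) == base else None
```

Run the probes yourself: search_unsafe(make_db(), SQLI_PROBE) fails with an error naming fieldName, while search_safe returns an empty list and resolve_download("/tmp/downloads", TRAVERSAL_PROBE) returns None.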

Protecting your Assets
The first step to improving the integrity of your website and online applications is architecting the security parameters up front. The most important step is testing for vulnerabilities once your code is finished. The depth and breadth of the testing should be directly proportionate to what’s at risk. If the site is there simply for marketing or informational purposes, the level of testing and protection needed is significantly less than for a site accepting personal or credit card information. The frequency of testing is determined by the risk level, since new exploits are regularly discovered and used.

The two main methods for protecting online sites are code review and firewalling. Code review is the practice of having third parties validate the code, looking for potential weaknesses in security and ensuring that best practices, such as input validation, are adhered to. Firewalling is done at the application layer, where the firewall inspects the HTTP headers and the HTML content, inbound and outbound, ensuring that everything is compliant with your standards and with the policies set up by the administrator.

My preference is for the Web Application Firewall (WAF) as it allows for separation of duties. The coders, while aware of security, can focus on the coding, and the security specialists can ensure the safety of the application. Also, in the event of changes to the online application or site, the organization’s security policy is maintained regardless of the code changes. An additional advantage grows out of this collaboration: conversation between development and security team members educates both.

And, if you collect credit card information, PCI-DSS 2.0 section 6.6 now requires that an application firewall be installed in front of your online shopping centre.

Conclusion – Code Security is the Priority
2011 has been peppered with stories of data spills and site defacements. According to an article on Data Express written in May of that same year, the five most expensive data spills combined cost over 500 million USD. We can guess at some of the costs: legal fees, credit checks, fines or penalties. These are the easy costs to understand. The less tangible ones, such as client trust, are harder to calculate.

Security is now a critical part of being online. Security is not a one-time or annual activity: it is an ongoing process. Those wishing to do ill, whether for monetary gain, an ideal of political righteousness, or just because they can, don’t try once and go away. They try again, and their automated hacking tools try over and over, searching the entire Internet for sites with vulnerabilities. And remember, there are many more of them than there are of you. Design your security wisely, test regularly for new vulnerabilities, and ensure your firewalling is meeting your needs.


Originally published Nov, 2011

All content © eSubnet 2003-2017
ESUBNET ENTERPRISES INC. TORONTO CANADA