Menu

Most Critical Web Application Security Risks in 2017

In Information Security Damilare

As 2017 draws to a close, I find myself reminiscing about major application security risks today. Unsurprisingly, I recall the OWASP Top 10, which has become a de facto standard for web application security. In the Information Security industry, it is well known that once a web application or service is hosted, it is likely to be automatically probed for security flaws – and perhaps compromised – within hours.

This year, the  OWASP Top Ten was revamped to cater to the latest changes in web development technology.

Whether you’re developing, maintaining, or own a web application or website, the top 10 security risks you should be aware of and mitigate are:

  1. Injection: Flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
  2. Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.
  3. Sensitive Data Exposure: Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser
  4. XML External Entities: Many older or poorly configured XML parsers evaluate external entity references within XML documents, which can lead to remote code execution, denial of service, and other problems.
  5. Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced.
  6. Security Misconfiguration: This very common issue is usually a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
  7. Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping.
  8. Insecure Deserialization: This can often to lead to remote execution of malicious code by attackers.
  9. Using Components with Known Vulnerabilities: If your software uses any component – including 3rd party or open source – that has security flaws, it could make your entire application and server vulnerable.
  10. Insufficient Logging & Monitoring: This allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

The list and description above is a tip of the iceberg. Click here to read all about The OWASP Top 10 2017, including suggested mitigations.

Subscribe

If you enjoyed this post, you can subscribe to receive my weekly newsletter via email.



Post Navigation

Using Deep Learning to Build Secure Software

Quick Overview of Spectre and Meltdown Attacks – Vulnerabilities in CPUs

Related Posts:

Securing IoT Apps and The OWASP IoT Project

Basic Video Privacy and Security Requirements from GDPR

What is Software Architecture?

Leave a reply:

Your email address will not be published.

Time limit exceeded. Please complete the captcha once again.

Sliding Sidebar

About Me

About Me

Hi there, Thanks for stopping by! I'm Damilare, a Security Architect at Intel Corporation, an author, and an un-hibernating entrepreneur. I started this blog as my little contribution to the information sharefest that is the internet. I'm a Jesus follower who enjoys nature, and exercise. Here’s to sharing and connecting!

Tweets