Some developers take shortcuts when it comes to application security, but security is a matter Sofmen takes very seriously.

Attackers can potentially use many different paths through your application to do harm to your business or organization. The costs of a breach can be astronomical; not just the monetary cost, but also the harm to your company’s reputation and loss of trust of your users.

Sofmen abides by the guidelines set forth by the Open Web Application Security Project (OWASP), a non-profit organization that provides tools and best practices to support the development of secure web and mobile applications.

Top Ten Security Risks

In 2017 OWASP identified the following top ten application security risks:

  1. Injection: 
    Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  2. Broken Authentication: 
    Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
  3. Sensitive Data Exposure: 
    Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
  4. XML External Entities (XXE):
    Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
  5. Broken Access Control: 
    Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
  6. Security Misconfiguration: 
    Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
  7. Cross-Site Scripting (XSS): 
    XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  8. Insecure Deserialization: 
    Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
  9. Using Components with Known Vulnerabilities: 
    Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
  10. Insufficient Logging and Monitoring: 
    Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Sofmen offers a free security evaluation which is a $___ value.
The consultation is free and you’re sure to learn valuable insights that you can implement whether you hire us or not.

Mitigating the Risk

To mitigate these risks, OWASP recommends the following top ten proactive controls (the OWASP Top 10 Proactive Controls). Sofmen incorporates these into our standard practice:

  1. Define Security Requirements:
    A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied. Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities. Security requirements define new features or additions to existing features to solve a specific security problem or eliminate a potential vulnerability. OWASP maintains a catalog of security requirements (the OWASP Application Security Verification Standard, ASVS) that Sofmen uses as one resource for accomplishing this task.
  2. Leverage Security Frameworks and Libraries:
    Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws. A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks helps accomplish security goals more efficiently and accurately.
  3. Secure Database Access:
    Four aspects to consider when designing secure database access are:

    1. Secure Queries
      SQL Injection occurs when untrusted user input is dynamically added to a SQL query in an insecure manner, often via basic string concatenation. SQL Injection is one of the most dangerous application security risks: it is easy to exploit and could lead to the entire database being stolen, wiped, or modified. The application can even be used to run dangerous commands against the operating system hosting your database, thereby giving an attacker a foothold on your network. In order to mitigate SQL injection, untrusted input should be prevented from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as ‘Query Parameterization’ (prepared statements with bound parameters). This defense should be applied to SQL, OQL, as well as stored procedure construction. Note that parameters bind values only; identifiers such as table or column names cannot be parameterized and must be checked against an allow-list instead.
    2. Secure configuration
      Unfortunately, database management systems do not always ship in a “secure by default” configuration. Care must be taken to ensure that the security controls available from the Database Management System (DBMS) and hosting platform are enabled and properly configured. There are standards, guides, and benchmarks available for most common DBMS.
    3. Secure authentication:
      All access to the database should be properly authenticated. Authentication to the DBMS should be accomplished in a secure manner and should take place only over a secure channel. Credentials must be properly secured and available for use.
    4. Secure communication:
      Most DBMS support a variety of communications methods (services, APIs, etc) – secure (authenticated, encrypted) and insecure (unauthenticated or unencrypted). It is a good practice to only use the secure communications options per the Protect Data Everywhere control.
  4. Encode and Escape Data:
    Encoding and escaping are defensive techniques meant to stop injection attacks. Encoding (commonly called “output encoding”) involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the “<” character into the &lt; string when writing to an HTML page. Escaping involves adding a special character before the character/string to avoid it being misinterpreted, for example adding a “\” character before a “"” (double quote) character so that it is interpreted as text and not as closing a string. Output encoding is best applied just before the content is passed to the target interpreter, and the encoding must match that interpreter: HTML body, HTML attribute, JavaScript string and URL contexts each have different rules. If this defense is performed too early in the processing of a request then the encoding or escaping may interfere with the use of the content in other parts of the program. For example, if you HTML-escape content before storing it in the database and the UI automatically escapes that data a second time, the content will not display properly because it has been double escaped.
  5. Validate All Inputs:
    Input validation is a programming technique that ensures only properly formatted data may enter a software system component.
  6. Implement Digital Identity:
    Digital Identity is the unique representation of a user (or other subject) as they engage in an online transaction. Authentication is the process of verifying that an individual or entity is who they claim to be. Session management is a process by which a server maintains the state of the user’s authentication so that the user may continue to use the system without re-authenticating.
  7. Enforce Access Controls:
    Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges.
  8. Protect Data Everywhere:
    Sensitive data such as passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws (the EU’s General Data Protection Regulation, GDPR), financial data protection rules such as the PCI Data Security Standard (PCI DSS) or other regulations. Attackers can steal data from web and web service applications in a number of ways. For example, if sensitive information is sent over the internet without communications security (TLS), an attacker on a shared wireless connection could see and steal another user’s data. Also, an attacker could use SQL Injection to steal passwords and other credentials from an application’s database and expose that information to the public.
  9. Implement Security Logging and Monitoring:
    Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application. Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
  10. Handle All Errors and Exceptions:
    Exception handling is a programming concept that allows an application to respond to different error states (network down, database connection failed, etc.) in various ways. Handling exceptions and errors correctly is critical to making your code reliable and secure. Error and exception handling occurs in all areas of an application, including critical business logic as well as security features and framework code. Error handling is also important from an intrusion detection perspective: certain attacks against your application may trigger errors which can help detect attacks in progress. Error messages returned to users should stay generic; the detail belongs in the server-side log.
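The following is an added example illustrating control 4 (Encode and Escape Data) above; it is not code from the original page or from Sofmen. Using only the standard library, it applies HTML entity encoding at the point of output for the body and attribute contexts, uses JSON escaping for a JavaScript string context, and reproduces the double-encoding problem that arises when data is escaped on the way into storage as well as on the way out. The payload strings are constructed inputs.

```python
"""Output encoding at the sink (proactive control 4, Encode and Escape Data).

Added example, not code from the original page or from Sofmen. Uses only the
standard library (html, json); the comment strings are constructed inputs.
"""
import html
import json

XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_comment_unsafe(comment):
    """Untrusted text dropped straight into HTML: the browser runs the script."""
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment):
    """HTML entity encoding applied just before the HTML interpreter sees the data.
    '<' becomes '&lt;', '&' becomes '&amp;', quotes become '&quot;' / '&#x27;'."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_search_box(query):
    """Attribute context: quote=True is essential, otherwise a payload such as
    '" onfocus="alert(1)' breaks out of the value attribute."""
    return '<input name="q" value="%s">' % html.escape(query, quote=True)


def render_js_string(value):
    """JavaScript string context: json.dumps adds the quotes and backslash-escapes
    embedded quotes and backslashes; '<' is additionally written as \\u003c so the
    text '</script>' can never terminate the enclosing script element."""
    literal = json.dumps(value).replace("<", "\\u003c")
    return "<script>var displayName = %s;</script>" % literal


def store_then_render_double_encoded(comment):
    """Anti-pattern: encoding before storage *and* at the UI. 'a < b' reaches the
    page as 'a &amp;lt; b' and renders as the literal text 'a &lt; b'."""
    stored = html.escape(comment)          # encoded too early, on the way in
    return html.escape(stored)             # template encodes again on the way out


def store_then_render(comment):
    """Correct: store the raw text, encode once at the point of output."""
    stored = comment
    return html.escape(stored)


if __name__ == "__main__":
    print(render_comment_unsafe(XSS_PAYLOAD))
    print(render_comment(XSS_PAYLOAD))
    print(render_search_box('" onfocus="alert(1)'))
    print(render_js_string("</script><script>alert(1)</script>"))
    print(store_then_render_double_encoded("a < b"))
    print(store_then_render("a < b"))
```

Each render function knows which interpreter it is writing into, which is the design point: the escaping routine is chosen by the output context, not by where the data came from. Templating engines that auto-escape do the same job for the HTML contexts, which is exactly why pre-escaping on input produces the `a &amp;lt; b` artifact.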
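The following is an added example illustrating controls 9 (Implement Security Logging and Monitoring) and 10 (Handle All Errors and Exceptions) above; it is not code from the original page or from Sofmen. It writes structured security events, runs a small automated review over a constructed batch of JSON log lines to flag a burst of failed logins from one source, and shows an error handler that logs full detail server-side while returning only a generic message and correlation id to the client. The log lines, IP addresses (documentation ranges) and the in-memory event list are all assumptions for the demonstration.

```python
"""Security logging, automated monitoring and safe error handling (proactive
controls 9 and 10).

Added example, not code from the original page or from Sofmen. The JSON log
lines, IP addresses (documentation ranges) and threshold are constructed for
illustration; a real deployment ships the records to a log pipeline instead of
an in-memory list.
"""
import json
import uuid
from collections import defaultdict, deque

SECURITY_EVENTS = []  # in-memory sink standing in for the log pipeline


def log_security_event(event, **fields):
    """Emit one structured security record (a JSON-serialisable dict)."""
    record = {"event": event}
    record.update(fields)
    SECURITY_EVENTS.append(record)
    return record


def handle_request_error(exc, incident_id=None):
    """Control 10: full detail goes to the security log, the client gets a
    generic message plus a correlation id so support can find the record.
    Nothing about drivers, hosts, queries or stack frames reaches the browser."""
    incident_id = incident_id or uuid.uuid4().hex
    log_security_event(
        "unhandled_exception",
        incident_id=incident_id,
        exc_type=type(exc).__name__,
        detail=str(exc),
    )
    return {"status": 500, "body": {"error": "Internal error", "incident_id": incident_id}}


# Constructed sample log: one source spraying failures across several accounts.
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "auth_failure", "user": "alice", "ip": "203.0.113.5"}
{"ts": 1700000005, "event": "auth_failure", "user": "bob", "ip": "203.0.113.5"}
{"ts": 1700000009, "event": "auth_failure", "user": "carol", "ip": "203.0.113.5"}
{"ts": 1700000012, "event": "auth_success", "user": "dave", "ip": "198.51.100.7"}
{"ts": 1700000020, "event": "auth_failure", "user": "dave", "ip": "203.0.113.5"}
{"ts": 1700000400, "event": "auth_failure", "user": "erin", "ip": "198.51.100.7"}
"""


def detect_failed_login_bursts(log_text, threshold=4, window_seconds=60):
    """Control 9 monitoring: sliding window of auth_failure timestamps per source
    IP; an alert fires when `threshold` failures land inside `window_seconds`.
    Returns the alerts so a responder (or a test) can act on them."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "auth_failure":
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append({"ip": ev["ip"], "failures": len(window),
                           "first_ts": window[0], "last_ts": ev["ts"]})
            window.clear()   # reset so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print("ALERT", alert)
    print(handle_request_error(RuntimeError("connection to db01:5432 refused")))
    print(SECURITY_EVENTS[-1])
```

The detector keys on source IP rather than on username, which is what catches the spray across alice, bob, carol and dave; a per-account lockout counter would see one failure each and stay quiet. The error handler is the link between the two controls: the exception record it writes is itself a security event that the same kind of review can count.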

The above information has been excerpted from OWASP which is freely available under the Creative Commons Attribution ShareAlike 3.0 license (CC-BY-SA).
