Jan 22nd 2021
Application security is a crucial practice for any business that uses web and mobile applications to offer services to its customers or operational support to its own staff.
It provides the layers of protection that keep your data safe from malicious actors, so your business can maintain a positive reputation and build strong relationships with customers.
OWASP Top Ten application security risks
• The Open Web Application Security Project (OWASP) developed a public framework that documents the top ten risks to application security.
• The OWASP Top Ten provides developers and security professionals with the industry’s consensus on the most significant risks to web applications and recommends security controls to mitigate them.
Here are the application security risks and mitigations described by the OWASP Top Ten:
1. Injection
Injection flaws occur when malicious data is sent to an interpreter, such as a database or a command shell, and alters the execution logic so that unintended actions are performed. This can lead to a breach of sensitive data or a compromise of the application environment.
User-supplied data should never be trusted. Server-side input validation against a “whitelist” of accepted values, combined with safe functions such as parameterised queries, effectively mitigates this risk.
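As an added illustration (not part of the original post), here is the vulnerable string-built query beside its parameterised and allow-list-validated replacements, using Python's standard sqlite3 module on a constructed in-memory table; the username policy is an assumption.

```python
import re
import sqlite3

# Constructed in-memory table for the demonstration (not the page's data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the input is spliced into the SQL text, so quote
    # characters in it change the query's logic instead of being treated as data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder (?) binding: the driver passes the value separately from the
    # statement, so the input can only ever be compared as a string value.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Allow-list ("whitelist") validation as a second layer: usernames are only
# lowercase letters, digits and underscores, 1 to 32 characters (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

def validate_username(username: str) -> str:
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return username

def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Validate first, then query with a bound parameter: two independent layers.
    return lookup_parameterised(conn, validate_username(username))
```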
2. Broken authentication
Identity controls that are poorly designed or implemented lead to broken authentication. Malicious actors have access to billions of valid credentials, and compromising just a few accounts, or a single admin account, can be enough to compromise an entire system.
Multi-factor authentication is the most effective mitigation for this type of attack. Strong password management processes should be in place, and credentials should never be transmitted insecurely.
3. Sensitive data exposure
Malicious actors can steal sensitive data that is inadequately protected by web applications and APIs. The biggest flaw is failing to encrypt data, which enables criminals to access or modify Personally Identifiable Information (PII), financial information or credentials.
Identify which data is deemed sensitive under the legislation that applies to you and ensure it is encrypted both at rest and in transit. Do not store data you do not need: data that is not retained cannot be stolen.
4. XML External Entities (XXE)
Flaws in old or misconfigured XML processors allow malicious actors to extract data, make requests to external systems or compromise internal documents, among other outcomes.
Developers must be trained to identify and mitigate XXE so that they do not weaken code, and XML processors must be kept patched.
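An added example, not from the original post, of the simplest defence to build into code that handles XML: refusing any document that carries a DTD before it reaches the parser, since external entities can only be declared there. It uses Python's standard ElementTree, assumes the application never legitimately needs DTDs, and the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

class UnsafeXML(ValueError):
    """Raised for documents we refuse to hand to the XML parser."""

# Any DTD/DOCTYPE is rejected: external entities can only be declared inside a
# DTD, so refusing the DOCTYPE removes the XXE surface whatever parser features
# are enabled downstream. Assumed policy: legitimate input never carries a DTD.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    try:
        text = data.decode("utf-8")   # strict decode so a UTF-16 or malformed
    except UnicodeDecodeError:        # byte stream cannot hide the keyword
        raise UnsafeXML("document is not valid UTF-8") from None
    if DOCTYPE_RE.search(text):
        raise UnsafeXML("DTD/DOCTYPE declarations are not accepted")
    return ET.fromstring(data)        # only DTD-free, well-formed UTF-8 gets here

def is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, ET.ParseError):
        return False

# Constructed sample documents (not from the page).
GOOD_DOC = b'<?xml version="1.0"?><order><sku>ABC-1</sku><qty>2</qty></order>'
# A document that declares an external entity: the shape an XXE probe takes,
# with a placeholder target.
DTD_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           b'<order><sku>&ext;</sku></order>')
```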
5. Broken access control
Malicious actors can use vulnerability scanning tools to find applications that lack appropriate access controls. If they get in through such flaws, they may be able to impersonate users or administrators and access sensitive data.
Access controls must be enforced in server-side code, where the user cannot modify them.
6. Security misconfiguration
Misconfiguration is the most common of all the top ten risks. It can result from many issues, including default or incomplete configurations and publicly accessible cloud storage.
All systems, servers, firewalls and network devices within the application environment must be securely configured, and the latest security updates applied as soon as they are available.
7. Cross-Site Scripting (XSS)
XSS is the second most common vulnerability. Its three forms, reflected, stored and DOM-based, enable malicious actors to execute scripts in a user’s browser and interfere with that user’s session.
You must treat all user input as untrusted, applying sanitisation and validation so that injected malicious code is never processed by your application.
You can also apply built-in browser protections, such as HTTP security headers, to minimise the impact of an undetected XSS vulnerability.
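Added example (not from the original post) of context-aware output encoding together with the HTTP security headers mentioned above, using only Python's standard library; the header values and the (status, headers, body) response shape are assumptions for a small web handler.

```python
import html
from urllib.parse import quote

def render_comment(author: str, body: str) -> str:
    """HTML body context: encode &, <, >, " and ' so the input is displayed as
    text and never interpreted as markup."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"

def render_profile_link(user: str) -> str:
    """URL-in-attribute context: percent-encode the path segment first (so the
    value cannot break out of the path), then HTML-escape it for the attribute."""
    path = quote(user, safe="")
    return f'<a href="/users/{html.escape(path)}">{html.escape(user)}</a>'

# Browser-side protections sent with every HTML response (assumed values). The
# CSP forbids inline scripts and scripts from other origins, so a script tag that
# slipped past encoding is still blocked from running.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

def html_response(body: str) -> tuple:
    """Return (status, headers, body) as a minimal handler would emit them."""
    headers = {"Content-Type": "text/html; charset=utf-8", **SECURITY_HEADERS}
    return 200, headers, body
```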
8. Insecure deserialisation
Remote code execution is one of the most severe consequences of insecure deserialisation. These attacks are relatively difficult to carry out, as the underlying exploit code usually needs to be adapted to the target first.
To mitigate insecure deserialisation, reject serialised objects from untrusted sources and use safe serialisation functions in your code wherever possible.
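Added example, not the original post's code, of both recommendations: a data-only format (JSON) where possible, and, where a native format such as pickle cannot be avoided, Python's restricted-unpickler pattern that only resolves an allow-listed class. The Order type and the sample payloads are constructed.

```python
import datetime
import io
import json
import pickle
from dataclasses import dataclass

@dataclass
class Order:
    order_id: int
    sku: str
    quantity: int

# Preferred: a data-only format. json.loads can only produce dicts, lists,
# strings, numbers, booleans and None, so no constructor or import runs while
# parsing; the application builds its own objects from checked fields.
def load_order_json(payload: str) -> Order:
    data = json.loads(payload)
    quantity = int(data["quantity"])
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    return Order(int(data["order_id"]), str(data["sku"]), quantity)

# Where pickle cannot be avoided, never feed it untrusted bytes directly: this
# unpickler (the restricted-unpickler pattern from the Python documentation)
# resolves only classes on an explicit allow-list and refuses everything else,
# so a payload cannot name arbitrary callables to be run on load.
ALLOWED_CLASSES = {(Order.__module__, "Order"): Order}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        try:
            return ALLOWED_CLASSES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to load {module}.{name}") from None

def load_order_pickle(payload: bytes) -> Order:
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def safe_to_load(payload: bytes) -> bool:
    try:
        load_order_pickle(payload)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed samples: an expected Order, and a harmless object of a class that
# is simply not on the allow-list (stands in for any unexpected type).
ACCEPTED_SAMPLE = pickle.dumps(Order(1, "ABC-1", 2))
REJECTED_SAMPLE = pickle.dumps(datetime.date(2021, 1, 22))
```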
9. Using components with known vulnerabilities
Some components have known vulnerabilities that malicious actors can exploit to gain access to data and servers. Software components such as underlying application libraries and frameworks often contain weaknesses that affect the security of the application as a whole.
You should implement a patching process to resolve vulnerabilities and remove any unnecessary components from your application environment.
10. Insufficient logging and monitoring
Logging and monitoring are essential for fast detection of, and response to, malicious activity, including both attempted and successful attacks.
You should implement a response and recovery plan that ensures suspicious activity is identified and mitigated efficiently.
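Added example (not from the original post) that ties items 2 and 10 together: simple detection logic run over constructed authentication log lines, flagging a source that fails logins against many different accounts in a short window (the credential-stuffing pattern behind broken authentication) and any successful login from that source. The log format, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page); one event per
# line: "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
SAMPLE_LOG = """\
2021-01-22T09:00:01 203.0.113.7 alice LOGIN_FAIL
2021-01-22T09:00:02 203.0.113.7 bob LOGIN_FAIL
2021-01-22T09:00:02 203.0.113.7 carol LOGIN_FAIL
2021-01-22T09:00:03 203.0.113.7 dave LOGIN_FAIL
2021-01-22T09:00:04 203.0.113.7 erin LOGIN_OK
2021-01-22T09:00:05 198.51.100.9 alice LOGIN_FAIL
2021-01-22T09:00:40 198.51.100.9 alice LOGIN_OK
2021-01-22T09:05:00 203.0.113.7 frank LOGIN_FAIL
this line is malformed and must not crash the detector
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text: str) -> list:
    """Parse lines into (timestamp, ip, user, outcome) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=1), threshold=4) -> dict:
    """ip -> sorted usernames for sources whose failed logins hit >= `threshold`
    distinct accounts inside any `window`: one user fails on one account, stuffing on many."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        if outcome == "LOGIN_FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= threshold:
                alerts[ip] = sorted(users | set(alerts.get(ip, [])))
    return alerts

def successes_from_flagged(events, alerts) -> list:
    """Highest-priority signal: a successful login from a source already flagged."""
    return sorted((ip, user) for _, ip, user, outcome in events
                  if outcome == "LOGIN_OK" and ip in alerts)
```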
Sentrium can improve your application security
Sentrium provides web and mobile application security testing and Threat Modelling as part of the routine development lifecycle.
Your security assessment is tailored to the size and complexity of your applications, giving you an efficient and comprehensive testing approach that will add value to your secure development lifecycle.
Contact us to discuss your application security requirements and learn how our services may support your security strategy.