Crowdsource your security knowledge: A simple guide to OWASP Top 10
Over the past two years, the Internet has seen some of the biggest, most devastating data breaches in history. With each attack, millions of personally identifiable information (PII) records are stolen, leading to the possibility of identity theft, banking fraud, and in some of the most notable cases, that's right -- divorce.
From an internet security standpoint, what’s most interesting about these data breaches isn’t the various celebrities naive enough to sign up for Ashley Madison with their real names but rather that these breaches often come from some of the most common methods hackers have for accessing data. Shouldn’t these common methods be the most widely protected against? That’s what a large portion of the internet security community believes, and that’s where the Open Web Application Security Project (OWASP) comes in. OWASP is an open-source security community that publishes the most common attacks to help developers keep their software from being the source of a critical (and possibly humiliating) breach. Keep reading to find out what OWASP’s Top 10 Project is as well as what those Top 10 actually are.
The ins and outs of the Top 10 Project
OWASP is a non-profit organization that uses the cloud to crowdsource case studies and information surrounding security. When you don’t have time to research security trends due to your other work demands, life demands or Netflix, OWASP is excellent enough to aggregate this information for you.
Every few years, OWASP publishes a list of the biggest security threats -- the so-called Top 10 Project. These attacks include threats against infrastructure and applications, and the information is gathered from open-source participants.
According to cybersecurity organization Checkmarx, every one of the OWASP Top 10 vulnerabilities should be a concern for developers. Whether you use tools or manual scripts written from scratch to deal with these concerns is up to you, but these vulnerabilities need to be tested for before deploying an application to production.
A speedy breakdown of the OWASP Top 10 threats
- SQL Injection
In the number one vulnerability, malformed SQL is sent to the database server and results in your data being exposed. Even worse, the hacker can sometimes gain elevated privileges on the server through this attack method. Perhaps most insultingly, SQL injection scripts are available for download, so advanced knowledge isn’t even required to perform this attack. To defend against these attacks, always validate form input.
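An added illustration of the number one item, not code from the original article: the same login lookup written with string concatenation and with a parameterized query, against a constructed in-memory SQLite table. The input-shape check at the end is the "validate form input" advice from the text; the parameterized query is what actually stops the malformed SQL from being parsed as SQL.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
# Plaintext passwords are used only to keep the example short.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
conn.commit()


def login_concat(name: str, password: str) -> bool:
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_param(name: str, password: str) -> bool:
    """Hardened: the statement is fixed; values travel separately as parameters."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def looks_like_username(name: str) -> bool:
    """Form-input validation as the article recommends: an allow-list on the
    field's shape. Worth doing as defence in depth, but not a substitute for
    parameterized queries, because a password field legitimately holds quotes."""
    return name.isalnum() and 0 < len(name) <= 32


if __name__ == "__main__":
    # Constructed malformed input: the leading quote closes the string literal,
    # so the rest is read as SQL rather than as a password value.
    malformed = "' OR '1'='1"
    print(login_concat("alice", malformed))    # True: WHERE clause always satisfied
    print(login_param("alice", malformed))     # False: compared as an ordinary string
    print(looks_like_username(malformed))      # False
```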
- Broken Authentication & Session Management
Sessions should always be unique to the individual. Without appropriate session management, an attacker can masquerade as a user and steal tokens and passwords to gain access he or she should not have.
- Cross-Site Scripting (XSS)
XSS attackers do their damage by fooling a browser into accepting data from an untrusted source. This can happen when the attacker uses code such as JavaScript or malicious HTML as input and the developer doesn’t scrub out these characters. XSS can be used with session hijacking to gain access to user credentials.
- Insecure Direct Object References
Without good authentication coding, attackers can bypass defenses and gain access to server resources. This type of attack can give attackers administrative access. To prevent these attacks, avoid publishing backdoors to applications even if it makes life easier for developers.
- Security Misconfiguration
Poor security configurations can lead to unauthorized access by an attacker who has intimate knowledge of the hardware or system. Always remember that careful security configuration is necessary for the application, the server and the firewalls.
- Sensitive Data Exposure
Several SSL vulnerabilities were exposed in 2014 and 2015. Proper implementation and configuration of security protocols like HTTPS and SSL are necessary for these protocols to protect private data. Weak algorithms can lead to sensitive data exposure.
- Missing Function Level Access Control
Every critical function within an application should undergo a security check before it runs. Without the right security checks made, an attacker may be able to run functionality that only authorized staff or customers should have access to.
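The two authorization items above (Insecure Direct Object References and Missing Function Level Access Control) come down to the same server-side habit: check who is asking before returning an object or running a function. This is an added example, not code from the article; the `User`, `Forbidden`, invoice table and role names are all constructed for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not touch the requested object or function."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "staff"


# Constructed data: invoice id -> id of the customer who owns it.
INVOICES = {101: 1, 102: 2}


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """Direct object reference check: the id taken from the URL is not trusted
    on its own. The record must belong to the caller, or the caller must be staff."""
    owner = INVOICES.get(invoice_id)
    if owner is None:
        raise KeyError(invoice_id)
    if owner != current_user.user_id and current_user.role != "staff":
        raise Forbidden(f"user {current_user.user_id} may not read invoice {invoice_id}")
    return {"invoice_id": invoice_id, "owner": owner}


def requires_role(role: str):
    """Function-level check: the wrapped handler refuses to run unless the
    caller holds the role. Hiding a link in the UI is not a check; the server
    has to enforce it on every call."""
    def decorator(func):
        def wrapper(current_user: User, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(f"{func.__name__} requires role {role!r}")
            return func(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("staff")
def delete_invoice(current_user: User, invoice_id: int) -> bool:
    """Staff-only function; returns True if something was actually deleted."""
    return INVOICES.pop(invoice_id, None) is not None
```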
- Cross-Site Request Forgery (CSRF)
CSRF attacks use forged HTTP requests from the user’s browser. These requests can then manipulate cookies or sessions and gain access to data. The application sees the requests as legitimate, so it sends the attacker sensitive data including personally identifiable information, credentials, or even corporate data.
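The reason the application "sees the requests as legitimate" is that the browser attaches the session cookie to every request, forged or not. An added example (not from the article) of the usual countermeasure: a per-session token that a third-party page cannot know, which the server demands on every state-changing request. The session id, form fields and secret are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real application loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session. A page on another origin cannot read
    the victim's session id, so it cannot produce a matching token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_legitimate(session_id: str, form: dict) -> bool:
    """Server-side check for a state-changing request: the cookie alone proves
    nothing about intent; the token in the form body must match the session."""
    submitted = form.get("csrf_token")
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    victim_session = "sess-abc123"
    # Form rendered by the application itself carries the token.
    genuine = {"action": "change_email", "email": "me@example.com",
               "csrf_token": issue_csrf_token(victim_session)}
    # Forged form submitted from a third-party page: the browser still sends the
    # session cookie, but the page has no way to fill in the right token.
    forged = {"action": "change_email", "email": "other@example.com"}
    print(request_is_legitimate(victim_session, genuine))  # True
    print(request_is_legitimate(victim_session, forged))   # False
```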
- Using Components with Known Vulnerabilities
Most software needs security patches periodically. These patches should be applied as soon as they are released, because they resolve the current threats found in the internet threat landscape. Leaving your systems unpatched exposes them to common vulnerabilities. This exposure is wildly unnecessary.
- Unvalidated Redirects and Forwards
Attackers use unvalidated forwards to direct users to malicious phishing sites that contain malware or attempt to trick users into entering sensitive data. Worse yet, these attacks usually mean the attacker already has access to your application.
When it comes to data breaches, there are degrees of terribleness. Should one of your applications fall victim, it will be infinitely better for your reputation if a hacker gets in with a brand new, entirely creative type of attack. Keep up with the OWASP Top 10.
Photo Credit: pryzmat/Shutterstock
Debbie Fletcher is an enthusiastic, experienced writer who has written for a range of different magazines and news publications over the years. Graduating from City University London specializing in English Literature, Debbie's passion for writing has since grown. She loves anything and everything technology, and exploring different cultures across the world. She's currently looking towards starting her Masters in Comparative Literature in the next few years.