10 Considerations Open Source Security Has Shown About Application Security
OWASP – the Open Web Application Security Project – is an open-source, not-for-profit organization committed to raising IT security standards across all industries. As part of these awareness efforts, they have identified 10 application security risks that need to be addressed in current and future software projects.
Here are the Top 10:
- Injection flaws (SQLi)
Injection flaws allow hackers to send untrusted data or commands to a backend web application. If a web application has not been configured correctly, hackers can use injected SQL commands (SQLi) to steal or destroy data or to assume control of the underlying database.
Many of these SQLi attacks can be prevented relatively easily through data input validation checks and the use of safe APIs that avoid the use of interpreters. Additional safeguards such as server-side whitelists and built-in SQL controls (the LIMIT command for instance) will limit potential for attack.
- Broken authentication
The username/password combination is understood to be vulnerable to compromise through basic loss of credentials. Some badly-designed authentication mechanisms make it easier for hackers to breach systems in bulk, however; login processes that allow for brute force dictionary-style attacks, or credential stuffing allow hackers to use automated hacking tools to gain access. Other applications maintain session state for longer than is required, offering attackers a potential to hijack a user’s authentication tokens to gain system access.
One of the most effective solutions is to deploy multi-factor authentication systems that require an additional token or similar before granting access. Developers should also include basic password complexity rules to prevent users from choosing credentials that are quickly and easily broken with a dictionary attack. Similarly, systems should be configured to control the number of failed login attempts, automatically blocking accounts that breach a pre-defined threshold.
- Exposing sensitive or personal data
The protections safeguarding personal data in transit or at rest are frequently insufficient. Data transmitted in plain text, or via insecure protocols like HTTP, SMTP or FTP are vulnerable to man-in-the-middle (MITM) attacks, allowing hackers to capture sensitive information that can be used to further compromise security, perpetuate identity theft and fraud, or to sell that information to third parties.
Organisations need to make greater use of strong encryption algorithms like Blowfish, Twofish and AES to protect sensitive data in transit and at rest. This will better protect the company against data loss, and potential prosecution for breaching data protection laws like GDPR.
- XML external entities (XEE)
Similar to SQL injection attacks, security systems can be breached by uploading or submitting unauthorised XML directly into a processor. Depending on the system being compromised, this form of attack can be used to extract data, run system commands or execute denial of service (DoS) type attacks.
XXE attacks typically require updates to underlying frameworks, such as moving towards less complex data formats like JSON. XLM processor security also needs to be enhanced by upgrading to SOAP 1.2 (or higher), data input whitelisting and validation, and disabling external XML and DTD processing.
- Broken access control
Access control is used to enforce permissions, ensuring authenticated users cannot access restricted systems, data or resources. If access control mechanisms are incomplete, misconfigured, or not sufficiently hardened, hackers are able to elevate privileges and assume control of internal resources.
Access controls need to be audited regularly and configured to deny access by default. Access controls must be implemented consistently throughout applications to simplify administration and reduce the risk of misuse. And access control logging should be deployed to assist with auditing, providing evidence of attempts to circumvent controls and identifying specific areas of concern that must be addressed.
- Security misconfiguration
Security controls are only effective if applied correctly. By failing to harden the application stack, or configuring permissions incorrectly, some organisations are creating ‘gaps’ in their defences that can be exploited by hackers. In many cases this is as simple as retaining default accounts and passwords on connected devices/applications, making it easy for hackers to gain a foothold inside the company network.
Businesses need to undertake a detailed security hardening project, locking down as much of the environment as possible using industry best practice principles. The process of administration can be further simplified by removing unused applications, features and systems to reduce the number of potential attack surfaces. Segmenting and containerising services will further reduce potential for hackers to extend their reach in the event of a successful security breach.
- Cross-site scripting (XSS)
XSS attacks can be avoided by using frameworks that automatically protect against these techniques, such as Ruby on Rails and React JS. Reflected and Stored XSS attacks can be mitigated by escaping untrusted HTTP request data according to context. DOM XSS attacks can be prevented using context-sensitive encoding when performing document modifications on the client browser side. OWASP also recommend creating a content security policy to provide defence-in-depth controls that mitigate against XSS.
- Insecure deserialization
The process of transforming stored data to an application object – deserialization – can be hijacked by hackers to execute arbitrary code. Deserialization (and serialization) is a common aspect of web applications, particularly when dealing with formats like JSON and XML. The danger occurs when deserializing untrusted user input; hackers can build an exploit that uses the native deserialization function of a programming language to bypass authentication, execute remote code or launch a denial of service attack.
To avoid these problems, developers should ensure they never deserialize data from a source outside the application. Further safeguards are created by using language-agnostic methods for deserialization, such as YAML, XML or JSON.
- Insecure website components
Web platforms like WordPress, Magento and Joomla offer plug-in support to extend core functionality – but these components may contain their own vulnerabilities. Any website component – OS, database, APIs, applications, runtime environments etc – can contain security flaws, especially older versions. Hackers will exploit these known vulnerabilities to compromise a website/application.
It is vital that unused components and frameworks are fully removed to reduce the number of potential attack surfaces. This should be complemented by a regular update program that ensures components are always up-to-date, ensuring that known vulnerabilities are patched as quickly as possible.
- Insufficient logging and monitoring
Hackers tend to create a digital trail as they break into systems, but many organisations miss the warning signs. Application logs – event, warning, notification – all contain useful evidence of hacking attempts. Assuming the logs have been configured and are being monitored. Without log monitoring, victims miss the opportunity to identify and block hackers early, before they can fully penetrate defences.
OWASP recommends capturing and analysing all login, access control failures and server-side validation failures. The logs should also include an audit trail to maintain integrity and prevent hackers from covering their tracks after a breach. Applied correctly, these logs provide early warning of potential problems and direction as to where additional resources need to be deployed.
Navisite and OWASP’s Top Ten
Navisite has partnered with Alert Logic to provide both logging and monitoring for clients to detect OWASP’s Top Ten issues in client environments. Our logging services (Item 10) can be leveraged to monitor areas of concern, providing necessary audit trails and desired levels of retention for investigations. Further, our threat manager (Items 1, 3-4, 7) service detects for OWASP Top Ten type attacks to help clients mitigate and/or enforce stronger policy. Our incident response team (IRT) use these service platforms to ensure that clients assets are protected and data integrity maintained.
Navisite provides assessment services (Items 6-7, 9) through partners to determine external security posture, the extent of secure coding, and typical configuration issues.