
OWASP Releases Their Top 10 Most Critical Application Security Risks for 2017

Posted by C Henry on Wed, Jun 7th, 2017

Consider for a moment just how much of your personal data is handled by web applications today.  Users constantly interact with software applications involving healthcare, banking and retail transactions.  Nearly every major company and organization that deals with high value data has some sort of web application presence today.  What’s more, the infrastructure that supports the new application based websites of today has grown highly complex.  Today’s web application based sites are commonly structured as a three-tiered application.

  • The client tier is the first tier
  • An engine using some dynamic Web content technology is the middle tier
  • A database is the third tier

This multi-tiered architecture means that in addition to the north-south traffic pattern between the user desktop and the client tier (the front end HTML server), the site also creates a large degree of east-west traffic amongst the multiple servers residing in these separate tiers.  This additional traffic highway, along with the added complexity in design, makes cyber security that much more difficult.  Now add the rapid pace of software development processes and the integration of DevOps, and one begins to recognize the challenges of securing the web application experience today.

The Open Web Application Security Project (OWASP) is an open community dedicated to the mission of enabling companies to develop, purchase, and maintain applications and APIs that can be trusted. Insecure software undermines not only the trust that users have but the security of our country as well when it comes to industries such as energy and defense.  In 2003 OWASP established a precedent by releasing the top 10 most prevalent application security risks at the time.  The goal was to identify the primary exploits that hackers use to infiltrate and compromise data within web based applications.  Since then, OWASP has released their Top 10 lists in 2007, 2010 and 2013. 

The OWASP Top 10 has become an accepted benchmark of the application security world and has a large impact on application security program priorities.  Today it serves as a staple for many vulnerability testing product-scoring mechanisms.  Two weeks ago, OWASP released their much anticipated 2017 list.  It is compiled from 11 datasets contributed by firms that specialize in application security and spans vulnerabilities gathered from hundreds of organizations and over 50,000 real-world applications and APIs.  The Top 10 most critical web application security risks are shown below.

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Broken Access Control
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Insufficient Attack Protection
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Under Protected APIs

The old saying, the more things change the more they stay the same, is evident when comparing the various releases of the OWASP Top 10.  In 2010, the top three risks were identical to this year’s release.  When comparing 2010 and 2017, seven of the risk placements are identical.  The primary reason for the difference between the two is that OWASP has devoted a greater focus on API this year.

Many of the outlined risks fall under the responsibility of programmers.  A good example is Injection, which continues to serve as the #1 risk.  This occurs when untrusted data is sent to an SQL, OS, or LDAP interpreter as part of a command or query.  The attacker’s injected hostile data can result in the execution of unintended commands or access to data without proper authorization.  These types of attacks are usually the result of the absence of input validation (only allowing certain characters or commands within a text box or other input point).

Not all of the OWASP Top 10 are the result of improper programming techniques, however.  Many aspects of security misconfiguration usually fall under the jurisdiction of the server or network administrator.  Admins need to ensure that all web, application and database servers are patched and up to date at all times.  Configuration settings must be analyzed to ensure that these servers are hardened.  An example would be ensuring that directory browsing is disabled on the web server.  Another category that affects admins today is Sensitive Data Exposure.  Organizations that fall under the compliance obligations of HIPAA and PCI should encrypt personal and high value data, as encryption is the best means of protecting against unauthorized acquisition of data by hackers and other third parties.

If your organization utilizes any type of web applications, then you need to implement regular vulnerability testing in order to ensure that these highly exploited risks are not a threat to your organization. 
