WEB APPLICATION SECURITY ASSESSMENT
There is no doubt that every business is integrating web applications, or has already done so, to let employees and customers interact on a daily basis. This can be an employee checking his or her email or a customer placing an order through a shopping cart application. The first problem is that we cannot distinguish between a normal user and a criminal one. The second problem is that applications are written by humans and are therefore susceptible to bugs and errors.
What you need to know
Most of the threats stem from errors made while coding the application and from wrong assumptions by the programmer about how the application will be executed within the browser. Other threats stem from poor patch management or system misconfiguration. As a reference, we use the Top 10 threats defined by the OWASP organization for 2010-2013:
YEAR 2017 TOP 10
- A1:2017-Injection
- A2:2017-Broken Authentication
- A3:2017-Sensitive Data Exposure
- A4:2017-XML External Entities (XXE)
- A5:2017-Broken Access Control
- A6:2017-Security Misconfiguration
- A7:2017-Cross-Site Scripting (XSS)
- A8:2017-Insecure Deserialization
- A9:2017-Using Components with Known Vulnerabilities
- A10:2017-Insufficient Logging & Monitoring
YEAR 2021 TOP 10
- A1:2021-Broken Access Control
- A2:2021-Sensitive Data Exposure
- A3:2021-Injection
- A4:2021-Insecure Design
- A5:2021-Security Misconfiguration
- A6:2021-Using Components with Known Vulnerabilities
- A7:2021-Broken Authentication
- A8:2021-Insecure Deserialization
- A9:2021-Insufficient Logging & Monitoring
- A10:2021-Server-Side Request Forgery (SSRF)
THE SOLUTION
2Secure has developed a three-stage solution that can help mitigate these threats:
- Perform risk assessments BEFORE & AFTER the web application is in production.
- Based on the results from the risk assessment, implement mitigating controls.
- Integrate safeguards during the Software Development Life Cycle (SDLC) BEFORE the application is published on the Internet or Intranet.