OWASP Top 10: How to Address These Common Application Vulnerabilities in Your Business

Posted on November 19, 2020 - by Justin Gratto - in Building Your InfoSec Program


Application vulnerabilities aren’t always novel. In cybersecurity, there are a few vulnerabilities that professionals encounter often. In fact, a handful of them are so prominent that Open Web Application Security Project® (OWASP) has developed the Top 10 list for developers and cybersecurity professionals.

If your company uses applications, websites, or networks and servers, there’s a good chance you’ve got one or two of these vulnerabilities lurking. Read on to discover the OWASP Top 10 application vulnerabilities and how to solve them in your business for good.

How to Address the OWASP Top 10 Application Vulnerabilities in Your Business

It’s easy to look out for unusual, clever hacker tactics and forget that some of the most effective techniques are also some of the most well-known. Here’s a quick rundown of the top 10 most common application vulnerabilities and what to do about them.

1. Injections

What they are: Injection attacks occur when an actor tricks an application into executing commands or code to access data without the proper authorization. They can happen with SQL, NoSQL, OS command, and LDAP interpreters.

How to address them: Avoid accessing external interpreters whenever possible by choosing to use language-specific libraries instead. When calls to backend databases must occur, apply rigorous validation measures to prevent malicious content from entering the database. Likewise, run all applications with the minimum privileges they need to perform their functions.
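To make the "rigorous validation" and "language-specific libraries" advice concrete, here is an added example (not code from the original article) that contrasts a string-built SQL query with a parameterized one, plus an allowlist check on the input. It uses Python's built-in sqlite3 module and a constructed in-memory table.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from any real system.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the caller's input becomes part of the SQL text,
    # so the interpreter cannot distinguish data from query structure.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value is bound by the driver and is only ever
    # compared as a string; it is never parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Allowlist validation as a second layer (defence in depth): usernames in this
# hypothetical app may contain only ASCII letters, digits and underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Reject input that fails the allowlist, then query with parameters."""
    if not is_valid_username(username):
        return []
    return find_user_safe(conn, username)
```

Run `find_user_unsafe` with the classic tautology input `x' OR '1'='1` and it returns every row, while `find_user_safe` with the same input returns nothing, because the quote characters are just data to the bound parameter.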

2. Broken Authentication

What it is: It’s extremely easy to implement application functions for authentication incorrectly. This can occur due to poor design, but poor password practices are another common cause.

How to address it: Use multi-factor authentication wherever possible, and limit failed login attempts. Implement weak-password checks and align password strength to NIST SP 800-63B. To minimize broken authentication as a design flaw, use built-in, secure server-side session managers that generate new session IDs after login, and make sure those session IDs never appear in the URL. Plan strong authentication features for your application early, and make space for them on your development roadmap.
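The three controls above (a weak-password check in the NIST SP 800-63B style, a failed-attempt limit, and a fresh session ID issued on successful login) as an added Python example; this is illustrative code, not from the article or any product, and the blocklist of common passwords is a constructed stand-in for a real breached-password corpus.

```python
import secrets
from collections import defaultdict

# Constructed sample blocklist; a real deployment checks against a large
# breached/common-password corpus instead of a handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

def password_acceptable(password: str) -> bool:
    """NIST SP 800-63B style: minimum length, generous maximum, blocklist check,
    and no composition rules (no forced digits/symbols)."""
    if len(password) < 8 or len(password) > 64:
        return False
    return password.lower() not in COMMON_PASSWORDS

class LoginGuard:
    """Tracks failed attempts per account, locks the account after too many,
    and hands out a new session ID (never reusing the pre-login one) on success."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username: str, now: float) -> bool:
        # 'now' is passed in (seconds) so the logic is deterministic and testable.
        return self.locked_until.get(username, 0.0) > now

    def record_failure(self, username: str, now: float) -> None:
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0

    def record_success(self, username: str) -> str:
        # Clear counters and return a freshly generated, unguessable session ID.
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)
        return secrets.token_urlsafe(32)
```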

3. Sensitive Data Exposure

What it is: Despite regulatory compliance requirements, it’s not unusual for web applications or APIs to improperly store or transmit sensitive data. Frequent causes include old or weak cryptographic algorithms, unencrypted transmissions, and server certificates that are not verified by the user agent.

How to address it: Use a data classification system to identify sensitive information. Enforce encryption requirements (using modern algorithms) and encrypt all transmissions. Don’t store sensitive data unnecessarily and implement procedures to securely erase it.

4. XML External Entities (XXE)

What it is: Outdated or improperly configured XML processors will evaluate external entity references within a document. Attacks attempt to interfere with an application’s processing of XML data in order to view or access files on the application server’s filesystem.

How to address it: OWASP recommends developer training to recognize and prevent this Top 10 vulnerability. Otherwise, consider virtual patching, API security gateways, web application firewalls, and whitelist-based (allowlist) server-side input validation to prevent attacks.

5. Broken Access Control

What it is: Some applications don’t adequately restrict what authenticated users may do within their accounts or while connected to a server. This can lead to abuse of functions, or to metadata manipulation such as tampering with JSON Web Tokens.

How to address it: Enforce access control in trusted server-side code, or in a serverless API, where the metadata and access control checks are safely out of reach of attackers.

6. Security Misconfigurations

What it is: The most prevalent vulnerability issue, security misconfigurations may allow users (or non-users) access to parts of the server, cloud storage, or network that store sensitive information.

How to address it: Make sure all user permissions are correct, keep systems and servers patched, and deploy segmented architecture to prevent unbridled access to resources.

7. Cross-Site Scripting (XSS)

What it is: One of the oldest application vulnerabilities known. Attackers abuse insecure HTML and JavaScript code to inject client-side scripts into web pages viewed by other users, such as on message boards. And it’s not just JavaScript or HTML: any code vulnerable to an XSS that the browser might execute is a concern. Even as late as 2018, XSS attacks still represented around 40 percent of all attacks.

How to address it: Separate untrusted data from active browser content through output escaping (disallowing key characters associated with code) or contextual output encoding (whitelisting specific characters).
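The message-board case above, as an added Python example (not code from the article): untrusted author, body and homepage values are encoded for the HTML context each one lands in, and the link context additionally allowlists the URL scheme. The post fields are constructed sample input.

```python
import html
from urllib.parse import urlsplit

def encode_for_html_text(value: str) -> str:
    """Element content: escape &, <, > and quotes so input cannot open or close a tag."""
    return html.escape(value, quote=True)

def encode_for_html_attr(value: str) -> str:
    """Quoted attribute value: same escaping; the caller must wrap the result in
    double quotes so there is no unquoted-attribute context to break out of."""
    return html.escape(value, quote=True)

def safe_href(url: str) -> str:
    """Link context: escaping alone does not stop a javascript: URL, so only
    http(s) schemes are allowed; anything else is replaced with '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_post(author: str, body: str, homepage: str) -> str:
    """Render one hypothetical message-board post with context-aware encoding."""
    return (
        f'<div class="post" data-author="{encode_for_html_attr(author)}">'
        f'<a href="{safe_href(homepage)}">{encode_for_html_text(author)}</a>: '
        f"{encode_for_html_text(body)}</div>"
    )
```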

8. Insecure Deserialization

What it is: This occurs when an attacker attempts to abuse the logic of an application to deserialize untrusted user input. Frequently, this vulnerability is exploited to carry out denial-of-service attacks.

How to address it: The only way to fully prevent this vulnerability is to disallow serialized objects from untrusted sources – that is, data sources or input streams not directly controlled by the application.

9. Using Components with Known Vulnerabilities

What it is: Developers often rely on components like frameworks, libraries, or software modules to cut down their workload. However, if these components run with the same privileges as the application and contain vulnerabilities, they may undermine other security measures.

How to address it: Implement a patch management process to remove unused dependencies, continuously inventory client-side and server-side components, and identify components that require updating. Only use components from official sources over secure links.

10. Insufficient Logging and Monitoring

What it is: Failing to adequately monitor and log cyber activity increases the overall vulnerability of a system. Breaches go undiscovered longer, and attackers can penetrate deeper into systems before they’re detected.

How to address it: A solid cybersecurity strategy, coupled with the right tools, can reduce an organization’s attack surface and catch incidents before they become breaches.

Reduce Your Cyber Vulnerabilities with Securicy

The OWASP Top 10 represents some of the most prevalent vulnerabilities out there today, which your developers should be trained to recognize and test for. Secure coding is a critical part of a strong security posture. You need to make sure you are prepared when customers start asking questions about your security policies and procedures. In the vendor security questionnaires you’ll get from customers or prospects, you’re almost guaranteed to get questions about security in your software development lifecycle.

But these aren’t the only threats that may assail your infrastructure. That’s why a strong cybersecurity strategy is crucial to your success in business. With a centralized information security management platform, you can make sure you’re ready to showcase your security program and sell to enterprise businesses.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.

Try Securicy Free

About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is accountable for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He leads the customer success team, coordinates advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.