
Top 10 Most Critical Web App Security Risks

Tactical or Strategic
OWASP suggests responses, both tactical and strategic, from Ryan Barnett, director of application security training for Breach Security. According to Barnett, tactical responses are mainly handled by security operations staff and aim to minimize Time-to-Fix exposure, while strategic fixes are for developers to eradicate the underlying weaknesses in the code.

Injection Flaws – Tactical Response
- Commercial Web Application Firewalls (WAFs) with automated learning capabilities can create proper input validation policies and include negative security signatures to identify attack payloads.
- Static/dynamic scanning data is used by a web application firewall to create virtual patches.
- By analyzing the outbound pages, WAFs can also identify when an injection flaw is successful by identifying information leakages.

Injection Flaws – Strategic Response
- Implement the OWASP Enterprise Security API to properly handle and escape user-supplied data.

Cross-site Scripting (XSS) – Tactical Response
- Commercial WAFs with automated learning capabilities can create proper input validation policies and include negative security signatures to identify attack payloads.
- Static/dynamic scanning data is used by a web application firewall to create virtual patches.
- By analyzing outbound data, WAFs can also be used to identify when applications do not properly output-escape user-supplied data before sending it to users.

Cross-site Scripting (XSS) – Strategic Response
- Implement the OWASP Enterprise Security API to properly handle and escape user-supplied data.
- Have developers review the OWASP XSS Cheatsheet.

Broken Authentication and Session Management – Tactical Response
- WAFs can detect Session Hijacking attempts when attackers try to use stolen SessionIDs.
- WAFs can identify when attackers manipulate Cookie data.
- WAFs can also be used to identify application defects, such as when applications fail to use cookie flags like HTTPOnly, which helps to prevent Session Hijacking via XSS.

Broken Authentication and Session Management – Strategic Response
- Implement the OWASP Enterprise Security API Authenticator and User API.

Insecure Direct Object Reference – Tactical Response
- Commercial WAFs with automated learning capabilities can create proper input validation policies to identify when attackers manipulate hidden form fields.
- WAFs also include negative security signatures to identify attack payloads that point to other, unauthorized files.
- By analyzing the outbound pages, WAFs can also identify when an injection flaw is successful by identifying information leakages.

Insecure Direct Object Reference – Strategic Response
- Implement the OWASP Enterprise Security API and use indirect reference maps.
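What an indirect reference map looks like in practice, as an added example (not ESAPI's own code): each session maps the real keys a user may access to random tokens, links carry only the tokens, and a request that supplies anything else, including a raw key, resolves to nothing. The `/account?ref=` endpoint and the account IDs are hypothetical.

```python
import secrets
from typing import Dict, Optional

class IndirectReferenceMap:
    """Per-session map between direct references (database keys, file
    names) and random opaque tokens. The client only ever sees tokens,
    so it cannot guess or increment its way to another user's object."""

    def __init__(self, token_bytes: int = 9):
        self._direct_to_indirect: Dict[str, str] = {}
        self._indirect_to_direct: Dict[str, str] = {}
        self._token_bytes = token_bytes

    def add_direct_reference(self, direct: str) -> str:
        """Register an object this session may access; returns the token
        to embed in links and forms (stable across repeat calls)."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._indirect_to_direct:  # vanishingly rare collision
            token = secrets.token_urlsafe(self._token_bytes)
        self._direct_to_indirect[direct] = token
        self._indirect_to_direct[token] = direct
        return token

    def get_direct_reference(self, indirect: str) -> Optional[str]:
        """Resolve a token from a request. Anything not issued to this
        session, including a raw key pasted in by the client, is None."""
        return self._indirect_to_direct.get(indirect)

def render_account_links(refmap: IndirectReferenceMap, owned_ids) -> dict:
    """Build the links a page would show for the accounts this user owns
    (hypothetical /account?ref= endpoint)."""
    return {acct: f"/account?ref={refmap.add_direct_reference(acct)}"
            for acct in owned_ids}

def handle_account_request(refmap: IndirectReferenceMap, ref_param: str):
    """Server side of the hypothetical endpoint: resolve the token or reject."""
    direct = refmap.get_direct_reference(ref_param)
    if direct is None:
        return 403, "unknown reference"
    return 200, f"account {direct}"

if __name__ == "__main__":
    session_map = IndirectReferenceMap()          # one per logged-in session
    links = render_account_links(session_map, ["1001", "1002"])
    print(links)
    print(handle_account_request(session_map, "1003"))   # raw key: rejected
```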

Cross-site Request Forgery (CSRF) – Tactical Response
- Use a WAF to implement a unique CSRF token into web pages and then validate them on subsequent requests.

Cross-site Request Forgery (CSRF) – Strategic Response
- Implement the OWASP CSRFGuard.
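The token mechanism both responses rely on, as an added example that is not CSRFGuard's code: a random per-session token is embedded in every form as a hidden field, state-changing requests must echo it, and the comparison is constant-time. The session dict, the field name `csrf_token` and the form shape are assumptions.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change state
TOKEN_FIELD = "csrf_token"                  # hypothetical hidden-field name

def issue_token(session: dict) -> str:
    """Create the session's token once and return it on every later call,
    so all forms rendered during the session carry the same value."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]

def hidden_field(session: dict) -> str:
    """HTML fragment to drop into each form that performs an action."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}">'

def validate_request(session: dict, method: str, form: dict) -> bool:
    """True if the request may proceed. Safe methods need no token; any
    other method must present a token equal to the session's."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not isinstance(supplied, str):
        return False            # no token issued yet, or none supplied
    # constant-time comparison so response timing does not leak the token
    return hmac.compare_digest(expected, supplied)

if __name__ == "__main__":
    session = {}                        # stands in for server-side session storage
    print(hidden_field(session))
    # forged cross-site POST: the attacker's page cannot read the victim's token
    print(validate_request(session, "POST", {"amount": "100"}))      # False
    print(validate_request(session, "POST", {TOKEN_FIELD: issue_token(session)}))  # True
```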

Security Misconfiguration – Tactical Response
- WAFs can be used to identify when there are information leakages and improper error handling issues, as these are often used by attackers to fine-tune attack payloads and extract data.
- Static/dynamic scanning data is used by a web application firewall to create virtual patches.

Security Misconfiguration – Strategic Response
- Ensure that all configurations are set appropriately when moving from Dev/Staging into Production.

Patch Management Processes, Failure to Restrict URL Access – Tactical Response
- Commercial WAFs with automated learning capabilities can identify forceful browsing attempts.
- In addition, controlling URL access also includes setting proper access rate thresholds (anti-automation) to identify/prevent Denial of Service, Brute Force and Scraping attacks.

Patch Management Processes – Strategic Response
- Implement the OWASP Enterprise Security API Access Control API.

Unvalidated Redirects and Forwards – Tactical Response
- A WAF can be used to validate the URL locations used in parameter redirection to only allow proper locations.

Unvalidated Redirects and Forwards – Strategic Response
- Use the OWASP Enterprise Security API to override the SendRedirect() method and return safe locations.
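The "return safe locations" idea in code, as an added example rather than ESAPI's implementation: the redirect parameter is first looked up as a named destination, otherwise accepted only if it is a same-site path, and everything else falls back to a default. The destination names and the `help.example.com` host are placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_LOCATION = "/"
# Hypothetical named destinations: the client supplies a key, never a URL.
REDIRECT_MAP = {
    "home": "/",
    "account": "/account/overview",
    "help": "https://help.example.com/start",   # placeholder external host
}

def _is_local_path(target: str) -> bool:
    """Accept only a path on this origin. Rejects scheme-relative '//host'
    forms, backslashes (browsers treat '/\\host' as '//host'), control
    characters that could split the header, and anything with a scheme."""
    if not target or any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""

def resolve_redirect(target: str) -> str:
    """Map the untrusted redirect parameter to a location we are willing
    to send the browser to."""
    target = (target or "").strip()
    if target in REDIRECT_MAP:
        return REDIRECT_MAP[target]
    if _is_local_path(target):
        return target
    return DEFAULT_LOCATION

def send_redirect(response_headers: dict, target: str) -> dict:
    """Stand-in for a framework's sendRedirect(): always writes a
    resolved, safe Location header."""
    response_headers["Location"] = resolve_redirect(target)
    return response_headers

if __name__ == "__main__":
    for t in ["account", "/orders?id=5", "//evil.example", "http://evil.example/", "/\\evil.example"]:
        print(repr(t), "->", send_redirect({}, t)["Location"])
```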

Insecure Cryptographic Storage – Tactical Response
- A WAF can be used to identify if web applications are not properly encrypting sensitive user data in databases, if this data is sent back out to the clients.

Insecure Cryptographic Storage – Strategic Response
- Use the OWASP Enterprise Security API Encryptor API.

Insufficient Transport Layer Security – Tactical Response
- A WAF can be used to identify application defects such as when an application fails to use the "Secure" cookie flag when sending data to the client over an encrypted channel, or when a user is sending sensitive data (login credentials or Credit Card data) over an unencrypted channel.
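The cookie-flag defects named here and under Broken Authentication and Session Management (missing HttpOnly on session cookies, missing Secure on cookies set over TLS) are the kind of thing a WAF spots by watching outbound responses. Added example, not any vendor's detection logic: it parses Set-Cookie headers from constructed sample responses and reports the findings; the session cookie names are a small assumed list.

```python
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid"}

def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a dict of
    lower-cased attribute names (value-less flags map to '')."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_response(is_https: bool, headers: list) -> list:
    """Findings for every Set-Cookie header in one outbound response:
    session cookies lacking HttpOnly, and any cookie set over TLS lacking
    Secure (which would later let it travel over plaintext)."""
    findings = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        is_session = cookie["name"].lower() in SESSION_COOKIE_NAMES
        if is_session and "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly "
                            "(readable by script, aids hijacking via XSS)")
        if is_https and "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure "
                            "(may later be sent over an unencrypted channel)")
    return findings

# Constructed sample responses: (label, served over https?, [(header, value), ...])
SAMPLE_RESPONSES = [
    ("login-ok", True, [("Content-Type", "text/html"),
                        ("Set-Cookie", "JSESSIONID=ab12cd34; Path=/; HttpOnly; Secure")]),
    ("login-weak", True, [("Set-Cookie", "JSESSIONID=ef56gh78; Path=/")]),
    ("plain-http", False, [("Set-Cookie", "JSESSIONID=ij90kl12; Path=/; HttpOnly")]),
    ("prefs", True, [("Set-Cookie", "theme=dark; Path=/; Max-Age=86400")]),
]

def audit_all(samples=SAMPLE_RESPONSES) -> dict:
    """Map each sample label to its list of findings."""
    return {label: audit_response(https, hdrs) for label, https, hdrs in samples}

if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, findings or ["ok"])
```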

Insufficient Transport Layer Security – Strategic Response
- Ensure that SSL is properly implemented on all sensitive data paths, including back-end connections to database systems.
