
Risk

11/15/2009
09:23 PM
George V. Hulme
Commentary

The Web Application Security New Top 10 Risks

With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcomed - change in how the organization rates Web application security weaknesses.

The OWASP Top Ten has always been required reading for Web application developers and server administrators. But the list, as it was initially published nearly seven years ago, probably didn't mean much to the business managers and executives who need to authorize the budget, and additional time, needed to deploy reasonably secure Web applications.

One of the most profound changes, and one that shows how OWASP is maturing from a software-development-centric view to a risk view, is the addition of Security Misconfiguration to the list. Misconfigurations and poor system change management are among the most common - and avoidable - ways organizations shoot themselves in the security foot. If there is any hope of keeping an application or Web server secure, proper configuration settings must be defined, put into place, and periodically validated. Misconfigurations always belonged on the list, and it's good news to see them included.
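The "define, put into place, periodically validate" cycle described above is easy to automate. The following is an added example, not code from the article or from OWASP: it expresses a secure baseline as a list of rules, checks an application's effective settings against it, and reports every deviation so the check can run on a schedule or in a deployment pipeline. The setting names (`debug`, `directory_listing`, `tls_min_version`, and so on) and both sample configurations are constructed for the illustration and do not belong to any particular framework or product; a missing setting is deliberately reported as a finding, since "not configured" is not the same as "configured securely".

```python
"""Baseline validation for web application settings.

Added example (not from the article or from OWASP). Setting names and the
two sample configurations below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    """One baseline requirement: a setting, a predicate it must satisfy, and the fix."""
    setting: str
    ok: Callable[[Any], bool]
    fix: str


# The defined secure baseline (constructed names). Each predicate returns True
# only for the value the baseline accepts.
BASELINE = [
    Rule("debug", lambda v: v is False, "disable debug mode in production"),
    Rule("directory_listing", lambda v: v is False, "disable directory listing"),
    Rule("verbose_errors", lambda v: v is False, "return generic error pages"),
    Rule("session_cookie_secure", lambda v: v is True, "set the Secure flag on session cookies"),
    Rule("session_cookie_httponly", lambda v: v is True, "set the HttpOnly flag on session cookies"),
    Rule("admin_password_is_default", lambda v: v is False, "change the default admin credential"),
    Rule("tls_min_version", lambda v: isinstance(v, str) and v in ("1.2", "1.3"),
         "require TLS 1.2 or later"),
    Rule("allowed_hosts", lambda v: isinstance(v, list) and len(v) > 0 and "*" not in v,
         "restrict allowed hosts to the real hostnames"),
]


def validate(config: dict) -> list[str]:
    """Return one finding per baseline deviation; an empty list means compliant.

    A setting that is absent is reported as well: the baseline requires it
    to be set explicitly, not left to a framework default.
    """
    findings = []
    for rule in BASELINE:
        if rule.setting not in config:
            findings.append(f"{rule.setting}: not set; {rule.fix}")
        elif not rule.ok(config[rule.setting]):
            findings.append(f"{rule.setting}={config[rule.setting]!r}; {rule.fix}")
    return findings


# Constructed sample: a configuration that "worked fine in staging".
WEAK_CONFIG = {
    "debug": True,
    "directory_listing": True,
    "verbose_errors": True,
    "session_cookie_secure": False,
    # session_cookie_httponly is deliberately missing
    "admin_password_is_default": True,
    "tls_min_version": "1.0",
    "allowed_hosts": ["*"],
}

# Constructed sample: the same application after the baseline was applied.
HARDENED_CONFIG = {
    "debug": False,
    "directory_listing": False,
    "verbose_errors": False,
    "session_cookie_secure": True,
    "session_cookie_httponly": True,
    "admin_password_is_default": False,
    "tls_min_version": "1.2",
    "allowed_hosts": ["app.example.test"],
}

if __name__ == "__main__":
    # Periodic run: print every deviation so drift from the baseline is visible.
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = validate(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the script reports eight findings for the weak configuration (including the absent `session_cookie_httponly`) and none for the hardened one. In practice the `BASELINE` list would be kept under version control alongside the application, so a configuration change and its security review travel together, which is the change-management point the paragraph above makes.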

Also, for each risk, the guide details how easily the vulnerability is exploited, how prevalent the flaw is, and the severity of its technical impact. The guide also explains how organizations are typically vulnerable, how to mitigate the risk, and gives example attacks.

Developers, server administrators, and application owners interested in maintaining secure applications should use the OWASP Top 10 not only as a technical reference guide, but also as a way to help secure the budget required to do the things that need to be done to make security part of an organization's business process.

The OWASP Top 10 Application Security Risks 2010 (release candidate) can be found at the OWASP Web site, right here. The list includes the classes of Web risks we read about every day, as Web sites and databases are pwned: injection attacks (think buffer overflow and SQL attacks), bad authentication, cross-site scripting attacks.

Good security can never be attained by working through mere checklists. Still, mitigating the risks included in the OWASP Top 10 will make a Web application far more secure than one that does not address them. These vulnerabilities are typically the first doorknobs the digital burglar rattles, hoping to find an opening.

OWASP has excellent resources designed to help organizations improve their Web application security including the OWASP Developer's Guide, the OWASP Testing Guide, and OWASP Code Review Guide.

For my security and technology observations throughout the day, follow my Twitter account.
