Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2009
09:23 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Web Application Security New Top 10 Risks

With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcomed - change in how the organization rates Web application security weaknesses.

With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcomed - change in how the organization rates Web application security weaknesses.The OWASP Top Ten has always been required reading for Web application developers and server administrators. But the list, as it was initially published nearly seven years ago, probably didn't mean much to the business managers and executives who need to authorize the budget, and additional time, needed to deploy reasonably secure Web applications.

One of the most profound changes, and shows how OWASP is maturing from its software development centric view to a risk view is the inclusion of Security Misconfigurations to the list. Misconfigurations and poor system change management is one of the most common - and avoidable - ways organizations shoot themselves in the security foot. Proper configuration settings, if there's any hope at keeping an application or Web server secure must be defined and put into place - and periodically validated. Misconfigurations always belonged on the list - and it's good news to see it included.

Also, for each risk, the guide details how easy the vulnerability is exploited, prevalence of the flaw, and the severity of its technical impact. The guide also explains how organizations are typically vulnerable, how to mitigate the risk, and example attacks.

Developers , server administrators, and application owners interested in maintaining secure applications should not only use the OWASP Top 10 as a technical reference guide - but also as a way to help secure the budget required to do the things that need to be done to make security part of an organization's business process.

The OWASP Top 10 Application Security Risks 2010 (release candidate) can be found at the OWAPS Web site, right here. The list includes the classes of Web risks we read about every day, as web sites and databases are pwned: Injection attacks (think buffer overflow and SQL attacks), bad authentication, cross-site scripting attacks.

While good security can never attained by checking through mere lists. Although mitigating the risks included in the OWASP Top 10 will enhance the security far beyond any Web application that does not. These vulnerabilities are typically the first doorknobs the digital burglar tries to rattle hoping to find an opening.

OWASP has excellent resources designed to help organizations improve their Web application security including the OWASP Developer's Guide, the OWASP Testing Guide, and OWASP Code Review Guide.

For my security and technology observations throughout the day, follow my Twitter account.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.